--- /dev/null
+/etc/sudoers.d/zabbix.user
+/etc/zabbix_agentd/*
nut:x:115:
cdrom:x:116:
usb:x:117:
+zabbix:x:118:
samba:x:1000:
cyrus:x:111:12:Cyrus user:/usr/cyrus:
filter:x:112:12:Spam user:/home/filter:/bin/false
asterisk:x:114:114:Asterisk user:/var/empty:/bin/false
+zabbix:x:118:118:Zabbix Monitoring:/var/empty:/bin/false
samba:x:1000:1000:Samba User:/var/empty:/bin/false
#lib/libxtables.la
lib/libxtables.so
lib/libxtables.so.12
-lib/libxtables.so.12.0.0
+lib/libxtables.so.12.2.0
#lib/xtables
-lib/xtables/libebt_802_3.so
-lib/xtables/libebt_ip.so
-lib/xtables/libebt_log.so
-lib/xtables/libebt_mark_m.so
lib/xtables/libip6t_DNAT.so
lib/xtables/libip6t_DNPT.so
lib/xtables/libip6t_HL.so
lib/xtables/libxt_length.so
lib/xtables/libxt_limit.so
lib/xtables/libxt_mac.so
-lib/xtables/libxt_mangle.so
lib/xtables/libxt_mark.so
lib/xtables/libxt_multiport.so
lib/xtables/libxt_nfacct.so
lib/xtables/libxt_u32.so
lib/xtables/libxt_udp.so
sbin/ip6tables
+#sbin/ip6tables-legacy
+#sbin/ip6tables-legacy-restore
+#sbin/ip6tables-legacy-save
sbin/ip6tables-restore
sbin/ip6tables-save
sbin/iptables
+#sbin/iptables-legacy
+#sbin/iptables-legacy-restore
+#sbin/iptables-legacy-save
sbin/iptables-restore
sbin/iptables-save
sbin/iptables-xml
#sbin/nfnl_osf
-sbin/xtables-multi
+sbin/xtables-legacy-multi
#usr/include/libipq.h
#usr/include/libiptc
#usr/include/libiptc/ipt_kernel_headers.h
#usr/share/man/man8/iptables-save.8
#usr/share/man/man8/iptables.8
#usr/share/man/man8/nfnl_osf.8
+#usr/share/man/man8/xtables-legacy.8
+#usr/share/man/man8/xtables-monitor.8
+#usr/share/man/man8/xtables-nft.8
+#usr/share/man/man8/xtables-translate.8
#usr/share/xtables
usr/share/xtables/pf.os
etc/rc.d/init.d/network
etc/rc.d/init.d/networking/red.up/50-ipsec
srv/web/ipfire/cgi-bin/credits.cgi
+srv/web/ipfire/cgi-bin/dhcp.cgi
srv/web/ipfire/cgi-bin/index.cgi
srv/web/ipfire/cgi-bin/netovpnsrv.cgi
srv/web/ipfire/cgi-bin/proxy.cgi
--- /dev/null
+../../../common/less
\ No newline at end of file
--- /dev/null
+../../../common/wpa_supplicant
\ No newline at end of file
+etc/rc.d/init.d/netsnmpd
etc/rc.d/rc0.d/K02netsnmpd
etc/rc.d/rc3.d/S65netsnmpd
etc/rc.d/rc6.d/K02netsnmpd
etc/snmpd.conf
usr/bin/agentxtrap
+usr/bin/checkbandwidth
usr/bin/encode_keychange
usr/bin/fixproc
usr/bin/ipf-mod.pl
usr/bin/snmpgetnext
usr/bin/snmpinform
usr/bin/snmpnetstat
+usr/bin/snmppcap
+usr/bin/snmpping
+usr/bin/snmpps
usr/bin/snmpset
usr/bin/snmpstatus
usr/bin/snmptable
usr/bin/snmptest
+usr/bin/snmptop
usr/bin/snmptranslate
usr/bin/snmptrap
usr/bin/snmpusm
#usr/include/net-snmp/agent/mode_end_call.h
#usr/include/net-snmp/agent/multiplexer.h
#usr/include/net-snmp/agent/net-snmp-agent-includes.h
+#usr/include/net-snmp/agent/netsnmp_close_fds.h
#usr/include/net-snmp/agent/null.h
#usr/include/net-snmp/agent/old_api.h
#usr/include/net-snmp/agent/read_only.h
#usr/include/net-snmp/library/md5.h
#usr/include/net-snmp/library/mib.h
#usr/include/net-snmp/library/mt_support.h
+#usr/include/net-snmp/library/netsnmp-attribute-format.h
#usr/include/net-snmp/library/oid.h
#usr/include/net-snmp/library/oid_stash.h
#usr/include/net-snmp/library/parse.h
#usr/include/net-snmp/library/snmpAliasDomain.h
#usr/include/net-snmp/library/snmpCallbackDomain.h
#usr/include/net-snmp/library/snmpIPv4BaseDomain.h
+#usr/include/net-snmp/library/snmpIPv6BaseDomain.h
#usr/include/net-snmp/library/snmpSocketBaseDomain.h
#usr/include/net-snmp/library/snmpTCPBaseDomain.h
#usr/include/net-snmp/library/snmpTCPDomain.h
+#usr/include/net-snmp/library/snmpTCPIPv6Domain.h
#usr/include/net-snmp/library/snmpUDPBaseDomain.h
#usr/include/net-snmp/library/snmpUDPDomain.h
#usr/include/net-snmp/library/snmpUDPIPv4BaseDomain.h
+#usr/include/net-snmp/library/snmpUDPIPv6Domain.h
#usr/include/net-snmp/library/snmpUnixDomain.h
#usr/include/net-snmp/library/snmp_alarm.h
#usr/include/net-snmp/library/snmp_api.h
#usr/include/net-snmp/system/cygwin.h
#usr/include/net-snmp/system/darwin.h
#usr/include/net-snmp/system/darwin10.h
+#usr/include/net-snmp/system/darwin11.h
+#usr/include/net-snmp/system/darwin12.h
+#usr/include/net-snmp/system/darwin13.h
+#usr/include/net-snmp/system/darwin14.h
+#usr/include/net-snmp/system/darwin15.h
+#usr/include/net-snmp/system/darwin16.h
+#usr/include/net-snmp/system/darwin17.h
#usr/include/net-snmp/system/darwin7.h
#usr/include/net-snmp/system/darwin8.h
#usr/include/net-snmp/system/darwin9.h
#usr/include/net-snmp/system/generic.h
#usr/include/net-snmp/system/hpux.h
#usr/include/net-snmp/system/irix.h
+#usr/include/net-snmp/system/kfreebsd.h
#usr/include/net-snmp/system/linux.h
#usr/include/net-snmp/system/mingw32.h
+#usr/include/net-snmp/system/mingw32msvc.h
#usr/include/net-snmp/system/mips.h
#usr/include/net-snmp/system/netbsd.h
+#usr/include/net-snmp/system/nto-qnx6.h
#usr/include/net-snmp/system/openbsd.h
#usr/include/net-snmp/system/openbsd4.h
#usr/include/net-snmp/system/openbsd5.h
+#usr/include/net-snmp/system/openbsd6.h
#usr/include/net-snmp/system/osf5.h
#usr/include/net-snmp/system/solaris.h
#usr/include/net-snmp/system/solaris2.3.h
#usr/include/net-snmp/version.h
#usr/lib/libnetsnmp.a
#usr/lib/libnetsnmp.la
-usr/lib/libnetsnmp.so
-usr/lib/libnetsnmp.so.30
-usr/lib/libnetsnmp.so.30.0.3
+#usr/lib/libnetsnmp.so
+usr/lib/libnetsnmp.so.35
+usr/lib/libnetsnmp.so.35.0.0
#usr/lib/libnetsnmpagent.a
#usr/lib/libnetsnmpagent.la
-usr/lib/libnetsnmpagent.so
-usr/lib/libnetsnmpagent.so.30
-usr/lib/libnetsnmpagent.so.30.0.3
+#usr/lib/libnetsnmpagent.so
+usr/lib/libnetsnmpagent.so.35
+usr/lib/libnetsnmpagent.so.35.0.0
#usr/lib/libnetsnmphelpers.a
#usr/lib/libnetsnmphelpers.la
-usr/lib/libnetsnmphelpers.so
-usr/lib/libnetsnmphelpers.so.30
-usr/lib/libnetsnmphelpers.so.30.0.3
+#usr/lib/libnetsnmphelpers.so
+usr/lib/libnetsnmphelpers.so.35
+usr/lib/libnetsnmphelpers.so.35.0.0
#usr/lib/libnetsnmpmibs.a
#usr/lib/libnetsnmpmibs.la
-usr/lib/libnetsnmpmibs.so
-usr/lib/libnetsnmpmibs.so.30
-usr/lib/libnetsnmpmibs.so.30.0.3
+#usr/lib/libnetsnmpmibs.so
+usr/lib/libnetsnmpmibs.so.35
+usr/lib/libnetsnmpmibs.so.35.0.0
#usr/lib/libnetsnmptrapd.a
#usr/lib/libnetsnmptrapd.la
-usr/lib/libnetsnmptrapd.so
-usr/lib/libnetsnmptrapd.so.30
-usr/lib/libnetsnmptrapd.so.30.0.3
+#usr/lib/libnetsnmptrapd.so
+usr/lib/libnetsnmptrapd.so.35
+usr/lib/libnetsnmptrapd.so.35.0.0
#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/Makefile.subs.pl
+usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/Bundle/MakefileSubs.pm
#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP
usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/ASN.pm
usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/NetSNMP/OID.pm
#usr/share/man/man1/snmpgetnext.1
#usr/share/man/man1/snmpinform.1
#usr/share/man/man1/snmpnetstat.1
+#usr/share/man/man1/snmpps.1
#usr/share/man/man1/snmpset.1
#usr/share/man/man1/snmpstatus.1
#usr/share/man/man1/snmptable.1
#usr/share/man/man1/snmptest.1
+#usr/share/man/man1/snmptop.1
#usr/share/man/man1/snmptranslate.1
#usr/share/man/man1/snmptrap.1
#usr/share/man/man1/snmpusm.1
#usr/share/man/man5/variables.5
#usr/share/man/man8/snmpd.8
#usr/share/man/man8/snmptrapd.8
-usr/share/snmp
-usr/share/snmp/mib2c-data
+#usr/share/snmp
+#usr/share/snmp/mib2c-data
usr/share/snmp/mib2c-data/default-mfd-top.m2c
usr/share/snmp/mib2c-data/details-enums.m2i
usr/share/snmp/mib2c-data/details-node.m2i
usr/share/snmp/mib2c.mfd.conf
usr/share/snmp/mib2c.notify.conf
usr/share/snmp/mib2c.old-api.conf
+usr/share/snmp/mib2c.org-mode.conf
usr/share/snmp/mib2c.perl.conf
usr/share/snmp/mib2c.raw-table.conf
usr/share/snmp/mib2c.scalar.conf
usr/share/snmp/mib2c.table_data.conf
-usr/share/snmp/mibs
+#usr/share/snmp/mibs
usr/share/snmp/mibs/AGENTX-MIB.txt
usr/share/snmp/mibs/BRIDGE-MIB.txt
usr/share/snmp/mibs/DISMAN-EVENT-MIB.txt
usr/share/snmp/mibs/SNMP-USER-BASED-SM-MIB.txt
usr/share/snmp/mibs/SNMP-USM-AES-MIB.txt
usr/share/snmp/mibs/SNMP-USM-DH-OBJECTS-MIB.txt
+usr/share/snmp/mibs/SNMP-USM-HMAC-SHA2-MIB.txt
usr/share/snmp/mibs/SNMP-VIEW-BASED-ACM-MIB.txt
usr/share/snmp/mibs/SNMPv2-CONF.txt
usr/share/snmp/mibs/SNMPv2-MIB.txt
usr/share/snmp/mibs/UDP-MIB.txt
usr/share/snmp/snmp_perl.pl
usr/share/snmp/snmp_perl_trapd.pl
-usr/share/snmp/snmpconf-data
-usr/share/snmp/snmpconf-data/snmp-data
+#usr/share/snmp/snmpconf-data
+#usr/share/snmp/snmpconf-data/snmp-data
usr/share/snmp/snmpconf-data/snmp-data/authopts
usr/share/snmp/snmpconf-data/snmp-data/debugging
usr/share/snmp/snmpconf-data/snmp-data/mibs
usr/share/snmp/snmpconf-data/snmp-data/output
usr/share/snmp/snmpconf-data/snmp-data/snmpconf-config
-usr/share/snmp/snmpconf-data/snmpd-data
+#usr/share/snmp/snmpconf-data/snmpd-data
usr/share/snmp/snmpconf-data/snmpd-data/acl
usr/share/snmp/snmpconf-data/snmpd-data/basic_setup
usr/share/snmp/snmpconf-data/snmpd-data/extending
usr/share/snmp/snmpconf-data/snmpd-data/snmpconf-config
usr/share/snmp/snmpconf-data/snmpd-data/system
usr/share/snmp/snmpconf-data/snmpd-data/trapsinks
-usr/share/snmp/snmpconf-data/snmptrapd-data
+#usr/share/snmp/snmpconf-data/snmptrapd-data
usr/share/snmp/snmpconf-data/snmptrapd-data/authentication
usr/share/snmp/snmpconf-data/snmptrapd-data/formatting
usr/share/snmp/snmpconf-data/snmptrapd-data/logging
usr/share/snmp/snmpconf-data/snmptrapd-data/runtime
usr/share/snmp/snmpconf-data/snmptrapd-data/snmpconf-config
usr/share/snmp/snmpconf-data/snmptrapd-data/traphandle
-var/ipfire/backup/addons/includes/netsnmpd
-etc/rc.d/init.d/netsnmpd
+var/ipfire/backup/addons/includes/netsnmpd
\ No newline at end of file
usr/lib/postfix/postfix-script
usr/lib/postfix/postfix-tls-script
usr/lib/postfix/postfix-wrapper
+usr/lib/postfix/postlogd
usr/lib/postfix/postmulti-script
usr/lib/postfix/postscreen
usr/lib/postfix/proxymap
#usr/share/man/man8/oqmgr.8
#usr/share/man/man8/pickup.8
#usr/share/man/man8/pipe.8
+#usr/share/man/man8/postlogd.8
#usr/share/man/man8/postscreen.8
#usr/share/man/man8/proxymap.8
#usr/share/man/man8/qmgr.8
--- /dev/null
+etc/logrotate.d/zabbix_agentd
+etc/rc.d/init.d/zabbix_agentd
+etc/sudoers.d/zabbix.user
+etc/zabbix_agentd
+etc/zabbix_agentd/scripts
+etc/zabbix_agentd/zabbix_agentd.conf
+etc/zabbix_agentd/zabbix_agentd.d
+usr/bin/zabbix_get
+usr/bin/zabbix_sender
+usr/lib/modules
+usr/lib/zabbix
+usr/sbin/zabbix_agentd
+#usr/share/man/man1/zabbix_get.1
+#usr/share/man/man1/zabbix_sender.1
+#usr/share/man/man8/zabbix_agentd.8
+var/ipfire/backup/addons/includes/zabbix_agentd
+#var/log/zabbix
--- /dev/null
+/var/log/zabbix/zabbix_agentd.log {
+ monthly
+ rotate 12
+ compress
+ delaycompress
+ missingok
+ notifempty
+ create 0640 zabbix zabbix
+}
--- /dev/null
+# Include file for sudoers file
+#
+# This is needed for some userparameters to be able to execute commands that only run as root (using sudo)
+# e.g. /usr/bin/openssl or /usr/sbin/smartctl
+#
+# USE AT YOU'RE OWN RISK. USING THIS WRONG CAN RESULT IN A SECURITY BREACH!
+#
+# Some hints:
+# - It is strongly recommended to edit this file only using the visudo -f <filename> command. If you mess up this file,
+# you might end up locking yourself out of your system!
+# - Append the full path to each command, using "," as separator.
+# - Only add commands you really need. Zabbix should not have more rights than it has to.
+#
+# Uncomment the following two lines and edit the example of commands to fit your needs:
+#
+#Defaults:zabbix !requiretty
+#zabbix ALL=(ALL) NOPASSWD: <path to command1>, <path to command2>
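Review bot: The include file is named `zabbix.user`, and sudo's `#includedir` skips any file in `/etc/sudoers.d` whose name contains a `.` (or ends in `~`), so if IPFire's `/etc/sudoers` pulls the directory in that way this file stays silently ignored even after an admin uncomments the two rules; renaming it to something like `zabbix_user` (also in the backup include on L2 and the rootfile entry on L298) avoids that, and `visudo -c` on an installed system would confirm which behaviour applies. The example line `#zabbix ALL=(ALL) NOPASSWD: <path to command1>, <path to command2>` would benefit from a hint that each entry should be a purpose-built wrapper script with fixed arguments rather than a general-purpose binary such as the `/usr/bin/openssl` named above, since a NOPASSWD rule on such a binary hands the zabbix user the binary's full capability as root. The header typo `USE AT YOU'RE OWN RISK` should read `USE AT YOUR OWN RISK`.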
--- /dev/null
+# This is a configuration file for Zabbix agent daemon (Unix)
+# To get more information about Zabbix, visit http://www.zabbix.com
+
+############ GENERAL PARAMETERS #################
+
+### Option: PidFile
+# Name of PID file.
+#
+# Mandatory: no
+# Default:
+# PidFile=/tmp/zabbix_agentd.pid
+
+PidFile=/var/run/zabbix/zabbix_agentd.pid
+
+### Option: LogType
+# Specifies where log messages are written to:
+# system - syslog
+# file - file specified with LogFile parameter
+# console - standard output
+#
+# Mandatory: no
+# Default:
+# LogType=file
+
+### Option: LogFile
+# Log file name for LogType 'file' parameter.
+#
+# Mandatory: yes, if LogType is set to file, otherwise no
+# Default:
+# LogFile=
+
+LogFile=/var/log/zabbix/zabbix_agentd.log
+
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Mandatory: no
+# Range: 0-1024
+# Default:
+# LogFileSize=1
+
+LogFileSize=0
+
+### Option: DebugLevel
+# Specifies debug level:
+# 0 - basic information about starting and stopping of Zabbix processes
+# 1 - critical information
+# 2 - error information
+# 3 - warnings
+# 4 - for debugging (produces lots of information)
+# 5 - extended debugging (produces even more information)
+#
+# Mandatory: no
+# Range: 0-5
+# Default:
+# DebugLevel=3
+
+### Option: SourceIP
+# Source IP address for outgoing connections.
+#
+# Mandatory: no
+# Default:
+# SourceIP=
+
+### Option: EnableRemoteCommands
+# Whether remote commands from Zabbix server are allowed.
+# 0 - not allowed
+# 1 - allowed
+#
+# Mandatory: no
+# Default:
+# EnableRemoteCommands=0
+
+### Option: LogRemoteCommands
+# Enable logging of executed shell commands as warnings.
+# 0 - disabled
+# 1 - enabled
+#
+# Mandatory: no
+# Default:
+# LogRemoteCommands=0
+
+##### Passive checks related
+
+### Option: Server
+# List of comma delimited IP addresses, optionally in CIDR notation, or DNS names of Zabbix servers and Zabbix proxies.
+# Incoming connections will be accepted only from the hosts listed here.
+# If IPv6 support is enabled then '127.0.0.1', '::127.0.0.1', '::ffff:127.0.0.1' are treated equally
+# and '::/0' will allow any IPv4 or IPv6 address.
+# '0.0.0.0/0' can be used to allow any IPv4 address.
+# Example: Server=127.0.0.1,192.168.1.0/24,::1,2001:db8::/32,zabbix.example.com
+#
+# Mandatory: yes, if StartAgents is not explicitly set to 0
+# Default:
+# Server=
+
+Server=127.0.0.1
+
+### Option: ListenPort
+# Agent will listen on this port for connections from the server.
+#
+# Mandatory: no
+# Range: 1024-32767
+# Default:
+# ListenPort=10050
+
+### Option: ListenIP
+# List of comma delimited IP addresses that the agent should listen on.
+# First IP address is sent to Zabbix server if connecting to it to retrieve list of active checks.
+#
+# Mandatory: no
+# Default:
+# ListenIP=0.0.0.0
+
+### Option: StartAgents
+# Number of pre-forked instances of zabbix_agentd that process passive checks.
+# If set to 0, disables passive checks and the agent will not listen on any TCP port.
+#
+# Mandatory: no
+# Range: 0-100
+# Default:
+# StartAgents=3
+
+##### Active checks related
+
+### Option: ServerActive
+# List of comma delimited IP:port (or DNS name:port) pairs of Zabbix servers and Zabbix proxies for active checks.
+# If port is not specified, default port is used.
+# IPv6 addresses must be enclosed in square brackets if port for that host is specified.
+# If port is not specified, square brackets for IPv6 addresses are optional.
+# If this parameter is not specified, active checks are disabled.
+# Example: ServerActive=127.0.0.1:20051,zabbix.domain,[::1]:30051,::1,[12fc::1]
+#
+# Mandatory: no
+# Default:
+# ServerActive=
+
+ServerActive=127.0.0.1
+
+### Option: Hostname
+# Unique, case sensitive hostname.
+# Required for active checks and must match hostname as configured on the server.
+# Value is acquired from HostnameItem if undefined.
+#
+# Mandatory: no
+# Default:
+# Hostname=
+
+### Option: HostnameItem
+# Item used for generating Hostname if it is undefined. Ignored if Hostname is defined.
+# Does not support UserParameters or aliases.
+#
+# Mandatory: no
+# Default:
+# HostnameItem=system.hostname
+
+### Option: HostMetadata
+# Optional parameter that defines host metadata.
+# Host metadata is used at host auto-registration process.
+# An agent will issue an error and not start if the value is over limit of 255 characters.
+# If not defined, value will be acquired from HostMetadataItem.
+#
+# Mandatory: no
+# Range: 0-255 characters
+# Default:
+# HostMetadata=
+
+### Option: HostMetadataItem
+# Optional parameter that defines an item used for getting host metadata.
+# Host metadata is used at host auto-registration process.
+# During an auto-registration request an agent will log a warning message if
+# the value returned by specified item is over limit of 255 characters.
+# This option is only used when HostMetadata is not defined.
+#
+# Mandatory: no
+# Default:
+# HostMetadataItem=
+
+### Option: RefreshActiveChecks
+# How often list of active checks is refreshed, in seconds.
+#
+# Mandatory: no
+# Range: 60-3600
+# Default:
+# RefreshActiveChecks=120
+
+### Option: BufferSend
+# Do not keep data longer than N seconds in buffer.
+#
+# Mandatory: no
+# Range: 1-3600
+# Default:
+# BufferSend=5
+
+### Option: BufferSize
+# Maximum number of values in a memory buffer. The agent will send
+# all collected data to Zabbix Server or Proxy if the buffer is full.
+#
+# Mandatory: no
+# Range: 2-65535
+# Default:
+# BufferSize=100
+
+### Option: MaxLinesPerSecond
+# Maximum number of new lines the agent will send per second to Zabbix Server
+# or Proxy processing 'log' and 'logrt' active checks.
+# The provided value will be overridden by the parameter 'maxlines',
+# provided in 'log' or 'logrt' item keys.
+#
+# Mandatory: no
+# Range: 1-1000
+# Default:
+# MaxLinesPerSecond=20
+
+############ ADVANCED PARAMETERS #################
+
+### Option: Alias
+# Sets an alias for an item key. It can be used to substitute long and complex item key with a smaller and simpler one.
+# Multiple Alias parameters may be present. Multiple parameters with the same Alias key are not allowed.
+# Different Alias keys may reference the same item key.
+# For example, to retrieve the ID of user 'zabbix':
+# Alias=zabbix.userid:vfs.file.regexp[/etc/passwd,^zabbix:.:([0-9]+),,,,\1]
+# Now shorthand key zabbix.userid may be used to retrieve data.
+# Aliases can be used in HostMetadataItem but not in HostnameItem parameters.
+#
+# Mandatory: no
+# Range:
+# Default:
+
+### Option: Timeout
+# Spend no more than Timeout seconds on processing
+#
+# Mandatory: no
+# Range: 1-30
+# Default:
+# Timeout=3
+
+### Option: AllowRoot
+# Allow the agent to run as 'root'. If disabled and the agent is started by 'root', the agent
+# will try to switch to the user specified by the User configuration option instead.
+# Has no effect if started under a regular user.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Default:
+# AllowRoot=0
+
+### Option: User
+# Drop privileges to a specific, existing user on the system.
+# Only has effect if run as 'root' and AllowRoot is disabled.
+#
+# Mandatory: no
+# Default:
+# User=zabbix
+
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+# Installing Zabbix will create include directory in /usr/local/etc, unless modified during the compile time.
+#
+# Mandatory: no
+# Default:
+# Include=
+
+Include=/etc/zabbix_agentd/zabbix_agentd.d/*.conf
+
+
+####### USER-DEFINED MONITORED PARAMETERS #######
+
+### Option: UnsafeUserParameters
+# Allow all characters to be passed in arguments to user-defined parameters.
+# The following characters are not allowed:
+# \ ' " ` * ? [ ] { } ~ $ ! & ; ( ) < > | # @
+# Additionally, newline characters are not allowed.
+# 0 - do not allow
+# 1 - allow
+#
+# Mandatory: no
+# Range: 0-1
+# Default:
+# UnsafeUserParameters=0
+
+### Option: UserParameter
+# User-defined parameter to monitor. There can be several user-defined parameters.
+# Format: UserParameter=<key>,<shell command>
+# See 'zabbix_agentd' directory for examples.
+#
+# Mandatory: no
+# Default:
+# UserParameter=
+
+####### LOADABLE MODULES #######
+
+### Option: LoadModulePath
+# Full path to location of agent modules.
+# Default depends on compilation options.
+# To see the default path run command "zabbix_agentd --help".
+#
+# Mandatory: no
+# Default:
+# LoadModulePath=/usr/lib/modules
+
+LoadModulePath=/usr/lib/zabbix
+
+### Option: LoadModule
+# Module to load at agent startup. Modules are used to extend functionality of the agent.
+# Format: LoadModule=<module.so>
+# The modules must be located in directory specified by LoadModulePath.
+# It is allowed to include multiple LoadModule parameters.
+#
+# Mandatory: no
+# Default:
+# LoadModule=
+
+####### TLS-RELATED PARAMETERS #######
+
+### Option: TLSConnect
+# How the agent should connect to server or proxy. Used for active checks.
+# Only one value can be specified:
+# unencrypted - connect without encryption
+# psk - connect using TLS and a pre-shared key
+# cert - connect using TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSConnect=unencrypted
+
+### Option: TLSAccept
+# What incoming connections to accept.
+# Multiple values can be specified, separated by comma:
+# unencrypted - accept connections without encryption
+# psk - accept connections secured with TLS and a pre-shared key
+# cert - accept connections secured with TLS and a certificate
+#
+# Mandatory: yes, if TLS certificate or PSK parameters are defined (even for 'unencrypted' connection)
+# Default:
+# TLSAccept=unencrypted
+
+### Option: TLSCAFile
+# Full pathname of a file containing the top-level CA(s) certificates for
+# peer certificate verification.
+#
+# Mandatory: no
+# Default:
+# TLSCAFile=
+
+### Option: TLSCRLFile
+# Full pathname of a file containing revoked certificates.
+#
+# Mandatory: no
+# Default:
+# TLSCRLFile=
+
+### Option: TLSServerCertIssuer
+# Allowed server certificate issuer.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertIssuer=
+
+### Option: TLSServerCertSubject
+# Allowed server certificate subject.
+#
+# Mandatory: no
+# Default:
+# TLSServerCertSubject=
+
+### Option: TLSCertFile
+# Full pathname of a file containing the agent certificate or certificate chain.
+#
+# Mandatory: no
+# Default:
+# TLSCertFile=
+
+### Option: TLSKeyFile
+# Full pathname of a file containing the agent private key.
+#
+# Mandatory: no
+# Default:
+# TLSKeyFile=
+
+### Option: TLSPSKIdentity
+# Unique, case sensitive string used to identify the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKIdentity=
+
+### Option: TLSPSKFile
+# Full pathname of a file containing the pre-shared key.
+#
+# Mandatory: no
+# Default:
+# TLSPSKFile=
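Review bot: `Server=127.0.0.1` and `ServerActive=127.0.0.1` are placeholders, and because TLSAccept and TLSConnect keep their `unencrypted` defaults, as soon as an admin points them at a real server both the passive listener (bound to all interfaces via the `ListenIP=0.0.0.0` default) and the active-check uploads run in clear text; a comment above `Server=` such as `# When monitoring from a remote host, also set TLSAccept/TLSConnect to psk or cert and fill in the matching TLS* options below` would steer that correctly. `PidFile=/var/run/zabbix/zabbix_agentd.pid` requires `/var/run/zabbix` to exist at start, and that directory is not in the package rootfile (L299-312), so presumably the init script added on L297 creates it — worth confirming. The defaults that matter for exposure (`EnableRemoteCommands=0`, `UnsafeUserParameters=0`, `AllowRoot=0`, `User=zabbix`) are left untouched, which is the right choice.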
&General::log($Lang::tr{'fixed ip lease added'});
# Enter edit mode
- $dhcpsettings{'KEY2'} = $key;
+ $dhcpsettings{'KEY2'} = 0;
} else {
@current2[$dhcpsettings{'KEY2'}] = "$dhcpsettings{'FIX_MAC'},$dhcpsettings{'FIX_ADDR'},$dhcpsettings{'FIX_ENABLED'},$dhcpsettings{'FIX_NEXTADDR'},$dhcpsettings{'FIX_FILENAME'},$dhcpsettings{'FIX_ROOTPATH'},$dhcpsettings{'FIX_REMARK'}\n";
$dhcpsettings{'KEY2'} = ''; # End edit mode
&General::log($Lang::tr{'fixed ip lease modified'});
+
+ # sort newly added/modified entry
+ &sortcurrent2;
}
#Write changes to dhcpd.conf.
- &sortcurrent2; # sort newly added/modified entry
&buildconf; # before calling buildconf which use fixed lease file !
}
}
print FILE ", " . $dhcpsettings{"WINS2_${itf}"} if ($dhcpsettings{"WINS2_${itf}"});
print FILE ";\n" if ($dhcpsettings{"WINS1_${itf}"});
print FILE "\tnext-server " . $dhcpsettings{"NEXT_${itf}"} . ";\n" if ($dhcpsettings{"NEXT_${itf}"});
- print FILE "\tfilename \"" . $dhcpsettings{"FILE_${itf}"} . "\";\n" if ($dhcpsettings{"FILE_${itf}"});
+ print FILE "\tfilename \"" . &EscapeFilename($dhcpsettings{"FILE_${itf}"}) . "\";\n" if ($dhcpsettings{"FILE_${itf}"});
print FILE "\tdefault-lease-time " . ($dhcpsettings{"DEFAULT_LEASE_TIME_${itf}"} * 60). ";\n";
print FILE "\tmax-lease-time " . ($dhcpsettings{"MAX_LEASE_TIME_${itf}"} * 60) . ";\n";
print FILE "\tallow bootp;\n" if ($dhcpsettings{"ENABLEBOOTP_${itf}"} eq 'on');
print FILE "\thardware ethernet $temp[0];\n";
print FILE "\tfixed-address $temp[1];\n";
print FILE "\tnext-server $temp[3];\n" if ($temp[3]);
- print FILE "\tfilename \"$temp[4]\";\n" if ($temp[4]);
+ print FILE "\tfilename \"" . &EscapeFilename($temp[4]) . "\";\n" if ($temp[4]);
print FILE "\toption root-path \"$temp[5]\";\n" if ($temp[5]);
print FILE "}\n";
$key++;
close FILE;
if ( $dhcpsettings{"ENABLE_GREEN"} eq 'on' || $dhcpsettings{"ENABLE_BLUE"} eq 'on' ) {system '/usr/local/bin/dhcpctrl enable >/dev/null 2>&1';}
else {system '/usr/local/bin/dhcpctrl disable >/dev/null 2>&1';}
- system '/usr/local/bin/dhcpctrl restart >/dev/null 2>&1';
+ system '/usr/local/bin/dhcpctrl restart >/dev/null 2>&1 &';
}
#
}
return 0;
}
+
+sub EscapeFilename($) {
+ my $filename = shift;
+
+ # Replace all single / by \/
+ $filename =~ s/\//\\\//g;
+
+ return $filename;
+}
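Review bot: `EscapeFilename` only rewrites `/` to `\/`, but the value is emitted between literal double quotes on L758 and L766 (`print FILE "\tfilename \"" . &EscapeFilename(...) . "\";\n"`), so a filename containing `"` or `\` still terminates the quoted string and the remainder is parsed by dhcpd as configuration; unless the CGI's input validation (outside this hunk) already rejects those characters, the substitution should be `$filename =~ s/([\\\/"])/\\$1/g;` so all three are escaped in one pass. `$temp[5]` (the root-path on L767) is written with the same quoting and gets no escaping at all, so it presumably needs the same treatment. The `dhcpctrl restart ... &` change on L774 makes the restart fire-and-forget, so a failed restart is now invisible to the CGI; that trade-off deserves a comment on that line. The subroutine containing the first part of this hunk starts outside it.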
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2013-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
undef (@dummy);
my @bandwidth_limits = (
- 1000 * 1024, # 1G
+ 1000 * 1024, # 1 GBit/s
500 * 1024,
200 * 1024,
- 100 * 1024, # 100M
+ 100 * 1024, # 100 MBit/s
64 * 1024,
50 * 1024,
25 * 1024,
8 * 1024,
4 * 1024,
2 * 1024,
- 1024, # 1M
- 512,
- 256,
- 160
+ 1024 # 1 MBit/s
);
my @accounting_periods = ('daily', 'weekly', 'monthly');
# Cleanup environment from any variables
unexport BUILD_ARCH BUILD_PLATFORM BUILDTARGET CROSSTARGET TOOLCHAIN TOOLS_DIR
+PARALLELISM = $(shell echo $$( \
+ if [ -n "$(MAX_PARALLELISM)" ] && [ $(MAX_PARALLELISM) -lt $(DEFAULT_PARALLELISM) ]; then \
+ echo $(MAX_PARALLELISM); \
+ else \
+ echo $(DEFAULT_PARALLELISM); \
+ fi) \
+)
+
+MAKETUNING = -j$(PARALLELISM)
+
ifeq "$(BUILD_ARCH)" "aarch64"
IS_64BIT = 1
endif
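Review bot: `PARALLELISM` has no lower bound: the lfs files compute `MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512)))` (L838, L871), which evaluates to 0 whenever SYSTEM_MEMORY is below 512 (presumably MB), and since `0 -lt $(DEFAULT_PARALLELISM)` holds the selector yields `MAKETUNING = -j0`, which GNU make refuses because `-j` requires a positive integer, so the boost and gcc builds would abort on such hosts. Clamping in the selector fixes it, e.g. `if [ -n "$(MAX_PARALLELISM)" ] && [ $(MAX_PARALLELISM) -ge 1 ] && [ $(MAX_PARALLELISM) -lt $(DEFAULT_PARALLELISM) ]; then \`. `DEFAULT_PARALLELISM` and `SYSTEM_MEMORY` are defined outside this hunk, so their values and units are inferred.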
CFLAGS += -O3 -fno-strict-aliasing
CXXFLAGS += -O3 -fno-strict-aliasing
+# The compiler uses a lot of memory to compile boost, hence we reduce
+# the total number of processes a little bit to be able to build on
+# smaller machines
+MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512)))
+
CONFIGURE_OPTIONS = \
--prefix=/usr \
--layout=tagged \
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./bootstrap.sh --with-toolset=gcc
- cd $(DIR_APP) && ./b2 -d+2 -q $(CONFIGURE_OPTIONS) stage
+ cd $(DIR_APP) && ./b2 -d+2 -q $(MAKETUNING) $(CONFIGURE_OPTIONS) stage
cd $(DIR_APP) && ./b2 $(CONFIGURE_OPTIONS) install
@rm -rf $(DIR_APP)
--enable-{network,nfs,ntpd,ping,processes,rrdtool,sensors,swap,syslog} \
--enable-{tcpconns,unixsock,users,wireless} \
--with-librrd=/usr/share/rrdtool-1.2.30
- cd $(DIR_APP) && make install
+ cd $(DIR_APP) && make install #collectd-4 does not support parallel build
cp -vf $(DIR_SRC)/config/collectd/collectd.* /etc/
mv /etc/collectd.vpn /var/ipfire/ovpn/collectd.vpn
chown nobody.nobody /var/ipfire/ovpn/collectd.vpn
--enable-autocreate \
--enable-idled
- cd $(DIR_APP) && make $(EXTRA_MAKE)
+ cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP) && make install
-mkdir /var/imap
chown cyrus:mail /var/imap
--enable-early-chroot \
--disable-dhcpv6
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make #This package does not support parallel build
cd $(DIR_APP) && make install
mkdir -pv /var/state/dhcp
DEPS = ""
+MAX_PARALLELISM = $(shell echo $$(( $(SYSTEM_MEMORY) / 512)))
+
###############################################################################
# Top-level Rules
###############################################################################
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
#install initscripts
$(EXTRA_ENV) \
$(DIR_APP)/libstdc++-v3/configure \
$(EXTRA_CONFIG)
- cd $(DIR_SRC)/gcc-build && make $(EXTRA_MAKE)
+ cd $(DIR_SRC)/gcc-build && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_SRC)/gcc-build && make $(EXTRA_INSTALL) install
else
$(EXTRA_ENV) \
$(DIR_APP)/configure \
$(EXTRA_CONFIG)
- cd $(DIR_SRC)/gcc-build && make $(EXTRA_MAKE)
+ cd $(DIR_SRC)/gcc-build && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_SRC)/gcc-build && make $(EXTRA_INSTALL) install
endif
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
ifeq "$(ROOT)" ""
cd $(DIR_APP) && ./configure $(EXTRA_CONFIG)
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
else
cd $(DIR_APP)/gettext-tools && ./configure $(EXTRA_CONFIG)
- cd $(DIR_APP)/gettext-tools && make -C gnulib-lib
- cd $(DIR_APP)/gettext-tools && make -C intl pluralx.c
- cd $(DIR_APP)/gettext-tools && make -C src msgfmt
+ cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C gnulib-lib
+ cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C intl pluralx.c
+ cd $(DIR_APP)/gettext-tools && make $(MAKETUNING) -C src msgfmt
cd $(DIR_APP)/gettext-tools && cp -v src/msgfmt $(TOOLS_DIR)/bin
endif
@rm -rf $(DIR_APP)
cd $(DIR_APP) && PAGE=A4 ./configure \
--prefix=/usr
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make #This package does not support parallel build
cd $(DIR_APP) && make install
ln -svf eqn /usr/bin/geqn
ln -svf tbl /usr/bin/gtbl
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
@$(POSTBUILD)
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 2.6
+VER = 2.7
THISAPP = hostapd-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = hostapd
-PAK_VER = 43
+PAK_VER = 44
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eaa56dce9bd8f1d195eb62596eab34c7
+$(DL_FILE)_MD5 = 8d3799f3a3c247cff47d41503698721b
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
-
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd-2.3_increase_EAPOL-timeouts.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.6-noscan.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-increase_EAPOL-timeouts.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.7-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
TARGET = $(DIR_INFO)/$(THISAPP)
SLOGAN = An Open Source Firewall Solution
-DOWNLOAD_URL = http://downloads.ipfire.org/releases/ipfire-2.x/$(VERSION)-core$(CORE)/$(SNAME)-$(VERSION).$(BUILD_ARCH)-full-core$(CORE).iso
+DOWNLOAD_URL = https://downloads.ipfire.org/releases/ipfire-2.x/$(VERSION)-core$(CORE)/$(SNAME)-$(VERSION).$(BUILD_ARCH)-full-core$(CORE).iso
###############################################################################
# Top-level Rules
# Extract iPXE source
cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz
cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe
- cd $(DIR_APP) && make bin/ipxe.lkrn
+ cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn
ifeq "$(BUILD_ARCH)" "x86_64"
- cd $(DIR_APP) && make bin-x86_64-efi/ipxe.efi
+ cd $(DIR_APP) && make $(MAKETUNING) bin-x86_64-efi/ipxe.efi
endif
# Installation
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 1.6.2
+VER = 1.8.2
THISAPP = iptables-$(VER)
DL_FILE = $(THISAPP).tar.bz2
# Top-level Rules
###############################################################################
objects = $(DL_FILE) \
- netfilter-layer7-v2.22.tar.gz
+ netfilter-layer7-v2.23.tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-netfilter-layer7-v2.22.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.22.tar.gz
+netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.23.tar.gz
-$(DL_FILE)_MD5 = 7d2b7847e4aa8832a18437b8a4c1873d
-netfilter-layer7-v2.22.tar.gz_MD5 = 98dff8a3d5a31885b73341633f69501f
+$(DL_FILE)_MD5 = 944558e88ddcc3b9b0d9550070fa3599
+netfilter-layer7-v2.23.tar.gz_MD5 = 10910b6173d18e426cb56ae7e1300eeb
install : $(TARGET)
@cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
# Layer7
- cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.22.tar.gz
- cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
+ cd $(DIR_SRC) && tar zxf $(DIR_DL)/netfilter-layer7-v2.23.tar.gz
+ cd $(DIR_APP) && cp -vf $(DIR_SRC)/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* \
./extensions/
# imq
--libdir=/lib \
--includedir=/usr/include \
--enable-libipq \
+ --with-xtlibdir=/lib/xtables \
--libexecdir=/lib \
--bindir=/sbin \
--sbindir=/sbin \
--enable-dns-for-realm \
CPPFLAGS="-I/usr/include/et"
- cd $(DIR_APP) && make #$(MAKETUNING)
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
for LIB in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure --with-plugins=all,!qnaplog,!dbus --prefix=/usr
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
#install initscripts
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 481
+VER = 530
THISAPP = less-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 50ef46065c65257141a7340123527767
+$(DL_FILE)_MD5 = 6a39bccf420c946b0fd7ffc64961315b
install : $(TARGET)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
rm -rf /usr/netpbm
cp $(DIR_SRC)/config/netpbm/config.mk $(DIR_APP)
- cd $(DIR_APP) && make CFLAGS="$(CFLAGS)"
+ cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" #The build of this version cannot be parallelized
cd $(DIR_APP) && make package PKGDIR=/usr/netpbm
mkdir -pv /usr/include/netpbm
mkdir -pv /usr/share/netpbm
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 5.7.3
+VER = 5.8
THISAPP = net-snmp-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = netsnmpd
-PAK_VER = 7
+PAK_VER = 8
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d4a3459e1577d0efa8d96ca70a885e53
+$(DL_FILE)_MD5 = 63bfc65fbb86cdb616598df1aff6458a
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/net-snmp-5.7.3-openssl.patch
+
$(UPDATE_AUTOMAKE)
cd $(DIR_APP) && ./configure \
--prefix=/usr \
sctp-mib rmon-mib etherlike-mib ucd-snmp/lmsensorsMib"
--libdir=/usr/lib \
--sysconfdir="/etc"
- cd $(DIR_APP) && make
+
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
install -v -m 644 $(DIR_SRC)/config/netsnmpd/snmpd.conf /etc/snmpd.conf
install -v -m 644 $(DIR_SRC)/config/backup/includes/netsnmpd \
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc/nut \
--with-usb --with-user=root --with-group=nut \
--with-wrap=no --with-udev-dir=/etc/udev
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
# sed -i -e "s|ATTR{|SYSFS{|g" /etc/udev/rules.d/52-nut-usbups.rules
mkdir -p /var/state/ups
$(CFLAGS) $(LDFLAGS)
cd $(DIR_APP) && make depend
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
ifeq "$(KCFG)" "-sse2"
-mkdir -pv /usr/lib/sse2
TARGET = $(DIR_INFO)/$(THISAPP)-tools
endif
+# Perl does not build with -j larger than 23
+MAX_PARALLELISM = 23
+
###############################################################################
# Top-level Rules
###############################################################################
include Config
-VER = 3.3.2
+VER = 3.4.1
THISAPP = postfix-$(VER)
DL_FILE = $(THISAPP).tar.gz
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = postfix
-PAK_VER = 17
+PAK_VER = 18
DEPS = ""
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4e6ed7056576e0c54cfce6040a0bb0ad
+$(DL_FILE)_MD5 = d292bb49a1c79ff6d2eb9c5e88c51425
install : $(TARGET)
--disable-tcl \
--disable-ruby \
--disable-python
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
-mkdir -p /srv/web/ipfire/html/graphs/
chmod 777 /srv/web/ipfire/html/graphs/
--enable-cups \
--disable-avahi \
--with-syslog
- cd $(DIR_APP)/source3 && make idl_full
- cd $(DIR_APP)/source3 && make proto && make all $(MAKETUNING) $(EXTRA_MAKE)
+ cd $(DIR_APP)/source3 && make $(MAKETUNING) idl_full
+ cd $(DIR_APP)/source3 && make $(MAKETUNING) proto && make all $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP)/source3 && make install
cd $(DIR_APP)/source3 && chmod -v 644 /usr/include/libsmbclient.h
#cd $(DIR_APP)/source3 && install -v -m755 nsswitch/libnss_wins.so /lib
--enable-react \
--enable-flexresp3
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
mv /usr/bin/snort /usr/sbin/
-mkdir -p /etc/snort/rules
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
-PAK_VER = 33
+PAK_VER = 34
DEPS = ""
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
include Config
-VER = 2.6
+VER = 2.7
THISAPP = wpa_supplicant-$(VER)
DL_FILE = $(THISAPP).tar.gz
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 091569eb4440b7d7f2b4276dbfc03c3c
+$(DL_FILE)_MD5 = a68538fb62766f40f890125026c42c10
install : $(TARGET)
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- # Security Patches https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
- cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
-
cd $(DIR_APP)/wpa_supplicant && cp $(DIR_SRC)/config/wpa_supplicant/config ./.config
cd $(DIR_APP)/wpa_supplicant && sed -e "s/wpa_cli\ dynamic_eap_methods/wpa_cli\ #dynamic_eap_methods/" -i Makefile
cd $(DIR_APP)/wpa_supplicant && sed -e "s@/usr/local@/usr@g" -i Makefile
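Review bot: The eight rebased KRACK patches and the comment pointing at the w1.fi 2017-1 advisory are dropped here with nothing left in the recipe to say why, presumably because the fixes are part of the 2.7 release; anyone auditing this build against that advisory now has to re-derive that from upstream history. Keep a one-line breadcrumb where the patch block used to be, e.g. `# KRACK fixes (https://w1.fi/security/2017-1/) are carried upstream since 2.7`, so the next version bump does not reopen the question. The same comment would fit the hostapd recipe in this commit, which removes the identical patch list.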
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && make DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \
+ cd $(DIR_APP) && make $(MAKETUNING) DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \
LOCAL_CONFIGURE_OPTIONS="--enable-readline=yes"
cd $(DIR_APP) && make install install-dev
cd $(DIR_APP) && install -v -m755 -D libhandle/libhandle.la /usr/lib/libhandle.la
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2019 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 4.0.4
+
+THISAPP = zabbix-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+PROG = zabbix_agentd
+PAK_VER = 1
+DEPS = ""
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 46fdb83d4b24e13127a20a3e874b1d8f
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+dist:
+ @$(PAK)
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axvf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --enable-agent \
+ --sysconfdir=/etc/zabbix_agentd \
+ --with-openssl
+
+ cd $(DIR_APP) && make
+ cd $(DIR_APP) && make install
+
+ # Create config directory and create files
+ -rmdir /etc/zabbix_agentd/zabbix_agentd.conf.d
+ -mkdir -pv /etc/zabbix_agentd/zabbix_agentd.d
+ -mkdir -pv /etc/zabbix_agentd/scripts
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/zabbix_agentd.conf \
+ /etc/zabbix_agentd/zabbix_agentd.conf
+
+ # Create directory for additional agent modules
+ -mkdir -pv /usr/lib/zabbix
+
+ # Create directory for logging
+ -mkdir -pv /var/log/zabbix
+ chown zabbix.zabbix /var/log/zabbix
+
+ # Create directory for pid.
+ -mkdir -pv /var/run/zabbix
+ chown zabbix.zabbix /var/run/zabbix
+
+ # Install initscripts
+ $(call INSTALL_INITSCRIPT,zabbix_agentd)
+
+ # Install sudoers include file
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/sudoers \
+ /etc/sudoers.d/zabbix.user
+
+ # Install include file for backup
+ install -v -m 644 $(DIR_SRC)/config/backup/includes/zabbix_agentd \
+ /var/ipfire/backup/addons/includes/zabbix_agentd
+
+ # Install include file for Logrotate
+ -mkdir -pv /etc/logrotate.d
+ install -v -m 644 $(DIR_SRC)/config/zabbix_agentd/logrotate \
+ /etc/logrotate.d/zabbix_agentd
+
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
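Review bot: The sudoers drop-in installed near the end of the recipe is written world-readable (`-m 644`) and never syntax-checked, so any local user can read which commands the `zabbix` account may run with elevated rights, and a malformed file would break sudo for the whole system at package build time rather than being caught; the file's contents are not part of this diff, so what it actually grants cannot be reviewed here. Install it as `install -v -m 440 $(DIR_SRC)/config/zabbix_agentd/sudoers /etc/sudoers.d/zabbix.user` and precede that with `visudo -cf $(DIR_SRC)/config/zabbix_agentd/sudoers` so the build fails on a bad file. Less importantly, the plain `make` is the only build step in this commit that does not take `$(MAKETUNING)`, and the two `chown zabbix.zabbix` calls assume the account already exists in the build chroot, which this recipe does not arrange.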
CXXFLAGS="${CFLAGS}"
# Determine parallelism
- if [ -z "${MAKETUNING}" ]; then
- # We assume that each process consumes about
- # 192MB of memory. Therefore we find out how
- # many processes fit into memory.
- local mem_max=$(( ${HOST_MEM} / 192 ))
-
- local processors="$(system_processors)"
- local cpu_max=$(( ${processors} + 1 ))
-
- local parallelism
- if [ ${mem_max} -lt ${cpu_max} ]; then
- parallelism=${mem_max}
- else
- parallelism=${cpu_max}
- fi
-
- # limit to -j23 because perl will not build
- # more
- if [ ${parallelism} -gt 23 ]; then
- parallelism=23
- fi
-
- MAKETUNING="-j${parallelism}"
+ # We assume that each process consumes about
+ # 128MB of memory. Therefore we find out how
+ # many processes fit into memory.
+ local mem_max=$(( ${SYSTEM_MEMORY} / 128 ))
+ local cpu_max=$(( ${SYSTEM_PROCESSORS} + 1 ))
+
+ local parallelism
+ if [ ${mem_max} -lt ${cpu_max} ]; then
+ parallelism=${mem_max}
+ else
+ parallelism=${cpu_max}
fi
+ # Use this as default PARALLELISM
+ DEFAULT_PARALLELISM="${parallelism}"
+
# Compression parameters
# We use mode 8 for reasonable memory usage when decompressing
# but with overall good compression
# We need to limit memory because XZ uses too much when running
# in parallel and it isn't very smart in limiting itself.
# We allow XZ to use up to 70% of all system memory.
- local xz_memory=$(( HOST_MEM * 7 / 10 ))
+ local xz_memory=$(( SYSTEM_MEMORY * 7 / 10 ))
# XZ memory cannot be larger than 2GB on 32 bit systems
case "${build_arch}" in
# Setup environment
set +h
LC_ALL=POSIX
- export LFS LC_ALL CFLAGS CXXFLAGS MAKETUNING
+ export LFS LC_ALL CFLAGS CXXFLAGS DEFAULT_PARALLELISM
unset CC CXX CPP LD_LIBRARY_PATH LD_PRELOAD
# Make some extra directories
CCACHE_COMPILERCHECK="${CCACHE_COMPILERCHECK}" \
KVER="${KVER}" \
XZ_OPT="${XZ_OPT}" \
+ DEFAULT_PARALLELISM="${DEFAULT_PARALLELISM}" \
+ SYSTEM_PROCESSORS="${SYSTEM_PROCESSORS}" \
+ SYSTEM_MEMORY="${SYSTEM_MEMORY}" \
$(fake_environ) \
$(qemu_environ) \
"$@"
CCACHE_COMPILERCHECK="${CCACHE_COMPILERCHECK}" \
CFLAGS="${CFLAGS}" \
CXXFLAGS="${CXXFLAGS}" \
- MAKETUNING="${MAKETUNING}" \
+ DEFAULT_PARALLELISM="${DEFAULT_PARALLELISM}" \
+ SYSTEM_PROCESSORS="${SYSTEM_PROCESSORS}" \
+ SYSTEM_MEMORY="${SYSTEM_MEMORY}" \
make -f $* \
TOOLCHAIN=1 \
TOOLS_DIR="${TOOLS_DIR}" \
enterchroot \
${EXTRA_PATH}bash -x -c "cd /usr/src/lfs && \
- MAKETUNING=${MAKETUNING} \
make -f $* \
LFS_BASEDIR=/usr/src install" \
>> ${LOGFILE} 2>&1 &
unset TARGET_ARCH
fi
-# Get the amount of memory in this build system
-HOST_MEM=$(system_memory)
+# Get some information about the host system
+SYSTEM_PROCESSORS="$(system_processors)"
+SYSTEM_MEMORY="$(system_memory)"
if [ -n "${BUILD_ARCH}" ]; then
configure_build "${BUILD_ARCH}"
lfsmake2 libedit
lfsmake2 knot
lfsmake2 spectre-meltdown-checker
+ lfsmake2 zabbix_agentd
}
buildinstaller() {
--- /dev/null
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/zabbix_agentd
+#
+# Description : This script starts the Zabbix Agent as a daemon (zabbix_agentd)
+#
+# Authors : Alexander Koch (ipfire@starkstromkonsument.de)
+#
+# Version : 01.00
+#
+# Notes :
+#
+########################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+case "${1}" in
+ start)
+ if [ ! -d "/var/run/zabbix" ]; then
+ mkdir -p /var/run/zabbix
+ chown zabbix.zabbix /var/run/zabbix
+ fi
+
+ boot_mesg "Starting Zabbix Agent..."
+ loadproc /usr/sbin/zabbix_agentd -c /etc/zabbix_agentd/zabbix_agentd.conf
+ ;;
+
+ stop)
+ boot_mesg "Stopping Zabbix Agent..."
+ killproc /usr/sbin/zabbix_agentd
+ ;;
+
+ restart)
+ ${0} stop
+ sleep 1
+ ${0} start
+ ;;
+
+ status)
+ statusproc /usr/sbin/zabbix_agentd
+ ;;
+
+ *)
+ echo "Usage: ${0} {start|stop|restart|status}"
+ exit 1
+ ;;
+esac
+
+# End $rc_base/init.d/zabbix_agentd
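Review bot: In the `start` branch the `chown zabbix.zabbix /var/run/zabbix` after the `mkdir` fails silently if the `zabbix` account is missing (for example after a partial install), and the agent is then launched anyway with a root-owned run directory. Replace the two lines with `install -d -o zabbix -g zabbix -m 755 /var/run/zabbix || exit 1` so the failure is visible and the daemon is not started into an unexpected state. Whether the agent drops to the `zabbix` user after `loadproc` starts it as root depends on the installed zabbix_agentd.conf, which is not in this diff.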
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+
+if ! getent group zabbix &>/dev/null; then
+ groupadd -g 118 zabbix
+fi
+
+if ! getent passwd zabbix; then
+ useradd -u 118 -g zabbix -d /var/empty -s /bin/false zabbix
+fi
+
+extract_files
+
+# Create symlinks for runlevel interaction.
+ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc3.d/S65zabbix_agentd
+ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc0.d/K02zabbix_agentd
+ln -sf ../init.d/zabbix_agentd /etc/rc.d/rc6.d/K02zabbix_agentd
+
+# Create additonal directories and set permissions
+mkdir -pv /var/log/zabbix
+chown zabbix.zabbix /var/log/zabbix
+
+restore_backup ${NAME}
+start_service --background ${NAME}
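Review bot: The `if ! getent passwd zabbix; then` check has no output redirection, unlike the group check two lines above it, so the full passwd entry is echoed into the install log on every reinstall; make it `if ! getent passwd zabbix &>/dev/null; then`. The hard-coded `-g 118` / `-u 118` also has no failure handling: if either id is already taken on an upgraded system, `groupadd`/`useradd` fail, the later `chown zabbix.zabbix /var/log/zabbix` fails too, and `start_service` still launches the agent, so the `useradd` line should end in `|| exit 1`. Whether the agent then runs as root or refuses to start is decided by the packaged zabbix_agentd.conf, which is not visible in this diff.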
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+stop_service ${NAME}
+make_backup ${NAME}
+remove_files
+
+# Remove init-scripts and symlinks
+rm -rfv /etc/rc.d/rc*.d/*zabbix_agentd
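Review bot: The uninstall removes the rc symlinks but nothing here removes `/etc/sudoers.d/zabbix.user`, so unless `remove_files` covers it through the package's file list (not visible in this diff) a sudo rule for the `zabbix` account outlives the agent it was created for; the user and group are left behind as well. Add `rm -f /etc/sudoers.d/zabbix.user` explicitly after `remove_files`, and consider `userdel zabbix` and `groupdel zabbix` once `make_backup` has run, so a later reinstall with a different uid cannot inherit files owned by the stale id.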
--- /dev/null
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+./uninstall.sh
+./install.sh
+++ /dev/null
-diff -Naur hostapd-2.6.org/hostapd/config_file.c hostapd-2.6/hostapd/config_file.c
---- hostapd-2.6.org/hostapd/config_file.c 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/hostapd/config_file.c 2018-10-26 09:16:34.393456086 +0200
-@@ -2863,6 +2863,10 @@
- }
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211N
-+ } else if (os_strcmp(buf, "noscan") == 0) {
-+ conf->noscan = atoi(pos);
-+ } else if (os_strcmp(buf, "ht_coex") == 0) {
-+ conf->no_ht_coex = !atoi(pos);
- } else if (os_strcmp(buf, "ieee80211n") == 0) {
- conf->ieee80211n = atoi(pos);
- } else if (os_strcmp(buf, "ht_capab") == 0) {
-diff -Naur hostapd-2.6.org/src/ap/ap_config.h hostapd-2.6/src/ap/ap_config.h
---- hostapd-2.6.org/src/ap/ap_config.h 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/src/ap/ap_config.h 2018-10-26 09:16:34.393456086 +0200
-@@ -664,6 +664,8 @@
-
- int ht_op_mode_fixed;
- u16 ht_capab;
-+ int noscan;
-+ int no_ht_coex;
- int ieee80211n;
- int secondary_channel;
- int no_pri_sec_switch;
-diff -Naur hostapd-2.6.org/src/ap/hw_features.c hostapd-2.6/src/ap/hw_features.c
---- hostapd-2.6.org/src/ap/hw_features.c 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/src/ap/hw_features.c 2018-10-26 09:16:34.393456086 +0200
-@@ -474,7 +474,8 @@
- int ret;
-
- /* Check that HT40 is used and PRI / SEC switch is allowed */
-- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
-+ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
-+ iface->conf->noscan)
- return 0;
-
- hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
-diff -Naur hostapd-2.6.org/src/ap/ieee802_11_ht.c hostapd-2.6/src/ap/ieee802_11_ht.c
---- hostapd-2.6.org/src/ap/ieee802_11_ht.c 2016-10-02 20:51:11.000000000 +0200
-+++ hostapd-2.6/src/ap/ieee802_11_ht.c 2018-10-26 09:17:42.976793198 +0200
-@@ -244,6 +244,9 @@
- if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
- return;
-
-+ if (iface->conf->noscan || iface->conf->no_ht_coex)
-+ return;
-+
- if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie))
- return;
-
-@@ -368,6 +371,9 @@
- if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
- return;
-
-+ if (iface->conf->noscan || iface->conf->no_ht_coex)
-+ return;
-+
- wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR
- " in Association Request", MAC2STR(sta->addr));
-
-diff -Naur hostapd-2.3.org/src/ap/wpa_auth.c hostapd-2.3/src/ap/wpa_auth.c
---- hostapd-2.3.org/src/ap/wpa_auth.c 2014-10-09 16:41:31.000000000 +0200
-+++ hostapd-2.3/src/ap/wpa_auth.c 2015-04-07 16:32:10.671422975 +0200
-@@ -45,9 +45,9 @@
+diff U3 a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+--- a/src/ap/wpa_auth.c Sun Dec 2 20:34:59 2018
++++ b/src/ap/wpa_auth.c Mon Mar 4 15:47:26 2019
+@@ -63,9 +63,9 @@
+ struct wpa_group *group);
+ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
- static const u32 dot11RSNAConfigGroupUpdateCount = 4;
- static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
-static const u32 eapol_key_timeout_first = 100; /* ms */
-static const u32 eapol_key_timeout_subseq = 1000; /* ms */
-static const u32 eapol_key_timeout_first_group = 500; /* ms */
+static const u32 eapol_key_timeout_first = 300; /* ms */
+static const u32 eapol_key_timeout_subseq = 3000; /* ms */
+static const u32 eapol_key_timeout_first_group = 1500; /* ms */
+ static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
/* TODO: make these configurable */
- static const int dot11RSNAConfigPMKLifetime = 43200;
--- /dev/null
+diff U3 a/src/ap/ap_config.h b/src/ap/ap_config.h
+--- a/src/ap/ap_config.h Sun Dec 2 20:34:59 2018
++++ b/src/ap/ap_config.h Mon Mar 4 15:58:05 2019
+@@ -779,6 +779,8 @@
+
+ int ht_op_mode_fixed;
+ u16 ht_capab;
++ int noscan;
++ int no_ht_coex;
+ int ieee80211n;
+ int secondary_channel;
+ int no_pri_sec_switch;
+diff U3 a/hostapd/config_file.c b/hostapd/config_file.c
+--- a/hostapd/config_file.c Sun Dec 2 20:34:59 2018
++++ b/hostapd/config_file.c Mon Mar 4 15:56:51 2019
+@@ -3317,6 +3317,10 @@
+ }
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211N
++ } else if (os_strcmp(buf, "noscan") == 0) {
++ conf->noscan = atoi(pos);
++ } else if (os_strcmp(buf, "ht_coex") == 0) {
++ conf->no_ht_coex = !atoi(pos);
+ } else if (os_strcmp(buf, "ieee80211n") == 0) {
+ conf->ieee80211n = atoi(pos);
+ } else if (os_strcmp(buf, "ht_capab") == 0) {
+diff U3 a/src/ap/hw_features.c b/src/ap/hw_features.c
+--- a/src/ap/hw_features.c Sun Dec 2 20:34:59 2018
++++ b/src/ap/hw_features.c Mon Mar 4 15:59:08 2019
+@@ -480,7 +480,8 @@
+ int ret;
+
+ /* Check that HT40 is used and PRI / SEC switch is allowed */
+- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
++ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
++ iface->conf->noscan)
+ return 0;
+
+ hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
+diff U3 a/src/ap/ieee802_11_ht.c b/src/ap/ieee802_11_ht.c
+--- a/src/ap/ieee802_11_ht.c Sun Dec 2 20:34:59 2018
++++ b/src/ap/ieee802_11_ht.c Mon Mar 4 16:02:13 2019
+@@ -252,6 +252,9 @@
+ return;
+ }
+
++ if (iface->conf->noscan || iface->conf->no_ht_coex)
++ return;
++
+ if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) {
+ wpa_printf(MSG_DEBUG,
+ "Ignore too short 20/40 BSS Coexistence Management frame");
+@@ -410,6 +413,9 @@
+ void ht40_intolerant_add(struct hostapd_iface *iface, struct sta_info *sta)
+ {
+ if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
++ return;
++
++ if (iface->conf->noscan || iface->conf->no_ht_coex)
+ return;
+
+ wpa_printf(MSG_INFO, "HT: Forty MHz Intolerant is set by STA " MACSTR
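Review bot: The two early returns added in ieee802_11_ht.c make the AP drop 20/40 BSS Coexistence Management frames and ignore a station's Forty MHz Intolerant flag without any log line, so an operator who set `noscan=1` or `ht_coex=0` sees the AP stay on HT40 next to an intolerant neighbour with no trace of why; the existing code logs at MSG_INFO in exactly that situation, as the wpa_printf right after the new check in ht40_intolerant_add shows. Put `wpa_printf(MSG_DEBUG, "HT: ignoring 20/40 coex input (noscan/ht_coex disabled)");` in front of each new `return`. Since hostapd.conf gains no text for these options here, a short comment in the config_file.c hunk saying that both switch off coexistence behaviour the HT40 rules expect of an AP would also help the next reader.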
+++ /dev/null
-diff -urNp old/apps/snmpusm.c new/apps/snmpusm.c
---- old/apps/snmpusm.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/apps/snmpusm.c 2017-02-20 15:20:36.994022905 +0100
-@@ -190,7 +190,7 @@ get_USM_DH_key(netsnmp_variable_list *va
- oid *keyoid, size_t keyoid_len) {
- u_char *dhkeychange;
- DH *dh;
-- BIGNUM *other_pub;
-+ BIGNUM *p, *g, *pub_key, *other_pub;
- u_char *key;
- size_t key_len;
-
-@@ -205,25 +205,29 @@ get_USM_DH_key(netsnmp_variable_list *va
- dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
- }
-
-- if (!dh || !dh->g || !dh->p) {
-+ if (dh)
-+ DH_get0_pqg(dh, &p, NULL, &g);
-+
-+ if (!dh || !g || !p) {
- SNMP_FREE(dhkeychange);
- return SNMPERR_GENERR;
- }
-
-- DH_generate_key(dh);
-- if (!dh->pub_key) {
-+ if (!DH_generate_key(dh)) {
- SNMP_FREE(dhkeychange);
- return SNMPERR_GENERR;
- }
-
-- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
-+ DH_get0_key(dh, &pub_key, NULL);
-+
-+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
- SNMP_FREE(dhkeychange);
- fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
-- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
-+ (unsigned long)vars->val_len, BN_num_bytes(pub_key));
- return SNMPERR_GENERR;
- }
-
-- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
-+ BN_bn2bin(pub_key, dhkeychange + vars->val_len);
-
- key_len = DH_size(dh);
- if (!key_len) {
-diff -urNp old/configure new/configure
---- old/configure 2017-02-20 10:08:16.440396223 +0100
-+++ new/configure 2017-02-20 10:57:15.749734281 +0100
-@@ -23176,9 +23176,9 @@ $as_echo "#define HAVE_AES_CFB128_ENCRYP
- fi
-
-
-- as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_create" | $as_tr_sh`
--{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_create in -l${CRYPTO}" >&5
--$as_echo_n "checking for EVP_MD_CTX_create in -l${CRYPTO}... " >&6; }
-+ as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_new" | $as_tr_sh`
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_new in -l${CRYPTO}" >&5
-+$as_echo_n "checking for EVP_MD_CTX_new in -l${CRYPTO}... " >&6; }
- if eval \${$as_ac_Lib+:} false; then :
- $as_echo_n "(cached) " >&6
- else
-@@ -23193,11 +23193,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_
- #ifdef __cplusplus
- extern "C"
- #endif
--char EVP_MD_CTX_create ();
-+char EVP_MD_CTX_new ();
- int
- main ()
- {
--return EVP_MD_CTX_create ();
-+return EVP_MD_CTX_new ();
- ;
- return 0;
- }
-@@ -23216,10 +23216,10 @@ eval ac_res=\$$as_ac_Lib
- $as_echo "$ac_res" >&6; }
- if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
-
--$as_echo "#define HAVE_EVP_MD_CTX_CREATE /**/" >>confdefs.h
-+$as_echo "#define HAVE_EVP_MD_CTX_NEW /**/" >>confdefs.h
-
-
--$as_echo "#define HAVE_EVP_MD_CTX_DESTROY /**/" >>confdefs.h
-+$as_echo "#define HAVE_EVP_MD_CTX_FREE /**/" >>confdefs.h
-
- fi
-
-@@ -23293,7 +23293,7 @@ char SSL_library_init ();
- int
- main ()
- {
--return SSL_library_init ();
-+return OPENSSL_init_ssl(0, NULL);
- ;
- return 0;
- }
-diff -urNp old/configure.d/config_os_libs2 new/configure.d/config_os_libs2
---- old/configure.d/config_os_libs2 2014-12-08 21:23:22.000000000 +0100
-+++ new/configure.d/config_os_libs2 2017-02-20 10:56:21.041616611 +0100
-@@ -292,11 +292,11 @@ if test "x$tryopenssl" != "xno" -a "x$tr
- AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
- [Define to 1 if you have the `AES_cfb128_encrypt' function.]))
-
-- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
-- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
-- [Define to 1 if you have the `EVP_MD_CTX_create' function.])
-- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
-- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
-+ AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_new,
-+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [],
-+ [Define to 1 if you have the `EVP_MD_CTX_new' function.])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [],
-+ [Define to 1 if you have the `EVP_MD_CTX_free' function.]))
- fi
- if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
- AC_CHECK_LIB(ssl, DTLSv1_method,
-@@ -307,7 +307,7 @@ if test "x$tryopenssl" != "xno" -a "x$tr
- TLSPROG=yes
- fi
- if echo " $transport_result_list " | $GREP "TLS" > /dev/null; then
-- AC_CHECK_LIB(ssl, SSL_library_init,
-+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl,
- AC_DEFINE(HAVE_LIBSSL, 1,
- [Define to 1 if you have the `ssl' library (-lssl).])
- LIBCRYPTO=" -lssl $LIBCRYPTO",
-diff -urNp old/include/net-snmp/net-snmp-config.h.in new/include/net-snmp/net-snmp-config.h.in
---- old/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:08:16.443522417 +0100
-+++ new/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:24:05.790584283 +0100
-@@ -149,11 +149,11 @@
- /* Define to 1 if you have the `eval_pv' function. */
- #undef HAVE_EVAL_PV
-
--/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
--#undef HAVE_EVP_MD_CTX_CREATE
-+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-+#undef HAVE_EVP_MD_CTX_NEW
-
--/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
--#undef HAVE_EVP_MD_CTX_DESTROY
-+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-+#undef HAVE_EVP_MD_CTX_FREE
-
- /* Define if you have EVP_sha224/256 in openssl */
- #undef HAVE_EVP_SHA224
-diff -urNp old/snmplib/keytools.c new/snmplib/keytools.c
---- old/snmplib/keytools.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/snmplib/keytools.c 2017-02-20 10:30:27.412068264 +0100
-@@ -149,8 +149,8 @@ generate_Ku(const oid * hashtype, u_int
- */
- #ifdef NETSNMP_USE_OPENSSL
-
--#ifdef HAVE_EVP_MD_CTX_CREATE
-- ctx = EVP_MD_CTX_create();
-+#ifdef HAVE_EVP_MD_CTX_NEW
-+ ctx = EVP_MD_CTX_new();
- #else
- ctx = malloc(sizeof(*ctx));
- if (!EVP_MD_CTX_init(ctx))
-@@ -259,8 +259,8 @@ generate_Ku(const oid * hashtype, u_int
- memset(buf, 0, sizeof(buf));
- #ifdef NETSNMP_USE_OPENSSL
- if (ctx) {
--#ifdef HAVE_EVP_MD_CTX_DESTROY
-- EVP_MD_CTX_destroy(ctx);
-+#ifdef HAVE_EVP_MD_CTX_FREE
-+ EVP_MD_CTX_free(ctx);
- #else
- EVP_MD_CTX_cleanup(ctx);
- free(ctx);
-diff -urNp old/snmplib/scapi.c new/snmplib/scapi.c
---- old/snmplib/scapi.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/snmplib/scapi.c 2017-02-20 10:27:34.152379515 +0100
-@@ -486,14 +486,14 @@ sc_hash(const oid * hashtype, size_t has
- }
-
- /** initialize the pointer */
--#ifdef HAVE_EVP_MD_CTX_CREATE
-- cptr = EVP_MD_CTX_create();
-+#ifdef HAVE_EVP_MD_CTX_NEW
-+ cptr = EVP_MD_CTX_new();
- #else
- cptr = malloc(sizeof(*cptr));
- #if defined(OLD_DES)
- memset(cptr, 0, sizeof(*cptr));
- #else
-- EVP_MD_CTX_init(cptr);
-+ EVP_MD_CTX_init(&cptr);
- #endif
- #endif
- if (!EVP_DigestInit(cptr, hashfn)) {
-@@ -507,11 +507,11 @@ sc_hash(const oid * hashtype, size_t has
- /** do the final pass */
- EVP_DigestFinal(cptr, MAC, &tmp_len);
- *MAC_len = tmp_len;
--#ifdef HAVE_EVP_MD_CTX_DESTROY
-- EVP_MD_CTX_destroy(cptr);
-+#ifdef HAVE_EVP_MD_CTX_FREE
-+ EVP_MD_CTX_free(cptr);
- #else
- #if !defined(OLD_DES)
-- EVP_MD_CTX_cleanup(cptr);
-+ EVP_MD_CTX_cleanup(&cptr);
- #endif
- free(cptr);
- #endif
-diff -urNp old/snmplib/snmp_openssl.c new/snmplib/snmp_openssl.c
---- old/snmplib/snmp_openssl.c 2014-12-08 21:23:22.000000000 +0100
-+++ new/snmplib/snmp_openssl.c 2017-02-20 12:46:00.059727928 +0100
-@@ -47,7 +47,7 @@ void netsnmp_init_openssl(void) {
- DEBUGMSGTL(("snmp_openssl", "initializing\n"));
-
- /* Initializing OpenSSL */
-- SSL_library_init();
-+ OPENSSL_init_ssl(0, NULL);
- SSL_load_error_strings();
- ERR_load_BIO_strings();
- OpenSSL_add_all_algorithms();
-@@ -164,11 +164,11 @@ netsnmp_openssl_cert_dump_names(X509 *oc
- oname_entry = X509_NAME_get_entry(osubj_name, i);
- netsnmp_assert(NULL != oname_entry);
-
-- if (oname_entry->value->type != V_ASN1_PRINTABLESTRING)
-+ if (X509_NAME_ENTRY_get_data(oname_entry)->type != V_ASN1_PRINTABLESTRING)
- continue;
-
- /** get NID */
-- onid = OBJ_obj2nid(oname_entry->object);
-+ onid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(oname_entry));
- if (onid == NID_undef) {
- prefix_long = prefix_short = "UNKNOWN";
- }
-@@ -179,9 +179,9 @@ netsnmp_openssl_cert_dump_names(X509 *oc
-
- DEBUGMSGT(("9:cert:dump:names",
- "[%02d] NID type %d, ASN type %d\n", i, onid,
-- oname_entry->value->type));
-+ X509_NAME_ENTRY_get_data(oname_entry)->type));
- DEBUGMSGT(("9:cert:dump:names", "%s/%s: '%s'\n", prefix_long,
-- prefix_short, ASN1_STRING_data(oname_entry->value)));
-+ prefix_short, ASN1_STRING_data(X509_NAME_ENTRY_get_data(oname_entry))));
- }
- }
- #endif /* NETSNMP_FEATURE_REMOVE_CERT_DUMP_NAMES */
-@@ -470,7 +470,7 @@ netsnmp_openssl_cert_get_hash_type(X509
- if (NULL == ocert)
- return 0;
-
-- return _nid2ht(OBJ_obj2nid(ocert->sig_alg->algorithm));
-+ return _nid2ht(X509_get_signature_nid(ocert));
- }
-
- /**
-@@ -487,7 +487,7 @@ netsnmp_openssl_cert_get_fingerprint(X50
- if (NULL == ocert)
- return NULL;
-
-- nid = OBJ_obj2nid(ocert->sig_alg->algorithm);
-+ nid = X509_get_signature_nid(ocert);
- DEBUGMSGT(("9:openssl:fingerprint", "alg %d, cert nid %d (%d)\n", alg, nid,
- _nid2ht(nid)));
-
-diff -urNp old/win32/net-snmp/net-snmp-config.h new/win32/net-snmp/net-snmp-config.h
---- old/win32/net-snmp/net-snmp-config.h 2014-12-08 21:23:22.000000000 +0100
-+++ new/win32/net-snmp/net-snmp-config.h 2017-02-20 10:23:20.796778512 +0100
-@@ -1366,11 +1366,11 @@
- /* Define to 1 if you have the <openssl/aes.h> header file. */
- #define HAVE_OPENSSL_AES_H 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
--#define HAVE_EVP_MD_CTX_CREATE 1
-+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-+#define HAVE_EVP_MD_CTX_NEW 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
--#define HAVE_EVP_MD_CTX_DESTROY 1
-+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-+#define HAVE_EVP_MD_CTX_FREE 1
-
- /* Define to 1 if you have the `AES_cfb128_encrypt' function. */
- #define HAVE_AES_CFB128_ENCRYPT 1
-diff -urNp old/win32/net-snmp/net-snmp-config.h.in new/win32/net-snmp/net-snmp-config.h.in
---- old/win32/net-snmp/net-snmp-config.h.in 2014-12-08 21:23:22.000000000 +0100
-+++ new/win32/net-snmp/net-snmp-config.h.in 2017-02-20 10:22:51.348367754 +0100
-@@ -1366,11 +1366,11 @@
- /* Define to 1 if you have the <openssl/aes.h> header file. */
- #define HAVE_OPENSSL_AES_H 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
--#define HAVE_EVP_MD_CTX_CREATE 1
-+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
-+#define HAVE_EVP_MD_CTX_NEW 1
-
--/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
--#define HAVE_EVP_MD_CTX_DESTROY 1
-+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
-+#define HAVE_EVP_MD_CTX_FREE 1
-
- /* Define to 1 if you have the `AES_cfb128_encrypt' function. */
- #define HAVE_AES_CFB128_ENCRYPT 1
+++ /dev/null
-From 3692833a62280a0270e4e1ba30f9acf5a8c8f808 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 14 Jul 2017 15:15:35 +0200
-Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
-
-Do not reinstall TK to the driver during Reassociation Response frame
-processing if the first attempt of setting the TK succeeded. This avoids
-issues related to clearing the TX/RX PN that could result in reusing
-same PN values for transmitted frames (e.g., due to CCM nonce reuse and
-also hitting replay protection on the receiver) and accepting replayed
-frames on RX side.
-
-This issue was introduced by the commit
-0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
-authenticator') which allowed wpa_ft_install_ptk() to be called multiple
-times with the same PTK. While the second configuration attempt is
-needed with some drivers, it must be done only if the first attempt
-failed.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/ap/ieee802_11.c | 16 +++++++++++++---
- src/ap/wpa_auth.c | 11 +++++++++++
- src/ap/wpa_auth.h | 3 ++-
- src/ap/wpa_auth_ft.c | 10 ++++++++++
- src/ap/wpa_auth_i.h | 1 +
- 5 files changed, 37 insertions(+), 4 deletions(-)
-
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index 5163139..174af8b 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -2552,6 +2552,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
- {
- struct ieee80211_ht_capabilities ht_cap;
- struct ieee80211_vht_capabilities vht_cap;
-+ int set = 1;
-
- /*
- * Remove the STA entry to ensure the STA PS state gets cleared and
-@@ -2559,9 +2560,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
- * FT-over-the-DS, where a station re-associates back to the same AP but
- * skips the authentication flow, or if working with a driver that
- * does not support full AP client state.
-+ *
-+ * Skip this if the STA has already completed FT reassociation and the
-+ * TK has been configured since the TX/RX PN must not be reset to 0 for
-+ * the same key.
- */
-- if (!sta->added_unassoc)
-+ if (!sta->added_unassoc &&
-+ (!(sta->flags & WLAN_STA_AUTHORIZED) ||
-+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
-+ set = 0;
-+ }
-
- #ifdef CONFIG_IEEE80211N
- if (sta->flags & WLAN_STA_HT)
-@@ -2584,11 +2594,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
- sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
- sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
- sta->vht_opmode, sta->p2p_ie ? 1 : 0,
-- sta->added_unassoc)) {
-+ set)) {
- hostapd_logger(hapd, sta->addr,
- HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
- "Could not %s STA to kernel driver",
-- sta->added_unassoc ? "set" : "add");
-+ set ? "set" : "add");
-
- if (sta->added_unassoc) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index aca687c..42ef0bf 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1785,6 +1785,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
- #else /* CONFIG_FILS */
- break;
- #endif /* CONFIG_FILS */
-+ case WPA_DRV_STA_REMOVED:
-+ sm->tk_already_set = FALSE;
-+ return 0;
- }
-
- #ifdef CONFIG_IEEE80211R_AP
-@@ -3939,6 +3942,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
- }
-
-
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
-+{
-+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
-+ return 0;
-+ return sm->tk_already_set;
-+}
-+
-+
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry)
- {
-diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
-index 5e8a4cc..f92f8b6 100644
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -300,7 +300,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
- u8 *data, size_t data_len);
- enum wpa_event {
- WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
-- WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS
-+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS, WPA_DRV_STA_REMOVED
- };
- void wpa_remove_ptk(struct wpa_state_machine *sm);
- int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
-@@ -313,6 +313,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
- int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
- int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
- int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry);
- struct rsn_pmksa_cache_entry *
-diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
-index dd99db7..2120cfd 100644
---- a/src/ap/wpa_auth_ft.c
-+++ b/src/ap/wpa_auth_ft.c
-@@ -1937,6 +1937,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
- return;
- }
-
-+ if (sm->tk_already_set) {
-+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX
-+ * PN in the driver */
-+ wpa_printf(MSG_DEBUG,
-+ "FT: Do not re-install same PTK to the driver");
-+ return;
-+ }
-+
- /* FIX: add STA entry to kernel/driver here? The set_key will fail
- * most likely without this.. At the moment, STA entry is added only
- * after association has been completed. This function will be called
-@@ -1949,6 +1957,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
-
- /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
- sm->pairwise_set = TRUE;
-+ sm->tk_already_set = TRUE;
- }
-
-
-@@ -2152,6 +2161,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
-
- sm->pairwise = pairwise;
- sm->PTK_valid = TRUE;
-+ sm->tk_already_set = FALSE;
- wpa_ft_install_ptk(sm);
-
- buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
-diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
-index 23d2af3..b779af7 100644
---- a/src/ap/wpa_auth_i.h
-+++ b/src/ap/wpa_auth_i.h
-@@ -61,6 +61,7 @@ struct wpa_state_machine {
- struct wpa_ptk PTK;
- Boolean PTK_valid;
- Boolean pairwise_set;
-+ Boolean tk_already_set;
- int keycount;
- Boolean Pair;
- struct wpa_key_replay_counter {
---
-2.7.4
-
+++ /dev/null
-From cf62cadcadc68377d72e2238a0f06b21c0777f90 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Wed, 12 Jul 2017 16:03:24 +0200
-Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
-
-Track the current GTK and IGTK that is in use and when receiving a
-(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
-not install the given key if it is already in use. This prevents an
-attacker from trying to trick the client into resetting or lowering the
-sequence counter associated to the group key.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 11 +++++
- src/rsn_supp/wpa.c | 118 ++++++++++++++++++++++++++++++------------------
- src/rsn_supp/wpa_i.h | 4 ++
- 3 files changed, 88 insertions(+), 45 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index cc8edf8..0872b12 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -221,6 +221,17 @@ struct wpa_ptk {
- size_t tk_len;
- };
-
-+struct wpa_gtk {
-+ u8 gtk[WPA_GTK_MAX_LEN];
-+ size_t gtk_len;
-+};
-+
-+#ifdef CONFIG_IEEE80211W
-+struct wpa_igtk {
-+ u8 igtk[WPA_IGTK_MAX_LEN];
-+ size_t igtk_len;
-+};
-+#endif /* CONFIG_IEEE80211W */
-
- /* WPA IE version 1
- * 00-50-f2:1 (OUI:OUI type)
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 739689d..5e5fb2a 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -800,6 +800,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
-+ /* Detect possible key reinstallation */
-+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
-+ gd->keyidx, gd->tx, gd->gtk_len);
-+ return 0;
-+ }
-+
- wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
-@@ -834,6 +843,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+
- return 0;
- }
-
-@@ -940,6 +952,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- }
-
-
-+#ifdef CONFIG_IEEE80211W
-+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-+ const struct wpa_igtk_kde *igtk)
-+{
-+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
-+ u16 keyidx = WPA_GET_LE16(igtk->keyid);
-+
-+ /* Detect possible key reinstallation */
-+ if (sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
-+ keyidx);
-+ return 0;
-+ }
-+
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
-+ keyidx, MAC2STR(igtk->pn));
-+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
-+ if (keyidx > 4095) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Invalid IGTK KeyID %d", keyidx);
-+ return -1;
-+ }
-+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-+ broadcast_ether_addr,
-+ keyidx, 0, igtk->pn, sizeof(igtk->pn),
-+ igtk->igtk, len) < 0) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Failed to configure IGTK to the driver");
-+ return -1;
-+ }
-+
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+
-+ return 0;
-+}
-+#endif /* CONFIG_IEEE80211W */
-+
-+
- static int ieee80211w_set_keys(struct wpa_sm *sm,
- struct wpa_eapol_ie_parse *ie)
- {
-@@ -950,30 +1004,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- if (ie->igtk) {
- size_t len;
- const struct wpa_igtk_kde *igtk;
-- u16 keyidx;
-+
- len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
- return -1;
-+
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- keyidx = WPA_GET_LE16(igtk->keyid);
-- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
-- "pn %02x%02x%02x%02x%02x%02x",
-- keyidx, MAC2STR(igtk->pn));
-- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
-- igtk->igtk, len);
-- if (keyidx > 4095) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Invalid IGTK KeyID %d", keyidx);
-- return -1;
-- }
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igtk->pn, sizeof(igtk->pn),
-- igtk->igtk, len) < 0) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Failed to configure IGTK to the driver");
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
- }
-
- return 0;
-@@ -2491,7 +2529,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
- */
- void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- {
-- int clear_ptk = 1;
-+ int clear_keys = 1;
-
- if (sm == NULL)
- return;
-@@ -2517,7 +2555,7 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- /* Prepare for the next transition */
- wpa_ft_prepare_auth_request(sm, NULL);
-
-- clear_ptk = 0;
-+ clear_keys = 0;
- }
- #endif /* CONFIG_IEEE80211R */
- #ifdef CONFIG_FILS
-@@ -2527,11 +2565,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- * AUTHENTICATED state to get the EAPOL port Authorized.
- */
- wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
-- clear_ptk = 0;
-+ clear_keys = 0;
- }
- #endif /* CONFIG_FILS */
-
-- if (clear_ptk) {
-+ if (clear_keys) {
- /*
- * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
- * this is not part of a Fast BSS Transition.
-@@ -2541,6 +2579,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- }
-
- #ifdef CONFIG_TDLS
-@@ -3117,6 +3159,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(sm->pmk, 0, sizeof(sm->pmk));
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
- os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
-@@ -3189,29 +3235,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- os_memset(&gd, 0, sizeof(gd));
- #ifdef CONFIG_IEEE80211W
- } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
-- struct wpa_igtk_kde igd;
-- u16 keyidx;
--
-- os_memset(&igd, 0, sizeof(igd));
-- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
-- os_memcpy(igd.keyid, buf + 2, 2);
-- os_memcpy(igd.pn, buf + 4, 6);
--
-- keyidx = WPA_GET_LE16(igd.keyid);
-- os_memcpy(igd.igtk, buf + 10, keylen);
--
-- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
-- igd.igtk, keylen);
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igd.pn, sizeof(igd.pn),
-- igd.igtk, keylen) < 0) {
-- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
-- "WNM mode");
-- os_memset(&igd, 0, sizeof(igd));
-+ const struct wpa_igtk_kde *igtk;
-+
-+ igtk = (const struct wpa_igtk_kde *) (buf + 2);
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
-- os_memset(&igd, 0, sizeof(igd));
- #endif /* CONFIG_IEEE80211W */
- } else {
- wpa_printf(MSG_DEBUG, "Unknown element id");
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 82e1941..2827ed6 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -31,6 +31,10 @@ struct wpa_sm {
- u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
-+ struct wpa_gtk gtk;
-+#ifdef CONFIG_IEEE80211W
-+ struct wpa_igtk igtk;
-+#endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
-
---
-2.7.4
-
+++ /dev/null
-From a0d426a662997b87095c87edc1d2bdc6e1c8fd11 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:12:24 +0300
-Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
- Mode cases
-
-This extends the protection to track last configured GTK/IGTK value
-separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
-corner case where these two different mechanisms may get used when the
-GTK/IGTK has changed and tracking a single value is not sufficient to
-detect a possible key reconfiguration.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 55 +++++++++++++++++++++++++++++++++++++---------------
- src/rsn_supp/wpa_i.h | 2 ++
- 2 files changed, 41 insertions(+), 16 deletions(-)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 5e5fb2a..3c8871d 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -795,14 +795,17 @@ struct wpa_gtk_data {
-
- static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const struct wpa_gtk_data *gd,
-- const u8 *key_rsc)
-+ const u8 *key_rsc, int wnm_sleep)
- {
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
- /* Detect possible key reinstallation */
-- if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
-+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
- gd->keyidx, gd->tx, gd->gtk_len);
-@@ -843,8 +846,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-- sm->gtk.gtk_len = gd->gtk_len;
-- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ if (wnm_sleep) {
-+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len);
-+ } else {
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ }
-
- return 0;
- }
-@@ -938,7 +947,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
- gtk_len, gtk_len,
- &gd.key_rsc_len, &gd.alg) ||
-- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
-+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "RSN: Failed to install GTK");
- os_memset(&gd, 0, sizeof(gd));
-@@ -954,14 +963,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
-
- #ifdef CONFIG_IEEE80211W
- static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-- const struct wpa_igtk_kde *igtk)
-+ const struct wpa_igtk_kde *igtk,
-+ int wnm_sleep)
- {
- size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- u16 keyidx = WPA_GET_LE16(igtk->keyid);
-
- /* Detect possible key reinstallation */
-- if (sm->igtk.igtk_len == len &&
-- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ if ((sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
-+ (sm->igtk_wnm_sleep.igtk_len == len &&
-+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
- keyidx);
-@@ -986,8 +999,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
- return -1;
- }
-
-- sm->igtk.igtk_len = len;
-- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ if (wnm_sleep) {
-+ sm->igtk_wnm_sleep.igtk_len = len;
-+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len);
-+ } else {
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ }
-
- return 0;
- }
-@@ -1010,7 +1029,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- return -1;
-
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
- return -1;
- }
-
-@@ -1659,7 +1678,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
- if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
- key_rsc = null_rsc;
-
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
- wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
- goto failed;
- os_memset(&gd, 0, sizeof(gd));
-@@ -2580,8 +2599,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- }
-
-@@ -3160,8 +3181,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
-@@ -3226,7 +3249,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
-
- wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
- gd.gtk, gd.gtk_len);
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
- os_memset(&gd, 0, sizeof(gd));
- wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
- "WNM mode");
-@@ -3238,7 +3261,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- const struct wpa_igtk_kde *igtk;
-
- igtk = (const struct wpa_igtk_kde *) (buf + 2);
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
- return -1;
- #endif /* CONFIG_IEEE80211W */
- } else {
-@@ -4132,7 +4155,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
- os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
-
- wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
-- if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) {
-+ if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
- wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
- goto fail;
- }
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 2827ed6..156e6cb 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -32,8 +32,10 @@ struct wpa_sm {
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
- struct wpa_gtk gtk;
-+ struct wpa_gtk gtk_wnm_sleep;
- #ifdef CONFIG_IEEE80211W
- struct wpa_igtk igtk;
-+ struct wpa_igtk igtk_wnm_sleep;
- #endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
---
-2.7.4
-
+++ /dev/null
-From 327b6d780f2667e99e9b74d4c064531c0208b22b Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 29 Sep 2017 04:22:51 +0200
-Subject: [PATCH 4/8] Prevent installation of an all-zero TK
-
-Properly track whether a PTK has already been installed to the driver
-and the TK part cleared from memory. This prevents an attacker from
-trying to trick the client into installing an all-zero TK.
-
-This fixes the earlier fix in commit
-ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
-driver in EAPOL-Key 3/4 retry case') which did not take into account
-possibility of an extra message 1/4 showing up between retries of
-message 3/4.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 1 +
- src/rsn_supp/wpa.c | 6 +++---
- src/rsn_supp/wpa_i.h | 1 -
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index 0872b12..8411686 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -219,6 +219,7 @@ struct wpa_ptk {
- size_t kck_len;
- size_t kek_len;
- size_t tk_len;
-+ int installed; /* 1 if key has already been installed to driver */
- };
-
- struct wpa_gtk {
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 3c8871d..cf9bf1c 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -594,7 +594,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
- os_memset(buf, 0, sizeof(buf));
- }
- sm->tptk_set = 1;
-- sm->tk_to_set = 1;
-
- kde = sm->assoc_wpa_ie;
- kde_len = sm->assoc_wpa_ie_len;
-@@ -701,7 +700,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
- enum wpa_alg alg;
- const u8 *key_rsc;
-
-- if (!sm->tk_to_set) {
-+ if (sm->ptk.installed) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Do not re-install same PTK to the driver");
- return 0;
-@@ -745,7 +744,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
-
- /* TK is not needed anymore in supplicant */
- os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-- sm->tk_to_set = 0;
-+ sm->ptk.installed = 1;
-
- if (sm->wpa_ptk_rekey) {
- eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
-@@ -4183,6 +4182,7 @@ int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len)
- * takes care of association frame encryption/decryption. */
- /* TK is not needed anymore in supplicant */
- os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-+ sm->ptk.installed = 1;
-
- /* FILS HLP Container */
- fils_process_hlp_container(sm, ie_start, end - ie_start);
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 156e6cb..3b42245 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -24,7 +24,6 @@ struct wpa_sm {
- struct wpa_ptk ptk, tptk;
- int ptk_set, tptk_set;
- unsigned int msg_3_of_4_ok:1;
-- unsigned int tk_to_set:1;
- u8 snonce[WPA_NONCE_LEN];
- u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
- int renew_snonce;
---
-2.7.4
-
+++ /dev/null
-From f1800cce24e8f81e909a68fe8ef1f13abfdec9e3 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:32:57 +0300
-Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
-
-The Authenticator state machine path for PTK rekeying ended up bypassing
-the AUTHENTICATION2 state where a new ANonce is generated when going
-directly to the PTKSTART state since there is no need to try to
-determine the PMK again in such a case. This is far from ideal since the
-new PTK would depend on a new nonce only from the supplicant.
-
-Fix this by generating a new ANonce when moving to the PTKSTART state
-for the purpose of starting new 4-way handshake to rekey PTK.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 42ef0bf..3b2f97c 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1953,6 +1953,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
- }
-
-
-+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
-+{
-+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
-+ wpa_printf(MSG_ERROR,
-+ "WPA: Failed to get random data for ANonce");
-+ sm->Disconnect = TRUE;
-+ return -1;
-+ }
-+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
-+ WPA_NONCE_LEN);
-+ sm->TimeoutCtr = 0;
-+ return 0;
-+}
-+
-+
- SM_STATE(WPA_PTK, INITPMK)
- {
- u8 msk[2 * PMK_LEN];
-@@ -3129,9 +3144,12 @@ SM_STEP(WPA_PTK)
- SM_ENTER(WPA_PTK, AUTHENTICATION);
- else if (sm->ReAuthenticationRequest)
- SM_ENTER(WPA_PTK, AUTHENTICATION2);
-- else if (sm->PTKRequest)
-- SM_ENTER(WPA_PTK, PTKSTART);
-- else switch (sm->wpa_ptk_state) {
-+ else if (sm->PTKRequest) {
-+ if (wpa_auth_sm_ptk_update(sm) < 0)
-+ SM_ENTER(WPA_PTK, DISCONNECTED);
-+ else
-+ SM_ENTER(WPA_PTK, PTKSTART);
-+ } else switch (sm->wpa_ptk_state) {
- case WPA_PTK_INITIALIZE:
- break;
- case WPA_PTK_DISCONNECT:
---
-2.7.4
-
+++ /dev/null
-From 1b198fae80a4c97ecf358fe825c0488d6ac0e65e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:03:15 +0300
-Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
-
-Do not try to reconfigure the same TPK-TK to the driver after it has
-been successfully configured. This is an explicit check to avoid issues
-related to resetting the TX/RX packet number. There was already a check
-for this for TPK M2 (retries of that message are ignored completely), so
-that behavior does not get modified.
-
-For TPK M3, the TPK-TK could have been reconfigured, but that was
-followed by immediate teardown of the link due to an issue in updating
-the STA entry. Furthermore, for TDLS with any real security (i.e.,
-ignoring open/WEP), the TPK message exchange is protected on the AP path
-and simple replay attacks are not feasible.
-
-As an additional corner case, make sure the local nonce gets updated if
-the peer uses a very unlikely "random nonce" of all zeros.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
-index 7c95bed..5e350ed 100644
---- a/src/rsn_supp/tdls.c
-+++ b/src/rsn_supp/tdls.c
-@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
- u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
- } tpk;
- int tpk_set;
-+ int tk_set; /* TPK-TK configured to the driver */
- int tpk_success;
- int tpk_in_progress;
-
-@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- u8 rsc[6];
- enum wpa_alg alg;
-
-+ if (peer->tk_set) {
-+ /*
-+ * This same TPK-TK has already been configured to the driver
-+ * and this new configuration attempt (likely due to an
-+ * unexpected retransmitted frame) would result in clearing
-+ * the TX/RX sequence number which can break security, so must
-+ * not allow that to happen.
-+ */
-+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
-+ " has already been configured to the driver - do not reconfigure",
-+ MAC2STR(peer->addr));
-+ return -1;
-+ }
-+
- os_memset(rsc, 0, 6);
-
- switch (peer->cipher) {
-@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- return -1;
- }
-
-+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
-+ MAC2STR(peer->addr));
- if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
- rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
- wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
- "driver");
- return -1;
- }
-+ peer->tk_set = 1;
- return 0;
- }
-
-@@ -693,7 +711,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- peer->cipher = 0;
- peer->qos_info = 0;
- peer->wmm_capable = 0;
-- peer->tpk_set = peer->tpk_success = 0;
-+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
- peer->chan_switch_enabled = 0;
- os_memset(&peer->tpk, 0, sizeof(peer->tpk));
- os_memset(peer->inonce, 0, WPA_NONCE_LEN);
-@@ -1156,6 +1174,7 @@ skip_rsnie:
- wpa_tdls_peer_free(sm, peer);
- return -1;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
- peer->inonce, WPA_NONCE_LEN);
- os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
-@@ -1749,6 +1768,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
- }
-
-
-+static int tdls_nonce_set(const u8 *nonce)
-+{
-+ int i;
-+
-+ for (i = 0; i < WPA_NONCE_LEN; i++) {
-+ if (nonce[i])
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+
- static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
- const u8 *buf, size_t len)
- {
-@@ -2002,7 +2034,8 @@ skip_rsn:
- peer->rsnie_i_len = kde.rsn_ie_len;
- peer->cipher = cipher;
-
-- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
-+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
-+ !tdls_nonce_set(peer->inonce)) {
- /*
- * There is no point in updating the RNonce for every obtained
- * TPK M1 frame (e.g., retransmission due to timeout) with the
-@@ -2018,6 +2051,7 @@ skip_rsn:
- "TDLS: Failed to get random data for responder nonce");
- goto error;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- }
-
- #if 0
---
-2.7.4
-
+++ /dev/null
-From b839814391abb4f95486ef2e24eb5498267eccf5 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:25:02 +0300
-Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
- request
-
-Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
-Mode Response if WNM-Sleep Mode has not been used') started ignoring the
-response when no WNM-Sleep Mode Request had been used during the
-association. This can be made tighter by clearing the used flag when
-successfully processing a response. This adds an additional layer of
-protection against unexpected retransmissions of the response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 7339ed2..28346ea 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
-
- if (!wpa_s->wnmsleep_used) {
- wpa_printf(MSG_DEBUG,
-- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
-+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
- return;
- }
-
-@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
- return;
- }
-
-+ wpa_s->wnmsleep_used = 0;
-+
- if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
- wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
- wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
---
-2.7.4
-
+++ /dev/null
-From dc55ea1e483125145459ae1e55be3b95e6263302 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 12:06:37 +0300
-Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
-
-The driver is expected to not report a second association event without
-the station having explicitly request a new association. As such, this
-case should not be reachable. However, since reconfiguring the same
-pairwise or group keys to the driver could result in nonce reuse issues,
-be extra careful here and do an additional state check to avoid this
-even if the local driver ends up somehow accepting an unexpected
-Reassociation Response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 3 +++
- src/rsn_supp/wpa_ft.c | 8 ++++++++
- src/rsn_supp/wpa_i.h | 1 +
- 3 files changed, 12 insertions(+)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index cf9bf1c..ed467e6 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2637,6 +2637,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
- #ifdef CONFIG_FILS
- sm->fils_completed = 0;
- #endif /* CONFIG_FILS */
-+#ifdef CONFIG_IEEE80211R
-+ sm->ft_reassoc_completed = 0;
-+#endif /* CONFIG_IEEE80211R */
-
- /* Keys are not needed in the WPA state machine anymore */
- wpa_sm_drop_sa(sm);
-diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
-index aeb7aff..1ff7afe 100644
---- a/src/rsn_supp/wpa_ft.c
-+++ b/src/rsn_supp/wpa_ft.c
-@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
- u16 capab;
-
- sm->ft_completed = 0;
-+ sm->ft_reassoc_completed = 0;
-
- buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
- 2 + sm->r0kh_id_len + ric_ies_len + 100;
-@@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ if (sm->ft_reassoc_completed) {
-+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
-+ return 0;
-+ }
-+
- if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
- wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
- return -1;
-@@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ sm->ft_reassoc_completed = 1;
-+
- if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
- return -1;
-
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 3b42245..148c654 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -128,6 +128,7 @@ struct wpa_sm {
- size_t r0kh_id_len;
- u8 r1kh_id[FT_R1KH_ID_LEN];
- int ft_completed;
-+ int ft_reassoc_completed;
- int over_the_ds_in_progress;
- u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
- int set_ptk_after_assoc;
---
-2.7.4
-
+++ /dev/null
-From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 14 Jul 2017 15:15:35 +0200
-Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
-
-Do not reinstall TK to the driver during Reassociation Response frame
-processing if the first attempt of setting the TK succeeded. This avoids
-issues related to clearing the TX/RX PN that could result in reusing
-same PN values for transmitted frames (e.g., due to CCM nonce reuse and
-also hitting replay protection on the receiver) and accepting replayed
-frames on RX side.
-
-This issue was introduced by the commit
-0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
-authenticator') which allowed wpa_ft_install_ptk() to be called multiple
-times with the same PTK. While the second configuration attempt is
-needed with some drivers, it must be done only if the first attempt
-failed.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/ap/ieee802_11.c | 16 +++++++++++++---
- src/ap/wpa_auth.c | 11 +++++++++++
- src/ap/wpa_auth.h | 3 ++-
- src/ap/wpa_auth_ft.c | 10 ++++++++++
- src/ap/wpa_auth_i.h | 1 +
- 5 files changed, 37 insertions(+), 4 deletions(-)
-
-diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
-index 4e04169..333035f 100644
---- a/src/ap/ieee802_11.c
-+++ b/src/ap/ieee802_11.c
-@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
- {
- struct ieee80211_ht_capabilities ht_cap;
- struct ieee80211_vht_capabilities vht_cap;
-+ int set = 1;
-
- /*
- * Remove the STA entry to ensure the STA PS state gets cleared and
-@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
- * FT-over-the-DS, where a station re-associates back to the same AP but
- * skips the authentication flow, or if working with a driver that
- * does not support full AP client state.
-+ *
-+ * Skip this if the STA has already completed FT reassociation and the
-+ * TK has been configured since the TX/RX PN must not be reset to 0 for
-+ * the same key.
- */
-- if (!sta->added_unassoc)
-+ if (!sta->added_unassoc &&
-+ (!(sta->flags & WLAN_STA_AUTHORIZED) ||
-+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
-+ set = 0;
-+ }
-
- #ifdef CONFIG_IEEE80211N
- if (sta->flags & WLAN_STA_HT)
-@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
- sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
- sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
- sta->vht_opmode, sta->p2p_ie ? 1 : 0,
-- sta->added_unassoc)) {
-+ set)) {
- hostapd_logger(hapd, sta->addr,
- HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
- "Could not %s STA to kernel driver",
-- sta->added_unassoc ? "set" : "add");
-+ set ? "set" : "add");
-
- if (sta->added_unassoc) {
- hostapd_drv_sta_remove(hapd, sta->addr);
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 3587086..707971d 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
- #else /* CONFIG_IEEE80211R */
- break;
- #endif /* CONFIG_IEEE80211R */
-+ case WPA_DRV_STA_REMOVED:
-+ sm->tk_already_set = FALSE;
-+ return 0;
- }
-
- #ifdef CONFIG_IEEE80211R
-@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
- }
-
-
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
-+{
-+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
-+ return 0;
-+ return sm->tk_already_set;
-+}
-+
-+
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry)
- {
-diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
-index 0de8d97..97461b0 100644
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
- u8 *data, size_t data_len);
- enum wpa_event {
- WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
-- WPA_REAUTH_EAPOL, WPA_ASSOC_FT
-+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
- };
- void wpa_remove_ptk(struct wpa_state_machine *sm);
- int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
-@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
- int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
- int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
- int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
-+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
- int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
- struct rsn_pmksa_cache_entry *entry);
- struct rsn_pmksa_cache_entry *
-diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
-index 42242a5..e63b99a 100644
---- a/src/ap/wpa_auth_ft.c
-+++ b/src/ap/wpa_auth_ft.c
-@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
- return;
- }
-
-+ if (sm->tk_already_set) {
-+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX
-+ * PN in the driver */
-+ wpa_printf(MSG_DEBUG,
-+ "FT: Do not re-install same PTK to the driver");
-+ return;
-+ }
-+
- /* FIX: add STA entry to kernel/driver here? The set_key will fail
- * most likely without this.. At the moment, STA entry is added only
- * after association has been completed. This function will be called
-@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
-
- /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
- sm->pairwise_set = TRUE;
-+ sm->tk_already_set = TRUE;
- }
-
-
-@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
-
- sm->pairwise = pairwise;
- sm->PTK_valid = TRUE;
-+ sm->tk_already_set = FALSE;
- wpa_ft_install_ptk(sm);
-
- buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
-diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
-index 72b7eb3..7fd8f05 100644
---- a/src/ap/wpa_auth_i.h
-+++ b/src/ap/wpa_auth_i.h
-@@ -65,6 +65,7 @@ struct wpa_state_machine {
- struct wpa_ptk PTK;
- Boolean PTK_valid;
- Boolean pairwise_set;
-+ Boolean tk_already_set;
- int keycount;
- Boolean Pair;
- struct wpa_key_replay_counter {
---
-2.7.4
-
+++ /dev/null
-From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Wed, 12 Jul 2017 16:03:24 +0200
-Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
-
-Track the current GTK and IGTK that is in use and when receiving a
-(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
-not install the given key if it is already in use. This prevents an
-attacker from trying to trick the client into resetting or lowering the
-sequence counter associated to the group key.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 11 +++++
- src/rsn_supp/wpa.c | 116 ++++++++++++++++++++++++++++++------------------
- src/rsn_supp/wpa_i.h | 4 ++
- 3 files changed, 87 insertions(+), 44 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index af1d0f0..d200285 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -217,6 +217,17 @@ struct wpa_ptk {
- size_t tk_len;
- };
-
-+struct wpa_gtk {
-+ u8 gtk[WPA_GTK_MAX_LEN];
-+ size_t gtk_len;
-+};
-+
-+#ifdef CONFIG_IEEE80211W
-+struct wpa_igtk {
-+ u8 igtk[WPA_IGTK_MAX_LEN];
-+ size_t igtk_len;
-+};
-+#endif /* CONFIG_IEEE80211W */
-
- /* WPA IE version 1
- * 00-50-f2:1 (OUI:OUI type)
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 3c47879..95bd7be 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
-+ /* Detect possible key reinstallation */
-+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
-+ gd->keyidx, gd->tx, gd->gtk_len);
-+ return 0;
-+ }
-+
- wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
-@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+
- return 0;
- }
-
-@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- }
-
-
-+#ifdef CONFIG_IEEE80211W
-+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-+ const struct wpa_igtk_kde *igtk)
-+{
-+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
-+ u16 keyidx = WPA_GET_LE16(igtk->keyid);
-+
-+ /* Detect possible key reinstallation */
-+ if (sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
-+ keyidx);
-+ return 0;
-+ }
-+
-+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
-+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
-+ keyidx, MAC2STR(igtk->pn));
-+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
-+ if (keyidx > 4095) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Invalid IGTK KeyID %d", keyidx);
-+ return -1;
-+ }
-+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-+ broadcast_ether_addr,
-+ keyidx, 0, igtk->pn, sizeof(igtk->pn),
-+ igtk->igtk, len) < 0) {
-+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-+ "WPA: Failed to configure IGTK to the driver");
-+ return -1;
-+ }
-+
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+
-+ return 0;
-+}
-+#endif /* CONFIG_IEEE80211W */
-+
-+
- static int ieee80211w_set_keys(struct wpa_sm *sm,
- struct wpa_eapol_ie_parse *ie)
- {
-@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- if (ie->igtk) {
- size_t len;
- const struct wpa_igtk_kde *igtk;
-- u16 keyidx;
-+
- len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
- return -1;
-+
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- keyidx = WPA_GET_LE16(igtk->keyid);
-- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
-- "pn %02x%02x%02x%02x%02x%02x",
-- keyidx, MAC2STR(igtk->pn));
-- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
-- igtk->igtk, len);
-- if (keyidx > 4095) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Invalid IGTK KeyID %d", keyidx);
-- return -1;
-- }
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igtk->pn, sizeof(igtk->pn),
-- igtk->igtk, len) < 0) {
-- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
-- "WPA: Failed to configure IGTK to the driver");
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
- }
-
- return 0;
-@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
- */
- void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- {
-- int clear_ptk = 1;
-+ int clear_keys = 1;
-
- if (sm == NULL)
- return;
-@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- /* Prepare for the next transition */
- wpa_ft_prepare_auth_request(sm, NULL);
-
-- clear_ptk = 0;
-+ clear_keys = 0;
- }
- #endif /* CONFIG_IEEE80211R */
-
-- if (clear_ptk) {
-+ if (clear_keys) {
- /*
- * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
- * this is not part of a Fast BSS Transition.
-@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- }
-
- #ifdef CONFIG_TDLS
-@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(sm->pmk, 0, sizeof(sm->pmk));
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
-+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+#ifdef CONFIG_IEEE80211W
-+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+#endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
- os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
-@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- os_memset(&gd, 0, sizeof(gd));
- #ifdef CONFIG_IEEE80211W
- } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
-- struct wpa_igtk_kde igd;
-- u16 keyidx;
--
-- os_memset(&igd, 0, sizeof(igd));
-- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
-- os_memcpy(igd.keyid, buf + 2, 2);
-- os_memcpy(igd.pn, buf + 4, 6);
--
-- keyidx = WPA_GET_LE16(igd.keyid);
-- os_memcpy(igd.igtk, buf + 10, keylen);
--
-- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
-- igd.igtk, keylen);
-- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
-- broadcast_ether_addr,
-- keyidx, 0, igd.pn, sizeof(igd.pn),
-- igd.igtk, keylen) < 0) {
-- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
-- "WNM mode");
-- os_memset(&igd, 0, sizeof(igd));
-+ const struct wpa_igtk_kde *igtk;
-+
-+ igtk = (const struct wpa_igtk_kde *) (buf + 2);
-+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
- return -1;
-- }
-- os_memset(&igd, 0, sizeof(igd));
- #endif /* CONFIG_IEEE80211W */
- } else {
- wpa_printf(MSG_DEBUG, "Unknown element id");
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index f653ba6..afc9e37 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -31,6 +31,10 @@ struct wpa_sm {
- u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
-+ struct wpa_gtk gtk;
-+#ifdef CONFIG_IEEE80211W
-+ struct wpa_igtk igtk;
-+#endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
-
---
-2.7.4
-
+++ /dev/null
-From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:12:24 +0300
-Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
- Mode cases
-
-This extends the protection to track last configured GTK/IGTK value
-separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
-corner case where these two different mechanisms may get used when the
-GTK/IGTK has changed and tracking a single value is not sufficient to
-detect a possible key reconfiguration.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 53 +++++++++++++++++++++++++++++++++++++---------------
- src/rsn_supp/wpa_i.h | 2 ++
- 2 files changed, 40 insertions(+), 15 deletions(-)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 95bd7be..7a2c68d 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -709,14 +709,17 @@ struct wpa_gtk_data {
-
- static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- const struct wpa_gtk_data *gd,
-- const u8 *key_rsc)
-+ const u8 *key_rsc, int wnm_sleep)
- {
- const u8 *_gtk = gd->gtk;
- u8 gtk_buf[32];
-
- /* Detect possible key reinstallation */
-- if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
-+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
-+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
-+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
- gd->keyidx, gd->tx, gd->gtk_len);
-@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
- }
- os_memset(gtk_buf, 0, sizeof(gtk_buf));
-
-- sm->gtk.gtk_len = gd->gtk_len;
-- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ if (wnm_sleep) {
-+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
-+ sm->gtk_wnm_sleep.gtk_len);
-+ } else {
-+ sm->gtk.gtk_len = gd->gtk_len;
-+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
-+ }
-
- return 0;
- }
-@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
- (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
- gtk_len, gtk_len,
- &gd.key_rsc_len, &gd.alg) ||
-- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
-+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "RSN: Failed to install GTK");
- os_memset(&gd, 0, sizeof(gd));
-@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
-
- #ifdef CONFIG_IEEE80211W
- static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
-- const struct wpa_igtk_kde *igtk)
-+ const struct wpa_igtk_kde *igtk,
-+ int wnm_sleep)
- {
- size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
- u16 keyidx = WPA_GET_LE16(igtk->keyid);
-
- /* Detect possible key reinstallation */
-- if (sm->igtk.igtk_len == len &&
-- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
-+ if ((sm->igtk.igtk_len == len &&
-+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
-+ (sm->igtk_wnm_sleep.igtk_len == len &&
-+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len) == 0)) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
- keyidx);
-@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
- return -1;
- }
-
-- sm->igtk.igtk_len = len;
-- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ if (wnm_sleep) {
-+ sm->igtk_wnm_sleep.igtk_len = len;
-+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
-+ sm->igtk_wnm_sleep.igtk_len);
-+ } else {
-+ sm->igtk.igtk_len = len;
-+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
-+ }
-
- return 0;
- }
-@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
- return -1;
-
- igtk = (const struct wpa_igtk_kde *) ie->igtk;
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
- return -1;
- }
-
-@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
- if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
- key_rsc = null_rsc;
-
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
- wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
- goto failed;
- os_memset(&gd, 0, sizeof(gd));
-@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
- sm->tptk_set = 0;
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- }
-
-@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
- os_memset(&sm->ptk, 0, sizeof(sm->ptk));
- os_memset(&sm->tptk, 0, sizeof(sm->tptk));
- os_memset(&sm->gtk, 0, sizeof(sm->gtk));
-+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
- #ifdef CONFIG_IEEE80211W
- os_memset(&sm->igtk, 0, sizeof(sm->igtk));
-+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
- #endif /* CONFIG_IEEE80211W */
- #ifdef CONFIG_IEEE80211R
- os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
-@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
-
- wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
- gd.gtk, gd.gtk_len);
-- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
-+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
- os_memset(&gd, 0, sizeof(gd));
- wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
- "WNM mode");
-@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
- const struct wpa_igtk_kde *igtk;
-
- igtk = (const struct wpa_igtk_kde *) (buf + 2);
-- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
-+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
- return -1;
- #endif /* CONFIG_IEEE80211W */
- } else {
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index afc9e37..9a54631 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -32,8 +32,10 @@ struct wpa_sm {
- int rx_replay_counter_set;
- u8 request_counter[WPA_REPLAY_COUNTER_LEN];
- struct wpa_gtk gtk;
-+ struct wpa_gtk gtk_wnm_sleep;
- #ifdef CONFIG_IEEE80211W
- struct wpa_igtk igtk;
-+ struct wpa_igtk igtk_wnm_sleep;
- #endif /* CONFIG_IEEE80211W */
-
- struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
---
-2.7.4
-
+++ /dev/null
-From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
-From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
-Date: Fri, 29 Sep 2017 04:22:51 +0200
-Subject: [PATCH 4/8] Prevent installation of an all-zero TK
-
-Properly track whether a PTK has already been installed to the driver
-and the TK part cleared from memory. This prevents an attacker from
-trying to trick the client into installing an all-zero TK.
-
-This fixes the earlier fix in commit
-ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
-driver in EAPOL-Key 3/4 retry case') which did not take into account
-possibility of an extra message 1/4 showing up between retries of
-message 3/4.
-
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
----
- src/common/wpa_common.h | 1 +
- src/rsn_supp/wpa.c | 5 ++---
- src/rsn_supp/wpa_i.h | 1 -
- 3 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
-index d200285..1021ccb 100644
---- a/src/common/wpa_common.h
-+++ b/src/common/wpa_common.h
-@@ -215,6 +215,7 @@ struct wpa_ptk {
- size_t kck_len;
- size_t kek_len;
- size_t tk_len;
-+ int installed; /* 1 if key has already been installed to driver */
- };
-
- struct wpa_gtk {
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 7a2c68d..0550a41 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
- os_memset(buf, 0, sizeof(buf));
- }
- sm->tptk_set = 1;
-- sm->tk_to_set = 1;
-
- kde = sm->assoc_wpa_ie;
- kde_len = sm->assoc_wpa_ie_len;
-@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
- enum wpa_alg alg;
- const u8 *key_rsc;
-
-- if (!sm->tk_to_set) {
-+ if (sm->ptk.installed) {
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
- "WPA: Do not re-install same PTK to the driver");
- return 0;
-@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
-
- /* TK is not needed anymore in supplicant */
- os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
-- sm->tk_to_set = 0;
-+ sm->ptk.installed = 1;
-
- if (sm->wpa_ptk_rekey) {
- eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 9a54631..41f371f 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -24,7 +24,6 @@ struct wpa_sm {
- struct wpa_ptk ptk, tptk;
- int ptk_set, tptk_set;
- unsigned int msg_3_of_4_ok:1;
-- unsigned int tk_to_set:1;
- u8 snonce[WPA_NONCE_LEN];
- u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
- int renew_snonce;
---
-2.7.4
-
+++ /dev/null
-From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Oct 2017 12:32:57 +0300
-Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
-
-The Authenticator state machine path for PTK rekeying ended up bypassing
-the AUTHENTICATION2 state where a new ANonce is generated when going
-directly to the PTKSTART state since there is no need to try to
-determine the PMK again in such a case. This is far from ideal since the
-new PTK would depend on a new nonce only from the supplicant.
-
-Fix this by generating a new ANonce when moving to the PTKSTART state
-for the purpose of starting new 4-way handshake to rekey PTK.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
-index 707971d..bf10cc1 100644
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
- }
-
-
-+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
-+{
-+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
-+ wpa_printf(MSG_ERROR,
-+ "WPA: Failed to get random data for ANonce");
-+ sm->Disconnect = TRUE;
-+ return -1;
-+ }
-+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
-+ WPA_NONCE_LEN);
-+ sm->TimeoutCtr = 0;
-+ return 0;
-+}
-+
-+
- SM_STATE(WPA_PTK, INITPMK)
- {
- u8 msk[2 * PMK_LEN];
-@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
- SM_ENTER(WPA_PTK, AUTHENTICATION);
- else if (sm->ReAuthenticationRequest)
- SM_ENTER(WPA_PTK, AUTHENTICATION2);
-- else if (sm->PTKRequest)
-- SM_ENTER(WPA_PTK, PTKSTART);
-- else switch (sm->wpa_ptk_state) {
-+ else if (sm->PTKRequest) {
-+ if (wpa_auth_sm_ptk_update(sm) < 0)
-+ SM_ENTER(WPA_PTK, DISCONNECTED);
-+ else
-+ SM_ENTER(WPA_PTK, PTKSTART);
-+ } else switch (sm->wpa_ptk_state) {
- case WPA_PTK_INITIALIZE:
- break;
- case WPA_PTK_DISCONNECT:
---
-2.7.4
-
+++ /dev/null
-From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:03:15 +0300
-Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
-
-Do not try to reconfigure the same TPK-TK to the driver after it has
-been successfully configured. This is an explicit check to avoid issues
-related to resetting the TX/RX packet number. There was already a check
-for this for TPK M2 (retries of that message are ignored completely), so
-that behavior does not get modified.
-
-For TPK M3, the TPK-TK could have been reconfigured, but that was
-followed by immediate teardown of the link due to an issue in updating
-the STA entry. Furthermore, for TDLS with any real security (i.e.,
-ignoring open/WEP), the TPK message exchange is protected on the AP path
-and simple replay attacks are not feasible.
-
-As an additional corner case, make sure the local nonce gets updated if
-the peer uses a very unlikely "random nonce" of all zeros.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
- 1 file changed, 36 insertions(+), 2 deletions(-)
-
-diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
-index e424168..9eb9738 100644
---- a/src/rsn_supp/tdls.c
-+++ b/src/rsn_supp/tdls.c
-@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
- u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
- } tpk;
- int tpk_set;
-+ int tk_set; /* TPK-TK configured to the driver */
- int tpk_success;
- int tpk_in_progress;
-
-@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- u8 rsc[6];
- enum wpa_alg alg;
-
-+ if (peer->tk_set) {
-+ /*
-+ * This same TPK-TK has already been configured to the driver
-+ * and this new configuration attempt (likely due to an
-+ * unexpected retransmitted frame) would result in clearing
-+ * the TX/RX sequence number which can break security, so must
-+ * not allow that to happen.
-+ */
-+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
-+ " has already been configured to the driver - do not reconfigure",
-+ MAC2STR(peer->addr));
-+ return -1;
-+ }
-+
- os_memset(rsc, 0, 6);
-
- switch (peer->cipher) {
-@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- return -1;
- }
-
-+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
-+ MAC2STR(peer->addr));
- if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
- rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
- wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
- "driver");
- return -1;
- }
-+ peer->tk_set = 1;
- return 0;
- }
-
-@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
- peer->cipher = 0;
- peer->qos_info = 0;
- peer->wmm_capable = 0;
-- peer->tpk_set = peer->tpk_success = 0;
-+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
- peer->chan_switch_enabled = 0;
- os_memset(&peer->tpk, 0, sizeof(peer->tpk));
- os_memset(peer->inonce, 0, WPA_NONCE_LEN);
-@@ -1159,6 +1177,7 @@ skip_rsnie:
- wpa_tdls_peer_free(sm, peer);
- return -1;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
- peer->inonce, WPA_NONCE_LEN);
- os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
-@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
- }
-
-
-+static int tdls_nonce_set(const u8 *nonce)
-+{
-+ int i;
-+
-+ for (i = 0; i < WPA_NONCE_LEN; i++) {
-+ if (nonce[i])
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+
-+
- static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
- const u8 *buf, size_t len)
- {
-@@ -2004,7 +2036,8 @@ skip_rsn:
- peer->rsnie_i_len = kde.rsn_ie_len;
- peer->cipher = cipher;
-
-- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
-+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
-+ !tdls_nonce_set(peer->inonce)) {
- /*
- * There is no point in updating the RNonce for every obtained
- * TPK M1 frame (e.g., retransmission due to timeout) with the
-@@ -2020,6 +2053,7 @@ skip_rsn:
- "TDLS: Failed to get random data for responder nonce");
- goto error;
- }
-+ peer->tk_set = 0; /* A new nonce results in a new TK */
- }
-
- #if 0
---
-2.7.4
-
+++ /dev/null
-From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 11:25:02 +0300
-Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
- request
-
-Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
-Mode Response if WNM-Sleep Mode has not been used') started ignoring the
-response when no WNM-Sleep Mode Request had been used during the
-association. This can be made tighter by clearing the used flag when
-successfully processing a response. This adds an additional layer of
-protection against unexpected retransmissions of the response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 1b3409c..67a07ff 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
-
- if (!wpa_s->wnmsleep_used) {
- wpa_printf(MSG_DEBUG,
-- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
-+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
- return;
- }
-
-@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
- return;
- }
-
-+ wpa_s->wnmsleep_used = 0;
-+
- if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
- wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
- wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
---
-2.7.4
-
+++ /dev/null
-From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 22 Sep 2017 12:06:37 +0300
-Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
-
-The driver is expected to not report a second association event without
-the station having explicitly request a new association. As such, this
-case should not be reachable. However, since reconfiguring the same
-pairwise or group keys to the driver could result in nonce reuse issues,
-be extra careful here and do an additional state check to avoid this
-even if the local driver ends up somehow accepting an unexpected
-Reassociation Response frame.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/rsn_supp/wpa.c | 3 +++
- src/rsn_supp/wpa_ft.c | 8 ++++++++
- src/rsn_supp/wpa_i.h | 1 +
- 3 files changed, 12 insertions(+)
-
-diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
-index 0550a41..2a53c6f 100644
---- a/src/rsn_supp/wpa.c
-+++ b/src/rsn_supp/wpa.c
-@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
- #ifdef CONFIG_TDLS
- wpa_tdls_disassoc(sm);
- #endif /* CONFIG_TDLS */
-+#ifdef CONFIG_IEEE80211R
-+ sm->ft_reassoc_completed = 0;
-+#endif /* CONFIG_IEEE80211R */
-
- /* Keys are not needed in the WPA state machine anymore */
- wpa_sm_drop_sa(sm);
-diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
-index 205793e..d45bb45 100644
---- a/src/rsn_supp/wpa_ft.c
-+++ b/src/rsn_supp/wpa_ft.c
-@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
- u16 capab;
-
- sm->ft_completed = 0;
-+ sm->ft_reassoc_completed = 0;
-
- buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
- 2 + sm->r0kh_id_len + ric_ies_len + 100;
-@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ if (sm->ft_reassoc_completed) {
-+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
-+ return 0;
-+ }
-+
- if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
- wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
- return -1;
-@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
- return -1;
- }
-
-+ sm->ft_reassoc_completed = 1;
-+
- if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
- return -1;
-
-diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
-index 41f371f..56f88dc 100644
---- a/src/rsn_supp/wpa_i.h
-+++ b/src/rsn_supp/wpa_i.h
-@@ -128,6 +128,7 @@ struct wpa_sm {
- size_t r0kh_id_len;
- u8 r1kh_id[FT_R1KH_ID_LEN];
- int ft_completed;
-+ int ft_reassoc_completed;
- int over_the_ds_in_progress;
- u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
- int set_ptk_after_assoc;
---
-2.7.4
-