Message ID | 20220218171336.4024505-1-matthias.fischer@ipfire.org |
---|---|
State | Accepted |
Commit | 6491a92335a15fa0e3a4df1fed24b40490eaf3cb |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4K0dZg6x1yz3wtR for <patchwork@web04.haj.ipfire.org>; Fri, 18 Feb 2022 17:13:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4K0dZd4MjNz12l; Fri, 18 Feb 2022 17:13:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4K0dZd39TJz2yV8; Fri, 18 Feb 2022 17:13:45 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4K0dZb5YhFz2xbW for <development@lists.ipfire.org>; Fri, 18 Feb 2022 17:13:43 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4K0dZZ4J9NzfR for <development@lists.ipfire.org>; Fri, 18 Feb 2022 17:13:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1645204422; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=yuyJpB8jrYcpnW8j9+Wudqwo5MHJ+5Nn6R22VSKeg9A=; b=tzzM9gLTN7mhAGVwT5O/clm6ro3hOkWMmLeSyV05LUkQ3oRgRw1Npe0OsGeu2UG+Z9VO1n GoEHMRl9gQiuM+Cw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1645204422; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=yuyJpB8jrYcpnW8j9+Wudqwo5MHJ+5Nn6R22VSKeg9A=; b=O56r+hlAW1cGA406zOvO3+UjPMqC5z8SLFDfff1d0Mn834jDOzNu0RnaV4VcyIJXVhBEvE W4Q4GaFNBVcGmO9HVsnqFfXdjpRJxniQ2gyqUzXGmtOXppPrb3WHEyE1DcGY0qazU3lbA8 69Ng13BohmrYObBAJHfSeNiR5I/Cqod4/lAIrf6GF3PMAXeDLYjH5BSd5oMGGZQPqOsGd7 Eb2IChdOcmuYImRXPgbGTHiknd8agOkg9K2Qz706PfAIYpGpqaoOzPguor6TW5Pwx/T2vp LRRlNYwTmQVibABJ/SFnuJa1RAYDktJ8rGGs7Deh7cH2kzKjymz6YJIvPQ5MDw== From: Matthias Fischer <matthias.fischer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 1/2] hostapd: Update to 2.10 Date: Fri, 18 Feb 2022 18:13:34 +0100 Message-Id: <20220218171336.4024505-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
[1/2] hostapd: Update to 2.10
|
|
Commit Message
Matthias Fischer
Feb. 18, 2022, 5:13 p.m. UTC
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
"2022-01-16 - v2.10
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added option send SAE Confirm immediately (sae_config_immediate=1)
after SAE Commit
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2)
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed WPS UPnP SUBSCRIBE handling of invalid operations
[https://w1.fi/security/2020-1/]
* fixed PMF disconnection protection bypass
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* fixed various issues in experimental support for EAP-TEAP server
* added configuration (max_auth_rounds, max_auth_rounds_short) to
increase the maximum number of EAP message exchanges (mainly to
support cases with very large certificates) for the EAP server
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* extended HE (IEEE 802.11ax) support, including 6 GHz support
* removed obsolete IAPP functionality
* fixed EAP-FAST server with TLS GCM/CCM ciphers
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible; owe_ptk_workaround=1 can be used to enabled a
a workaround for the group 20/21 backwards compatibility
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* added support for PASN
* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
* a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
lfs/hostapd | 24 ++++++++-----------
.../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++--
src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++---
3 files changed, 15 insertions(+), 19 deletions(-)
Comments
Hello Matthias, thank you for submitting this. > For details see: > https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog > > "2022-01-16 - v2.10 > * SAE changes > - improved protection against side channel attacks > [https://w1.fi/security/2022-1/] > - added option send SAE Confirm immediately (sae_config_immediate=1) > after SAE Commit > - added support for the hash-to-element mechanism (sae_pwe=1 or > sae_pwe=2) > - fixed PMKSA caching with OKC > - added support for SAE-PK > * EAP-pwd changes > - improved protection against side channel attacks > [https://w1.fi/security/2022-1/] > * fixed WPS UPnP SUBSCRIBE handling of invalid operations > [https://w1.fi/security/2020-1/] > * fixed PMF disconnection protection bypass > [https://w1.fi/security/2019-7/] > * added support for using OpenSSL 3.0 > * fixed various issues in experimental support for EAP-TEAP server > * added configuration (max_auth_rounds, max_auth_rounds_short) to > increase the maximum number of EAP message exchanges (mainly to > support cases with very large certificates) for the EAP server > * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) > * extended HE (IEEE 802.11ax) support, including 6 GHz support > * removed obsolete IAPP functionality > * fixed EAP-FAST server with TLS GCM/CCM ciphers > * dropped support for libnl 1.1 > * added support for nl80211 control port for EAPOL frame TX/RX > * fixed OWE key derivation with groups 20 and 21; this breaks backwards > compatibility for these groups while the default group 19 remains > backwards compatible; owe_ptk_workaround=1 can be used to enabled a > a workaround for the group 20/21 backwards compatibility > * added support for Beacon protection Are there any plans on enabling this? > * added support for Extended Key ID for pairwise keys > * removed WEP support from the default build (CONFIG_WEP=y can be used > to enable it, if really needed) _Another_ broken technology finally bites the dust. Yay! Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Thanks, and best regards, Peter Müller > * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) > * added support for Transition Disable mechanism to allow the AP to > automatically disable transition mode to improve security > * added support for PASN > * added EAP-TLS server support for TLS 1.3 (disabled by default for now) > * a large number of other fixes, cleanup, and extensions" > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > --- > lfs/hostapd | 24 ++++++++----------- > .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- > src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- > 3 files changed, 15 insertions(+), 19 deletions(-) > > diff --git a/lfs/hostapd b/lfs/hostapd > index cb2626bf3..f07d378be 100644 > --- a/lfs/hostapd > +++ b/lfs/hostapd > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # > +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # > @@ -24,22 +24,18 @@ > > include Config > > -SUMMARY = Daemon for running a WPA capable Access Point > +VER = 2_10 > > -VER = 581dfcc > - > -THISAPP = hostapd-$(VER) > -DL_FILE = $(THISAPP).tar.gz > +THISAPP = hostap_$(VER) > +DL_FILE = $(THISAPP).tar.bz2 > DL_FROM = $(URL_IPFIRE) > -DIR_APP = $(DIR_SRC)/hostap-$(VER) > +DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = hostapd > -PAK_VER = 58 > +PAK_VER = 59 > > DEPS = > > -SERVICES = hostapd > - > ############################################################################### > # Top-level Rules > ############################################################################### > @@ -48,7 +44,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd > +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37 > > install : $(TARGET) > > @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : > > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch > > cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config > cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile > - cd $(DIR_APP)/hostapd && make $(MAKETUNING) > + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) > cd $(DIR_APP)/hostapd && make install > install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd > # install initscript > - $(call INSTALL_INITSCRIPTS,$(SERVICES)) > + $(call INSTALL_INITSCRIPT,hostapd) > mkdir -p /var/ipfire/wlanap > touch /var/ipfire/wlanap/settings > cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf > diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch > index 87aec005b..67d9d4f22 100644 > --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch > +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch > @@ -1,8 +1,8 @@ > diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c > --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 > +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 > -@@ -65,9 +65,9 @@ > - struct wpa_group *group); > +@@ -68,9 +68,9 @@ > + static int ieee80211w_kde_len(struct wpa_state_machine *sm); > static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); > > -static const u32 eapol_key_timeout_first = 100; /* ms */ > diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch > index 638b76f84..01a33d0d0 100644 > --- a/src/patches/hostapd/hostapd-2.9-noscan.patch > +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch > @@ -1,6 +1,6 @@ > --- a/hostapd/config_file.c > +++ b/hostapd/config_file.c > -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho > +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho > if (bss->ocv && !bss->ieee80211w) > bss->ieee80211w = 1; > #endif /* CONFIG_OCV */ > @@ -13,7 +13,7 @@ > } else if (os_strcmp(buf, "ht_capab") == 0) { > --- a/src/ap/ap_config.h > +++ b/src/ap/ap_config.h > -@@ -984,6 +984,8 @@ struct hostapd_config { > +@@ -1014,6 +1014,8 @@ struct hostapd_config { > > int ht_op_mode_fixed; > u16 ht_capab; > @@ -24,7 +24,7 @@ > int no_pri_sec_switch; > --- a/src/ap/hw_features.c > +++ b/src/ap/hw_features.c > -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct > +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct > int ret; > > /* Check that HT40 is used and PRI / SEC switch is allowed */
Hello, This patch should have not been merged. > On 18 Feb 2022, at 17:52, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Matthias, > > thank you for submitting this. > >> For details see: >> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog >> "2022-01-16 - v2.10 >> * SAE changes >> - improved protection against side channel attacks >> [https://w1.fi/security/2022-1/] >> - added option send SAE Confirm immediately (sae_config_immediate=1) >> after SAE Commit >> - added support for the hash-to-element mechanism (sae_pwe=1 or >> sae_pwe=2) >> - fixed PMKSA caching with OKC >> - added support for SAE-PK >> * EAP-pwd changes >> - improved protection against side channel attacks >> [https://w1.fi/security/2022-1/] >> * fixed WPS UPnP SUBSCRIBE handling of invalid operations >> [https://w1.fi/security/2020-1/] >> * fixed PMF disconnection protection bypass >> [https://w1.fi/security/2019-7/] >> * added support for using OpenSSL 3.0 >> * fixed various issues in experimental support for EAP-TEAP server >> * added configuration (max_auth_rounds, max_auth_rounds_short) to >> increase the maximum number of EAP message exchanges (mainly to >> support cases with very large certificates) for the EAP server >> * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) >> * extended HE (IEEE 802.11ax) support, including 6 GHz support >> * removed obsolete IAPP functionality >> * fixed EAP-FAST server with TLS GCM/CCM ciphers >> * dropped support for libnl 1.1 >> * added support for nl80211 control port for EAPOL frame TX/RX >> * fixed OWE key derivation with groups 20 and 21; this breaks backwards >> compatibility for these groups while the default group 19 remains >> backwards compatible; owe_ptk_workaround=1 can be used to enabled a >> a workaround for the group 20/21 backwards compatibility >> * added support for Beacon protection > > Are there any plans on enabling this? > >> * added support for Extended Key ID for pairwise keys >> * removed WEP support from the default build (CONFIG_WEP=y can be used >> to enable it, if really needed) > > _Another_ broken technology finally bites the dust. Yay! > > Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > > Thanks, and best regards, > Peter Müller > >> * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) >> * added support for Transition Disable mechanism to allow the AP to >> automatically disable transition mode to improve security >> * added support for PASN >> * added EAP-TLS server support for TLS 1.3 (disabled by default for now) >> * a large number of other fixes, cleanup, and extensions" >> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >> --- >> lfs/hostapd | 24 ++++++++----------- >> .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- >> src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- >> 3 files changed, 15 insertions(+), 19 deletions(-) >> diff --git a/lfs/hostapd b/lfs/hostapd >> index cb2626bf3..f07d378be 100644 >> --- a/lfs/hostapd >> +++ b/lfs/hostapd >> @@ -1,7 +1,7 @@ >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >> +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # >> @@ -24,22 +24,18 @@ >> include Config >> -SUMMARY = Daemon for running a WPA capable Access Point >> +VER = 2_10 >> -VER = 581dfcc This reverts changes from another patch which I assume wasn’t intended. -Michael >> - >> -THISAPP = hostapd-$(VER) >> -DL_FILE = $(THISAPP).tar.gz >> +THISAPP = hostap_$(VER) >> +DL_FILE = $(THISAPP).tar.bz2 >> DL_FROM = $(URL_IPFIRE) >> -DIR_APP = $(DIR_SRC)/hostap-$(VER) >> +DIR_APP = $(DIR_SRC)/$(THISAPP) >> TARGET = $(DIR_INFO)/$(THISAPP) >> PROG = hostapd >> -PAK_VER = 58 >> +PAK_VER = 59 >> DEPS = >> -SERVICES = hostapd >> - >> ############################################################################### >> # Top-level Rules >> ############################################################################### >> @@ -48,7 +44,7 @@ objects = $(DL_FILE) >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd >> +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37 >> install : $(TARGET) >> @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : >> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) >> + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) >> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch >> cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config >> cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile >> - cd $(DIR_APP)/hostapd && make $(MAKETUNING) >> + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) >> cd $(DIR_APP)/hostapd && make install >> install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd >> # install initscript >> - $(call INSTALL_INITSCRIPTS,$(SERVICES)) >> + $(call INSTALL_INITSCRIPT,hostapd) >> mkdir -p /var/ipfire/wlanap >> touch /var/ipfire/wlanap/settings >> cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf >> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> index 87aec005b..67d9d4f22 100644 >> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> @@ -1,8 +1,8 @@ >> diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c >> --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 >> +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 >> -@@ -65,9 +65,9 @@ >> - struct wpa_group *group); >> +@@ -68,9 +68,9 @@ >> + static int ieee80211w_kde_len(struct wpa_state_machine *sm); >> static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); >> -static const u32 eapol_key_timeout_first = 100; /* ms */ >> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch >> index 638b76f84..01a33d0d0 100644 >> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch >> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch >> @@ -1,6 +1,6 @@ >> --- a/hostapd/config_file.c >> +++ b/hostapd/config_file.c >> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho >> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho >> if (bss->ocv && !bss->ieee80211w) >> bss->ieee80211w = 1; >> #endif /* CONFIG_OCV */ >> @@ -13,7 +13,7 @@ >> } else if (os_strcmp(buf, "ht_capab") == 0) { >> --- a/src/ap/ap_config.h >> +++ b/src/ap/ap_config.h >> -@@ -984,6 +984,8 @@ struct hostapd_config { >> +@@ -1014,6 +1014,8 @@ struct hostapd_config { >> int ht_op_mode_fixed; >> u16 ht_capab; >> @@ -24,7 +24,7 @@ >> int no_pri_sec_switch; >> --- a/src/ap/hw_features.c >> +++ b/src/ap/hw_features.c >> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct >> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct >> int ret; >> /* Check that HT40 is used and PRI / SEC switch is allowed */
Hello, > On 18 Feb 2022, at 17:52, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Matthias, > > thank you for submitting this. > >> For details see: >> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog >> "2022-01-16 - v2.10 >> * SAE changes >> - improved protection against side channel attacks >> [https://w1.fi/security/2022-1/] >> - added option send SAE Confirm immediately (sae_config_immediate=1) >> after SAE Commit >> - added support for the hash-to-element mechanism (sae_pwe=1 or >> sae_pwe=2) >> - fixed PMKSA caching with OKC >> - added support for SAE-PK >> * EAP-pwd changes >> - improved protection against side channel attacks >> [https://w1.fi/security/2022-1/] >> * fixed WPS UPnP SUBSCRIBE handling of invalid operations >> [https://w1.fi/security/2020-1/] >> * fixed PMF disconnection protection bypass >> [https://w1.fi/security/2019-7/] >> * added support for using OpenSSL 3.0 >> * fixed various issues in experimental support for EAP-TEAP server >> * added configuration (max_auth_rounds, max_auth_rounds_short) to >> increase the maximum number of EAP message exchanges (mainly to >> support cases with very large certificates) for the EAP server >> * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) >> * extended HE (IEEE 802.11ax) support, including 6 GHz support >> * removed obsolete IAPP functionality >> * fixed EAP-FAST server with TLS GCM/CCM ciphers >> * dropped support for libnl 1.1 >> * added support for nl80211 control port for EAPOL frame TX/RX >> * fixed OWE key derivation with groups 20 and 21; this breaks backwards >> compatibility for these groups while the default group 19 remains >> backwards compatible; owe_ptk_workaround=1 can be used to enabled a >> a workaround for the group 20/21 backwards compatibility >> * added support for Beacon protection > > Are there any plans on enabling this? I don’t know if there is any benefit from this and how compatible this is with older clients. > >> * added support for Extended Key ID for pairwise keys >> * removed WEP support from the default build (CONFIG_WEP=y can be used >> to enable it, if really needed) > > _Another_ broken technology finally bites the dust. Yay! We have WEP disabled for a long time now. -Michael > > Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > > Thanks, and best regards, > Peter Müller > >> * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) >> * added support for Transition Disable mechanism to allow the AP to >> automatically disable transition mode to improve security >> * added support for PASN >> * added EAP-TLS server support for TLS 1.3 (disabled by default for now) >> * a large number of other fixes, cleanup, and extensions" >> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> >> --- >> lfs/hostapd | 24 ++++++++----------- >> .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- >> src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- >> 3 files changed, 15 insertions(+), 19 deletions(-) >> diff --git a/lfs/hostapd b/lfs/hostapd >> index cb2626bf3..f07d378be 100644 >> --- a/lfs/hostapd >> +++ b/lfs/hostapd >> @@ -1,7 +1,7 @@ >> ############################################################################### >> # # >> # IPFire.org - A linux based firewall # >> -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # >> +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # >> # # >> # This program is free software: you can redistribute it and/or modify # >> # it under the terms of the GNU General Public License as published by # >> @@ -24,22 +24,18 @@ >> include Config >> -SUMMARY = Daemon for running a WPA capable Access Point >> +VER = 2_10 >> -VER = 581dfcc >> - >> -THISAPP = hostapd-$(VER) >> -DL_FILE = $(THISAPP).tar.gz >> +THISAPP = hostap_$(VER) >> +DL_FILE = $(THISAPP).tar.bz2 >> DL_FROM = $(URL_IPFIRE) >> -DIR_APP = $(DIR_SRC)/hostap-$(VER) >> +DIR_APP = $(DIR_SRC)/$(THISAPP) >> TARGET = $(DIR_INFO)/$(THISAPP) >> PROG = hostapd >> -PAK_VER = 58 >> +PAK_VER = 59 >> DEPS = >> -SERVICES = hostapd >> - >> ############################################################################### >> # Top-level Rules >> ############################################################################### >> @@ -48,7 +44,7 @@ objects = $(DL_FILE) >> $(DL_FILE) = $(DL_FROM)/$(DL_FILE) >> -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd >> +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37 >> install : $(TARGET) >> @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : >> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) >> + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) >> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch >> cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config >> cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile >> - cd $(DIR_APP)/hostapd && make $(MAKETUNING) >> + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) >> cd $(DIR_APP)/hostapd && make install >> install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd >> # install initscript >> - $(call INSTALL_INITSCRIPTS,$(SERVICES)) >> + $(call INSTALL_INITSCRIPT,hostapd) >> mkdir -p /var/ipfire/wlanap >> touch /var/ipfire/wlanap/settings >> cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf >> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> index 87aec005b..67d9d4f22 100644 >> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> @@ -1,8 +1,8 @@ >> diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c >> --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 >> +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 >> -@@ -65,9 +65,9 @@ >> - struct wpa_group *group); >> +@@ -68,9 +68,9 @@ >> + static int ieee80211w_kde_len(struct wpa_state_machine *sm); >> static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); >> -static const u32 eapol_key_timeout_first = 100; /* ms */ >> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch >> index 638b76f84..01a33d0d0 100644 >> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch >> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch >> @@ -1,6 +1,6 @@ >> --- a/hostapd/config_file.c >> +++ b/hostapd/config_file.c >> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho >> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho >> if (bss->ocv && !bss->ieee80211w) >> bss->ieee80211w = 1; >> #endif /* CONFIG_OCV */ >> @@ -13,7 +13,7 @@ >> } else if (os_strcmp(buf, "ht_capab") == 0) { >> --- a/src/ap/ap_config.h >> +++ b/src/ap/ap_config.h >> -@@ -984,6 +984,8 @@ struct hostapd_config { >> +@@ -1014,6 +1014,8 @@ struct hostapd_config { >> int ht_op_mode_fixed; >> u16 ht_capab; >> @@ -24,7 +24,7 @@ >> int no_pri_sec_switch; >> --- a/src/ap/hw_features.c >> +++ b/src/ap/hw_features.c >> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct >> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct >> int ret; >> /* Check that HT40 is used and PRI / SEC switch is allowed */
diff --git a/lfs/hostapd b/lfs/hostapd index cb2626bf3..f07d378be 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> # +# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,22 +24,18 @@ include Config -SUMMARY = Daemon for running a WPA capable Access Point +VER = 2_10 -VER = 581dfcc - -THISAPP = hostapd-$(VER) -DL_FILE = $(THISAPP).tar.gz +THISAPP = hostap_$(VER) +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 58 +PAK_VER = 59 DEPS = -SERVICES = hostapd - ############################################################################### # Top-level Rules ############################################################################### @@ -48,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37 install : $(TARGET) @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile - cd $(DIR_APP)/hostapd && make $(MAKETUNING) + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/hostapd && make install install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd # install initscript - $(call INSTALL_INITSCRIPTS,$(SERVICES)) + $(call INSTALL_INITSCRIPT,hostapd) mkdir -p /var/ipfire/wlanap touch /var/ipfire/wlanap/settings cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch index 87aec005b..67d9d4f22 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch @@ -1,8 +1,8 @@ diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -65,9 +65,9 @@ - struct wpa_group *group); +@@ -68,9 +68,9 @@ + static int ieee80211w_kde_len(struct wpa_state_machine *sm); static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); -static const u32 eapol_key_timeout_first = 100; /* ms */ diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch index 638b76f84..01a33d0d0 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch @@ -1,6 +1,6 @@ --- a/hostapd/config_file.c +++ b/hostapd/config_file.c -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -13,7 +13,7 @@ } else if (os_strcmp(buf, "ht_capab") == 0) { --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h -@@ -984,6 +984,8 @@ struct hostapd_config { +@@ -1014,6 +1014,8 @@ struct hostapd_config { int ht_op_mode_fixed; u16 ht_capab; @@ -24,7 +24,7 @@ int no_pri_sec_switch; --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct int ret; /* Check that HT40 is used and PRI / SEC switch is allowed */