From patchwork Fri Feb 18 17:13:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 5185 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4K0dZg6x1yz3wtR for ; Fri, 18 Feb 2022 17:13:47 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4K0dZd4MjNz12l; Fri, 18 Feb 2022 17:13:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4K0dZd39TJz2yV8; Fri, 18 Feb 2022 17:13:45 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4K0dZb5YhFz2xbW for ; Fri, 18 Feb 2022 17:13:43 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4K0dZZ4J9NzfR for ; Fri, 18 Feb 2022 17:13:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1645204422; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=yuyJpB8jrYcpnW8j9+Wudqwo5MHJ+5Nn6R22VSKeg9A=; b=tzzM9gLTN7mhAGVwT5O/clm6ro3hOkWMmLeSyV05LUkQ3oRgRw1Npe0OsGeu2UG+Z9VO1n GoEHMRl9gQiuM+Cw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1645204422; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=yuyJpB8jrYcpnW8j9+Wudqwo5MHJ+5Nn6R22VSKeg9A=; b=O56r+hlAW1cGA406zOvO3+UjPMqC5z8SLFDfff1d0Mn834jDOzNu0RnaV4VcyIJXVhBEvE W4Q4GaFNBVcGmO9HVsnqFfXdjpRJxniQ2gyqUzXGmtOXppPrb3WHEyE1DcGY0qazU3lbA8 69Ng13BohmrYObBAJHfSeNiR5I/Cqod4/lAIrf6GF3PMAXeDLYjH5BSd5oMGGZQPqOsGd7 Eb2IChdOcmuYImRXPgbGTHiknd8agOkg9K2Qz706PfAIYpGpqaoOzPguor6TW5Pwx/T2vp LRRlNYwTmQVibABJ/SFnuJa1RAYDktJ8rGGs7Deh7cH2kzKjymz6YJIvPQ5MDw== From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH 1/2] hostapd: Update to 2.10 Date: Fri, 18 Feb 2022 18:13:34 +0100 Message-Id: <20220218171336.4024505-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog "2022-01-16 - v2.10 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added option send SAE Confirm immediately (sae_config_immediate=1) after SAE Commit - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2) - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed WPS UPnP SUBSCRIBE handling of invalid operations [https://w1.fi/security/2020-1/] * fixed PMF disconnection protection bypass [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * fixed various issues in experimental support for EAP-TEAP server * added configuration (max_auth_rounds, max_auth_rounds_short) to increase the maximum number of EAP message exchanges (mainly to support cases with very large certificates) for the EAP server * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * extended HE (IEEE 802.11ax) support, including 6 GHz support * removed obsolete IAPP functionality * fixed EAP-FAST server with TLS GCM/CCM ciphers * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible; owe_ptk_workaround=1 can be used to enabled a a workaround for the group 20/21 backwards compatibility * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * added support for PASN * added EAP-TLS server support for TLS 1.3 (disabled by default for now) * a large number of other fixes, cleanup, and extensions" Signed-off-by: Matthias Fischer Reviewed-by: Peter Müller --- lfs/hostapd | 24 ++++++++----------- .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- 3 files changed, 15 insertions(+), 19 deletions(-) diff --git a/lfs/hostapd b/lfs/hostapd index cb2626bf3..f07d378be 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team # +# Copyright (C) 2007-2022 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,22 +24,18 @@ include Config -SUMMARY = Daemon for running a WPA capable Access Point +VER = 2_10 -VER = 581dfcc - -THISAPP = hostapd-$(VER) -DL_FILE = $(THISAPP).tar.gz +THISAPP = hostap_$(VER) +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 58 +PAK_VER = 59 DEPS = -SERVICES = hostapd - ############################################################################### # Top-level Rules ############################################################################### @@ -48,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37 install : $(TARGET) @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile - cd $(DIR_APP)/hostapd && make $(MAKETUNING) + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/hostapd && make install install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd # install initscript - $(call INSTALL_INITSCRIPTS,$(SERVICES)) + $(call INSTALL_INITSCRIPT,hostapd) mkdir -p /var/ipfire/wlanap touch /var/ipfire/wlanap/settings cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch index 87aec005b..67d9d4f22 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch @@ -1,8 +1,8 @@ diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -65,9 +65,9 @@ - struct wpa_group *group); +@@ -68,9 +68,9 @@ + static int ieee80211w_kde_len(struct wpa_state_machine *sm); static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); -static const u32 eapol_key_timeout_first = 100; /* ms */ diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch index 638b76f84..01a33d0d0 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch @@ -1,6 +1,6 @@ --- a/hostapd/config_file.c +++ b/hostapd/config_file.c -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -13,7 +13,7 @@ } else if (os_strcmp(buf, "ht_capab") == 0) { --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h -@@ -984,6 +984,8 @@ struct hostapd_config { +@@ -1014,6 +1014,8 @@ struct hostapd_config { int ht_op_mode_fixed; u16 ht_capab; @@ -24,7 +24,7 @@ int no_pri_sec_switch; --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct int ret; /* Check that HT40 is used and PRI / SEC switch is allowed */