From patchwork Wed Aug 7 08:22:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7938 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Wf38V6Ynnz3x2s for ; Wed, 7 Aug 2024 08:23:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Wf38S4QGTz14R; Wed, 7 Aug 2024 08:23:04 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Wf38S2Jvyz33yl; Wed, 7 Aug 2024 08:23:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Wf38N6XTMz33yC for ; Wed, 7 Aug 2024 08:23:00 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Wf38M6RZgz7c; Wed, 7 Aug 2024 08:22:59 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1723018980; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=1/NsnZH5dD1wFaB39qMle3FahhYl0m1LXwGo6EiO7HY=; b=6xsnOZdPoPYkEHmaN5m8ZWFV0wb2S9pdSlt2CbFFKCIyZ6+5d6tZ5s5/omEU5UgAb51jHQ xlZ31fVT3LXDFHCg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1723018980; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=1/NsnZH5dD1wFaB39qMle3FahhYl0m1LXwGo6EiO7HY=; b=XKYo7+StRYfRUOjIPgiFZoyxy+wW0wjH7/cBiKZ2SL+C1ctwgVbk6BoRIPWn6VEi3c+vUm oA8vgIhrts8bU+guLJXuMTDA7jwKtkNlWtOUty5tWtGbZE7BGH4grP7ALzP6qDn3Ier0bm fvGwMiSXLc4iKP5Gd5l6vzFEWtTizPKaNQXg7X/cHOBfJb9NIlwbgYKRftvMGNq9O60IsI flG6yFzxznE+ZWK7fI+SpuHDr4c158XF5TOaDHhY9h9WPolb5+KlwUp6Xmnio/ArN1WvjT Cs9JYLdZL/K2HPZAD0HRv5Pj65d5//k/Ua+arkTK0EuzcBzM0XBM0sJ9JaJtbw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] hostapd: Update to version 2_11 Date: Wed, 7 Aug 2024 10:22:56 +0200 Message-ID: <20240807082256.2371-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: FYBPYOYBNB6LEWRGWSQMMP7SG4FDI4SQ X-Message-ID-Hash: FYBPYOYBNB6LEWRGWSQMMP7SG4FDI4SQ X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - Update from version 2_10 to 2_11 - Update of rootfile not required - Update of patches to latest source tarball - Changelog 2_11 * Wi-Fi Easy Connect - add support for DPP release 3 - allow Configurator parameters to be provided during config exchange * HE/IEEE 802.11ax/Wi-Fi 6 - various fixes * EHT/IEEE 802.11be/Wi-Fi 7 - add preliminary support * SAE: add support for fetching the password from a RADIUS server * support OpenSSL 3.0 API changes * support background radar detection and CAC with some additional drivers * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3) * EAP-SIM/AKA: support IMSI privacy * improve 4-way handshake operations - use Secure=1 in message 3 during PTK rekeying * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues * support new SAE AKM suites with variable length keys * support new AKM for 802.1X/EAP with SHA384 * extend PASN support for secure ranging * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) - this is based on additional details being added in the IEEE 802.11 standard - the new implementation is not backwards compatible * improved ACS to cover additional channel types/bandwidths * extended Multiple BSSID support * fix beacon protection with FT protocol (incorrect BIGTK was provided) * support unsynchronized service discovery (USD) * add preliminary support for RADIUS/TLS * add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1) * fix SAE H2E rejected groups validation to avoid downgrade attacks * use stricter validation for some RADIUS messages * a large number of other fixes, cleanup, and extensions Signed-off-by: Adolf Belka --- lfs/hostapd | 12 ++++---- ...ostapd-2.11-increase_EAPOL-timeouts.patch} | 11 ++++--- ...noscan.patch => hostapd-2.11-noscan.patch} | 30 +++++++++++-------- 3 files changed, 28 insertions(+), 25 deletions(-) rename src/patches/hostapd/{hostapd-2.9-increase_EAPOL-timeouts.patch => hostapd-2.11-increase_EAPOL-timeouts.patch} (61%) rename src/patches/hostapd/{hostapd-2.9-noscan.patch => hostapd-2.11-noscan.patch} (56%) diff --git a/lfs/hostapd b/lfs/hostapd index 5db99891d..2efa5a605 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config SUMMARY = Daemon for running a WPA capable Access Point -VER = 2_10 +VER = 2_11 THISAPP = hostap_$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 63 +PAK_VER = 64 DEPS = @@ -47,7 +47,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = de474630835a1208ce456d3151759cd3411dc63b2470de7144117634d4985aba1c878fd2cc2388cf6226bc0674eb2bf48cc4b4491f85f3461966b0278f75ea1e +$(DL_FILE)_BLAKE2 = de98a3634ff937b0068329219e4fa5dece34c9eeb27fa81a9e7de689d5dd2936ceb0ea43923a0e994e0a7bfcd71709b5f739df2f3efdd7c6ec5c765171711a19 install : $(TARGET) @@ -81,8 +81,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-noscan.patch cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch similarity index 61% rename from src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch rename to src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch index 67d9d4f22..d6f04cd12 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch @@ -1,9 +1,8 @@ -diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c ---- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 -+++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -68,9 +68,9 @@ - static int ieee80211w_kde_len(struct wpa_state_machine *sm); - static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); +--- hostap_2_11/src/ap/wpa_auth.c.orig 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/wpa_auth.c 2024-08-06 12:51:22.849029559 +0200 +@@ -75,9 +75,9 @@ + struct wpa_group *group); + -static const u32 eapol_key_timeout_first = 100; /* ms */ -static const u32 eapol_key_timeout_subseq = 1000; /* ms */ diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.11-noscan.patch similarity index 56% rename from src/patches/hostapd/hostapd-2.9-noscan.patch rename to src/patches/hostapd/hostapd-2.11-noscan.patch index 01a33d0d0..ba3a71419 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.11-noscan.patch @@ -1,6 +1,7 @@ ---- a/hostapd/config_file.c -+++ b/hostapd/config_file.c -@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho +diff -Naur hostap_2_11.orig/hostapd/config_file.c hostap_2_11/hostapd/config_file.c +--- hostap_2_11.orig/hostapd/config_file.c 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/hostapd/config_file.c 2024-08-06 12:55:53.750009117 +0200 +@@ -3678,6 +3678,10 @@ if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -11,9 +12,10 @@ } else if (os_strcmp(buf, "ieee80211n") == 0) { conf->ieee80211n = atoi(pos); } else if (os_strcmp(buf, "ht_capab") == 0) { ---- a/src/ap/ap_config.h -+++ b/src/ap/ap_config.h -@@ -1014,6 +1014,8 @@ struct hostapd_config { +diff -Naur hostap_2_11.orig/src/ap/ap_config.h hostap_2_11/src/ap/ap_config.h +--- hostap_2_11.orig/src/ap/ap_config.h 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/ap_config.h 2024-08-06 12:57:06.779631503 +0200 +@@ -1108,6 +1108,8 @@ int ht_op_mode_fixed; u16 ht_capab; @@ -22,9 +24,10 @@ int ieee80211n; int secondary_channel; int no_pri_sec_switch; ---- a/src/ap/hw_features.c -+++ b/src/ap/hw_features.c -@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct +diff -Naur hostap_2_11.orig/src/ap/hw_features.c hostap_2_11/src/ap/hw_features.c +--- hostap_2_11.orig/src/ap/hw_features.c 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/hw_features.c 2024-08-06 12:58:29.122962573 +0200 +@@ -551,7 +551,8 @@ int ret; /* Check that HT40 is used and PRI / SEC switch is allowed */ @@ -34,9 +37,10 @@ return 0; hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); ---- a/src/ap/ieee802_11_ht.c -+++ b/src/ap/ieee802_11_ht.c -@@ -230,6 +230,9 @@ void hostapd_2040_coex_action(struct hos +diff -Naur hostap_2_11.orig/src/ap/ieee802_11_ht.c hostap_2_11/src/ap/ieee802_11_ht.c +--- hostap_2_11.orig/src/ap/ieee802_11_ht.c 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/ieee802_11_ht.c 2024-08-06 13:00:31.237899938 +0200 +@@ -230,6 +230,9 @@ return; } @@ -46,7 +50,7 @@ if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) { wpa_printf(MSG_DEBUG, "Ignore too short 20/40 BSS Coexistence Management frame"); -@@ -390,6 +393,9 @@ void ht40_intolerant_add(struct hostapd_ +@@ -390,6 +393,9 @@ if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) return;