From patchwork Fri Jan 17 17:08:38 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8431
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] wpa-supplicant: Update to version 2.11
Date: Fri, 17 Jan 2025 18:08:38 +0100
Message-ID: <20250117170838.1376068-1-adolf.belka@ipfire.org>
List-Id: IPFire development talk

- Update from version 2.10 to 2.11
- Update of rootfile not required
- Changelog
    2.11
	* Wi-Fi Easy Connect
	  - add support for DPP release 3
	  - allow Configurator parameters to be provided during config exchange
	* MACsec
	  - add support for GCM-AES-256 cipher suite
	  - remove incorrect EAP Session-Id length constraint
	  - add hardware offload support for additional drivers
	* HE/IEEE 802.11ax/Wi-Fi 6
	  - support BSS color updates
	  - various fixes
	* EHT/IEEE 802.11be/Wi-Fi 7
	  - add preliminary support
	* support OpenSSL 3.0 API changes
	* improve EAP-TLS support for TLSv1.3
	* EAP-SIM/AKA: support IMSI privacy
	* improve mitigation against DoS attacks when PMF is used
	* improve 4-way handshake operations
	  - discard unencrypted EAPOL frames in additional cases
	  - use Secure=1 in message 2 during PTK rekeying
	* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
	  to avoid interoperability issues
	* support new SAE AKM suites with variable length keys
	* support new AKM for 802.1X/EAP with SHA384
	* improve cross-AKM roaming with driver-based SME/BSS selection
	* PASN
	  - extend support for secure ranging
	  - allow PASN implementation to be used with external programs for
	    Wi-Fi Aware
	* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
	  - this is based on additional details being added in the IEEE 802.11
	    standard
	  - the new implementation is not backwards compatible, but PMKSA
	    caching with FT-EAP was, and still is, disabled by default
	* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
	  for using per-network random MAC addresses
	* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
	  to improve security for still unfortunately common invalid
	  configurations that do not set ca_cert
	* extend SCS support for QoS Characteristics
	* extend MSCS support
	* support unsynchronized service discovery (USD)
	* add support for explicit SSID protection in 4-way handshake
	  (a mitigation for CVE-2023-52424; disabled by default for now, can be
	  enabled with ssid_protection=1)
	  - in addition, verify SSID after key setup when beacon protection is
	    used
	* fix SAE H2E rejected groups validation to avoid downgrade attacks
	* a large number of other fixes, cleanup, and extensions

Signed-off-by: Adolf Belka
---
 lfs/wpa_supplicant | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/wpa_supplicant b/lfs/wpa_supplicant index f3c12992d..38a147619 100644 --- a/lfs/wpa_supplicant +++ b/lfs/wpa_supplicant @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 2.10 +VER = 2.11 THISAPP = wpa_supplicant-$(VER) DL_FILE = $(THISAPP).tar.gz 
@@ -41,7 +41,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 7f6045e5dcf24f7ccf1ea75c99541f9d68fadaea858a6ca11a95c997de14e33b3aa89138e748664579b5a4ea493d247cf6613da3c5fae49a4dbb5cd58dace752 +$(DL_FILE)_BLAKE2 = 71bd0d11cd31eb5bc6beb51caf0f1399856ea188f316d2330053a2d8c81869057811e9f500828e8981eabd0af38f30a18a3ae584d744005c78681c82fa910abf install : $(TARGET)
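
Review bot: the VER bump from 2.10 to 2.11 in the second hunk pulls in behaviour changes that the commit message lists but does not assess for IPFire. Per the quoted changelog, EAP-PEAP now requires Phase 2 authentication by default (phase2_auth=1) and the FT-EAP PMKID derivation is not backwards compatible, while the diff changes only the version, the checksum and the copyright year. Please add a line to the commit message saying whether existing client configurations were tested against 2.11, and whether ssid_protection=1 (the CVE-2023-52424 mitigation, disabled by default upstream) is intended to stay off.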
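
Review bot: the new $(DL_FILE)_BLAKE2 value in the last hunk cannot be traced to anything in the message. The download location is unchanged ($(DL_FILE) = $(DL_FROM)/$(DL_FILE)), so this digest is the only check on the 2.11 tarball. Please state in the commit message how it was computed, for example over a tarball that was first verified against the upstream project's published signature or checksum.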