From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 1/2] hostapd: Update to 2.10 Date: Sun, 20 Feb 2022 17:47:34 +0000 Message-ID: <40A613E8-A17A-4EB3-A371-08AB8A73F077@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6219767131422053613==" List-Id: --===============6219767131422053613== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, This patch should have not been merged. > On 18 Feb 2022, at 17:52, Peter M=C3=BCller wr= ote: >=20 > Hello Matthias, >=20 > thank you for submitting this. >=20 >> For details see: >> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog >> "2022-01-16 - v2.10 >> * SAE changes >> - improved protection against side channel attacks >> [https://w1.fi/security/2022-1/] >> - added option send SAE Confirm immediately (sae_config_immediate=3D1) >> after SAE Commit >> - added support for the hash-to-element mechanism (sae_pwe=3D1 or >> sae_pwe=3D2) >> - fixed PMKSA caching with OKC >> - added support for SAE-PK >> * EAP-pwd changes >> - improved protection against side channel attacks >> [https://w1.fi/security/2022-1/] >> * fixed WPS UPnP SUBSCRIBE handling of invalid operations >> [https://w1.fi/security/2020-1/] >> * fixed PMF disconnection protection bypass >> [https://w1.fi/security/2019-7/] >> * added support for using OpenSSL 3.0 >> * fixed various issues in experimental support for EAP-TEAP server >> * added configuration (max_auth_rounds, max_auth_rounds_short) to >> increase the maximum number of EAP message exchanges (mainly to >> support cases with very large certificates) for the EAP server >> * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) >> * extended HE (IEEE 802.11ax) support, including 6 GHz support >> * removed obsolete IAPP functionality >> * fixed EAP-FAST server with TLS GCM/CCM ciphers >> * dropped support for libnl 1.1 >> * added support for nl80211 control port for EAPOL frame TX/RX >> * fixed OWE key derivation with groups 20 and 21; this breaks backwards >> compatibility for these groups while the default group 19 remains >> backwards compatible; owe_ptk_workaround=3D1 can be used to enabled a >> a workaround for the group 20/21 backwards compatibility >> * added support for Beacon protection >=20 > Are there any plans on enabling this? >=20 >> * added support for Extended Key ID for pairwise keys >> * removed WEP support from the default build (CONFIG_WEP=3Dy can be used >> to enable it, if really needed) >=20 > _Another_ broken technology finally bites the dust. Yay! >=20 > Reviewed-by: Peter M=C3=BCller >=20 > Thanks, and best regards, > Peter M=C3=BCller >=20 >> * added a build option to remove TKIP support (CONFIG_NO_TKIP=3Dy) >> * added support for Transition Disable mechanism to allow the AP to >> automatically disable transition mode to improve security >> * added support for PASN >> * added EAP-TLS server support for TLS 1.3 (disabled by default for now) >> * a large number of other fixes, cleanup, and extensions" >> Signed-off-by: Matthias Fischer >> --- >> lfs/hostapd | 24 ++++++++----------- >> .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- >> src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- >> 3 files changed, 15 insertions(+), 19 deletions(-) >> diff --git a/lfs/hostapd b/lfs/hostapd >> index cb2626bf3..f07d378be 100644 >> --- a/lfs/hostapd >> +++ b/lfs/hostapd >> @@ -1,7 +1,7 @@ >> #########################################################################= ###### >> # = # >> # IPFire.org - A linux based firewall = # >> -# Copyright (C) 2007-2021 IPFire Team = # >> +# Copyright (C) 2007-2022 IPFire Team = # >> # = # >> # This program is free software: you can redistribute it and/or modify = # >> # it under the terms of the GNU General Public License as published by = # >> @@ -24,22 +24,18 @@ >> include Config >> -SUMMARY =3D Daemon for running a WPA capable Access Point >> +VER =3D 2_10 >> -VER =3D 581dfcc This reverts changes from another patch which I assume wasn=E2=80=99t intende= d. -Michael >> - >> -THISAPP =3D hostapd-$(VER) >> -DL_FILE =3D $(THISAPP).tar.gz >> +THISAPP =3D hostap_$(VER) >> +DL_FILE =3D $(THISAPP).tar.bz2 >> DL_FROM =3D $(URL_IPFIRE) >> -DIR_APP =3D $(DIR_SRC)/hostap-$(VER) >> +DIR_APP =3D $(DIR_SRC)/$(THISAPP) >> TARGET =3D $(DIR_INFO)/$(THISAPP) >> PROG =3D hostapd >> -PAK_VER =3D 58 >> +PAK_VER =3D 59 >> DEPS =3D >> -SERVICES =3D hostapd >> - >> #########################################################################= ###### >> # Top-level Rules >> #########################################################################= ###### >> @@ -48,7 +44,7 @@ objects =3D $(DL_FILE) >> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >> -$(DL_FILE)_MD5 =3D eed922f2daabe16d74adf2b23455d8bd >> +$(DL_FILE)_MD5 =3D 973639d02c9f6712b3b3da6d6c70ab37 >> install : $(TARGET) >> @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : >> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) >> + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) >> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2= .9-increase_EAPOL-timeouts.patch >> cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9= -noscan.patch >> cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config >> cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr(a)g" -i Makefile >> - cd $(DIR_APP)/hostapd && make $(MAKETUNING) >> + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) >> cd $(DIR_APP)/hostapd && make install >> install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/= backup/addons/includes/hostapd >> # install initscript >> - $(call INSTALL_INITSCRIPTS,$(SERVICES)) >> + $(call INSTALL_INITSCRIPT,hostapd) >> mkdir -p /var/ipfire/wlanap >> touch /var/ipfire/wlanap/settings >> cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostap= d.conf >> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch= b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> index 87aec005b..67d9d4f22 100644 >> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch >> @@ -1,8 +1,8 @@ >> diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c >> --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 >> +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 >> -@@ -65,9 +65,9 @@ >> - struct wpa_group *group); >> +@@ -68,9 +68,9 @@ >> + static int ieee80211w_kde_len(struct wpa_state_machine *sm); >> static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); >> -static const u32 eapol_key_timeout_first =3D 100; /* ms */ >> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/ho= stapd/hostapd-2.9-noscan.patch >> index 638b76f84..01a33d0d0 100644 >> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch >> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch >> @@ -1,6 +1,6 @@ >> --- a/hostapd/config_file.c >> +++ b/hostapd/config_file.c >> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho >> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho >> if (bss->ocv && !bss->ieee80211w) >> bss->ieee80211w =3D 1; >> #endif /* CONFIG_OCV */ >> @@ -13,7 +13,7 @@ >> } else if (os_strcmp(buf, "ht_capab") =3D=3D 0) { >> --- a/src/ap/ap_config.h >> +++ b/src/ap/ap_config.h >> -@@ -984,6 +984,8 @@ struct hostapd_config { >> +@@ -1014,6 +1014,8 @@ struct hostapd_config { >> int ht_op_mode_fixed; >> u16 ht_capab; >> @@ -24,7 +24,7 @@ >> int no_pri_sec_switch; >> --- a/src/ap/hw_features.c >> +++ b/src/ap/hw_features.c >> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct >> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct >> int ret; >> /* Check that HT40 is used and PRI / SEC switch is allowed */ --===============6219767131422053613==--