From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] hostapd: Update to version 2_11
Date: Wed, 07 Aug 2024 10:34:17 +0100 [thread overview]
Message-ID: <CA39E612-7F08-4AD7-A0C1-8C2F46C0D8E6@ipfire.org> (raw)
In-Reply-To: <20240807082256.2371-1-adolf.belka@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 9117 bytes --]
Thank you for this. I will give it a test later now that I have internet again...
> On 7 Aug 2024, at 09:22, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> - Update from version 2_10 to 2_11
> - Update of rootfile not required
> - Update of patches to latest source tarball
> - Changelog
> 2_11
> * Wi-Fi Easy Connect
> - add support for DPP release 3
> - allow Configurator parameters to be provided during config exchange
> * HE/IEEE 802.11ax/Wi-Fi 6
> - various fixes
> * EHT/IEEE 802.11be/Wi-Fi 7
> - add preliminary support
> * SAE: add support for fetching the password from a RADIUS server
> * support OpenSSL 3.0 API changes
> * support background radar detection and CAC with some additional
> drivers
> * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
> * EAP-SIM/AKA: support IMSI privacy
> * improve 4-way handshake operations
> - use Secure=1 in message 3 during PTK rekeying
> * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
> to avoid interoperability issues
> * support new SAE AKM suites with variable length keys
> * support new AKM for 802.1X/EAP with SHA384
> * extend PASN support for secure ranging
> * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
> - this is based on additional details being added in the IEEE 802.11
> standard
> - the new implementation is not backwards compatible
> * improved ACS to cover additional channel types/bandwidths
> * extended Multiple BSSID support
> * fix beacon protection with FT protocol (incorrect BIGTK was provided)
> * support unsynchronized service discovery (USD)
> * add preliminary support for RADIUS/TLS
> * add support for explicit SSID protection in 4-way handshake
> (a mitigation for CVE-2023-52424; disabled by default for now, can be
> enabled with ssid_protection=1)
> * fix SAE H2E rejected groups validation to avoid downgrade attacks
> * use stricter validation for some RADIUS messages
> * a large number of other fixes, cleanup, and extensions
>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> lfs/hostapd | 12 ++++----
> ...ostapd-2.11-increase_EAPOL-timeouts.patch} | 11 ++++---
> ...noscan.patch => hostapd-2.11-noscan.patch} | 30 +++++++++++--------
> 3 files changed, 28 insertions(+), 25 deletions(-)
> rename src/patches/hostapd/{hostapd-2.9-increase_EAPOL-timeouts.patch => hostapd-2.11-increase_EAPOL-timeouts.patch} (61%)
> rename src/patches/hostapd/{hostapd-2.9-noscan.patch => hostapd-2.11-noscan.patch} (56%)
>
> diff --git a/lfs/hostapd b/lfs/hostapd
> index 5db99891d..2efa5a605 100644
> --- a/lfs/hostapd
> +++ b/lfs/hostapd
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
> +# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -25,7 +25,7 @@
> include Config
>
> SUMMARY = Daemon for running a WPA capable Access Point
> -VER = 2_10
> +VER = 2_11
>
> THISAPP = hostap_$(VER)
> DL_FILE = $(THISAPP).tar.bz2
> @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE)
> DIR_APP = $(DIR_SRC)/$(THISAPP)
> TARGET = $(DIR_INFO)/$(THISAPP)
> PROG = hostapd
> -PAK_VER = 63
> +PAK_VER = 64
>
> DEPS =
>
> @@ -47,7 +47,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_BLAKE2 = de474630835a1208ce456d3151759cd3411dc63b2470de7144117634d4985aba1c878fd2cc2388cf6226bc0674eb2bf48cc4b4491f85f3461966b0278f75ea1e
> +$(DL_FILE)_BLAKE2 = de98a3634ff937b0068329219e4fa5dece34c9eeb27fa81a9e7de689d5dd2936ceb0ea43923a0e994e0a7bfcd71709b5f739df2f3efdd7c6ec5c765171711a19
>
> install : $(TARGET)
>
> @@ -81,8 +81,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @$(PREBUILD)
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
> + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
> + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-noscan.patch
>
> cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
> cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr(a)g" -i Makefile
> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
> similarity index 61%
> rename from src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> rename to src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
> index 67d9d4f22..d6f04cd12 100644
> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> +++ b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
> @@ -1,9 +1,8 @@
> -diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
> ---- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019
> -+++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019
> -@@ -68,9 +68,9 @@
> - static int ieee80211w_kde_len(struct wpa_state_machine *sm);
> - static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
> +--- hostap_2_11/src/ap/wpa_auth.c.orig 2024-07-20 20:04:37.000000000 +0200
> ++++ hostap_2_11/src/ap/wpa_auth.c 2024-08-06 12:51:22.849029559 +0200
> +@@ -75,9 +75,9 @@
> + struct wpa_group *group);
> +
>
> -static const u32 eapol_key_timeout_first = 100; /* ms */
> -static const u32 eapol_key_timeout_subseq = 1000; /* ms */
> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.11-noscan.patch
> similarity index 56%
> rename from src/patches/hostapd/hostapd-2.9-noscan.patch
> rename to src/patches/hostapd/hostapd-2.11-noscan.patch
> index 01a33d0d0..ba3a71419 100644
> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch
> +++ b/src/patches/hostapd/hostapd-2.11-noscan.patch
> @@ -1,6 +1,7 @@
> ---- a/hostapd/config_file.c
> -+++ b/hostapd/config_file.c
> -@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
> +diff -Naur hostap_2_11.orig/hostapd/config_file.c hostap_2_11/hostapd/config_file.c
> +--- hostap_2_11.orig/hostapd/config_file.c 2024-07-20 20:04:37.000000000 +0200
> ++++ hostap_2_11/hostapd/config_file.c 2024-08-06 12:55:53.750009117 +0200
> +@@ -3678,6 +3678,10 @@
> if (bss->ocv && !bss->ieee80211w)
> bss->ieee80211w = 1;
> #endif /* CONFIG_OCV */
> @@ -11,9 +12,10 @@
> } else if (os_strcmp(buf, "ieee80211n") == 0) {
> conf->ieee80211n = atoi(pos);
> } else if (os_strcmp(buf, "ht_capab") == 0) {
> ---- a/src/ap/ap_config.h
> -+++ b/src/ap/ap_config.h
> -@@ -1014,6 +1014,8 @@ struct hostapd_config {
> +diff -Naur hostap_2_11.orig/src/ap/ap_config.h hostap_2_11/src/ap/ap_config.h
> +--- hostap_2_11.orig/src/ap/ap_config.h 2024-07-20 20:04:37.000000000 +0200
> ++++ hostap_2_11/src/ap/ap_config.h 2024-08-06 12:57:06.779631503 +0200
> +@@ -1108,6 +1108,8 @@
>
> int ht_op_mode_fixed;
> u16 ht_capab;
> @@ -22,9 +24,10 @@
> int ieee80211n;
> int secondary_channel;
> int no_pri_sec_switch;
> ---- a/src/ap/hw_features.c
> -+++ b/src/ap/hw_features.c
> -@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
> +diff -Naur hostap_2_11.orig/src/ap/hw_features.c hostap_2_11/src/ap/hw_features.c
> +--- hostap_2_11.orig/src/ap/hw_features.c 2024-07-20 20:04:37.000000000 +0200
> ++++ hostap_2_11/src/ap/hw_features.c 2024-08-06 12:58:29.122962573 +0200
> +@@ -551,7 +551,8 @@
> int ret;
>
> /* Check that HT40 is used and PRI / SEC switch is allowed */
> @@ -34,9 +37,10 @@
> return 0;
>
> hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
> ---- a/src/ap/ieee802_11_ht.c
> -+++ b/src/ap/ieee802_11_ht.c
> -@@ -230,6 +230,9 @@ void hostapd_2040_coex_action(struct hos
> +diff -Naur hostap_2_11.orig/src/ap/ieee802_11_ht.c hostap_2_11/src/ap/ieee802_11_ht.c
> +--- hostap_2_11.orig/src/ap/ieee802_11_ht.c 2024-07-20 20:04:37.000000000 +0200
> ++++ hostap_2_11/src/ap/ieee802_11_ht.c 2024-08-06 13:00:31.237899938 +0200
> +@@ -230,6 +230,9 @@
> return;
> }
>
> @@ -46,7 +50,7 @@
> if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) {
> wpa_printf(MSG_DEBUG,
> "Ignore too short 20/40 BSS Coexistence Management frame");
> -@@ -390,6 +393,9 @@ void ht40_intolerant_add(struct hostapd_
> +@@ -390,6 +393,9 @@
> if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
> return;
>
> --
> 2.45.2
>
prev parent reply other threads:[~2024-08-07 9:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-07 8:22 Adolf Belka
2024-08-07 9:34 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA39E612-7F08-4AD7-A0C1-8C2F46C0D8E6@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox