From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH 1/2] hostapd: Update to 2.10 Date: Fri, 18 Feb 2022 17:52:50 +0000 Message-ID: In-Reply-To: <20220218171336.4024505-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3733812919946025721==" List-Id: --===============3733812919946025721== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Matthias, thank you for submitting this. > For details see: > https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog >=20 > "2022-01-16 - v2.10 > * SAE changes > - improved protection against side channel attacks > [https://w1.fi/security/2022-1/] > - added option send SAE Confirm immediately (sae_config_immediate=3D1) > after SAE Commit > - added support for the hash-to-element mechanism (sae_pwe=3D1 or > sae_pwe=3D2) > - fixed PMKSA caching with OKC > - added support for SAE-PK > * EAP-pwd changes > - improved protection against side channel attacks > [https://w1.fi/security/2022-1/] > * fixed WPS UPnP SUBSCRIBE handling of invalid operations > [https://w1.fi/security/2020-1/] > * fixed PMF disconnection protection bypass > [https://w1.fi/security/2019-7/] > * added support for using OpenSSL 3.0 > * fixed various issues in experimental support for EAP-TEAP server > * added configuration (max_auth_rounds, max_auth_rounds_short) to > increase the maximum number of EAP message exchanges (mainly to > support cases with very large certificates) for the EAP server > * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) > * extended HE (IEEE 802.11ax) support, including 6 GHz support > * removed obsolete IAPP functionality > * fixed EAP-FAST server with TLS GCM/CCM ciphers > * dropped support for libnl 1.1 > * added support for nl80211 control port for EAPOL frame TX/RX > * fixed OWE key derivation with groups 20 and 21; this breaks backwards > compatibility for these groups while the default group 19 remains > backwards compatible; owe_ptk_workaround=3D1 can be used to enabled a > a workaround for the group 20/21 backwards compatibility > * added support for Beacon protection Are there any plans on enabling this? > * added support for Extended Key ID for pairwise keys > * removed WEP support from the default build (CONFIG_WEP=3Dy can be used > to enable it, if really needed) _Another_ broken technology finally bites the dust. Yay! Reviewed-by: Peter M=C3=BCller Thanks, and best regards, Peter M=C3=BCller > * added a build option to remove TKIP support (CONFIG_NO_TKIP=3Dy) > * added support for Transition Disable mechanism to allow the AP to > automatically disable transition mode to improve security > * added support for PASN > * added EAP-TLS server support for TLS 1.3 (disabled by default for now) > * a large number of other fixes, cleanup, and extensions" >=20 > Signed-off-by: Matthias Fischer > --- > lfs/hostapd | 24 ++++++++----------- > .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- > src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- > 3 files changed, 15 insertions(+), 19 deletions(-) >=20 > diff --git a/lfs/hostapd b/lfs/hostapd > index cb2626bf3..f07d378be 100644 > --- a/lfs/hostapd > +++ b/lfs/hostapd > @@ -1,7 +1,7 @@ > #########################################################################= ###### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2021 IPFire Team = # > +# Copyright (C) 2007-2022 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -24,22 +24,18 @@ > =20 > include Config > =20 > -SUMMARY =3D Daemon for running a WPA capable Access Point > +VER =3D 2_10 > =20 > -VER =3D 581dfcc > - > -THISAPP =3D hostapd-$(VER) > -DL_FILE =3D $(THISAPP).tar.gz > +THISAPP =3D hostap_$(VER) > +DL_FILE =3D $(THISAPP).tar.bz2 > DL_FROM =3D $(URL_IPFIRE) > -DIR_APP =3D $(DIR_SRC)/hostap-$(VER) > +DIR_APP =3D $(DIR_SRC)/$(THISAPP) > TARGET =3D $(DIR_INFO)/$(THISAPP) > PROG =3D hostapd > -PAK_VER =3D 58 > +PAK_VER =3D 59 > =20 > DEPS =3D > =20 > -SERVICES =3D hostapd > - > #########################################################################= ###### > # Top-level Rules > #########################################################################= ###### > @@ -48,7 +44,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_MD5 =3D eed922f2daabe16d74adf2b23455d8bd > +$(DL_FILE)_MD5 =3D 973639d02c9f6712b3b3da6d6c70ab37 > =20 > install : $(TARGET) > =20 > @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : > =20 > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > =20 > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9= -increase_EAPOL-timeouts.patch > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9= -noscan.patch > =20 > cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config > cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr(a)g" -i Makefile > - cd $(DIR_APP)/hostapd && make $(MAKETUNING) > + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) > cd $(DIR_APP)/hostapd && make install > install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/= backup/addons/includes/hostapd > # install initscript > - $(call INSTALL_INITSCRIPTS,$(SERVICES)) > + $(call INSTALL_INITSCRIPT,hostapd) > mkdir -p /var/ipfire/wlanap > touch /var/ipfire/wlanap/settings > cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostap= d.conf > diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch = b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch > index 87aec005b..67d9d4f22 100644 > --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch > +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch > @@ -1,8 +1,8 @@ > diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c > --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 > +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 > -@@ -65,9 +65,9 @@ > - struct wpa_group *group); > +@@ -68,9 +68,9 @@ > + static int ieee80211w_kde_len(struct wpa_state_machine *sm); > static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); > =20 > -static const u32 eapol_key_timeout_first =3D 100; /* ms */ > diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hos= tapd/hostapd-2.9-noscan.patch > index 638b76f84..01a33d0d0 100644 > --- a/src/patches/hostapd/hostapd-2.9-noscan.patch > +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch > @@ -1,6 +1,6 @@ > --- a/hostapd/config_file.c > +++ b/hostapd/config_file.c > -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho > +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho > if (bss->ocv && !bss->ieee80211w) > bss->ieee80211w =3D 1; > #endif /* CONFIG_OCV */ > @@ -13,7 +13,7 @@ > } else if (os_strcmp(buf, "ht_capab") =3D=3D 0) { > --- a/src/ap/ap_config.h > +++ b/src/ap/ap_config.h > -@@ -984,6 +984,8 @@ struct hostapd_config { > +@@ -1014,6 +1014,8 @@ struct hostapd_config { > =20 > int ht_op_mode_fixed; > u16 ht_capab; > @@ -24,7 +24,7 @@ > int no_pri_sec_switch; > --- a/src/ap/hw_features.c > +++ b/src/ap/hw_features.c > -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct > +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct > int ret; > =20 > /* Check that HT40 is used and PRI / SEC switch is allowed */ --===============3733812919946025721==--