For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
"2022-01-16 - v2.10 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added option send SAE Confirm immediately (sae_config_immediate=1) after SAE Commit - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2) - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed WPS UPnP SUBSCRIBE handling of invalid operations [https://w1.fi/security/2020-1/] * fixed PMF disconnection protection bypass [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * fixed various issues in experimental support for EAP-TEAP server * added configuration (max_auth_rounds, max_auth_rounds_short) to increase the maximum number of EAP message exchanges (mainly to support cases with very large certificates) for the EAP server * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * extended HE (IEEE 802.11ax) support, including 6 GHz support * removed obsolete IAPP functionality * fixed EAP-FAST server with TLS GCM/CCM ciphers * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible; owe_ptk_workaround=1 can be used to enabled a a workaround for the group 20/21 backwards compatibility * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * added support for PASN * added EAP-TLS server support for TLS 1.3 (disabled by default for now) * a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/hostapd | 24 ++++++++----------- .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- 3 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/lfs/hostapd b/lfs/hostapd index cb2626bf3..f07d378be 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,22 +24,18 @@
include Config
-SUMMARY = Daemon for running a WPA capable Access Point +VER = 2_10
-VER = 581dfcc - -THISAPP = hostapd-$(VER) -DL_FILE = $(THISAPP).tar.gz +THISAPP = hostap_$(VER) +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 58 +PAK_VER = 59
DEPS =
-SERVICES = hostapd - ############################################################################### # Top-level Rules ############################################################################### @@ -48,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
install : $(TARGET)
@@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile - cd $(DIR_APP)/hostapd && make $(MAKETUNING) + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/hostapd && make install install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd # install initscript - $(call INSTALL_INITSCRIPTS,$(SERVICES)) + $(call INSTALL_INITSCRIPT,hostapd) mkdir -p /var/ipfire/wlanap touch /var/ipfire/wlanap/settings cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch index 87aec005b..67d9d4f22 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch @@ -1,8 +1,8 @@ diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -65,9 +65,9 @@ - struct wpa_group *group); +@@ -68,9 +68,9 @@ + static int ieee80211w_kde_len(struct wpa_state_machine *sm); static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
-static const u32 eapol_key_timeout_first = 100; /* ms */ diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch index 638b76f84..01a33d0d0 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch @@ -1,6 +1,6 @@ --- a/hostapd/config_file.c +++ b/hostapd/config_file.c -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -13,7 +13,7 @@ } else if (os_strcmp(buf, "ht_capab") == 0) { --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h -@@ -984,6 +984,8 @@ struct hostapd_config { +@@ -1014,6 +1014,8 @@ struct hostapd_config {
int ht_op_mode_fixed; u16 ht_capab; @@ -24,7 +24,7 @@ int no_pri_sec_switch; --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct int ret;
/* Check that HT40 is used and PRI / SEC switch is allowed */
For details see: https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
"2022-01-16 - v2.10 * SAE changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future - fixed PMKSA caching with OKC - added support for SAE-PK * EAP-pwd changes - improved protection against side channel attacks [https://w1.fi/security/2022-1/] * fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/] * fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/] * fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/] * added support for using OpenSSL 3.0 * increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates) * fixed various issues in experimental support for EAP-TEAP peer * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) * a number of MKA/MACsec fixes and extensions * added support for SAE (WPA3-Personal) AP mode configuration * added P2P support for EDMG (IEEE 802.11ay) channels * fixed EAP-FAST peer with TLS GCM/CCM ciphers * improved throughput estimation and BSS selection * dropped support for libnl 1.1 * added support for nl80211 control port for EAPOL frame TX/RX * fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible * added support for Beacon protection * added support for Extended Key ID for pairwise keys * removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed) * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) * added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security * extended D-Bus interface * added support for PASN * added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) * added support for SCS, MSCS, DSCP policy * changed driver interface selection to default to automatic fallback to other compiled in options * a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/wpa_supplicant | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/lfs/wpa_supplicant b/lfs/wpa_supplicant index c64b6aab4..ad9150611 100644 --- a/lfs/wpa_supplicant +++ b/lfs/wpa_supplicant @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,13 +24,14 @@
include Config
-VER = 581dfcc +VER = 2.10
THISAPP = wpa_supplicant-$(VER) -DL_FILE = hostapd-$(VER).tar.gz +DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) +PROG = wpa_supplicant
############################################################################### # Top-level Rules @@ -40,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = d26797fcb002898d4ee989179346e1cc
install : $(TARGET)
@@ -73,10 +74,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP)/wpa_supplicant && cp $(DIR_SRC)/config/wpa_supplicant/config ./.config cd $(DIR_APP)/wpa_supplicant && sed -e "s/wpa_cli\ dynamic_eap_methods/wpa_cli\ #dynamic_eap_methods/" -i Makefile cd $(DIR_APP)/wpa_supplicant && sed -e "s@/usr/local@/usr@g" -i Makefile - cd $(DIR_APP)/wpa_supplicant && make $(MAKETUNING) - cd $(DIR_APP)/wpa_supplicant && make install + cd $(DIR_APP)/wpa_supplicant && make && make install @rm -rf $(DIR_APP) @$(POSTBUILD)
Reviewed-by: Peter Müller peter.mueller@ipfire.org
For details see: https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
"2022-01-16 - v2.10
- SAE changes
- improved protection against side channel attacks [https://w1.fi/security/2022-1/]
- added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future
- fixed PMKSA caching with OKC
- added support for SAE-PK
- EAP-pwd changes
[https://w1.fi/security/2022-1/]
- improved protection against side channel attacks
- fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/]
- fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/]
- fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/]
- added support for using OpenSSL 3.0
- increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates)
- fixed various issues in experimental support for EAP-TEAP peer
- added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
- a number of MKA/MACsec fixes and extensions
- added support for SAE (WPA3-Personal) AP mode configuration
- added P2P support for EDMG (IEEE 802.11ay) channels
- fixed EAP-FAST peer with TLS GCM/CCM ciphers
- improved throughput estimation and BSS selection
- dropped support for libnl 1.1
- added support for nl80211 control port for EAPOL frame TX/RX
- fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible
- added support for Beacon protection
- added support for Extended Key ID for pairwise keys
- removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed)
- added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
- added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security
- extended D-Bus interface
- added support for PASN
- added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools
- added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
- added support for SCS, MSCS, DSCP policy
- changed driver interface selection to default to automatic fallback to other compiled in options
- a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/wpa_supplicant | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/lfs/wpa_supplicant b/lfs/wpa_supplicant index c64b6aab4..ad9150611 100644 --- a/lfs/wpa_supplicant +++ b/lfs/wpa_supplicant @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,13 +24,14 @@
include Config
-VER = 581dfcc +VER = 2.10
THISAPP = wpa_supplicant-$(VER) -DL_FILE = hostapd-$(VER).tar.gz +DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) +PROG = wpa_supplicant
############################################################################### # Top-level Rules @@ -40,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = d26797fcb002898d4ee989179346e1cc
install : $(TARGET)
@@ -73,10 +74,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP)/wpa_supplicant && cp $(DIR_SRC)/config/wpa_supplicant/config ./.config cd $(DIR_APP)/wpa_supplicant && sed -e "s/wpa_cli\ dynamic_eap_methods/wpa_cli\ #dynamic_eap_methods/" -i Makefile cd $(DIR_APP)/wpa_supplicant && sed -e "s@/usr/local@/usr@g" -i Makefile
- cd $(DIR_APP)/wpa_supplicant && make $(MAKETUNING)
- cd $(DIR_APP)/wpa_supplicant && make install
- cd $(DIR_APP)/wpa_supplicant && make && make install @rm -rf $(DIR_APP) @$(POSTBUILD)
Hello Matthias,
thank you for submitting this.
For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
"2022-01-16 - v2.10
- SAE changes
- improved protection against side channel attacks [https://w1.fi/security/2022-1/]
- added option send SAE Confirm immediately (sae_config_immediate=1) after SAE Commit
- added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2)
- fixed PMKSA caching with OKC
- added support for SAE-PK
- EAP-pwd changes
- improved protection against side channel attacks [https://w1.fi/security/2022-1/]
- fixed WPS UPnP SUBSCRIBE handling of invalid operations [https://w1.fi/security/2020-1/]
- fixed PMF disconnection protection bypass [https://w1.fi/security/2019-7/]
- added support for using OpenSSL 3.0
- fixed various issues in experimental support for EAP-TEAP server
- added configuration (max_auth_rounds, max_auth_rounds_short) to increase the maximum number of EAP message exchanges (mainly to support cases with very large certificates) for the EAP server
- added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
- extended HE (IEEE 802.11ax) support, including 6 GHz support
- removed obsolete IAPP functionality
- fixed EAP-FAST server with TLS GCM/CCM ciphers
- dropped support for libnl 1.1
- added support for nl80211 control port for EAPOL frame TX/RX
- fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible; owe_ptk_workaround=1 can be used to enabled a a workaround for the group 20/21 backwards compatibility
- added support for Beacon protection
Are there any plans on enabling this?
- added support for Extended Key ID for pairwise keys
- removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed)
_Another_ broken technology finally bites the dust. Yay!
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Thanks, and best regards, Peter Müller
- added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
- added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security
- added support for PASN
- added EAP-TLS server support for TLS 1.3 (disabled by default for now)
- a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/hostapd | 24 ++++++++----------- .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- 3 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/lfs/hostapd b/lfs/hostapd index cb2626bf3..f07d378be 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,22 +24,18 @@
include Config
-SUMMARY = Daemon for running a WPA capable Access Point +VER = 2_10
-VER = 581dfcc
-THISAPP = hostapd-$(VER) -DL_FILE = $(THISAPP).tar.gz +THISAPP = hostap_$(VER) +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 58 +PAK_VER = 59
DEPS =
-SERVICES = hostapd
- ############################################################################### # Top-level Rules ###############################################################################
@@ -48,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
install : $(TARGET)
@@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
- cd $(DIR_APP)/hostapd && make $(MAKETUNING)
- cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/hostapd && make install install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd # install initscript
- $(call INSTALL_INITSCRIPTS,$(SERVICES))
- $(call INSTALL_INITSCRIPT,hostapd) mkdir -p /var/ipfire/wlanap touch /var/ipfire/wlanap/settings cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch index 87aec005b..67d9d4f22 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch @@ -1,8 +1,8 @@ diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -65,9 +65,9 @@
struct wpa_group *group);+@@ -68,9 +68,9 @@
static int ieee80211w_kde_len(struct wpa_state_machine *sm); static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
-static const u32 eapol_key_timeout_first = 100; /* ms */
diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch index 638b76f84..01a33d0d0 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch @@ -1,6 +1,6 @@ --- a/hostapd/config_file.c +++ b/hostapd/config_file.c -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -13,7 +13,7 @@ } else if (os_strcmp(buf, "ht_capab") == 0) { --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h -@@ -984,6 +984,8 @@ struct hostapd_config { +@@ -1014,6 +1014,8 @@ struct hostapd_config {
int ht_op_mode_fixed; u16 ht_capab;@@ -24,7 +24,7 @@ int no_pri_sec_switch; --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct int ret;
/* Check that HT40 is used and PRI / SEC switch is allowed */
Hello,
This patch should have not been merged.
On 18 Feb 2022, at 17:52, Peter Müller peter.mueller@ipfire.org wrote:
Hello Matthias,
thank you for submitting this.
For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog "2022-01-16 - v2.10
- SAE changes
- improved protection against side channel attacks [https://w1.fi/security/2022-1/]
- added option send SAE Confirm immediately (sae_config_immediate=1) after SAE Commit
- added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2)
- fixed PMKSA caching with OKC
- added support for SAE-PK
- EAP-pwd changes
- improved protection against side channel attacks [https://w1.fi/security/2022-1/]
- fixed WPS UPnP SUBSCRIBE handling of invalid operations [https://w1.fi/security/2020-1/]
- fixed PMF disconnection protection bypass [https://w1.fi/security/2019-7/]
- added support for using OpenSSL 3.0
- fixed various issues in experimental support for EAP-TEAP server
- added configuration (max_auth_rounds, max_auth_rounds_short) to increase the maximum number of EAP message exchanges (mainly to support cases with very large certificates) for the EAP server
- added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
- extended HE (IEEE 802.11ax) support, including 6 GHz support
- removed obsolete IAPP functionality
- fixed EAP-FAST server with TLS GCM/CCM ciphers
- dropped support for libnl 1.1
- added support for nl80211 control port for EAPOL frame TX/RX
- fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible; owe_ptk_workaround=1 can be used to enabled a a workaround for the group 20/21 backwards compatibility
- added support for Beacon protection
Are there any plans on enabling this?
- added support for Extended Key ID for pairwise keys
- removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed)
_Another_ broken technology finally bites the dust. Yay!
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Thanks, and best regards, Peter Müller
- added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
- added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security
- added support for PASN
- added EAP-TLS server support for TLS 1.3 (disabled by default for now)
- a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/hostapd | 24 ++++++++----------- .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- 3 files changed, 15 insertions(+), 19 deletions(-) diff --git a/lfs/hostapd b/lfs/hostapd index cb2626bf3..f07d378be 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,22 +24,18 @@ include Config -SUMMARY = Daemon for running a WPA capable Access Point +VER = 2_10 -VER = 581dfcc
This reverts changes from another patch which I assume wasn’t intended.
-Michael
-THISAPP = hostapd-$(VER) -DL_FILE = $(THISAPP).tar.gz +THISAPP = hostap_$(VER) +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 58 +PAK_VER = 59 DEPS = -SERVICES = hostapd
############################################################################### # Top-level Rules ############################################################################### @@ -48,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37 install : $(TARGET) @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
- cd $(DIR_APP)/hostapd && make $(MAKETUNING)
- cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/hostapd && make install install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd # install initscript
- $(call INSTALL_INITSCRIPTS,$(SERVICES))
- $(call INSTALL_INITSCRIPT,hostapd) mkdir -p /var/ipfire/wlanap touch /var/ipfire/wlanap/settings cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch index 87aec005b..67d9d4f22 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch @@ -1,8 +1,8 @@ diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -65,9 +65,9 @@
struct wpa_group *group);+@@ -68,9 +68,9 @@
- static int ieee80211w_kde_len(struct wpa_state_machine *sm); static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); -static const u32 eapol_key_timeout_first = 100; /* ms */
diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch index 638b76f84..01a33d0d0 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch @@ -1,6 +1,6 @@ --- a/hostapd/config_file.c +++ b/hostapd/config_file.c -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -13,7 +13,7 @@ } else if (os_strcmp(buf, "ht_capab") == 0) { --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h -@@ -984,6 +984,8 @@ struct hostapd_config { +@@ -1014,6 +1014,8 @@ struct hostapd_config { int ht_op_mode_fixed; u16 ht_capab; @@ -24,7 +24,7 @@ int no_pri_sec_switch; --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct int ret; /* Check that HT40 is used and PRI / SEC switch is allowed */
Hello,
On 18 Feb 2022, at 17:52, Peter Müller peter.mueller@ipfire.org wrote:
Hello Matthias,
thank you for submitting this.
For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog "2022-01-16 - v2.10
- SAE changes
- improved protection against side channel attacks [https://w1.fi/security/2022-1/]
- added option send SAE Confirm immediately (sae_config_immediate=1) after SAE Commit
- added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2)
- fixed PMKSA caching with OKC
- added support for SAE-PK
- EAP-pwd changes
- improved protection against side channel attacks [https://w1.fi/security/2022-1/]
- fixed WPS UPnP SUBSCRIBE handling of invalid operations [https://w1.fi/security/2020-1/]
- fixed PMF disconnection protection bypass [https://w1.fi/security/2019-7/]
- added support for using OpenSSL 3.0
- fixed various issues in experimental support for EAP-TEAP server
- added configuration (max_auth_rounds, max_auth_rounds_short) to increase the maximum number of EAP message exchanges (mainly to support cases with very large certificates) for the EAP server
- added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
- extended HE (IEEE 802.11ax) support, including 6 GHz support
- removed obsolete IAPP functionality
- fixed EAP-FAST server with TLS GCM/CCM ciphers
- dropped support for libnl 1.1
- added support for nl80211 control port for EAPOL frame TX/RX
- fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible; owe_ptk_workaround=1 can be used to enabled a a workaround for the group 20/21 backwards compatibility
- added support for Beacon protection
Are there any plans on enabling this?
I don’t know if there is any benefit from this and how compatible this is with older clients.
- added support for Extended Key ID for pairwise keys
- removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed)
_Another_ broken technology finally bites the dust. Yay!
We have WEP disabled for a long time now.
-Michael
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Thanks, and best regards, Peter Müller
- added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
- added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security
- added support for PASN
- added EAP-TLS server support for TLS 1.3 (disabled by default for now)
- a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/hostapd | 24 ++++++++----------- .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++-- src/patches/hostapd/hostapd-2.9-noscan.patch | 6 ++--- 3 files changed, 15 insertions(+), 19 deletions(-) diff --git a/lfs/hostapd b/lfs/hostapd index cb2626bf3..f07d378be 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,22 +24,18 @@ include Config -SUMMARY = Daemon for running a WPA capable Access Point +VER = 2_10 -VER = 581dfcc
-THISAPP = hostapd-$(VER) -DL_FILE = $(THISAPP).tar.gz +THISAPP = hostap_$(VER) +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 58 +PAK_VER = 59 DEPS = -SERVICES = hostapd
############################################################################### # Top-level Rules ############################################################################### @@ -48,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37 install : $(TARGET) @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
- cd $(DIR_APP)/hostapd && make $(MAKETUNING)
- cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/hostapd && make install install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd # install initscript
- $(call INSTALL_INITSCRIPTS,$(SERVICES))
- $(call INSTALL_INITSCRIPT,hostapd) mkdir -p /var/ipfire/wlanap touch /var/ipfire/wlanap/settings cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch index 87aec005b..67d9d4f22 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch @@ -1,8 +1,8 @@ diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -65,9 +65,9 @@
struct wpa_group *group);+@@ -68,9 +68,9 @@
- static int ieee80211w_kde_len(struct wpa_state_machine *sm); static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); -static const u32 eapol_key_timeout_first = 100; /* ms */
diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch index 638b76f84..01a33d0d0 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch @@ -1,6 +1,6 @@ --- a/hostapd/config_file.c +++ b/hostapd/config_file.c -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -13,7 +13,7 @@ } else if (os_strcmp(buf, "ht_capab") == 0) { --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h -@@ -984,6 +984,8 @@ struct hostapd_config { +@@ -1014,6 +1014,8 @@ struct hostapd_config { int ht_op_mode_fixed; u16 ht_capab; @@ -24,7 +24,7 @@ int no_pri_sec_switch; --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct int ret; /* Check that HT40 is used and PRI / SEC switch is allowed */
-
Matthias Fischer -
Michael Tremer -
Peter Müller