This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 6c6959694ac55969e320e30247a799f6acc9accc (commit) from f5160566b202677ffee1423aadc2ce7d87c03114 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 6c6959694ac55969e320e30247a799f6acc9accc Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Aug 7 10:22:56 2024 +0200
hostapd: Update to version 2_11
- Update from version 2_10 to 2_11 - Update of rootfile not required - Update of patches to latest source tarball - Changelog 2_11 * Wi-Fi Easy Connect - add support for DPP release 3 - allow Configurator parameters to be provided during config exchange * HE/IEEE 802.11ax/Wi-Fi 6 - various fixes * EHT/IEEE 802.11be/Wi-Fi 7 - add preliminary support * SAE: add support for fetching the password from a RADIUS server * support OpenSSL 3.0 API changes * support background radar detection and CAC with some additional drivers * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3) * EAP-SIM/AKA: support IMSI privacy * improve 4-way handshake operations - use Secure=1 in message 3 during PTK rekeying * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues * support new SAE AKM suites with variable length keys * support new AKM for 802.1X/EAP with SHA384 * extend PASN support for secure ranging * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) - this is based on additional details being added in the IEEE 802.11 standard - the new implementation is not backwards compatible * improved ACS to cover additional channel types/bandwidths * extended Multiple BSSID support * fix beacon protection with FT protocol (incorrect BIGTK was provided) * support unsynchronized service discovery (USD) * add preliminary support for RADIUS/TLS * add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1) * fix SAE H2E rejected groups validation to avoid downgrade attacks * use stricter validation for some RADIUS messages * a large number of other fixes, cleanup, and extensions
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: lfs/hostapd | 12 ++++----- ... => hostapd-2.11-increase_EAPOL-timeouts.patch} | 11 ++++---- ...-2.9-noscan.patch => hostapd-2.11-noscan.patch} | 30 ++++++++++++---------- 3 files changed, 28 insertions(+), 25 deletions(-) rename src/patches/hostapd/{hostapd-2.9-increase_EAPOL-timeouts.patch => hostapd-2.11-increase_EAPOL-timeouts.patch} (61%) rename src/patches/hostapd/{hostapd-2.9-noscan.patch => hostapd-2.11-noscan.patch} (56%)
Difference in files: diff --git a/lfs/hostapd b/lfs/hostapd index 5db99891d3..2efa5a605c 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config
SUMMARY = Daemon for running a WPA capable Access Point
-VER = 2_10
+VER = 2_11
THISAPP = hostap_$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = hostapd
-PAK_VER = 63
+PAK_VER = 64
DEPS =
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = de474630835a1208ce456d3151759cd3411dc63b2470de7144117634d4985aba1c878fd2cc2388cf6226bc0674eb2bf48cc4b4491f85f3461966b0278f75ea1e
+$(DL_FILE)_BLAKE2 = de98a3634ff937b0068329219e4fa5dece34c9eeb27fa81a9e7de689d5dd2936ceb0ea43923a0e994e0a7bfcd71709b5f739df2f3efdd7c6ec5c765171711a19
install : $(TARGET)
@@ -81,8 +81,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch similarity index 61% rename from src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch rename to src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch index 67d9d4f22a..d6f04cd123 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch @@ -1,9 +1,8 @@ -diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c ---- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 -+++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -68,9 +68,9 @@ - static int ieee80211w_kde_len(struct wpa_state_machine *sm); - static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos); +--- hostap_2_11/src/ap/wpa_auth.c.orig 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/wpa_auth.c 2024-08-06 12:51:22.849029559 +0200 +@@ -75,9 +75,9 @@ + struct wpa_group *group); +
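Review bot: The SSID-protection mitigation for CVE-2023-52424 stays off after this update: the changelog in the commit message says it is disabled by default and needs `ssid_protection=1`, and the three files listed in the summary (lfs/hostapd and the two rebased patches) contain no hostapd runtime configuration. The recipe in the `@@ -81,8 +81,8 @@` hunk of lfs/hostapd only swaps the patch file names and still copies the existing `config/hostapd/config` as the build `.config`, so whether the generated access-point configuration should set the option is left undecided. I would record that decision in the commit message or a follow-up, for example by adding the line `ssid_protection=1` where the hostapd configuration is written (that location is not visible in this diff). The same changelog marks the FT-EAP PMKID derivation change as not backwards compatible, which deserves a line in the release notes for sites using FT. The recipe starts and ends outside the hunk.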
-static const u32 eapol_key_timeout_first = 100; /* ms */ -static const u32 eapol_key_timeout_subseq = 1000; /* ms */ diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.11-noscan.patch similarity index 56% rename from src/patches/hostapd/hostapd-2.9-noscan.patch rename to src/patches/hostapd/hostapd-2.11-noscan.patch index 01a33d0d03..ba3a714194 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.11-noscan.patch @@ -1,6 +1,7 @@ ---- a/hostapd/config_file.c -+++ b/hostapd/config_file.c -@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho +diff -Naur hostap_2_11.orig/hostapd/config_file.c hostap_2_11/hostapd/config_file.c +--- hostap_2_11.orig/hostapd/config_file.c 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/hostapd/config_file.c 2024-08-06 12:55:53.750009117 +0200 +@@ -3678,6 +3678,10 @@ if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -11,9 +12,10 @@ } else if (os_strcmp(buf, "ieee80211n") == 0) { conf->ieee80211n = atoi(pos); } else if (os_strcmp(buf, "ht_capab") == 0) { ---- a/src/ap/ap_config.h -+++ b/src/ap/ap_config.h -@@ -1014,6 +1014,8 @@ struct hostapd_config { +diff -Naur hostap_2_11.orig/src/ap/ap_config.h hostap_2_11/src/ap/ap_config.h +--- hostap_2_11.orig/src/ap/ap_config.h 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/ap_config.h 2024-08-06 12:57:06.779631503 +0200 +@@ -1108,6 +1108,8 @@
int ht_op_mode_fixed; u16 ht_capab; @@ -22,9 +24,10 @@ int ieee80211n; int secondary_channel; int no_pri_sec_switch; ---- a/src/ap/hw_features.c -+++ b/src/ap/hw_features.c -@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct +diff -Naur hostap_2_11.orig/src/ap/hw_features.c hostap_2_11/src/ap/hw_features.c +--- hostap_2_11.orig/src/ap/hw_features.c 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/hw_features.c 2024-08-06 12:58:29.122962573 +0200 +@@ -551,7 +551,8 @@ int ret;
/* Check that HT40 is used and PRI / SEC switch is allowed */ @@ -34,9 +37,10 @@ return 0;
hostapd_set_state(iface, HAPD_IFACE_HT_SCAN); ---- a/src/ap/ieee802_11_ht.c -+++ b/src/ap/ieee802_11_ht.c -@@ -230,6 +230,9 @@ void hostapd_2040_coex_action(struct hos +diff -Naur hostap_2_11.orig/src/ap/ieee802_11_ht.c hostap_2_11/src/ap/ieee802_11_ht.c +--- hostap_2_11.orig/src/ap/ieee802_11_ht.c 2024-07-20 20:04:37.000000000 +0200 ++++ hostap_2_11/src/ap/ieee802_11_ht.c 2024-08-06 13:00:31.237899938 +0200 +@@ -230,6 +230,9 @@ return; }
@@ -46,7 +50,7 @@ if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) { wpa_printf(MSG_DEBUG, "Ignore too short 20/40 BSS Coexistence Management frame"); -@@ -390,6 +393,9 @@ void ht40_intolerant_add(struct hostapd_ +@@ -390,6 +393,9 @@ if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G) return;