This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  772d3dbd6091b75fa10317c88c25c53ce466f825 (commit)
       via  f51f8b130350b738747115ec9fccc9b50d7ec5e4 (commit)
       via  6491a92335a15fa0e3a4df1fed24b40490eaf3cb (commit)
      from  1bd6e152c40018054c9cad81000fcb7580153d90 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 772d3dbd6091b75fa10317c88c25c53ce466f825
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Feb 18 21:57:28 2022 +0000
Core Update 165: Ship wpa_supplicant
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f51f8b130350b738747115ec9fccc9b50d7ec5e4
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Fri Feb 18 18:13:35 2022 +0100
wpa_supplicant: Update to 2.10
For details see: https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
"2022-01-16 - v2.10
* SAE changes
  - improved protection against side channel attacks [https://w1.fi/security/2022-1/]
  - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2); this is currently disabled by default, but will likely get enabled by default in the future
  - fixed PMKSA caching with OKC
  - added support for SAE-PK
* EAP-pwd changes
  - improved protection against side channel attacks [https://w1.fi/security/2022-1/]
* fixed P2P provision discovery processing of a specially constructed invalid frame [https://w1.fi/security/2021-1/]
* fixed P2P group information processing of a specially constructed invalid frame [https://w1.fi/security/2020-2/]
* fixed PMF disconnection protection bypass in AP mode [https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* increased the maximum number of EAP message exchanges (mainly to support cases with very large certificates)
* fixed various issues in experimental support for EAP-TEAP peer
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* a number of MKA/MACsec fixes and extensions
* added support for SAE (WPA3-Personal) AP mode configuration
* added P2P support for EDMG (IEEE 802.11ay) channels
* fixed EAP-FAST peer with TLS GCM/CCM ciphers
* improved throughput estimation and BSS selection
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security
* extended D-Bus interface
* added support for PASN
* added a file-based backend for external password storage to allow secret information to be moved away from the main configuration file without requiring external tools
* added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
* added support for SCS, MSCS, DSCP policy
* changed driver interface selection to default to automatic fallback to other compiled in options
* a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 6491a92335a15fa0e3a4df1fed24b40490eaf3cb
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Fri Feb 18 18:13:34 2022 +0100
hostapd: Update to 2.10
For details see: https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
"2022-01-16 - v2.10
* SAE changes
  - improved protection against side channel attacks [https://w1.fi/security/2022-1/]
  - added option send SAE Confirm immediately (sae_config_immediate=1) after SAE Commit
  - added support for the hash-to-element mechanism (sae_pwe=1 or sae_pwe=2)
  - fixed PMKSA caching with OKC
  - added support for SAE-PK
* EAP-pwd changes
  - improved protection against side channel attacks [https://w1.fi/security/2022-1/]
* fixed WPS UPnP SUBSCRIBE handling of invalid operations [https://w1.fi/security/2020-1/]
* fixed PMF disconnection protection bypass [https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* fixed various issues in experimental support for EAP-TEAP server
* added configuration (max_auth_rounds, max_auth_rounds_short) to increase the maximum number of EAP message exchanges (mainly to support cases with very large certificates) for the EAP server
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* extended HE (IEEE 802.11ax) support, including 6 GHz support
* removed obsolete IAPP functionality
* fixed EAP-FAST server with TLS GCM/CCM ciphers
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards compatibility for these groups while the default group 19 remains backwards compatible; owe_ptk_workaround=1 can be used to enable a workaround for the group 20/21 backwards compatibility
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to automatically disable transition mode to improve security
* added support for PASN
* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
* a large number of other fixes, cleanup, and extensions"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 .../103 => core/165}/filelists/wpa_supplicant | 0
 lfs/hostapd | 24 +++++++++-------------
 lfs/wpa_supplicant | 15 +++++++-------
 .../hostapd-2.9-increase_EAPOL-timeouts.patch | 4 ++--
 src/patches/hostapd/hostapd-2.9-noscan.patch | 6 +++---
 5 files changed, 23 insertions(+), 26 deletions(-)
 copy config/rootfiles/{oldcore/103 => core/165}/filelists/wpa_supplicant (100%)
Difference in files: diff --git a/config/rootfiles/core/165/filelists/wpa_supplicant b/config/rootfiles/core/165/filelists/wpa_supplicant new file mode 120000 index 000000000..1d04c03c0 --- /dev/null +++ b/config/rootfiles/core/165/filelists/wpa_supplicant @@ -0,0 +1 @@ +../../../common/wpa_supplicant \ No newline at end of file diff --git a/lfs/hostapd b/lfs/hostapd index cb2626bf3..f07d378be 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,22 +24,18 @@
include Config
-SUMMARY = Daemon for running a WPA capable Access Point +VER = 2_10
-VER = 581dfcc - -THISAPP = hostapd-$(VER) -DL_FILE = $(THISAPP).tar.gz +THISAPP = hostap_$(VER) +DL_FILE = $(THISAPP).tar.bz2 DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 58 +PAK_VER = 59
DEPS =
-SERVICES = hostapd - ############################################################################### # Top-level Rules ############################################################################### @@ -48,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
install : $(TARGET)
@@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile - cd $(DIR_APP)/hostapd && make $(MAKETUNING) + cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP)/hostapd && make install install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd # install initscript - $(call INSTALL_INITSCRIPTS,$(SERVICES)) + $(call INSTALL_INITSCRIPT,hostapd) mkdir -p /var/ipfire/wlanap touch /var/ipfire/wlanap/settings cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf diff --git a/lfs/wpa_supplicant b/lfs/wpa_supplicant index c64b6aab4..ad9150611 100644 --- a/lfs/wpa_supplicant +++ b/lfs/wpa_supplicant @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,13 +24,14 @@
include Config
-VER = 581dfcc +VER = 2.10
THISAPP = wpa_supplicant-$(VER) -DL_FILE = hostapd-$(VER).tar.gz +DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/hostap-$(VER) +DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) +PROG = wpa_supplicant
############################################################################### # Top-level Rules @@ -40,7 +41,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd +$(DL_FILE)_MD5 = d26797fcb002898d4ee989179346e1cc
install : $(TARGET)
@@ -73,10 +74,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP)/wpa_supplicant && cp $(DIR_SRC)/config/wpa_supplicant/config ./.config cd $(DIR_APP)/wpa_supplicant && sed -e "s/wpa_cli\ dynamic_eap_methods/wpa_cli\ #dynamic_eap_methods/" -i Makefile cd $(DIR_APP)/wpa_supplicant && sed -e "s@/usr/local@/usr@g" -i Makefile - cd $(DIR_APP)/wpa_supplicant && make $(MAKETUNING) - cd $(DIR_APP)/wpa_supplicant && make install + cd $(DIR_APP)/wpa_supplicant && make && make install @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch index 87aec005b..67d9d4f22 100644 --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch @@ -1,8 +1,8 @@ diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c Wed Aug 7 15:25:25 2019 +++ b/src/ap/wpa_auth.c Fri Sep 20 17:35:23 2019 -@@ -65,9 +65,9 @@ - struct wpa_group *group); +@@ -68,9 +68,9 @@ + static int ieee80211w_kde_len(struct wpa_state_machine *sm); static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
-static const u32 eapol_key_timeout_first = 100; /* ms */ diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch index 638b76f84..01a33d0d0 100644 --- a/src/patches/hostapd/hostapd-2.9-noscan.patch +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch @@ -1,6 +1,6 @@ --- a/hostapd/config_file.c +++ b/hostapd/config_file.c -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho if (bss->ocv && !bss->ieee80211w) bss->ieee80211w = 1; #endif /* CONFIG_OCV */ @@ -13,7 +13,7 @@ } else if (os_strcmp(buf, "ht_capab") == 0) { --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h -@@ -984,6 +984,8 @@ struct hostapd_config { +@@ -1014,6 +1014,8 @@ struct hostapd_config {
int ht_op_mode_fixed; u16 ht_capab; @@ -24,7 +24,7 @@ int no_pri_sec_switch; --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct int ret;
/* Check that HT40 is used and PRI / SEC switch is allowed */
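Review bot: The removal of "SUMMARY = Daemon for running a WPA capable Access Point" and "SERVICES = hostapd" in lfs/hostapd, together with the switch from "$(call INSTALL_INITSCRIPTS,$(SERVICES))" to "$(call INSTALL_INITSCRIPT,hostapd)", is not explained by the commit message "hostapd: Update to 2.10". A version bump should not drop package metadata as a side effect. Please confirm this is intended, or rebase on the current file and keep these lines so the change is limited to VER, THISAPP, DL_FILE, DIR_APP, PAK_VER, the checksum and the build commands.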
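Review bot: The lfs/wpa_supplicant build rule drops $(MAKETUNING) without explanation: "make $(MAKETUNING)" and "make install" become "make && make install", while lfs/hostapd in the same push keeps $(MAKETUNING) and adds $(EXTRA_MAKE). If 2.10 does not build with the tuned make flags, say so in the commit message; otherwise keep "make $(MAKETUNING)" so both recipes build the same way. VER is also "2_10" in lfs/hostapd and "2.10" in lfs/wpa_supplicant, with separate tarballs (.tar.bz2 and .tar.gz) where both files previously downloaded hostapd-$(VER).tar.gz; a short comment on why the two sources now differ would help whoever does the next update.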
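Review bot: The new tarballs in lfs/hostapd and lfs/wpa_supplicant are pinned only by "$(DL_FILE)_MD5", and MD5 is not collision resistant, so it is a weak integrity check for a release that carries several security fixes. Recording a SHA-256 or BLAKE2 digest next to the MD5 value, compared against whatever upstream publishes where that is available, would make the pin meaningful. If the lfs framework only understands the _MD5 variable, that is a follow-up for the framework rather than for this patch.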
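Review bot: The refreshed files under src/patches/hostapd are still named hostapd-2.9-increase_EAPOL-timeouts.patch and hostapd-2.9-noscan.patch although lfs/hostapd now applies them to 2.10, and the visible changes are only to hunk offsets and context (for example "@@ -3493,6 +3493,10 @@" to "@@ -3474,6 +3474,10 @@"). Rename them to match the version they apply to, or drop the version from the file name, and update the two "patch -Np1" lines in lfs/hostapd accordingly.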
hooks/post-receive -- IPFire 2.x development tree