]> git.ipfire.org Git - people/mfischer/ipfire-2.x.git/commitdiff
projects / people / mfischer / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f516056)
hostapd: Update to version 2_11
authorAdolf Belka <adolf.belka@ipfire.org>
Wed, 7 Aug 2024 08:22:56 +0000 (10:22 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 7 Aug 2024 09:32:57 +0000 (09:32 +0000)
- Update from version 2_10 to 2_11
- Update of rootfile not required
- Update of patches to latest source tarball
- Changelog
    2_11
* Wi-Fi Easy Connect
  - add support for DPP release 3
  - allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
  - various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
  - add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
  drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
  - use Secure=1 in message 3 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
  to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* extend PASN support for secure ranging
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
  - this is based on additional details being added in the IEEE 802.11
    standard
  - the new implementation is not backwards compatible
* improved ACS to cover additional channel types/bandwidths
* extended Multiple BSSID support
* fix beacon protection with FT protocol (incorrect BIGTK was provided)
* support unsynchronized service discovery (USD)
* add preliminary support for RADIUS/TLS
* add support for explicit SSID protection in 4-way handshake
  (a mitigation for CVE-2023-52424; disabled by default for now, can be
  enabled with ssid_protection=1)
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* use stricter validation for some RADIUS messages
* a large number of other fixes, cleanup, and extensions

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
lfs/hostapd patch | blob | blame | history
src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch [moved from src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch with 61% similarity] patch | blob | blame | history
src/patches/hostapd/hostapd-2.11-noscan.patch [moved from src/patches/hostapd/hostapd-2.9-noscan.patch with 56% similarity] patch | blob | blame | history

diff --git a/lfs/hostapd b/lfs/hostapd
index 5db99891d3d1dc9a92f2bde0ba522cfad95cd1e7..2efa5a605c029175e330fcbdad3695f4b3410808 100644 (file)
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -25,7 +25,7 @@
 include Config
 
 SUMMARY    = Daemon for running a WPA capable Access Point
-VER        = 2_10
+VER        = 2_11
 
 THISAPP    = hostap_$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -33,7 +33,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = hostapd
-PAK_VER    = 63
+PAK_VER    = 64
 
 DEPS       =
 
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = de474630835a1208ce456d3151759cd3411dc63b2470de7144117634d4985aba1c878fd2cc2388cf6226bc0674eb2bf48cc4b4491f85f3461966b0278f75ea1e
+$(DL_FILE)_BLAKE2 = de98a3634ff937b0068329219e4fa5dece34c9eeb27fa81a9e7de689d5dd2936ceb0ea43923a0e994e0a7bfcd71709b5f739df2f3efdd7c6ec5c765171711a19
 
 install : $(TARGET)
 
@@ -81,8 +81,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.11-noscan.patch
 
        cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
        cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
similarity index 61%
rename from src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
rename to src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
index 67d9d4f22abc5cf2902b0778c0a73d4a869164cb..d6f04cd123dfc9953657098055528a012968ac3c 100644 (file)
--- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
+++ b/src/patches/hostapd/hostapd-2.11-increase_EAPOL-timeouts.patch
@@ -1,9 +1,8 @@
-diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
---- a/src/ap/wpa_auth.c        Wed Aug  7 15:25:25 2019
-+++ b/src/ap/wpa_auth.c        Fri Sep 20 17:35:23 2019
-@@ -68,9 +68,9 @@
- static int ieee80211w_kde_len(struct wpa_state_machine *sm);
- static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
+--- hostap_2_11/src/ap/wpa_auth.c.orig 2024-07-20 20:04:37.000000000 +0200
++++ hostap_2_11/src/ap/wpa_auth.c      2024-08-06 12:51:22.849029559 +0200
+@@ -75,9 +75,9 @@
+                                struct wpa_group *group);
  
 -static const u32 eapol_key_timeout_first = 100; /* ms */
 -static const u32 eapol_key_timeout_subseq = 1000; /* ms */
diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.11-noscan.patch
similarity index 56%
rename from src/patches/hostapd/hostapd-2.9-noscan.patch
rename to src/patches/hostapd/hostapd-2.11-noscan.patch
index 01a33d0d035b1880244c26b3a2f1d6e93ff32eb6..ba3a714194cd17dedced679d774c8cb03939926e 100644 (file)
--- a/src/patches/hostapd/hostapd-2.9-noscan.patch
+++ b/src/patches/hostapd/hostapd-2.11-noscan.patch
@@ -1,6 +1,7 @@
---- a/hostapd/config_file.c
-+++ b/hostapd/config_file.c
-@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
+diff -Naur hostap_2_11.orig/hostapd/config_file.c hostap_2_11/hostapd/config_file.c
+--- hostap_2_11.orig/hostapd/config_file.c     2024-07-20 20:04:37.000000000 +0200
++++ hostap_2_11/hostapd/config_file.c  2024-08-06 12:55:53.750009117 +0200
+@@ -3678,6 +3678,10 @@
                if (bss->ocv && !bss->ieee80211w)
                        bss->ieee80211w = 1;
  #endif /* CONFIG_OCV */
@@ -11,9 +12,10 @@
        } else if (os_strcmp(buf, "ieee80211n") == 0) {
                conf->ieee80211n = atoi(pos);
        } else if (os_strcmp(buf, "ht_capab") == 0) {
---- a/src/ap/ap_config.h
-+++ b/src/ap/ap_config.h
-@@ -1014,6 +1014,8 @@ struct hostapd_config {
+diff -Naur hostap_2_11.orig/src/ap/ap_config.h hostap_2_11/src/ap/ap_config.h
+--- hostap_2_11.orig/src/ap/ap_config.h        2024-07-20 20:04:37.000000000 +0200
++++ hostap_2_11/src/ap/ap_config.h     2024-08-06 12:57:06.779631503 +0200
+@@ -1108,6 +1108,8 @@
  
        int ht_op_mode_fixed;
        u16 ht_capab;
@@ -22,9 +24,10 @@
        int ieee80211n;
        int secondary_channel;
        int no_pri_sec_switch;
---- a/src/ap/hw_features.c
-+++ b/src/ap/hw_features.c
-@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
+diff -Naur hostap_2_11.orig/src/ap/hw_features.c hostap_2_11/src/ap/hw_features.c
+--- hostap_2_11.orig/src/ap/hw_features.c      2024-07-20 20:04:37.000000000 +0200
++++ hostap_2_11/src/ap/hw_features.c   2024-08-06 12:58:29.122962573 +0200
+@@ -551,7 +551,8 @@
        int ret;
  
        /* Check that HT40 is used and PRI / SEC switch is allowed */
@@ -34,9 +37,10 @@
                return 0;
  
        hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
---- a/src/ap/ieee802_11_ht.c
-+++ b/src/ap/ieee802_11_ht.c
-@@ -230,6 +230,9 @@ void hostapd_2040_coex_action(struct hos
+diff -Naur hostap_2_11.orig/src/ap/ieee802_11_ht.c hostap_2_11/src/ap/ieee802_11_ht.c
+--- hostap_2_11.orig/src/ap/ieee802_11_ht.c    2024-07-20 20:04:37.000000000 +0200
++++ hostap_2_11/src/ap/ieee802_11_ht.c 2024-08-06 13:00:31.237899938 +0200
+@@ -230,6 +230,9 @@
                return;
        }
  
@@ -46,7 +50,7 @@
        if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie)) {
                wpa_printf(MSG_DEBUG,
                           "Ignore too short 20/40 BSS Coexistence Management frame");
-@@ -390,6 +393,9 @@ void ht40_intolerant_add(struct hostapd_
+@@ -390,6 +393,9 @@
        if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
                return;
  
Matthias' tree of IPFire 2.x