
hostapd: 2.10 -> 2.11

Upstream Changes:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
- use Secure=1 in message 3 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* extend PASN support for secure ranging
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible
* improved ACS to cover additional channel types/bandwidths
* extended Multiple BSSID support
* fix beacon protection with FT protocol (incorrect BIGTK was provided)
* support unsynchronized service discovery (USD)
* add preliminary support for RADIUS/TLS
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* use stricter validation for some RADIUS messages
* a large number of other fixes, cleanup, and extensions

Changelog:
http://w1.fi/cgit/hostap/tree/hostapd/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Signed-off-by: Markus Theil <theil.markus@gmail.com>

+3 -151
-101
pkgs/os-specific/linux/hostapd/0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch
··· 1 - From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001 2 - From: Jouni Malinen <j@w1.fi> 3 - Date: Sun, 17 Mar 2024 10:42:56 +0200 4 - Subject: [PATCH 7/8] RADIUS: Require Message-Authenticator attribute in MAC 5 - ACL cases 6 - 7 - hostapd required Message-Authenticator attribute to be included in EAP 8 - authentication cases, but that requirement was not in place for MAC ACL 9 - cases. Start requiring Message-Authenticator attribute for MAC ACL by 10 - default. Unlike the EAP case, this can still be disabled with 11 - radius_require_message_authenticator=1 to maintain compatibility with 12 - some RADIUS servers when used in a network where the connection to such 13 - a server is secure. 14 - 15 - Signed-off-by: Jouni Malinen <j@w1.fi> 16 - --- 17 - hostapd/config_file.c | 3 +++ 18 - hostapd/hostapd.conf | 11 +++++++++++ 19 - src/ap/ap_config.c | 1 + 20 - src/ap/ap_config.h | 1 + 21 - src/ap/ieee802_11_auth.c | 4 +++- 22 - 5 files changed, 19 insertions(+), 1 deletion(-) 23 - 24 - diff --git a/hostapd/config_file.c b/hostapd/config_file.c 25 - index 96c28aea2..3fb059770 100644 26 - --- a/hostapd/config_file.c 27 - +++ b/hostapd/config_file.c 28 - @@ -2988,6 +2988,9 @@ static int hostapd_config_fill(struct hostapd_config *conf, 29 - #endif /* CONFIG_RADIUS_TLS */ 30 - } else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) { 31 - bss->radius->retry_primary_interval = atoi(pos); 32 - + } else if (os_strcmp(buf, 33 - + "radius_require_message_authenticator") == 0) { 34 - + bss->radius_require_message_authenticator = atoi(pos); 35 - } else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) { 36 - bss->acct_interim_interval = atoi(pos); 37 - } else if (os_strcmp(buf, "radius_request_cui") == 0) { 38 - diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf 39 - index e3367b708..3f0e66beb 100644 40 - --- a/hostapd/hostapd.conf 41 - +++ b/hostapd/hostapd.conf 42 - 
@@ -1620,6 +1620,17 @@ own_ip_addr=127.0.0.1 43 - # currently used secondary server is still working. 44 - #radius_retry_primary_interval=600 45 - 46 - +# Message-Authenticator attribute requirement for non-EAP cases 47 - +# hostapd requires Message-Authenticator attribute to be included in all cases 48 - +# where RADIUS is used for EAP authentication. This is also required for cases 49 - +# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case 50 - +# can be configured to not require this for compatibility with RADIUS servers 51 - +# that do not include the attribute. This is not recommended due to potential 52 - +# security concerns, but can be used as a temporary workaround in networks where 53 - +# the connection to the RADIUS server is secure. 54 - +# 0 = Do not require Message-Authenticator in MAC ACL response 55 - +# 1 = Require Message-Authenticator in all authentication cases (default) 56 - +#radius_require_message_authenticator=1 57 - 58 - # Interim accounting update interval 59 - # If this is set (larger than 0) and acct_server is configured, hostapd will 60 - diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c 61 - index 32b04ab35..0b5a16ef9 100644 62 - --- a/src/ap/ap_config.c 63 - +++ b/src/ap/ap_config.c 64 - @@ -122,6 +122,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) 65 - #endif /* CONFIG_IEEE80211R_AP */ 66 - 67 - bss->radius_das_time_window = 300; 68 - + bss->radius_require_message_authenticator = 1; 69 - 70 - bss->anti_clogging_threshold = 5; 71 - bss->sae_sync = 5; 72 - diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h 73 - index fda937ecf..ced2181ab 100644 74 - --- a/src/ap/ap_config.h 75 - +++ b/src/ap/ap_config.h 76 - 
@@ -309,6 +309,7 @@ struct hostapd_bss_config { 77 - struct hostapd_ip_addr own_ip_addr; 78 - char *nas_identifier; 79 - struct hostapd_radius_servers *radius; 80 - + int radius_require_message_authenticator; 81 - int acct_interim_interval; 82 - int radius_request_cui; 83 - struct hostapd_radius_attr *radius_auth_req_attr; 84 - diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c 85 - index cc38044d8..913a99597 100644 86 - --- a/src/ap/ieee802_11_auth.c 87 - +++ b/src/ap/ieee802_11_auth.c 88 - @@ -508,7 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, 89 - wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS " 90 - "message (id=%d)", query->radius_id); 91 - 92 - - if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { 93 - + if (radius_msg_verify( 94 - + msg, shared_secret, shared_secret_len, req, 95 - + hapd->conf->radius_require_message_authenticator)) { 96 - wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have " 97 - "correct authenticator - dropped\n"); 98 - return RADIUS_RX_INVALID_AUTHENTICATOR; 99 - -- 100 - 2.45.1 101 -
+3 -50
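--- a/pkgs/os-specific/linux/hostapd/default.nix
+++ b/pkgs/os-specific/linux/hostapd/default.nix
@@ -2,7 +2,6 @@
   lib,
   stdenv,
   fetchurl,
-  fetchpatch,
   pkg-config,
   libnl,
   openssl,
@@ -12,11 +11,11 @@
 
 stdenv.mkDerivation rec {
   pname = "hostapd";
-  version = "2.10";
+  version = "2.11";
 
   src = fetchurl {
     url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
-    sha256 = "sha256-IG58eZtnhXLC49EgMCOHhLxKn4IyOwFWtMlGbxSYkV0=";
+    sha256 = "sha256-Kz+stjL9T2XjL0v4Kna0tyxQH5laT2LjMCGf567RdHo=";
   };
 
   nativeBuildInputs = [ pkg-config ];
@@ -29,53 +28,6 @@
       url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch";
       sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00";
     })
-
-    # Backported security patches for CVE-2024-3596 (https://blastradius.fail),
-    # these can be removed when updating to 2.11.
-
-    # RADIUS: Allow Message-Authenticator attribute as the first attribute
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46";
-      hash = "sha256-1jfSeVGL5tyZn8F2wpQ7KwaQaEKWsCOW/bavovMcdz4=";
-    })
-
-    # RADIUS server: Place Message-Authenticator attribute as the first one
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=54abb0d3cf35894e7d86e3f7555e95b106306803";
-      hash = "sha256-fVhQlOVETttVf1M9iKrXJrv7mxpxSjCt3w8kndRal08=";
-    })
-
-    # hostapd: Move Message-Authenticator attribute to be the first one in req
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17";
-      hash = "sha256-3eoAkXhieO3f0R5PTlH6g5wcgo/aLQN6XcPSITGgciE=";
-    })
-
-    # RADIUS DAS: Move Message-Authenticator attribute to be the first one
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf";
-      hash = "sha256-dcaghKbKNFVSN6ONNaFt1s0S35mkqox2aykiExEXyPQ=";
-    })
-
-    # Require Message-Authenticator in Access-Reject even without EAP-Message
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=934b0c3a45ce0726560ccefbd992a9d385c36385";
-      hash = "sha256-9GquP/+lsghF81nMhOuRwlSz/pEnmk+mSex8aM3/qdA=";
-    })
-
-    # RADIUS: Require Message-Authenticator attribute in MAC ACL cases
-    #(fetchpatch {
-    #  url = "https://w1.fi/cgit/hostap/patch/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1";
-    #  hash = "sha256-mW+PAeAkNcrlFPsjxLvZ/1Smq6H6KXq5Le3HuLA2KKw=";
-    #})
-    # Needed to be fixed to apply correctly:
-    ./0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch
-
-    # RADIUS: Check Message-Authenticator if it is present even if not required
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=f302d9f9646704cce745734af21d540baa0da65f";
-      hash = "sha256-6i0cq5YBm2w03yMrdYGaEqe1dTsmokZWOs4WPFX36qo=";
-    })
   ];
 
   outputs = [ "out" "man" ];
@@ -137,6 +89,7 @@
     CONFIG_IEEE80211N=y
     CONFIG_IEEE80211AC=y
     CONFIG_IEEE80211AX=y
+    CONFIG_IEEE80211BE=y
   '' + lib.optionalString (sqlite != null) ''
     CONFIG_SQLITE=y
   '';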
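Review bot: `CONFIG_IEEE80211BE=y` (new line 92) switches on what the commit description itself calls preliminary EHT/Wi-Fi 7 support in every default build, with no comment saying why; a one-line note such as `# EHT/802.11be (Wi-Fi 7): preliminary in 2.11, see upstream ChangeLog` would record that this was deliberate, and a `lib.optionalString` gate like the existing sqlite one would let deployments that only need 802.11ax leave that new code path out. Dropping the CVE-2024-3596 backports is sound only if the 2.11 tarball already carries those seven upstream commits; on this page the only trace of that is the description's "use stricter validation for some RADIUS messages", so a comment at the top of `patches` (or a sentence in the description) stating that the Blast-RADIUS fixes are upstream in 2.11 would stop someone from re-adding them later. Since `fetchpatch` leaves the argument list (old line 5), the remaining 300-noscan patch at new lines 28–30 must now be fetched with `fetchurl`; its opening line is outside the visible excerpt, so this is worth confirming before merging.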