Merge pull request #330386 from thillux/wpa_supplicant-2.11

This commit is contained in:
Franz Pletz 2024-07-29 01:19:47 +02:00 committed by GitHub
commit c3df41f44d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 7 additions and 328 deletions


@ -1,101 +0,0 @@
From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 17 Mar 2024 10:42:56 +0200
Subject: [PATCH 7/8] RADIUS: Require Message-Authenticator attribute in MAC
ACL cases
hostapd required Message-Authenticator attribute to be included in EAP
authentication cases, but that requirement was not in place for MAC ACL
cases. Start requiring Message-Authenticator attribute for MAC ACL by
default. Unlike the EAP case, this can still be disabled with
radius_require_message_authenticator=1 to maintain compatibility with
some RADIUS servers when used in a network where the connection to such
a server is secure.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
hostapd/config_file.c | 3 +++
hostapd/hostapd.conf | 11 +++++++++++
src/ap/ap_config.c | 1 +
src/ap/ap_config.h | 1 +
src/ap/ieee802_11_auth.c | 4 +++-
5 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 96c28aea2..3fb059770 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2988,6 +2988,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
#endif /* CONFIG_RADIUS_TLS */
} else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) {
bss->radius->retry_primary_interval = atoi(pos);
+ } else if (os_strcmp(buf,
+ "radius_require_message_authenticator") == 0) {
+ bss->radius_require_message_authenticator = atoi(pos);
} else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) {
bss->acct_interim_interval = atoi(pos);
} else if (os_strcmp(buf, "radius_request_cui") == 0) {
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index e3367b708..3f0e66beb 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1620,6 +1620,17 @@ own_ip_addr=127.0.0.1
# currently used secondary server is still working.
#radius_retry_primary_interval=600
+# Message-Authenticator attribute requirement for non-EAP cases
+# hostapd requires Message-Authenticator attribute to be included in all cases
+# where RADIUS is used for EAP authentication. This is also required for cases
+# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case
+# can be configured to not require this for compatibility with RADIUS servers
+# that do not include the attribute. This is not recommended due to potential
+# security concerns, but can be used as a temporary workaround in networks where
+# the connection to the RADIUS server is secure.
+# 0 = Do not require Message-Authenticator in MAC ACL response
+# 1 = Require Message-Authenticator in all authentication cases (default)
+#radius_require_message_authenticator=1
# Interim accounting update interval
# If this is set (larger than 0) and acct_server is configured, hostapd will
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 32b04ab35..0b5a16ef9 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -122,6 +122,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
#endif /* CONFIG_IEEE80211R_AP */
bss->radius_das_time_window = 300;
+ bss->radius_require_message_authenticator = 1;
bss->anti_clogging_threshold = 5;
bss->sae_sync = 5;
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index fda937ecf..ced2181ab 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -309,6 +309,7 @@ struct hostapd_bss_config {
struct hostapd_ip_addr own_ip_addr;
char *nas_identifier;
struct hostapd_radius_servers *radius;
+ int radius_require_message_authenticator;
int acct_interim_interval;
int radius_request_cui;
struct hostapd_radius_attr *radius_auth_req_attr;
diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index cc38044d8..913a99597 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -508,7 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS "
"message (id=%d)", query->radius_id);
- if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) {
+ if (radius_msg_verify(
+ msg, shared_secret, shared_secret_len, req,
+ hapd->conf->radius_require_message_authenticator)) {
wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have "
"correct authenticator - dropped\n");
return RADIUS_RX_INVALID_AUTHENTICATOR;
--
2.45.1


@ -2,7 +2,6 @@
lib,
stdenv,
fetchurl,
fetchpatch,
pkg-config,
libnl,
openssl,
@ -12,11 +11,11 @@
stdenv.mkDerivation rec {
pname = "hostapd";
version = "2.10";
version = "2.11";
src = fetchurl {
url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
sha256 = "sha256-IG58eZtnhXLC49EgMCOHhLxKn4IyOwFWtMlGbxSYkV0=";
sha256 = "sha256-Kz+stjL9T2XjL0v4Kna0tyxQH5laT2LjMCGf567RdHo=";
};
nativeBuildInputs = [ pkg-config ];
@ -29,53 +28,6 @@ stdenv.mkDerivation rec {
url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch";
sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00";
})
# Backported security patches for CVE-2024-3596 (https://blastradius.fail),
# these can be removed when updating to 2.11.
# RADIUS: Allow Message-Authenticator attribute as the first attribute
(fetchpatch {
url = "https://w1.fi/cgit/hostap/patch/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46";
hash = "sha256-1jfSeVGL5tyZn8F2wpQ7KwaQaEKWsCOW/bavovMcdz4=";
})
# RADIUS server: Place Message-Authenticator attribute as the first one
(fetchpatch {
url = "https://w1.fi/cgit/hostap/patch/?id=54abb0d3cf35894e7d86e3f7555e95b106306803";
hash = "sha256-fVhQlOVETttVf1M9iKrXJrv7mxpxSjCt3w8kndRal08=";
})
# hostapd: Move Message-Authenticator attribute to be the first one in req
(fetchpatch {
url = "https://w1.fi/cgit/hostap/patch/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17";
hash = "sha256-3eoAkXhieO3f0R5PTlH6g5wcgo/aLQN6XcPSITGgciE=";
})
# RADIUS DAS: Move Message-Authenticator attribute to be the first one
(fetchpatch {
url = "https://w1.fi/cgit/hostap/patch/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf";
hash = "sha256-dcaghKbKNFVSN6ONNaFt1s0S35mkqox2aykiExEXyPQ=";
})
# Require Message-Authenticator in Access-Reject even without EAP-Message
(fetchpatch {
url = "https://w1.fi/cgit/hostap/patch/?id=934b0c3a45ce0726560ccefbd992a9d385c36385";
hash = "sha256-9GquP/+lsghF81nMhOuRwlSz/pEnmk+mSex8aM3/qdA=";
})
# RADIUS: Require Message-Authenticator attribute in MAC ACL cases
#(fetchpatch {
# url = "https://w1.fi/cgit/hostap/patch/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1";
# hash = "sha256-mW+PAeAkNcrlFPsjxLvZ/1Smq6H6KXq5Le3HuLA2KKw=";
#})
# Needed to be fixed to apply correctly:
./0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch
# RADIUS: Check Message-Authenticator if it is present even if not required
(fetchpatch {
url = "https://w1.fi/cgit/hostap/patch/?id=f302d9f9646704cce745734af21d540baa0da65f";
hash = "sha256-6i0cq5YBm2w03yMrdYGaEqe1dTsmokZWOs4WPFX36qo=";
})
];
outputs = [ "out" "man" ];
@ -137,6 +89,7 @@ stdenv.mkDerivation rec {
CONFIG_IEEE80211N=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211AX=y
CONFIG_IEEE80211BE=y
'' + lib.optionalString (sqlite != null) ''
CONFIG_SQLITE=y
'';
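Review bot: The first hunk appears to drop `fetchpatch` from the function arguments (the 7→6 line count leaves room for exactly one removal), while the surviving `300-noscan.patch` entry's opening line sits outside the hunk — worth confirming that entry uses `fetchurl`, because a remaining `fetchpatch` reference would fail evaluation with an undefined-variable error rather than at build time. As a point of style, the new `sha256 = "sha256-Kz+…"` line keeps the legacy attribute name for an SRI-format value; the removed patch entries already used the current convention, so `hash = "sha256-Kz+stjL9T2XjL0v4Kna0tyxQH5laT2LjMCGf567RdHo=";` would be consistent. Finally, the CVE-2024-3596 backports are removed on the strength of the now-deleted comment "these can be removed when updating to 2.11"; a one-line comment next to `version` noting that 2.11 ships the RADIUS Message-Authenticator fixes would keep that justification visible to the next reviewer.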


@ -1,130 +0,0 @@
From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001
From: Maximilian Bosch <maximilian@mbosch.me>
Date: Fri, 19 Feb 2021 19:44:21 +0100
Subject: [PATCH] Implement read-only mode for ssids
With this change it's possible to define `network=`-sections in a second
config file specified via `-I` without having changes written to
`/etc/wpa_supplicant.conf`.
This is helpful on e.g. NixOS to allow both declarative (i.e. read-only)
and imperative (i.e. mutable) networks.
---
wpa_supplicant/config.h | 2 +-
wpa_supplicant/config_file.c | 5 +++--
wpa_supplicant/config_none.c | 2 +-
wpa_supplicant/config_ssid.h | 2 ++
wpa_supplicant/wpa_supplicant.c | 8 ++++----
5 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 6a297ecfe..adaf4d398 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var);
*
* Each configuration backend needs to implement this function.
*/
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp);
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro);
/**
* wpa_config_write - Write or update configuration data
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 77c326df5..d5ed051b9 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f,
#endif /* CONFIG_NO_CONFIG_BLOBS */
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
{
FILE *f;
char buf[512], *pos;
@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) {
if (os_strcmp(pos, "network={") == 0) {
ssid = wpa_config_read_network(f, &line, id++);
+ ssid->ro = ro;
if (ssid == NULL) {
wpa_printf(MSG_ERROR, "Line %d: failed to "
"parse network block.", line);
@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config)
}
for (ssid = config->ssid; ssid; ssid = ssid->next) {
- if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary)
+ if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro)
continue; /* do not save temporary networks */
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
!ssid->passphrase)
diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c
index 2aac28fa3..02191b425 100644
--- a/wpa_supplicant/config_none.c
+++ b/wpa_supplicant/config_none.c
@@ -17,7 +17,7 @@
#include "base64.h"
-struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro)
{
struct wpa_config *config;
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index d5c5c00a9..fd80c079c 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -93,6 +93,8 @@ struct wpa_ssid {
*/
int id;
+ int ro;
+
/**
* priority - Priority group
*
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 911d79d17..cb0cb99b1 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
if (wpa_s->confname == NULL)
return -1;
- conf = wpa_config_read(wpa_s->confname, NULL);
+ conf = wpa_config_read(wpa_s->confname, NULL, 0);
if (conf == NULL) {
wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration "
"file '%s' - exiting", wpa_s->confname);
return -1;
}
if (wpa_s->confanother &&
- !wpa_config_read(wpa_s->confanother, conf)) {
+ !wpa_config_read(wpa_s->confanother, conf, 1)) {
wpa_msg(wpa_s, MSG_ERROR,
"Failed to parse the configuration file '%s' - exiting",
wpa_s->confanother);
@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
#else /* CONFIG_BACKEND_FILE */
wpa_s->confname = os_strdup(iface->confname);
#endif /* CONFIG_BACKEND_FILE */
- wpa_s->conf = wpa_config_read(wpa_s->confname, NULL);
+ wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0);
if (wpa_s->conf == NULL) {
wpa_printf(MSG_ERROR, "Failed to read or parse "
"configuration '%s'.", wpa_s->confname);
@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s,
}
wpa_s->confanother = os_rel2abs_path(iface->confanother);
if (wpa_s->confanother &&
- !wpa_config_read(wpa_s->confanother, wpa_s->conf)) {
+ !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) {
wpa_printf(MSG_ERROR,
"Failed to read or parse configuration '%s'.",
wpa_s->confanother);
--
2.29.2


@ -1,32 +0,0 @@
The id and cred_id variables are reset to 0 every time the
wpa_config_read function is called, which is fine as long as it is only
called once. However, this is not the case when using both the -c and -I
options to specify two config files.
This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646,
relies on the network IDs being unique (and increasing), and might get
into an infinite loop otherwise.
This is solved by simply making the variables static.
---
wpa_supplicant/config_file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 6db5010db..c996e3916 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp)
struct wpa_ssid *ssid, *tail, *head;
struct wpa_cred *cred, *cred_tail, *cred_head;
struct wpa_config *config;
- int id = 0;
- int cred_id = 0;
+ static int id = 0;
+ static int cred_id = 0;
if (name == NULL)
return NULL;
--
2.34.1


@ -3,28 +3,19 @@
, dbusSupport ? !stdenv.hostPlatform.isStatic, dbus
, withReadline ? true, readline
, withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite
, readOnlyModeSSIDs ? false
}:
with lib;
stdenv.mkDerivation rec {
version = "2.10";
version = "2.11";
pname = "wpa_supplicant";
src = fetchurl {
url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8=";
sha256 = "sha256-kS6gb3TjCo42+7aAZNbN/yGNjVkdsPxddd7myBrH/Ao=";
};
patches = [
# Fix a bug when using two config files
./Use-unique-IDs-for-networks-and-credentials.patch
] ++ lib.optionals readOnlyModeSSIDs [
# Allow read-only networks
./0001-Implement-read-only-mode-for-ssids.patch
];
# TODO: Patch epoll so that the dbus actually responds
# TODO: Figure out how to get privsep working, currently getting SIGBUS
extraConfig = ''
@ -49,6 +40,7 @@ stdenv.mkDerivation rec {
CONFIG_HT_OVERRIDES=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211AX=y
CONFIG_IEEE80211BE=y
CONFIG_IEEE80211N=y
CONFIG_IEEE80211R=y
CONFIG_IEEE80211W=y
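Review bot: Removing the `readOnlyModeSSIDs ? false` argument is a breaking change for any out-of-tree `wpa_supplicant.override { readOnlyModeSSIDs = true; }`, which will now fail with an unexpected-argument evaluation error; the alias added for `wpa_supplicant_ro_ssids` covers only the attribute name, not the override. A softer path is to keep the parameter for one release as a no-op with a warning, e.g. retain `readOnlyModeSSIDs ? false` in the argument set and wrap the derivation in `lib.warnIf readOnlyModeSSIDs "wpa_supplicant: readOnlyModeSSIDs is a no-op; read-only networks are upstream in 2.11"`. The new `sha256 = "sha256-kS6g…"` line also keeps the legacy attribute name for an SRI value, where `hash = "sha256-…"` is the current convention.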


@ -1520,6 +1520,7 @@ mapAliases ({
wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10
wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10
wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name
wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant;
wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07
wmii_hg = wmii;
wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26
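Review bot: The new `wpa_supplicant_ro_ssids` alias lacks the dated `# Added YYYY-MM-DD` marker that the surrounding entries carry (`# Added 2023-10-10`, `# Added 2024-05-07`, `# Added 2024-03-26`); the aliases file uses that date to schedule eventual removal, so append one using the authoring date (the merge shown is 2024-07-29), e.g. `wpa_supplicant_ro_ssids = lib.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant; # Added 2024-07-29`. `lib.trivial.warn` and `lib.warn` refer to the same function; the short form is the more common spelling in nixpkgs.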


@ -27722,10 +27722,6 @@ with pkgs;
wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { };
wpa_supplicant_ro_ssids = wpa_supplicant.override {
readOnlyModeSSIDs = true;
};
wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { };
xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { };