wpa_supplicant/hostapd: 2.10 -> 2.11 #330386
Conversation
Result of 7 packages built:
Just one minor thing, the fetchpatch argument seems to be unused now.
Upstream Changes:
* Wi-Fi Easy Connect
  - add support for DPP release 3
  - allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
  - various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
  - add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
  - use Secure=1 in message 3 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* extend PASN support for secure ranging
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
  - this is based on additional details being added in the IEEE 802.11 standard
  - the new implementation is not backwards compatible
* improved ACS to cover additional channel types/bandwidths
* extended Multiple BSSID support
* fix beacon protection with FT protocol (incorrect BIGTK was provided)
* support unsynchronized service discovery (USD)
* add preliminary support for RADIUS/TLS
* add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1)
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* use stricter validation for some RADIUS messages
* a large number of other fixes, cleanup, and extensions

Changelog: http://w1.fi/cgit/hostap/tree/hostapd/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Signed-off-by: Markus Theil <[email protected]>
Upstream Changes:
* Wi-Fi Easy Connect
  - add support for DPP release 3
  - allow Configurator parameters to be provided during config exchange
* MACsec
  - add support for GCM-AES-256 cipher suite
  - remove incorrect EAP Session-Id length constraint
  - add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
  - support BSS color updates
  - various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
  - add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
  - discard unencrypted EAPOL frames in additional cases
  - use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
  - extend support for secure ranging
  - allow PASN implementation to be used with external programs for Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
  - this is based on additional details being added in the IEEE 802.11 standard
  - the new implementation is not backwards compatible, but PMKSA caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1) to improve security for still unfortunately common invalid configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake (a mitigation for CVE-2023-52424; disabled by default for now, can be enabled with ssid_protection=1)
  - in addition, verify SSID after key setup when beacon protection is used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions

Changelog: http://w1.fi/cgit/hostap/tree/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Signed-off-by: Markus Theil <[email protected]>
LGTM
It seems this comes with an upstream regression on some chips: https://bugzilla.redhat.com/show_bug.cgi?id=2302577 We might want to revert upstream commit https://w1.fi/cgit/hostap/commit/?id=41638606054a09867fe3f9a2b5523aa4678cbfa5 until a proper fix lands.
Can confirm what @LeSuisse said - it seems to affect most if not all Broadcom chips, so basically any Mac and lots of other computers besides.
That's what #333475 does.
This PR breaks wifi for
please revert.
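As an added example (not code from this PR, from #333475, or from nixpkgs itself), this is the shape of an overlay a maintainer could carry to revert the upstream commit named in the thread until a proper fix lands. It assumes the reverted patch applies cleanly to the 2.11 tarball; the hash is a placeholder that Nix reports on the first build.

```nix
# Added example, not part of nixpkgs or this PR: an overlay that reverts the
# upstream hostap commit blamed for the Broadcom regression discussed above.
# The patch URL is cgit's "patch" view of the commit id quoted in the thread.
# lib.fakeHash is a deliberate placeholder: the first build fails with a hash
# mismatch and prints the real value, which must then be filled in here.
final: prev: {
  wpa_supplicant = prev.wpa_supplicant.overrideAttrs (old: {
    patches = (old.patches or [ ]) ++ [
      (prev.fetchpatch {
        name = "revert-41638606-broadcom-regression.patch";
        url = "https://w1.fi/cgit/hostap/patch/?id=41638606054a09867fe3f9a2b5523aa4678cbfa5";
        # revert = true makes fetchpatch invert the diff, so the commit is undone
        revert = true;
        hash = prev.lib.fakeHash;
      })
    ];
  });
}
```

After the hash is filled in, rebuilding and rerunning nixpkgs-review against the overlay is the check that the revert applies and the package still builds.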
…works option The patch was removed in NixOS#330386.
Description of changes
Please find the changelog per daemon below.
I kept privsep and epoll disabled, as they still do not work upstream.
Privsep does not support sending EAPOL frames over the nl80211 control port, which would slow down network connection time significantly.
Changes for nixpkgs:
Questions for discussion
wpa_supplicant (the full list of upstream changes is quoted in the commit message above): http://w1.fi/cgit/hostap/tree/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af
hostapd (the full list of upstream changes is quoted in the commit message above): http://w1.fi/cgit/hostap/tree/hostapd/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af