diff --git a/pkgs/os-specific/linux/hostapd/0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch b/pkgs/os-specific/linux/hostapd/0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch deleted file mode 100644 index e895e47925679..0000000000000 --- a/pkgs/os-specific/linux/hostapd/0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sun, 17 Mar 2024 10:42:56 +0200 -Subject: [PATCH 7/8] RADIUS: Require Message-Authenticator attribute in MAC - ACL cases - -hostapd required Message-Authenticator attribute to be included in EAP -authentication cases, but that requirement was not in place for MAC ACL -cases. Start requiring Message-Authenticator attribute for MAC ACL by -default. Unlike the EAP case, this can still be disabled with -radius_require_message_authenticator=1 to maintain compatibility with -some RADIUS servers when used in a network where the connection to such -a server is secure. - -Signed-off-by: Jouni Malinen ---- - hostapd/config_file.c | 3 +++ - hostapd/hostapd.conf | 11 +++++++++++ - src/ap/ap_config.c | 1 + - src/ap/ap_config.h | 1 + - src/ap/ieee802_11_auth.c | 4 +++- - 5 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/hostapd/config_file.c b/hostapd/config_file.c -index 96c28aea2..3fb059770 100644 ---- a/hostapd/config_file.c -+++ b/hostapd/config_file.c -@@ -2988,6 +2988,9 @@ static int hostapd_config_fill(struct hostapd_config *conf, - #endif /* CONFIG_RADIUS_TLS */ - } else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) { - bss->radius->retry_primary_interval = atoi(pos); -+ } else if (os_strcmp(buf, -+ "radius_require_message_authenticator") == 0) { -+ bss->radius_require_message_authenticator = atoi(pos); - } else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) { - bss->acct_interim_interval = atoi(pos); - } else if (os_strcmp(buf, "radius_request_cui") == 0) { -diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf -index e3367b708..3f0e66beb 100644 ---- a/hostapd/hostapd.conf -+++ b/hostapd/hostapd.conf -@@ -1620,6 +1620,17 @@ own_ip_addr=127.0.0.1 - # currently used secondary server is still working. 
- #radius_retry_primary_interval=600 - -+# Message-Authenticator attribute requirement for non-EAP cases -+# hostapd requires Message-Authenticator attribute to be included in all cases -+# where RADIUS is used for EAP authentication. This is also required for cases -+# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case -+# can be configured to not require this for compatibility with RADIUS servers -+# that do not include the attribute. This is not recommended due to potential -+# security concerns, but can be used as a temporary workaround in networks where -+# the connection to the RADIUS server is secure. -+# 0 = Do not require Message-Authenticator in MAC ACL response -+# 1 = Require Message-Authenticator in all authentication cases (default) -+#radius_require_message_authenticator=1 - - # Interim accounting update interval - # If this is set (larger than 0) and acct_server is configured, hostapd will -diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c -index 32b04ab35..0b5a16ef9 100644 ---- a/src/ap/ap_config.c -+++ b/src/ap/ap_config.c -@@ -122,6 +122,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) - #endif /* CONFIG_IEEE80211R_AP */ - - bss->radius_das_time_window = 300; -+ bss->radius_require_message_authenticator = 1; - - bss->anti_clogging_threshold = 5; - bss->sae_sync = 5; -diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h -index fda937ecf..ced2181ab 100644 ---- a/src/ap/ap_config.h -+++ b/src/ap/ap_config.h -@@ -309,6 +309,7 @@ struct hostapd_bss_config { - struct hostapd_ip_addr own_ip_addr; - char *nas_identifier; - struct hostapd_radius_servers *radius; -+ int radius_require_message_authenticator; - int acct_interim_interval; - int radius_request_cui; - struct hostapd_radius_attr *radius_auth_req_attr; -diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c -index cc38044d8..913a99597 100644 ---- a/src/ap/ieee802_11_auth.c -+++ b/src/ap/ieee802_11_auth.c -@@ -508,7 +508,9 @@ 
hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, - wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS " - "message (id=%d)", query->radius_id); - -- if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { -+ if (radius_msg_verify( -+ msg, shared_secret, shared_secret_len, req, -+ hapd->conf->radius_require_message_authenticator)) { - wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have " - "correct authenticator - dropped\n"); - return RADIUS_RX_INVALID_AUTHENTICATOR; --- -2.45.1 - diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix index 5988dc0436dcb..10abb04f776fc 100644 --- a/pkgs/os-specific/linux/hostapd/default.nix +++ b/pkgs/os-specific/linux/hostapd/default.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchurl, - fetchpatch, pkg-config, libnl, openssl, @@ -12,11 +11,11 @@ stdenv.mkDerivation rec { pname = "hostapd"; - version = "2.10"; + version = "2.11"; src = fetchurl { url = "https://w1.fi/releases/${pname}-${version}.tar.gz"; - sha256 = "sha256-IG58eZtnhXLC49EgMCOHhLxKn4IyOwFWtMlGbxSYkV0="; + sha256 = "sha256-Kz+stjL9T2XjL0v4Kna0tyxQH5laT2LjMCGf567RdHo="; }; nativeBuildInputs = [ pkg-config ]; 
@@ -29,53 +28,6 @@ stdenv.mkDerivation rec { url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch"; sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00"; }) - - # Backported security patches for CVE-2024-3596 (https://blastradius.fail), - # these can be removed when updating to 2.11. - - # RADIUS: Allow Message-Authenticator attribute as the first attribute - (fetchpatch { - url = "https://w1.fi/cgit/hostap/patch/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46"; - hash = "sha256-1jfSeVGL5tyZn8F2wpQ7KwaQaEKWsCOW/bavovMcdz4="; - }) - - # RADIUS server: Place Message-Authenticator attribute as the first one - (fetchpatch { - url = "https://w1.fi/cgit/hostap/patch/?id=54abb0d3cf35894e7d86e3f7555e95b106306803"; - hash = "sha256-fVhQlOVETttVf1M9iKrXJrv7mxpxSjCt3w8kndRal08="; - }) - - # hostapd: Move Message-Authenticator attribute to be the first one in req - (fetchpatch { - url = "https://w1.fi/cgit/hostap/patch/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17"; - hash = "sha256-3eoAkXhieO3f0R5PTlH6g5wcgo/aLQN6XcPSITGgciE="; - }) - - # RADIUS DAS: Move Message-Authenticator attribute to be the first one - (fetchpatch { - url = "https://w1.fi/cgit/hostap/patch/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf"; - hash = "sha256-dcaghKbKNFVSN6ONNaFt1s0S35mkqox2aykiExEXyPQ="; - }) - - # Require Message-Authenticator in Access-Reject even without EAP-Message - (fetchpatch { - url = "https://w1.fi/cgit/hostap/patch/?id=934b0c3a45ce0726560ccefbd992a9d385c36385"; - hash = "sha256-9GquP/+lsghF81nMhOuRwlSz/pEnmk+mSex8aM3/qdA="; - }) - - # RADIUS: Require Message-Authenticator attribute in MAC ACL cases - #(fetchpatch { - # url = "https://w1.fi/cgit/hostap/patch/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1"; - # hash = "sha256-mW+PAeAkNcrlFPsjxLvZ/1Smq6H6KXq5Le3HuLA2KKw="; - #}) - # Needed to be fixed to apply correctly: - 
./0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch - - # RADIUS: Check Message-Authenticator if it is present even if not required - (fetchpatch { - url = "https://w1.fi/cgit/hostap/patch/?id=f302d9f9646704cce745734af21d540baa0da65f"; - hash = "sha256-6i0cq5YBm2w03yMrdYGaEqe1dTsmokZWOs4WPFX36qo="; - }) ]; outputs = [ "out" "man" ]; @@ -137,6 +89,7 @@ stdenv.mkDerivation rec { CONFIG_IEEE80211N=y CONFIG_IEEE80211AC=y CONFIG_IEEE80211AX=y + CONFIG_IEEE80211BE=y '' + lib.optionalString (sqlite != null) '' CONFIG_SQLITE=y ''; diff --git a/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch b/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch deleted file mode 100644 index d459de8a7f39e..0000000000000 --- a/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch +++ /dev/null 
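Review bot: `CONFIG_IEEE80211BE=y` in hunk `@@ -137,6 +89,7 @@` enables the 802.11be/EHT code paths for every hostapd user with no comment explaining the default change; unlike the 802.11ax line above it this is code that, as far as I recall, upstream's 2.11 release notes still describe as experimental, and on the AP side it is new over-the-air frame parsing, so a line such as `# Wi-Fi 7 (EHT); new in 2.11, enabled for parity with other distributions` (or whatever the actual reason is) would make the choice reviewable. The same line is added to wpa_supplicant/default.nix in this commit and the same comment applies there. Separately, in hunk `@@ -29,53 +28,6 @@` the remaining openwrt `300-noscan.patch` stays pinned to an openwrt commit that was selected for the 2.10 tree; the build would only catch a failure to apply, not a silently changed hunk, so it is worth confirming in the commit message that it was checked against 2.11.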
@@ -1,130 +0,0 @@ -From 99ae610f0ae3608a12c864caedf396f14e68327d Mon Sep 17 00:00:00 2001 -From: Maximilian Bosch -Date: Fri, 19 Feb 2021 19:44:21 +0100 -Subject: [PATCH] Implement read-only mode for ssids - -With this change it's possible to define `network=`-sections in a second -config file specified via `-I` without having changes written to -`/etc/wpa_supplicant.conf`. - -This is helpful on e.g. NixOS to allow both declarative (i.e. read-only) -and imperative (i.e. mutable) networks. ---- - wpa_supplicant/config.h | 2 +- - wpa_supplicant/config_file.c | 5 +++-- - wpa_supplicant/config_none.c | 2 +- - wpa_supplicant/config_ssid.h | 2 ++ - wpa_supplicant/wpa_supplicant.c | 8 ++++---- - 5 files changed, 11 insertions(+), 8 deletions(-) - -diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h -index 6a297ecfe..adaf4d398 100644 ---- a/wpa_supplicant/config.h -+++ b/wpa_supplicant/config.h -@@ -1614,7 +1614,7 @@ const char * wpa_config_get_global_field_name(unsigned int i, int *no_var); - * - * Each configuration backend needs to implement this function. 
- */ --struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp); -+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro); - - /** - * wpa_config_write - Write or update configuration data -diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c -index 77c326df5..d5ed051b9 100644 ---- a/wpa_supplicant/config_file.c -+++ b/wpa_supplicant/config_file.c -@@ -373,7 +373,7 @@ static int wpa_config_process_blob(struct wpa_config *config, FILE *f, - #endif /* CONFIG_NO_CONFIG_BLOBS */ - - --struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) -+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro) - { - FILE *f; - char buf[512], *pos; -@@ -415,6 +415,7 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) - while (wpa_config_get_line(buf, sizeof(buf), f, &line, &pos)) { - if (os_strcmp(pos, "network={") == 0) { - ssid = wpa_config_read_network(f, &line, id++); -+ ssid->ro = ro; - if (ssid == NULL) { - wpa_printf(MSG_ERROR, "Line %d: failed to " - "parse network block.", line); -@@ -1591,7 +1592,7 @@ int wpa_config_write(const char *name, struct wpa_config *config) - } - - for (ssid = config->ssid; ssid; ssid = ssid->next) { -- if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary) -+ if (ssid->key_mgmt == WPA_KEY_MGMT_WPS || ssid->temporary || ssid->ro) - continue; /* do not save temporary networks */ - if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set && - !ssid->passphrase) -diff --git a/wpa_supplicant/config_none.c b/wpa_supplicant/config_none.c -index 2aac28fa3..02191b425 100644 ---- a/wpa_supplicant/config_none.c -+++ b/wpa_supplicant/config_none.c -@@ -17,7 +17,7 @@ - #include "base64.h" - - --struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) -+struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp, int ro) - { - struct wpa_config *config; - -diff 
--git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h -index d5c5c00a9..fd80c079c 100644 ---- a/wpa_supplicant/config_ssid.h -+++ b/wpa_supplicant/config_ssid.h -@@ -93,6 +93,8 @@ struct wpa_ssid { - */ - int id; - -+ int ro; -+ - /** - * priority - Priority group - * -diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c -index 911d79d17..cb0cb99b1 100644 ---- a/wpa_supplicant/wpa_supplicant.c -+++ b/wpa_supplicant/wpa_supplicant.c -@@ -1052,14 +1052,14 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s) - - if (wpa_s->confname == NULL) - return -1; -- conf = wpa_config_read(wpa_s->confname, NULL); -+ conf = wpa_config_read(wpa_s->confname, NULL, 0); - if (conf == NULL) { - wpa_msg(wpa_s, MSG_ERROR, "Failed to parse the configuration " - "file '%s' - exiting", wpa_s->confname); - return -1; - } - if (wpa_s->confanother && -- !wpa_config_read(wpa_s->confanother, conf)) { -+ !wpa_config_read(wpa_s->confanother, conf, 1)) { - wpa_msg(wpa_s, MSG_ERROR, - "Failed to parse the configuration file '%s' - exiting", - wpa_s->confanother); -@@ -5638,7 +5638,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, - #else /* CONFIG_BACKEND_FILE */ - wpa_s->confname = os_strdup(iface->confname); - #endif /* CONFIG_BACKEND_FILE */ -- wpa_s->conf = wpa_config_read(wpa_s->confname, NULL); -+ wpa_s->conf = wpa_config_read(wpa_s->confname, NULL, 0); - if (wpa_s->conf == NULL) { - wpa_printf(MSG_ERROR, "Failed to read or parse " - "configuration '%s'.", wpa_s->confname); -@@ -5646,7 +5646,7 @@ static int wpa_supplicant_init_iface(struct wpa_supplicant *wpa_s, - } - wpa_s->confanother = os_rel2abs_path(iface->confanother); - if (wpa_s->confanother && -- !wpa_config_read(wpa_s->confanother, wpa_s->conf)) { -+ !wpa_config_read(wpa_s->confanother, wpa_s->conf, 1)) { - wpa_printf(MSG_ERROR, - "Failed to read or parse configuration '%s'.", - wpa_s->confanother); --- -2.29.2 - 
diff --git a/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch b/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch deleted file mode 100644 index 09e5b3673ac48..0000000000000 --- a/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch +++ /dev/null @@ -1,32 +0,0 @@ -The id and cred_id variables are reset to 0 every time the -wpa_config_read function is called, which is fine as long as it is only -called once. However, this is not the case when using both the -c and -I -options to specify two config files. - -This is a problem because the GUI, since eadfeb0e93748eb396ae62012b92d21a7f533646, -relies on the network IDs being unique (and increasing), and might get -into an infinite loop otherwise. - -This is solved by simply making the variables static. ---- - wpa_supplicant/config_file.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c -index 6db5010db..c996e3916 100644 ---- a/wpa_supplicant/config_file.c -+++ b/wpa_supplicant/config_file.c -@@ -297,8 +297,8 @@ struct wpa_config * wpa_config_read(const char *name, struct wpa_config *cfgp) - struct wpa_ssid *ssid, *tail, *head; - struct wpa_cred *cred, *cred_tail, *cred_head; - struct wpa_config *config; -- int id = 0; -- int cred_id = 0; -+ static int id = 0; -+ static int cred_id = 0; - - if (name == NULL) - return NULL; --- -2.34.1 - diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix index e63bbd7a3fc0c..f163978b95122 100644 --- a/pkgs/os-specific/linux/wpa_supplicant/default.nix +++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix 
@@ -3,28 +3,19 @@ , dbusSupport ? !stdenv.hostPlatform.isStatic, dbus , withReadline ? true, readline , withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite -, readOnlyModeSSIDs ? false }: with lib; stdenv.mkDerivation rec { - version = "2.10"; + version = "2.11"; pname = "wpa_supplicant"; src = fetchurl { url = "https://w1.fi/releases/${pname}-${version}.tar.gz"; - sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8="; + sha256 = "sha256-kS6gb3TjCo42+7aAZNbN/yGNjVkdsPxddd7myBrH/Ao="; }; - patches = [ - # Fix a bug when using two config files - ./Use-unique-IDs-for-networks-and-credentials.patch - ] ++ lib.optionals readOnlyModeSSIDs [ - # Allow read-only networks - ./0001-Implement-read-only-mode-for-ssids.patch - ]; - # TODO: Patch epoll so that the dbus actually responds # TODO: Figure out how to get privsep working, currently getting SIGBUS extraConfig = '' @@ -49,6 +40,7 @@ stdenv.mkDerivation rec { CONFIG_HT_OVERRIDES=y CONFIG_IEEE80211AC=y CONFIG_IEEE80211AX=y + CONFIG_IEEE80211BE=y CONFIG_IEEE80211N=y CONFIG_IEEE80211R=y CONFIG_IEEE80211W=y diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index c657e766e71c4..446a52b7d4a2a 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -1494,6 +1494,7 @@ mapAliases ({ wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10 wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10 wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name + wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant; wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07 wmii_hg = wmii; wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26 
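Review bot: Dropping the `readOnlyModeSSIDs ? false` argument turns any out-of-tree `wpa_supplicant.override { readOnlyModeSSIDs = …; }` into an unexpected-argument evaluation error, unless the argument pattern (whose opening lies above the hunk) ends in `...`; the `wpa_supplicant_ro_ssids` alias added in aliases.nix covers only the attribute name, not the override argument. If that compatibility matters, keep the argument as a deprecated no-op, e.g. leave `, readOnlyModeSSIDs ? false` in place and wrap the derivation in `lib.warnIf readOnlyModeSSIDs "readOnlyModeSSIDs is a no-op: read-only SSID support is upstream since wpa_supplicant 2.11"`. The same hunk also removes `Use-unique-IDs-for-networks-and-credentials.patch`, whose description says the GUI depends on unique network IDs when `-c` and `-I` are combined, without a comment or upstream reference stating that 2.11 fixes this; a one-line note naming the upstream change would make the removal auditable.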
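Review bot: The new `wpa_supplicant_ro_ssids` alias is the only entry in the hunk without the `# Added YYYY-MM-DD` trailer its neighbours carry (e.g. `# Added 2023-10-10`), which is what allows aliases to be expired later; append `# Added <YYYY-MM-DD>` with the commit date. The neighbouring entries use `throw` or a bare alias; if a warning is the intended behaviour, `lib.warn` is the usual short form of `lib.trivial.warn`, and the message would read more like the rest of the file as `wpa_supplicant_ro_ssids = lib.warn "'wpa_supplicant_ro_ssids' has been merged into 'wpa_supplicant': read-only SSID support is upstream since 2.11" wpa_supplicant; # Added <YYYY-MM-DD>`.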
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9dbd514738767..efaa79c6825eb 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -27763,10 +27763,6 @@ with pkgs; wpa_supplicant = callPackage ../os-specific/linux/wpa_supplicant { }; - wpa_supplicant_ro_ssids = wpa_supplicant.override { - readOnlyModeSSIDs = true; - }; - wpa_supplicant_gui = libsForQt5.callPackage ../os-specific/linux/wpa_supplicant/gui.nix { }; xf86_input_cmt = callPackage ../os-specific/linux/xf86-input-cmt { };