Release of hostapd and wpa_supplicant 2.10

After a year and a half of development, hostapd/wpa_supplicant 2.10 has been released. It is a suite supporting the wireless protocols IEEE 802.1X, WPA, WPA2, WPA3 and EAP, consisting of the wpa_supplicant application for connecting to a wireless network as a client and the hostapd background process for operating an access point and authentication server, including components such as a WPA Authenticator, a RADIUS authentication client/server and an EAP server. The project's source code is distributed under the BSD license.

In addition to functional changes, the new version blocks a new side-channel attack vector affecting the SAE (Simultaneous Authentication of Equals) connection negotiation method and the EAP-pwd protocol. An attacker able to run unprivileged code on the system of a user connecting to a wireless network can, by monitoring activity on that system, obtain information about the characteristics of the password and use it to simplify offline password guessing. The problem is caused by information about the password's characteristics leaking through side channels, which makes it possible, from indirect data such as changes in delays during operations, to check whether parts of the password were chosen correctly while guessing it.

Unlike the similar issues fixed in 2019, the new vulnerability arises because the external cryptographic primitives used in the crypto_ec_point_solve_y_coord() function did not guarantee constant execution time regardless of the nature of the data being processed. By analyzing the behavior of the processor cache, an attacker able to run unprivileged code on the same processor core could obtain information about the progress of password operations in SAE/EAP-pwd. The problem affects all versions of wpa_supplicant and hostapd built with support for SAE (CONFIG_SAE=y) and EAP-pwd (CONFIG_EAP_PWD=y).

Other changes in the new releases of hostapd and wpa_supplicant:

  • Added the ability to build with the OpenSSL 3.0 cryptographic library.
  • The Beacon Protection mechanism proposed in the WPA3 specification update has been implemented; it is designed to protect against active attacks on the wireless network that manipulate changes in Beacon frames.
  • Added support for DPP 2 (Wi-Fi Device Provisioning Protocol), which defines the public-key authentication method used in the WPA3 standard for simplified configuration of devices without an on-screen interface. Setup is performed using another, more capable device that is already connected to the wireless network. For example, the parameters of an IoT device without a screen can be set from a smartphone based on a photo of a QR code printed on the case.
  • Added support for Extended Key ID (IEEE 802.11-2016).
  • Support for the SAE-PK (SAE Public Key) security mechanism has been added to the implementation of the SAE connection negotiation method. A mode for sending the confirmation immediately has been implemented, enabled by the "sae_config_immediate=1" option, as well as the hash-to-element mechanism, enabled when the sae_pwe parameter is set to 1 or 2.
  • The EAP-TLS implementation has gained support for TLS 1.3 (disabled by default).
  • Added new settings (max_auth_rounds, max_auth_rounds_short) to change the limits on the number of EAP messages during authentication (changing the limits may be necessary when using very large certificates).
  • Added support for the PASN (Pre Association Security Negotiation) mechanism for establishing a secure connection and protecting the exchange of control frames at an early stage of the connection.
  • The Transition Disable mechanism has been implemented, which allows roaming mode, which lets you switch between access points as you move, to be disabled automatically in order to improve security.
  • Support for the WEP protocol is excluded from default builds (rebuilding with the CONFIG_WEP=y option is required to restore WEP support). Legacy functionality related to the Inter-Access Point Protocol (IAPP) has been removed. Support for libnl 1.1 has been discontinued. The build option CONFIG_NO_TKIP=y has been added for building without TKIP support.
  • Fixed vulnerabilities in the UPnP implementation (CVE-2020-12695), in the P2P/Wi-Fi Direct handler (CVE-2021-27803) and in the PMF protection mechanism (CVE-2019-16275).
  • Hostapd-specific changes include expanded support for HEW (High-Efficiency Wireless, IEEE 802.11ax) wireless networks, including the ability to use the 6 GHz frequency range.
  • Changes specific to wpa_supplicant:
    • Added support for access point mode settings for SAE (WPA3-Personal).
    • P802.11P mode support is implemented for EDMG channels (IEEE 802.11ay).
    • Improved throughput estimation and BSS selection.
    • The control interface via D-Bus has been extended.
    • A new backend has been added for storing passwords in a separate file, allowing sensitive information to be removed from the main configuration file.
    • Added new policies for SCS, MSCS and DSCP.
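
A build-configuration check for the options named in these release notes, as an added example that is not part of the original article or the hostapd project: it flags builds older than 2.10 with CONFIG_SAE=y or CONFIG_EAP_PWD=y (the side-channel issue described above) and builds that still include WEP or TKIP. The function names, finding labels and sample .config are constructed for illustration, and it assumes WEP was part of the default build before 2.10.

```shell
#!/bin/sh
# Added example: audit a hostapd/wpa_supplicant build .config (names are illustrative).

# has_opt FILE NAME: true if NAME=y appears on an uncommented line.
has_opt() {
    grep -Eq "^[[:space:]]*$2=y[[:space:]]*(#.*)?\$" "$1"
}

# version_lt A B: true if dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# audit_build VERSION FILE: print findings; return 0 only if there are none.
audit_build() {
    ver=$1; conf=$2; n=0
    if version_lt "$ver" 2.10; then
        # Per the release notes, builds with either option are affected.
        for opt in CONFIG_SAE CONFIG_EAP_PWD; do
            if has_opt "$conf" "$opt"; then
                echo "SIDE_CHANNEL $opt=y in $ver, fixed in 2.10"; n=$((n + 1))
            fi
        done
    fi
    # Assumption: before 2.10 WEP was part of the default build.
    if version_lt "$ver" 2.10 || has_opt "$conf" CONFIG_WEP; then
        echo "WEP_ENABLED"; n=$((n + 1))
    fi
    if ! has_opt "$conf" CONFIG_NO_TKIP; then
        echo "TKIP_ENABLED CONFIG_NO_TKIP=y not set"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample .config, not taken from any real build.
sample_config() {
    cat <<'EOF'
CONFIG_DRIVER_NL80211=y
CONFIG_SAE=y
#CONFIG_EAP_PWD=y
CONFIG_WEP=y
EOF
}

demo=$(mktemp)
sample_config > "$demo"
audit_build 2.9 "$demo" || echo "findings above: rebuild from 2.10 sources"
rm -f "$demo"
```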

Source: opennet.ru
