Release of hostapd and wpa_supplicant 2.10

After a year and a half of development, hostapd/wpa_supplicant 2.10 has been released. It is a suite for running the IEEE 802.1X, WPA, WPA2, WPA3 and EAP wireless protocols, consisting of the wpa_supplicant application, which connects to a wireless network as a client, and the hostapd daemon, which runs an access point and authentication server and includes components such as the WPA Authenticator, a RADIUS authentication client/server and an EAP server. The project's source code is distributed under the BSD license.

In addition to functional changes, the new version blocks a new side-channel attack vector affecting the SAE (Simultaneous Authentication of Equals) connection negotiation method and the EAP-pwd protocol. An attacker able to execute unprivileged code on the system of a user connecting to a wireless network can, by monitoring system activity, obtain information about password characteristics and use it to simplify offline password guessing. The problem is caused by leakage of password-related information through side channels: indirect data, such as variations in the delays of operations, make it possible to determine whether parts of the password were chosen correctly during the password selection process.

Unlike the similar issues fixed in 2019, the new vulnerability is caused by the external cryptographic primitives used in the crypto_ec_point_solve_y_coord() function not running in constant time, regardless of the nature of the data being processed. By analysing processor cache behaviour, an attacker able to run unprivileged code on the same processor core could obtain information about the progress of password operations in SAE/EAP-pwd. The problem affects all versions of wpa_supplicant and hostapd built with SAE (CONFIG_SAE=y) and EAP-pwd (CONFIG_EAP_PWD=y) support.

Other changes in the new release of hostapd and wpa_supplicant:

  • Added the ability to build against the OpenSSL 3.0 cryptographic library.
  • Implemented the Beacon Protection mechanism proposed in the WPA3 specification update, designed to protect against active attacks on wireless networks that manipulate Beacon frames.
  • Added support for DPP 2 (Wi-Fi Device Provisioning Protocol), which defines a public-key authentication method used in the WPA3 standard for simple configuration of devices without a screen interface. Setup is performed using another, more capable device that is already connected to the wireless network. For example, the parameters of a screenless IoT device can be set from a smartphone by scanning a QR code printed on the device's case.
  • Added support for Extended Key ID (IEEE 802.11-2016).
  • Added support for the SAE-PK (SAE Public Key) security mechanism in the implementation of the SAE connection negotiation method. Implemented a mode for sending the confirmation immediately, enabled by the "sae_config_immediate=1" option, as well as the hash-to-element mechanism, enabled when the sae_pwe parameter is set to 1 or 2.
  • The EAP-TLS implementation gained support for TLS 1.3 (disabled by default).
  • Added new settings (max_auth_rounds, max_auth_rounds_short) to change the limits on the number of EAP messages during the authentication process (changing the limits may be required when using very large certificates).
  • Added support for the PASN (Pre Association Security Negotiation) mechanism for establishing a secure connection and protecting the exchange of management frames at an earlier stage of the connection.
  • Implemented the Transition Disable mechanism, which allows automatically disabling roaming mode, which allows switching between access points as you move, to strengthen security.
  • WEP protocol support is excluded from the default build (rebuilding with the CONFIG_WEP=y option is required to restore WEP support). Legacy functionality related to the Inter-Access Point Protocol (IAPP) has been removed. Support for libnl 1.1 has been discontinued. Added the CONFIG_NO_TKIP=y build option for builds without TKIP support.
  • Fixed vulnerabilities in the UPnP implementation (CVE-2020-12695), in the P2P/Wi-Fi Direct handler (CVE-2021-27803) and in the PMF protection mechanism (CVE-2019-16275).
  • Hostapd-specific changes include extended support for HEW (High-Efficiency Wireless, IEEE 802.11ax) wireless networks, including the ability to use the 6 GHz frequency range.
  • wpa_supplicant-specific changes:
    • Added support for configuring SAE (WPA3-Personal) access point mode.
    • Implemented P2P mode support on EDMG (IEEE 802.11ay) channels.
    • Improved throughput estimation and BSS selection.
    • Extended the D-Bus control interface.
    • Added a new backend for storing passwords in a separate file, which allows sensitive information to be removed from the main configuration file.
    • Added new SCS, MSCS and DSCP policies.
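The following configuration is an added example, not part of the release notes or of the hostapd/wpa_supplicant project's own documentation. It shows how the options named above fit together in a WPA3-Personal deployment: on the access point, SAE with hash-to-element (sae_pwe), immediate Confirm (sae_config_immediate), Beacon Protection, the Transition Disable indication and the EAP round limits; on the client, SAE with the password moved out of the main configuration file. The interface name, SSID and the PASSWORD-PLACEHOLDER value are assumptions to be replaced; the option names beacon_prot, transition_disable and ext_password_backend=file: are taken from the hostapd.conf/wpa_supplicant.conf reference files shipped with the project and should be checked against the build in use.

```conf
# ---------------------------------------------------------------
# hostapd.conf (added example): WPA3-Personal access point
# ---------------------------------------------------------------
interface=wlan0            # assumption: adjust to the real radio
driver=nl80211
ssid=example-wpa3          # assumption
hw_mode=a
channel=36

# SAE only; no WPA2-PSK fallback on this SSID
wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP          # TKIP is not offered (matches CONFIG_NO_TKIP builds)
sae_password=PASSWORD-PLACEHOLDER
ieee80211w=2               # PMF required; SAE mandates management frame protection

# Password element derivation: 0 = hunting-and-pecking only,
# 1 = hash-to-element only, 2 = both (clients pick H2E when they support it)
sae_pwe=2

# Send SAE Confirm immediately after Commit (new in 2.10)
sae_config_immediate=1

# Beacon Protection (WPA3 specification update)
beacon_prot=1

# Transition Disable indication, bit 0 = WPA3-Personal: clients that
# honour it stop accepting WPA2-PSK for this SSID after a successful connection
transition_disable=0x01

# EAP message limits (only consulted when the EAP server is in use);
# raise them if large certificate chains make EAP-TLS exceed the default rounds
max_auth_rounds=100
max_auth_rounds_short=50

# ---------------------------------------------------------------
# wpa_supplicant.conf (added example): matching client
# ---------------------------------------------------------------
ctrl_interface=/var/run/wpa_supplicant
# Passwords live in a separate, more tightly permissioned file;
# that file holds lines of the form  <name>=<secret>
ext_password_backend=file:/etc/wpa_supplicant/secrets.conf   # assumption: path

network={
    ssid="example-wpa3"
    key_mgmt=SAE
    ieee80211w=2
    sae_pwe=2              # accept hash-to-element from the AP
    beacon_prot=1
    psk=ext:example_wpa3   # resolved through the external backend, not stored here
}
```

With this layout the main wpa_supplicant.conf contains no secret, so it can be world-readable for debugging while /etc/wpa_supplicant/secrets.conf stays mode 0600. The AP side deliberately omits WPA2-PSK from wpa_key_mgmt; if a mixed (transition-mode) SSID is required instead, keep transition_disable=0x01 so that WPA3-capable clients pin themselves to SAE after their first connection.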

Source: opennet.ru
