Release of hostapd and wpa_supplicant 2.10

After a year and a half of development, the release of hostapd/wpa_supplicant 2.10 has been prepared: a suite implementing the IEEE 802.1X, WPA, WPA2, WPA3 and EAP wireless protocols, consisting of the wpa_supplicant application for connecting to a wireless network as a client and the hostapd background process for providing access point and authentication server functionality, including components such as the WPA Authenticator, a RADIUS authentication client/server and an EAP server. The project source code is distributed under the BSD license.

In addition to functional changes, the new version blocks a new side-channel attack vector affecting the SAE (Simultaneous Authentication of Equals) connection negotiation method and the EAP-pwd protocol. An attacker able to execute unprivileged code on the system of a user connecting to a wireless network can, by monitoring activity on that system, obtain information about properties of the password and use it to simplify guessing the password in offline mode. The problem is caused by a leak, through side channels, of information about password properties, which allows an attacker, based on indirect data such as changes in operation latency, to refine how correct the chosen parts of the password are during the guessing process.

Unlike the similar issues fixed in 2019, the new vulnerability is caused by the fact that the external cryptographic primitives used in the crypto_ec_point_solve_y_coord() function did not provide constant execution time regardless of the nature of the data being processed. Based on analysis of processor cache behaviour, an attacker able to run unprivileged code on the same processor core could obtain information about the progress of password operations in SAE/EAP-pwd. The problem affects all versions of wpa_supplicant and hostapd built with SAE (CONFIG_SAE=y) and EAP-pwd (CONFIG_EAP_PWD=y) support.

Other changes in the new release of hostapd and wpa_supplicant:

  • Added the ability to build with the OpenSSL 3.0 cryptographic library.
  • The Beacon Protection mechanism proposed in the WPA3 specification update is implemented, designed to protect against active attacks on a wireless network that manipulate changes in Beacon frames.
  • Added support for DPP 2 (Wi-Fi Device Provisioning Protocol), which defines a public key authentication method used in the WPA3 standard for simplified configuration of devices without an on-screen interface. Setup is performed using another, more capable device that is already connected to the wireless network. For example, the parameters of an IoT device without a screen can be set from a smartphone based on a snapshot of the QR code printed on the case.
  • Added support for Extended Key ID (IEEE 802.11-2016).
  • Added support for the SAE-PK (SAE Public Key) security mechanism in the implementation of the SAE connection negotiation method. An immediate-confirm mode is implemented, enabled with the option "sae_config_immediate=1", as well as the hash-to-element mechanism, enabled when the sae_pwe parameter is set to 1 or 2.
  • The EAP-TLS implementation has gained TLS 1.3 support (disabled by default).
  • Added new settings (max_auth_rounds, max_auth_rounds_short) to change the limits on the number of EAP messages during the authentication process (changing the limits may be needed when very large certificates are used).
  • Added support for the PASN (Pre Association Security Negotiation) mechanism for establishing a secure connection and protecting the exchange of management frames at the pre-association stage.
  • The Transition Disable mechanism is implemented, which allows automatically disabling roaming mode, which permits switching between access points while moving, in order to improve security.
  • WEP protocol support is excluded from the default build (rebuilding with the CONFIG_WEP=y option is required to restore WEP support). Legacy functionality related to the Inter-Access Point Protocol (IAPP) has been removed. Support for libnl 1.1 has been dropped. Added the build option CONFIG_NO_TKIP=y for building without TKIP support.
  • Fixed vulnerabilities in the UPnP implementation (CVE-2020-12695), in the P2P/Wi-Fi Direct handler (CVE-2021-27803) and in the PMF protection mechanism (CVE-2019-16275).
  • Changes specific to hostapd include extended support for HEW (High-Efficiency Wireless, IEEE 802.11ax) wireless networks, including the ability to use the 6 GHz frequency range.
  • Changes specific to wpa_supplicant:
    • Added support for SAE (WPA3-Personal) access point mode settings.
    • Support for P2P mode using EDMG channels (IEEE 802.11ay).
    • Improved roaming prediction and BSS selection.
    • The D-Bus control interface has been extended.
    • A new backend has been added for storing passwords in a separate file, which allows removing sensitive data from the main configuration file.
    • Added new SCS, MSCS and DSCP policies.
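The following hostapd.conf fragment is an added example (not from the article or the hostapd project) that puts several of the 2.10 features listed above together for a WPA3-Personal access point: hash-to-element SAE, Beacon Protection, Extended Key ID, Transition Disable and the new EAP round limits. The interface name, SSID and passphrase are placeholders; the parameter names are those documented in hostapd.conf.

```ini
# Constructed hostapd 2.10 example: WPA3-Personal (SAE) access point.
# Placeholders: replace interface, ssid and sae_password for a real deployment.
interface=wlan0
ssid=example-wpa3
hw_mode=a
channel=36
# HE (IEEE 802.11ax) operation, extended in this release.
ieee80211ax=1

wpa=2
wpa_key_mgmt=SAE
rsn_pairwise=CCMP
sae_password=CHANGE-ME-LONG-PASSPHRASE
# Management frame protection is mandatory for WPA3-Personal.
ieee80211w=2
sae_require_mfp=1

# Password element derivation: 0 = hunting-and-pecking loop only (default),
# 1 = hash-to-element only, 2 = both. H2E avoids the loop whose timing the
# side channel described above targets, so prefer 1 where all clients support it.
sae_pwe=1
# Send SAE Confirm right after Commit instead of waiting for the station
# (the immediate-confirm mode mentioned above; option name as in hostapd.conf).
sae_confirm_immediate=1

# Beacon Protection against tampering with Beacon frames.
beacon_prot=1
# Extended Key ID (IEEE 802.11-2016): 1 = supported, Key ID 0 used first.
extended_key_id=1
# Transition Disable bitmap: bit 0 tells stations to stop using WPA2-Personal
# for this network once they have connected with WPA3-Personal.
transition_disable=0x01

# Per-authentication EAP message limits (defaults shown; only relevant with
# eap_server=1, raise them when very large certificates are in use).
#max_auth_rounds=100
#max_auth_rounds_short=50
```

Clients that only implement the older hunting-and-pecking derivation cannot join when sae_pwe=1; use sae_pwe=2 during a migration and tighten it afterwards.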

Source: opennet.ru
