NixOS · fpletz · Jul 28, 2024 · Jul 24, 2024 · Jul 24, 2024
diff --git a/...os-specific/linux/hostapd/0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch b/...os-specific/linux/hostapd/0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch
diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix
@@ -2,7 +2,6 @@
   lib,
   stdenv,
   fetchurl,
-  fetchpatch,
   pkg-config,
   libnl,
   openssl,
@@ -12,11 +11,11 @@
 
 stdenv.mkDerivation rec {
   pname = "hostapd";
-  version = "2.10";
+  version = "2.11";
 
   src = fetchurl {
     url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
-    sha256 = "sha256-IG58eZtnhXLC49EgMCOHhLxKn4IyOwFWtMlGbxSYkV0=";
+    sha256 = "sha256-Kz+stjL9T2XjL0v4Kna0tyxQH5laT2LjMCGf567RdHo=";
   };
 
   nativeBuildInputs = [ pkg-config ];
@@ -29,53 +28,6 @@ stdenv.mkDerivation rec {
       url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch";
       sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00";
     })
-
-    # Backported security patches for CVE-2024-3596 (https://blastradius.fail),
-    # these can be removed when updating to 2.11.
-
-    # RADIUS: Allow Message-Authenticator attribute as the first attribute
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46";
-      hash = "sha256-1jfSeVGL5tyZn8F2wpQ7KwaQaEKWsCOW/bavovMcdz4=";
-    })
-
-    # RADIUS server: Place Message-Authenticator attribute as the first one
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=54abb0d3cf35894e7d86e3f7555e95b106306803";
-      hash = "sha256-fVhQlOVETttVf1M9iKrXJrv7mxpxSjCt3w8kndRal08=";
-    })
-
-    # hostapd: Move Message-Authenticator attribute to be the first one in req
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17";
-      hash = "sha256-3eoAkXhieO3f0R5PTlH6g5wcgo/aLQN6XcPSITGgciE=";
-    })
-
-    # RADIUS DAS: Move Message-Authenticator attribute to be the first one
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf";
-      hash = "sha256-dcaghKbKNFVSN6ONNaFt1s0S35mkqox2aykiExEXyPQ=";
-    })
-
-    # Require Message-Authenticator in Access-Reject even without EAP-Message
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=934b0c3a45ce0726560ccefbd992a9d385c36385";
-      hash = "sha256-9GquP/+lsghF81nMhOuRwlSz/pEnmk+mSex8aM3/qdA=";
-    })
-
-    # RADIUS: Require Message-Authenticator attribute in MAC ACL cases
-    #(fetchpatch {
-    #  url = "https://w1.fi/cgit/hostap/patch/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1";
-    #  hash = "sha256-mW+PAeAkNcrlFPsjxLvZ/1Smq6H6KXq5Le3HuLA2KKw=";
-    #})
-    # Needed to be fixed to apply correctly:
-    ./0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch
-
-    # RADIUS: Check Message-Authenticator if it is present even if not required
-    (fetchpatch {
-      url = "https://w1.fi/cgit/hostap/patch/?id=f302d9f9646704cce745734af21d540baa0da65f";
-      hash = "sha256-6i0cq5YBm2w03yMrdYGaEqe1dTsmokZWOs4WPFX36qo=";
-    })
   ];
 
   outputs = [ "out" "man" ];
@@ -137,6 +89,7 @@ stdenv.mkDerivation rec {
     CONFIG_IEEE80211N=y
     CONFIG_IEEE80211AC=y
     CONFIG_IEEE80211AX=y
+    CONFIG_IEEE80211BE=y
   '' + lib.optionalString (sqlite != null) ''
     CONFIG_SQLITE=y
   '';

diff --git a/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch b/pkgs/os-specific/linux/wpa_supplicant/0001-Implement-read-only-mode-for-ssids.patch
diff --git a/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch b/pkgs/os-specific/linux/wpa_supplicant/Use-unique-IDs-for-networks-and-credentials.patch
diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -3,28 +3,19 @@
 , dbusSupport ? !stdenv.hostPlatform.isStatic, dbus
 , withReadline ? true, readline
 , withPcsclite ? !stdenv.hostPlatform.isStatic, pcsclite
-, readOnlyModeSSIDs ? false
 }:
 
 with lib;
 stdenv.mkDerivation rec {
-  version = "2.10";
+  version = "2.11";
 
   pname = "wpa_supplicant";
 
   src = fetchurl {
     url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
-    sha256 = "sha256-IN965RVLODA1X4q0JpEjqHr/3qWf50/pKSqR0Nfhey8=";
+    sha256 = "sha256-kS6gb3TjCo42+7aAZNbN/yGNjVkdsPxddd7myBrH/Ao=";
   };
 
-  patches = [
-    # Fix a bug when using two config files
-    ./Use-unique-IDs-for-networks-and-credentials.patch
-  ] ++ lib.optionals readOnlyModeSSIDs [
-    # Allow read-only networks
-    ./0001-Implement-read-only-mode-for-ssids.patch
-  ];
-
   # TODO: Patch epoll so that the dbus actually responds
   # TODO: Figure out how to get privsep working, currently getting SIGBUS
   extraConfig = ''
@@ -49,6 +40,7 @@ stdenv.mkDerivation rec {
     CONFIG_HT_OVERRIDES=y
     CONFIG_IEEE80211AC=y
     CONFIG_IEEE80211AX=y
+    CONFIG_IEEE80211BE=y
     CONFIG_IEEE80211N=y
     CONFIG_IEEE80211R=y
     CONFIG_IEEE80211W=y

diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
@@ -1494,6 +1494,7 @@ mapAliases ({
   wordpress6_1 = throw "'wordpress6_1' has been removed in favor of the latest version"; # Added 2023-10-10
   wordpress6_2 = throw "'wordpress6_2' has been removed in favor of the latest version"; # Added 2023-10-10
   wormhole-rs = magic-wormhole-rs; # Added 2022-05-30. preserve, reason: Arch package name, main binary name
+  wpa_supplicant_ro_ssids = lib.trivial.warn "Deprecated package: Please use wpa_supplicant instead. Read-only SSID patches are now upstream!" wpa_supplicant;
   wrapLisp_old = throw "Lisp packages have been redesigned. See 'lisp-modules' in the nixpkgs manual."; # Added 2024-05-07
   wmii_hg = wmii;
   wrapGAppsHook = wrapGAppsHook3; # Added 2024-03-26