Re: [PATCH 1/2] hostapd: Update to 2.10

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 8236 bytes --]

Hello,

> On 18 Feb 2022, at 17:52, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Hello Matthias,
> 
> thank you for submitting this.
> 
>> For details see:
>> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
>> "2022-01-16 - v2.10
>> 	* SAE changes
>> 	  - improved protection against side channel attacks
>> 	    [https://w1.fi/security/2022-1/]
>> 	  - added option send SAE Confirm immediately (sae_config_immediate=1)
>> 	    after SAE Commit
>> 	  - added support for the hash-to-element mechanism (sae_pwe=1 or
>> 	    sae_pwe=2)
>> 	  - fixed PMKSA caching with OKC
>> 	  - added support for SAE-PK
>> 	* EAP-pwd changes
>> 	  - improved protection against side channel attacks
>> 	    [https://w1.fi/security/2022-1/]
>> 	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
>> 	  [https://w1.fi/security/2020-1/]
>> 	* fixed PMF disconnection protection bypass
>> 	  [https://w1.fi/security/2019-7/]
>> 	* added support for using OpenSSL 3.0
>> 	* fixed various issues in experimental support for EAP-TEAP server
>> 	* added configuration (max_auth_rounds, max_auth_rounds_short) to
>> 	  increase the maximum number of EAP message exchanges (mainly to
>> 	  support cases with very large certificates) for the EAP server
>> 	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
>> 	* extended HE (IEEE 802.11ax) support, including 6 GHz support
>> 	* removed obsolete IAPP functionality
>> 	* fixed EAP-FAST server with TLS GCM/CCM ciphers
>> 	* dropped support for libnl 1.1
>> 	* added support for nl80211 control port for EAPOL frame TX/RX
>> 	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
>> 	  compatibility for these groups while the default group 19 remains
>> 	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
>> 	  a workaround for the group 20/21 backwards compatibility
>> 	* added support for Beacon protection
> 
> Are there any plans on enabling this?

I don’t know if there is any benefit from this and how compatible this is with older clients.

> 
>> 	* added support for Extended Key ID for pairwise keys
>> 	* removed WEP support from the default build (CONFIG_WEP=y can be used
>> 	  to enable it, if really needed)
> 
> _Another_ broken technology finally bites the dust. Yay!

We have WEP disabled for a long time now.

-Michael

> 
> Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> 
> Thanks, and best regards,
> Peter Müller
> 
>> 	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
>> 	* added support for Transition Disable mechanism to allow the AP to
>> 	  automatically disable transition mode to improve security
>> 	* added support for PASN
>> 	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
>> 	* a large number of other fixes, cleanup, and extensions"
>> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
>> ---
>>  lfs/hostapd                                   | 24 ++++++++-----------
>>  .../hostapd-2.9-increase_EAPOL-timeouts.patch |  4 ++--
>>  src/patches/hostapd/hostapd-2.9-noscan.patch  |  6 ++---
>>  3 files changed, 15 insertions(+), 19 deletions(-)
>> diff --git a/lfs/hostapd b/lfs/hostapd
>> index cb2626bf3..f07d378be 100644
>> --- a/lfs/hostapd
>> +++ b/lfs/hostapd
>> @@ -1,7 +1,7 @@
>>  ###############################################################################
>>  #                                                                             #
>>  # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
>> +# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
>>  #                                                                             #
>>  # This program is free software: you can redistribute it and/or modify        #
>>  # it under the terms of the GNU General Public License as published by        #
>> @@ -24,22 +24,18 @@
>>    include Config
>>  -SUMMARY    = Daemon for running a WPA capable Access Point
>> +VER        = 2_10
>>  -VER        = 581dfcc
>> -
>> -THISAPP    = hostapd-$(VER)
>> -DL_FILE    = $(THISAPP).tar.gz
>> +THISAPP    = hostap_$(VER)
>> +DL_FILE    = $(THISAPP).tar.bz2
>>  DL_FROM    = $(URL_IPFIRE)
>> -DIR_APP    = $(DIR_SRC)/hostap-$(VER)
>> +DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>  TARGET     = $(DIR_INFO)/$(THISAPP)
>>  PROG       = hostapd
>> -PAK_VER    = 58
>> +PAK_VER    = 59
>>    DEPS       =
>>  -SERVICES   = hostapd
>> -
>>  ###############################################################################
>>  # Top-level Rules
>>  ###############################################################################
>> @@ -48,7 +44,7 @@ objects = $(DL_FILE)
>>    $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>  -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
>> +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
>>    install : $(TARGET)
>>  @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
>>    $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  	@$(PREBUILD)
>> -	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>> +	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>>    	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>>  	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
>>    	cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
>>  	cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr(a)g" -i Makefile
>> -	cd $(DIR_APP)/hostapd && make $(MAKETUNING)
>> +	cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
>>  	cd $(DIR_APP)/hostapd && make install
>>  	install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
>>  	# install initscript
>> -	$(call INSTALL_INITSCRIPTS,$(SERVICES))
>> +	$(call INSTALL_INITSCRIPT,hostapd)
>>  	mkdir -p /var/ipfire/wlanap
>>  	touch /var/ipfire/wlanap/settings
>>  	cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
>> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> index 87aec005b..67d9d4f22 100644
>> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> @@ -1,8 +1,8 @@
>>  diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
>>  --- a/src/ap/wpa_auth.c	Wed Aug  7 15:25:25 2019
>>  +++ b/src/ap/wpa_auth.c	Fri Sep 20 17:35:23 2019
>> -@@ -65,9 +65,9 @@
>> - 			  struct wpa_group *group);
>> +@@ -68,9 +68,9 @@
>> + static int ieee80211w_kde_len(struct wpa_state_machine *sm);
>>   static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
>>     -static const u32 eapol_key_timeout_first = 100; /* ms */
>> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
>> index 638b76f84..01a33d0d0 100644
>> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch
>> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
>> @@ -1,6 +1,6 @@
>>  --- a/hostapd/config_file.c
>>  +++ b/hostapd/config_file.c
>> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
>> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
>>   		if (bss->ocv && !bss->ieee80211w)
>>   			bss->ieee80211w = 1;
>>   #endif /* CONFIG_OCV */
>> @@ -13,7 +13,7 @@
>>   	} else if (os_strcmp(buf, "ht_capab") == 0) {
>>  --- a/src/ap/ap_config.h
>>  +++ b/src/ap/ap_config.h
>> -@@ -984,6 +984,8 @@ struct hostapd_config {
>> +@@ -1014,6 +1014,8 @@ struct hostapd_config {
>>      	int ht_op_mode_fixed;
>>   	u16 ht_capab;
>> @@ -24,7 +24,7 @@
>>   	int no_pri_sec_switch;
>>  --- a/src/ap/hw_features.c
>>  +++ b/src/ap/hw_features.c
>> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
>> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
>>   	int ret;
>>      	/* Check that HT40 is used and PRI / SEC switch is allowed */