Re: [PATCH 1/2] hostapd: Update to 2.10

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 7928 bytes --]

Hello Matthias,

thank you for submitting this.

> For details see:
> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
> 
> "2022-01-16 - v2.10
> 	* SAE changes
> 	  - improved protection against side channel attacks
> 	    [https://w1.fi/security/2022-1/]
> 	  - added option send SAE Confirm immediately (sae_config_immediate=1)
> 	    after SAE Commit
> 	  - added support for the hash-to-element mechanism (sae_pwe=1 or
> 	    sae_pwe=2)
> 	  - fixed PMKSA caching with OKC
> 	  - added support for SAE-PK
> 	* EAP-pwd changes
> 	  - improved protection against side channel attacks
> 	    [https://w1.fi/security/2022-1/]
> 	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
> 	  [https://w1.fi/security/2020-1/]
> 	* fixed PMF disconnection protection bypass
> 	  [https://w1.fi/security/2019-7/]
> 	* added support for using OpenSSL 3.0
> 	* fixed various issues in experimental support for EAP-TEAP server
> 	* added configuration (max_auth_rounds, max_auth_rounds_short) to
> 	  increase the maximum number of EAP message exchanges (mainly to
> 	  support cases with very large certificates) for the EAP server
> 	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
> 	* extended HE (IEEE 802.11ax) support, including 6 GHz support
> 	* removed obsolete IAPP functionality
> 	* fixed EAP-FAST server with TLS GCM/CCM ciphers
> 	* dropped support for libnl 1.1
> 	* added support for nl80211 control port for EAPOL frame TX/RX
> 	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
> 	  compatibility for these groups while the default group 19 remains
> 	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
> 	  a workaround for the group 20/21 backwards compatibility
> 	* added support for Beacon protection

Are there any plans on enabling this?

> 	* added support for Extended Key ID for pairwise keys
> 	* removed WEP support from the default build (CONFIG_WEP=y can be used
> 	  to enable it, if really needed)

_Another_ broken technology finally bites the dust. Yay!

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

Thanks, and best regards,
Peter Müller

> 	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
> 	* added support for Transition Disable mechanism to allow the AP to
> 	  automatically disable transition mode to improve security
> 	* added support for PASN
> 	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
> 	* a large number of other fixes, cleanup, and extensions"
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>   lfs/hostapd                                   | 24 ++++++++-----------
>   .../hostapd-2.9-increase_EAPOL-timeouts.patch |  4 ++--
>   src/patches/hostapd/hostapd-2.9-noscan.patch  |  6 ++---
>   3 files changed, 15 insertions(+), 19 deletions(-)
> 
> diff --git a/lfs/hostapd b/lfs/hostapd
> index cb2626bf3..f07d378be 100644
> --- a/lfs/hostapd
> +++ b/lfs/hostapd
> @@ -1,7 +1,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
> +# Copyright (C) 2007-2022  IPFire Team  <info(a)ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -24,22 +24,18 @@
>   
>   include Config
>   
> -SUMMARY    = Daemon for running a WPA capable Access Point
> +VER        = 2_10
>   
> -VER        = 581dfcc
> -
> -THISAPP    = hostapd-$(VER)
> -DL_FILE    = $(THISAPP).tar.gz
> +THISAPP    = hostap_$(VER)
> +DL_FILE    = $(THISAPP).tar.bz2
>   DL_FROM    = $(URL_IPFIRE)
> -DIR_APP    = $(DIR_SRC)/hostap-$(VER)
> +DIR_APP    = $(DIR_SRC)/$(THISAPP)
>   TARGET     = $(DIR_INFO)/$(THISAPP)
>   PROG       = hostapd
> -PAK_VER    = 58
> +PAK_VER    = 59
>   
>   DEPS       =
>   
> -SERVICES   = hostapd
> -
>   ###############################################################################
>   # Top-level Rules
>   ###############################################################################
> @@ -48,7 +44,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
> +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
>   
>   install : $(TARGET)
>   
> @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
>   
>   $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>   	@$(PREBUILD)
> -	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> +	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>   
>   	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>   	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
>   
>   	cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
>   	cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr(a)g" -i Makefile
> -	cd $(DIR_APP)/hostapd && make $(MAKETUNING)
> +	cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
>   	cd $(DIR_APP)/hostapd && make install
>   	install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
>   	# install initscript
> -	$(call INSTALL_INITSCRIPTS,$(SERVICES))
> +	$(call INSTALL_INITSCRIPT,hostapd)
>   	mkdir -p /var/ipfire/wlanap
>   	touch /var/ipfire/wlanap/settings
>   	cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> index 87aec005b..67d9d4f22 100644
> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> @@ -1,8 +1,8 @@
>   diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
>   --- a/src/ap/wpa_auth.c	Wed Aug  7 15:25:25 2019
>   +++ b/src/ap/wpa_auth.c	Fri Sep 20 17:35:23 2019
> -@@ -65,9 +65,9 @@
> - 			  struct wpa_group *group);
> +@@ -68,9 +68,9 @@
> + static int ieee80211w_kde_len(struct wpa_state_machine *sm);
>    static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
>    
>   -static const u32 eapol_key_timeout_first = 100; /* ms */
> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
> index 638b76f84..01a33d0d0 100644
> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch
> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
> @@ -1,6 +1,6 @@
>   --- a/hostapd/config_file.c
>   +++ b/hostapd/config_file.c
> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
>    		if (bss->ocv && !bss->ieee80211w)
>    			bss->ieee80211w = 1;
>    #endif /* CONFIG_OCV */
> @@ -13,7 +13,7 @@
>    	} else if (os_strcmp(buf, "ht_capab") == 0) {
>   --- a/src/ap/ap_config.h
>   +++ b/src/ap/ap_config.h
> -@@ -984,6 +984,8 @@ struct hostapd_config {
> +@@ -1014,6 +1014,8 @@ struct hostapd_config {
>    
>    	int ht_op_mode_fixed;
>    	u16 ht_capab;
> @@ -24,7 +24,7 @@
>    	int no_pri_sec_switch;
>   --- a/src/ap/hw_features.c
>   +++ b/src/ap/hw_features.c
> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
>    	int ret;
>    
>    	/* Check that HT40 is used and PRI / SEC switch is allowed */