Re: [PATCH 1/2] hostapd: Update to 2.10

20 Feb 2022

Hello,
This patch should have not been merged.
...
On 18 Feb 2022, at 17:52, Peter Müller peter.mueller@ipfire.org wrote:
Hello Matthias,
thank you for submitting this.
...
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
"2022-01-16 - v2.10

SAE changes
improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
added option send SAE Confirm immediately (sae_config_immediate=1)
after SAE Commit
added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2)
fixed PMKSA caching with OKC
added support for SAE-PK


EAP-pwd changes
improved protection against side channel attacks
[https://w1.fi/security/2022-1/]


fixed WPS UPnP SUBSCRIBE handling of invalid operations
[https://w1.fi/security/2020-1/]
fixed PMF disconnection protection bypass
[https://w1.fi/security/2019-7/]
added support for using OpenSSL 3.0
fixed various issues in experimental support for EAP-TEAP server
added configuration (max_auth_rounds, max_auth_rounds_short) to
increase the maximum number of EAP message exchanges (mainly to
support cases with very large certificates) for the EAP server
added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
extended HE (IEEE 802.11ax) support, including 6 GHz support
removed obsolete IAPP functionality
fixed EAP-FAST server with TLS GCM/CCM ciphers
dropped support for libnl 1.1
added support for nl80211 control port for EAPOL frame TX/RX
fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible; owe_ptk_workaround=1 can be used to enabled a
a workaround for the group 20/21 backwards compatibility
added support for Beacon protection

Are there any plans on enabling this?
...

added support for Extended Key ID for pairwise keys
removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)

_Another_ broken technology finally bites the dust. Yay!
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Thanks, and best regards,
Peter Müller
...

added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
added support for PASN
added EAP-TLS server support for TLS 1.3 (disabled by default for now)
a large number of other fixes, cleanup, and extensions"

Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/hostapd                                   | 24 ++++++++-----------
 .../hostapd-2.9-increase_EAPOL-timeouts.patch |  4 ++--
 src/patches/hostapd/hostapd-2.9-noscan.patch  |  6 ++---
 3 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/lfs/hostapd b/lfs/hostapd
index cb2626bf3..f07d378be 100644
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  info@ipfire.org                     #
+# Copyright (C) 2007-2022  IPFire Team  info@ipfire.org                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,22 +24,18 @@
   include Config
 -SUMMARY    = Daemon for running a WPA capable Access Point
+VER        = 2_10
 -VER        = 581dfcc
This reverts changes from another patch which I assume wasn’t intended.
-Michael
...
...



-THISAPP    = hostapd-$(VER)
-DL_FILE    = $(THISAPP).tar.gz
+THISAPP    = hostap_$(VER)
+DL_FILE    = $(THISAPP).tar.bz2
 DL_FROM    = $(URL_IPFIRE)
-DIR_APP    = $(DIR_SRC)/hostap-$(VER)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = hostapd
-PAK_VER    = 58
+PAK_VER    = 59
   DEPS       =
 -SERVICES   = hostapd



###############################################################################
 # Top-level Rules
 ###############################################################################
@@ -48,7 +44,7 @@ objects = $(DL_FILE)
   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
+$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
   install : $(TARGET)
 @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
   $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
   @$(PREBUILD)

@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)


@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile


cd $(DIR_APP)/hostapd && make $(MAKETUNING)


cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP)/hostapd && make install
install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
# install initscript


$(call INSTALL_INITSCRIPTS,$(SERVICES))


$(call INSTALL_INITSCRIPT,hostapd)
mkdir -p /var/ipfire/wlanap
touch /var/ipfire/wlanap/settings
cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf

diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
index 87aec005b..67d9d4f22 100644
--- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
+++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
@@ -1,8 +1,8 @@
 diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
 --- a/src/ap/wpa_auth.c	Wed Aug  7 15:25:25 2019
 +++ b/src/ap/wpa_auth.c	Fri Sep 20 17:35:23 2019
-@@ -65,9 +65,9 @@

	  struct wpa_group *group);



+@@ -68,9 +68,9 @@

static int ieee80211w_kde_len(struct wpa_state_machine *sm);
static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
  -static const u32 eapol_key_timeout_first = 100; /* ms */

diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
index 638b76f84..01a33d0d0 100644
--- a/src/patches/hostapd/hostapd-2.9-noscan.patch
+++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
@@ -1,6 +1,6 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
-@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
+@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
   	if (bss->ocv && !bss->ieee80211w)
   		bss->ieee80211w = 1;
  #endif /* CONFIG_OCV */
@@ -13,7 +13,7 @@
   } else if (os_strcmp(buf, "ht_capab") == 0) {
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
-@@ -984,6 +984,8 @@ struct hostapd_config {
+@@ -1014,6 +1014,8 @@ struct hostapd_config {
     	int ht_op_mode_fixed;
   u16 ht_capab;
@@ -24,7 +24,7 @@
   int no_pri_sec_switch;
 --- a/src/ap/hw_features.c
 +++ b/src/ap/hw_features.c
-@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
+@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
   int ret;
     	/* Check that HT40 is used and PRI / SEC switch is allowed */

    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Re: [PATCH 1/2] hostapd: Update to 2.10

Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org