[1/2] hostapd: Update to 2.10

Message ID 20220218171336.4024505-1-matthias.fischer@ipfire.org
State Accepted
Commit 6491a92335a15fa0e3a4df1fed24b40490eaf3cb
Headers
Series [1/2] hostapd: Update to 2.10 |

Commit Message

Matthias Fischer Feb. 18, 2022, 5:13 p.m. UTC
  For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

"2022-01-16 - v2.10
	* SAE changes
	  - improved protection against side channel attacks
	    [https://w1.fi/security/2022-1/]
	  - added option send SAE Confirm immediately (sae_config_immediate=1)
	    after SAE Commit
	  - added support for the hash-to-element mechanism (sae_pwe=1 or
	    sae_pwe=2)
	  - fixed PMKSA caching with OKC
	  - added support for SAE-PK
	* EAP-pwd changes
	  - improved protection against side channel attacks
	    [https://w1.fi/security/2022-1/]
	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
	  [https://w1.fi/security/2020-1/]
	* fixed PMF disconnection protection bypass
	  [https://w1.fi/security/2019-7/]
	* added support for using OpenSSL 3.0
	* fixed various issues in experimental support for EAP-TEAP server
	* added configuration (max_auth_rounds, max_auth_rounds_short) to
	  increase the maximum number of EAP message exchanges (mainly to
	  support cases with very large certificates) for the EAP server
	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
	* extended HE (IEEE 802.11ax) support, including 6 GHz support
	* removed obsolete IAPP functionality
	* fixed EAP-FAST server with TLS GCM/CCM ciphers
	* dropped support for libnl 1.1
	* added support for nl80211 control port for EAPOL frame TX/RX
	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
	  compatibility for these groups while the default group 19 remains
	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
	  a workaround for the group 20/21 backwards compatibility
	* added support for Beacon protection
	* added support for Extended Key ID for pairwise keys
	* removed WEP support from the default build (CONFIG_WEP=y can be used
	  to enable it, if really needed)
	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
	* added support for Transition Disable mechanism to allow the AP to
	  automatically disable transition mode to improve security
	* added support for PASN
	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
	* a large number of other fixes, cleanup, and extensions"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 lfs/hostapd                                   | 24 ++++++++-----------
 .../hostapd-2.9-increase_EAPOL-timeouts.patch |  4 ++--
 src/patches/hostapd/hostapd-2.9-noscan.patch  |  6 ++---
 3 files changed, 15 insertions(+), 19 deletions(-)
  

Comments

Peter Müller Feb. 18, 2022, 5:52 p.m. UTC | #1
Hello Matthias,

thank you for submitting this.

> For details see:
> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
> 
> "2022-01-16 - v2.10
> 	* SAE changes
> 	  - improved protection against side channel attacks
> 	    [https://w1.fi/security/2022-1/]
> 	  - added option send SAE Confirm immediately (sae_config_immediate=1)
> 	    after SAE Commit
> 	  - added support for the hash-to-element mechanism (sae_pwe=1 or
> 	    sae_pwe=2)
> 	  - fixed PMKSA caching with OKC
> 	  - added support for SAE-PK
> 	* EAP-pwd changes
> 	  - improved protection against side channel attacks
> 	    [https://w1.fi/security/2022-1/]
> 	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
> 	  [https://w1.fi/security/2020-1/]
> 	* fixed PMF disconnection protection bypass
> 	  [https://w1.fi/security/2019-7/]
> 	* added support for using OpenSSL 3.0
> 	* fixed various issues in experimental support for EAP-TEAP server
> 	* added configuration (max_auth_rounds, max_auth_rounds_short) to
> 	  increase the maximum number of EAP message exchanges (mainly to
> 	  support cases with very large certificates) for the EAP server
> 	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
> 	* extended HE (IEEE 802.11ax) support, including 6 GHz support
> 	* removed obsolete IAPP functionality
> 	* fixed EAP-FAST server with TLS GCM/CCM ciphers
> 	* dropped support for libnl 1.1
> 	* added support for nl80211 control port for EAPOL frame TX/RX
> 	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
> 	  compatibility for these groups while the default group 19 remains
> 	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
> 	  a workaround for the group 20/21 backwards compatibility
> 	* added support for Beacon protection

Are there any plans on enabling this?

> 	* added support for Extended Key ID for pairwise keys
> 	* removed WEP support from the default build (CONFIG_WEP=y can be used
> 	  to enable it, if really needed)

_Another_ broken technology finally bites the dust. Yay!

Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

Thanks, and best regards,
Peter Müller

> 	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
> 	* added support for Transition Disable mechanism to allow the AP to
> 	  automatically disable transition mode to improve security
> 	* added support for PASN
> 	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
> 	* a large number of other fixes, cleanup, and extensions"
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
>   lfs/hostapd                                   | 24 ++++++++-----------
>   .../hostapd-2.9-increase_EAPOL-timeouts.patch |  4 ++--
>   src/patches/hostapd/hostapd-2.9-noscan.patch  |  6 ++---
>   3 files changed, 15 insertions(+), 19 deletions(-)
> 
> diff --git a/lfs/hostapd b/lfs/hostapd
> index cb2626bf3..f07d378be 100644
> --- a/lfs/hostapd
> +++ b/lfs/hostapd
> @@ -1,7 +1,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
> +# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -24,22 +24,18 @@
>   
>   include Config
>   
> -SUMMARY    = Daemon for running a WPA capable Access Point
> +VER        = 2_10
>   
> -VER        = 581dfcc
> -
> -THISAPP    = hostapd-$(VER)
> -DL_FILE    = $(THISAPP).tar.gz
> +THISAPP    = hostap_$(VER)
> +DL_FILE    = $(THISAPP).tar.bz2
>   DL_FROM    = $(URL_IPFIRE)
> -DIR_APP    = $(DIR_SRC)/hostap-$(VER)
> +DIR_APP    = $(DIR_SRC)/$(THISAPP)
>   TARGET     = $(DIR_INFO)/$(THISAPP)
>   PROG       = hostapd
> -PAK_VER    = 58
> +PAK_VER    = 59
>   
>   DEPS       =
>   
> -SERVICES   = hostapd
> -
>   ###############################################################################
>   # Top-level Rules
>   ###############################################################################
> @@ -48,7 +44,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
> +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
>   
>   install : $(TARGET)
>   
> @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
>   
>   $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>   	@$(PREBUILD)
> -	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> +	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>   
>   	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>   	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
>   
>   	cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
>   	cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
> -	cd $(DIR_APP)/hostapd && make $(MAKETUNING)
> +	cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
>   	cd $(DIR_APP)/hostapd && make install
>   	install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
>   	# install initscript
> -	$(call INSTALL_INITSCRIPTS,$(SERVICES))
> +	$(call INSTALL_INITSCRIPT,hostapd)
>   	mkdir -p /var/ipfire/wlanap
>   	touch /var/ipfire/wlanap/settings
>   	cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> index 87aec005b..67d9d4f22 100644
> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
> @@ -1,8 +1,8 @@
>   diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
>   --- a/src/ap/wpa_auth.c	Wed Aug  7 15:25:25 2019
>   +++ b/src/ap/wpa_auth.c	Fri Sep 20 17:35:23 2019
> -@@ -65,9 +65,9 @@
> - 			  struct wpa_group *group);
> +@@ -68,9 +68,9 @@
> + static int ieee80211w_kde_len(struct wpa_state_machine *sm);
>    static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
>    
>   -static const u32 eapol_key_timeout_first = 100; /* ms */
> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
> index 638b76f84..01a33d0d0 100644
> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch
> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
> @@ -1,6 +1,6 @@
>   --- a/hostapd/config_file.c
>   +++ b/hostapd/config_file.c
> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
>    		if (bss->ocv && !bss->ieee80211w)
>    			bss->ieee80211w = 1;
>    #endif /* CONFIG_OCV */
> @@ -13,7 +13,7 @@
>    	} else if (os_strcmp(buf, "ht_capab") == 0) {
>   --- a/src/ap/ap_config.h
>   +++ b/src/ap/ap_config.h
> -@@ -984,6 +984,8 @@ struct hostapd_config {
> +@@ -1014,6 +1014,8 @@ struct hostapd_config {
>    
>    	int ht_op_mode_fixed;
>    	u16 ht_capab;
> @@ -24,7 +24,7 @@
>    	int no_pri_sec_switch;
>   --- a/src/ap/hw_features.c
>   +++ b/src/ap/hw_features.c
> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
>    	int ret;
>    
>    	/* Check that HT40 is used and PRI / SEC switch is allowed */
  
Michael Tremer Feb. 20, 2022, 5:47 p.m. UTC | #2
Hello,

This patch should have not been merged.

> On 18 Feb 2022, at 17:52, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Matthias,
> 
> thank you for submitting this.
> 
>> For details see:
>> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
>> "2022-01-16 - v2.10
>> 	* SAE changes
>> 	  - improved protection against side channel attacks
>> 	    [https://w1.fi/security/2022-1/]
>> 	  - added option send SAE Confirm immediately (sae_config_immediate=1)
>> 	    after SAE Commit
>> 	  - added support for the hash-to-element mechanism (sae_pwe=1 or
>> 	    sae_pwe=2)
>> 	  - fixed PMKSA caching with OKC
>> 	  - added support for SAE-PK
>> 	* EAP-pwd changes
>> 	  - improved protection against side channel attacks
>> 	    [https://w1.fi/security/2022-1/]
>> 	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
>> 	  [https://w1.fi/security/2020-1/]
>> 	* fixed PMF disconnection protection bypass
>> 	  [https://w1.fi/security/2019-7/]
>> 	* added support for using OpenSSL 3.0
>> 	* fixed various issues in experimental support for EAP-TEAP server
>> 	* added configuration (max_auth_rounds, max_auth_rounds_short) to
>> 	  increase the maximum number of EAP message exchanges (mainly to
>> 	  support cases with very large certificates) for the EAP server
>> 	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
>> 	* extended HE (IEEE 802.11ax) support, including 6 GHz support
>> 	* removed obsolete IAPP functionality
>> 	* fixed EAP-FAST server with TLS GCM/CCM ciphers
>> 	* dropped support for libnl 1.1
>> 	* added support for nl80211 control port for EAPOL frame TX/RX
>> 	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
>> 	  compatibility for these groups while the default group 19 remains
>> 	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
>> 	  a workaround for the group 20/21 backwards compatibility
>> 	* added support for Beacon protection
> 
> Are there any plans on enabling this?
> 
>> 	* added support for Extended Key ID for pairwise keys
>> 	* removed WEP support from the default build (CONFIG_WEP=y can be used
>> 	  to enable it, if really needed)
> 
> _Another_ broken technology finally bites the dust. Yay!
> 
> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
> 
> Thanks, and best regards,
> Peter Müller
> 
>> 	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
>> 	* added support for Transition Disable mechanism to allow the AP to
>> 	  automatically disable transition mode to improve security
>> 	* added support for PASN
>> 	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
>> 	* a large number of other fixes, cleanup, and extensions"
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>>  lfs/hostapd                                   | 24 ++++++++-----------
>>  .../hostapd-2.9-increase_EAPOL-timeouts.patch |  4 ++--
>>  src/patches/hostapd/hostapd-2.9-noscan.patch  |  6 ++---
>>  3 files changed, 15 insertions(+), 19 deletions(-)
>> diff --git a/lfs/hostapd b/lfs/hostapd
>> index cb2626bf3..f07d378be 100644
>> --- a/lfs/hostapd
>> +++ b/lfs/hostapd
>> @@ -1,7 +1,7 @@
>>  ###############################################################################
>>  #                                                                             #
>>  # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
>>  #                                                                             #
>>  # This program is free software: you can redistribute it and/or modify        #
>>  # it under the terms of the GNU General Public License as published by        #
>> @@ -24,22 +24,18 @@
>>    include Config
>>  -SUMMARY    = Daemon for running a WPA capable Access Point
>> +VER        = 2_10
>>  -VER        = 581dfcc

This reverts changes from another patch which I assume wasn’t intended.

-Michael

>> -
>> -THISAPP    = hostapd-$(VER)
>> -DL_FILE    = $(THISAPP).tar.gz
>> +THISAPP    = hostap_$(VER)
>> +DL_FILE    = $(THISAPP).tar.bz2
>>  DL_FROM    = $(URL_IPFIRE)
>> -DIR_APP    = $(DIR_SRC)/hostap-$(VER)
>> +DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>  TARGET     = $(DIR_INFO)/$(THISAPP)
>>  PROG       = hostapd
>> -PAK_VER    = 58
>> +PAK_VER    = 59
>>    DEPS       =
>>  -SERVICES   = hostapd
>> -
>>  ###############################################################################
>>  # Top-level Rules
>>  ###############################################################################
>> @@ -48,7 +44,7 @@ objects = $(DL_FILE)
>>    $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>  -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
>> +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
>>    install : $(TARGET)
>>  @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
>>    $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  	@$(PREBUILD)
>> -	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>> +	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>>    	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>>  	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
>>    	cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
>>  	cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
>> -	cd $(DIR_APP)/hostapd && make $(MAKETUNING)
>> +	cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
>>  	cd $(DIR_APP)/hostapd && make install
>>  	install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
>>  	# install initscript
>> -	$(call INSTALL_INITSCRIPTS,$(SERVICES))
>> +	$(call INSTALL_INITSCRIPT,hostapd)
>>  	mkdir -p /var/ipfire/wlanap
>>  	touch /var/ipfire/wlanap/settings
>>  	cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
>> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> index 87aec005b..67d9d4f22 100644
>> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> @@ -1,8 +1,8 @@
>>  diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
>>  --- a/src/ap/wpa_auth.c	Wed Aug  7 15:25:25 2019
>>  +++ b/src/ap/wpa_auth.c	Fri Sep 20 17:35:23 2019
>> -@@ -65,9 +65,9 @@
>> - 			  struct wpa_group *group);
>> +@@ -68,9 +68,9 @@
>> + static int ieee80211w_kde_len(struct wpa_state_machine *sm);
>>   static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
>>     -static const u32 eapol_key_timeout_first = 100; /* ms */
>> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
>> index 638b76f84..01a33d0d0 100644
>> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch
>> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
>> @@ -1,6 +1,6 @@
>>  --- a/hostapd/config_file.c
>>  +++ b/hostapd/config_file.c
>> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
>> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
>>   		if (bss->ocv && !bss->ieee80211w)
>>   			bss->ieee80211w = 1;
>>   #endif /* CONFIG_OCV */
>> @@ -13,7 +13,7 @@
>>   	} else if (os_strcmp(buf, "ht_capab") == 0) {
>>  --- a/src/ap/ap_config.h
>>  +++ b/src/ap/ap_config.h
>> -@@ -984,6 +984,8 @@ struct hostapd_config {
>> +@@ -1014,6 +1014,8 @@ struct hostapd_config {
>>      	int ht_op_mode_fixed;
>>   	u16 ht_capab;
>> @@ -24,7 +24,7 @@
>>   	int no_pri_sec_switch;
>>  --- a/src/ap/hw_features.c
>>  +++ b/src/ap/hw_features.c
>> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
>> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
>>   	int ret;
>>      	/* Check that HT40 is used and PRI / SEC switch is allowed */
  
Michael Tremer Feb. 20, 2022, 5:48 p.m. UTC | #3
Hello,

> On 18 Feb 2022, at 17:52, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Matthias,
> 
> thank you for submitting this.
> 
>> For details see:
>> https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
>> "2022-01-16 - v2.10
>> 	* SAE changes
>> 	  - improved protection against side channel attacks
>> 	    [https://w1.fi/security/2022-1/]
>> 	  - added option send SAE Confirm immediately (sae_config_immediate=1)
>> 	    after SAE Commit
>> 	  - added support for the hash-to-element mechanism (sae_pwe=1 or
>> 	    sae_pwe=2)
>> 	  - fixed PMKSA caching with OKC
>> 	  - added support for SAE-PK
>> 	* EAP-pwd changes
>> 	  - improved protection against side channel attacks
>> 	    [https://w1.fi/security/2022-1/]
>> 	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
>> 	  [https://w1.fi/security/2020-1/]
>> 	* fixed PMF disconnection protection bypass
>> 	  [https://w1.fi/security/2019-7/]
>> 	* added support for using OpenSSL 3.0
>> 	* fixed various issues in experimental support for EAP-TEAP server
>> 	* added configuration (max_auth_rounds, max_auth_rounds_short) to
>> 	  increase the maximum number of EAP message exchanges (mainly to
>> 	  support cases with very large certificates) for the EAP server
>> 	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
>> 	* extended HE (IEEE 802.11ax) support, including 6 GHz support
>> 	* removed obsolete IAPP functionality
>> 	* fixed EAP-FAST server with TLS GCM/CCM ciphers
>> 	* dropped support for libnl 1.1
>> 	* added support for nl80211 control port for EAPOL frame TX/RX
>> 	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
>> 	  compatibility for these groups while the default group 19 remains
>> 	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
>> 	  a workaround for the group 20/21 backwards compatibility
>> 	* added support for Beacon protection
> 
> Are there any plans on enabling this?

I don’t know if there is any benefit from this and how compatible this is with older clients.

> 
>> 	* added support for Extended Key ID for pairwise keys
>> 	* removed WEP support from the default build (CONFIG_WEP=y can be used
>> 	  to enable it, if really needed)
> 
> _Another_ broken technology finally bites the dust. Yay!

We have WEP disabled for a long time now.

-Michael

> 
> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
> 
> Thanks, and best regards,
> Peter Müller
> 
>> 	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
>> 	* added support for Transition Disable mechanism to allow the AP to
>> 	  automatically disable transition mode to improve security
>> 	* added support for PASN
>> 	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
>> 	* a large number of other fixes, cleanup, and extensions"
>> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
>> ---
>>  lfs/hostapd                                   | 24 ++++++++-----------
>>  .../hostapd-2.9-increase_EAPOL-timeouts.patch |  4 ++--
>>  src/patches/hostapd/hostapd-2.9-noscan.patch  |  6 ++---
>>  3 files changed, 15 insertions(+), 19 deletions(-)
>> diff --git a/lfs/hostapd b/lfs/hostapd
>> index cb2626bf3..f07d378be 100644
>> --- a/lfs/hostapd
>> +++ b/lfs/hostapd
>> @@ -1,7 +1,7 @@
>>  ###############################################################################
>>  #                                                                             #
>>  # IPFire.org - A linux based firewall                                         #
>> -# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
>> +# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
>>  #                                                                             #
>>  # This program is free software: you can redistribute it and/or modify        #
>>  # it under the terms of the GNU General Public License as published by        #
>> @@ -24,22 +24,18 @@
>>    include Config
>>  -SUMMARY    = Daemon for running a WPA capable Access Point
>> +VER        = 2_10
>>  -VER        = 581dfcc
>> -
>> -THISAPP    = hostapd-$(VER)
>> -DL_FILE    = $(THISAPP).tar.gz
>> +THISAPP    = hostap_$(VER)
>> +DL_FILE    = $(THISAPP).tar.bz2
>>  DL_FROM    = $(URL_IPFIRE)
>> -DIR_APP    = $(DIR_SRC)/hostap-$(VER)
>> +DIR_APP    = $(DIR_SRC)/$(THISAPP)
>>  TARGET     = $(DIR_INFO)/$(THISAPP)
>>  PROG       = hostapd
>> -PAK_VER    = 58
>> +PAK_VER    = 59
>>    DEPS       =
>>  -SERVICES   = hostapd
>> -
>>  ###############################################################################
>>  # Top-level Rules
>>  ###############################################################################
>> @@ -48,7 +44,7 @@ objects = $(DL_FILE)
>>    $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>>  -$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
>> +$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
>>    install : $(TARGET)
>>  @@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
>>    $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  	@$(PREBUILD)
>> -	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>> +	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
>>    	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>>  	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
>>    	cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
>>  	cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
>> -	cd $(DIR_APP)/hostapd && make $(MAKETUNING)
>> +	cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
>>  	cd $(DIR_APP)/hostapd && make install
>>  	install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
>>  	# install initscript
>> -	$(call INSTALL_INITSCRIPTS,$(SERVICES))
>> +	$(call INSTALL_INITSCRIPT,hostapd)
>>  	mkdir -p /var/ipfire/wlanap
>>  	touch /var/ipfire/wlanap/settings
>>  	cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
>> diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> index 87aec005b..67d9d4f22 100644
>> --- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> +++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
>> @@ -1,8 +1,8 @@
>>  diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
>>  --- a/src/ap/wpa_auth.c	Wed Aug  7 15:25:25 2019
>>  +++ b/src/ap/wpa_auth.c	Fri Sep 20 17:35:23 2019
>> -@@ -65,9 +65,9 @@
>> - 			  struct wpa_group *group);
>> +@@ -68,9 +68,9 @@
>> + static int ieee80211w_kde_len(struct wpa_state_machine *sm);
>>   static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
>>     -static const u32 eapol_key_timeout_first = 100; /* ms */
>> diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
>> index 638b76f84..01a33d0d0 100644
>> --- a/src/patches/hostapd/hostapd-2.9-noscan.patch
>> +++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
>> @@ -1,6 +1,6 @@
>>  --- a/hostapd/config_file.c
>>  +++ b/hostapd/config_file.c
>> -@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
>> +@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
>>   		if (bss->ocv && !bss->ieee80211w)
>>   			bss->ieee80211w = 1;
>>   #endif /* CONFIG_OCV */
>> @@ -13,7 +13,7 @@
>>   	} else if (os_strcmp(buf, "ht_capab") == 0) {
>>  --- a/src/ap/ap_config.h
>>  +++ b/src/ap/ap_config.h
>> -@@ -984,6 +984,8 @@ struct hostapd_config {
>> +@@ -1014,6 +1014,8 @@ struct hostapd_config {
>>      	int ht_op_mode_fixed;
>>   	u16 ht_capab;
>> @@ -24,7 +24,7 @@
>>   	int no_pri_sec_switch;
>>  --- a/src/ap/hw_features.c
>>  +++ b/src/ap/hw_features.c
>> -@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
>> +@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
>>   	int ret;
>>      	/* Check that HT40 is used and PRI / SEC switch is allowed */
  

Patch

diff --git a/lfs/hostapd b/lfs/hostapd
index cb2626bf3..f07d378be 100644
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,22 +24,18 @@ 
 
 include Config
 
-SUMMARY    = Daemon for running a WPA capable Access Point 
+VER        = 2_10
 
-VER        = 581dfcc
-
-THISAPP    = hostapd-$(VER)
-DL_FILE    = $(THISAPP).tar.gz
+THISAPP    = hostap_$(VER)
+DL_FILE    = $(THISAPP).tar.bz2
 DL_FROM    = $(URL_IPFIRE)
-DIR_APP    = $(DIR_SRC)/hostap-$(VER)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = hostapd
-PAK_VER    = 58
+PAK_VER    = 59
 
 DEPS       =
 
-SERVICES   = hostapd
-
 ###############################################################################
 # Top-level Rules
 ###############################################################################
@@ -48,7 +44,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
+$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
 
 install : $(TARGET)
 
@@ -80,18 +76,18 @@  $(subst %,%_MD5,$(objects)) :
 
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
-	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
 
 	cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
 	cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
-	cd $(DIR_APP)/hostapd && make $(MAKETUNING)
+	cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
 	cd $(DIR_APP)/hostapd && make install
 	install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
 	# install initscript
-	$(call INSTALL_INITSCRIPTS,$(SERVICES))
+	$(call INSTALL_INITSCRIPT,hostapd)
 	mkdir -p /var/ipfire/wlanap
 	touch /var/ipfire/wlanap/settings
 	cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf
diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
index 87aec005b..67d9d4f22 100644
--- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
+++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
@@ -1,8 +1,8 @@ 
 diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
 --- a/src/ap/wpa_auth.c	Wed Aug  7 15:25:25 2019
 +++ b/src/ap/wpa_auth.c	Fri Sep 20 17:35:23 2019
-@@ -65,9 +65,9 @@
- 			  struct wpa_group *group);
+@@ -68,9 +68,9 @@
+ static int ieee80211w_kde_len(struct wpa_state_machine *sm);
  static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
  
 -static const u32 eapol_key_timeout_first = 100; /* ms */
diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
index 638b76f84..01a33d0d0 100644
--- a/src/patches/hostapd/hostapd-2.9-noscan.patch
+++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
@@ -1,6 +1,6 @@ 
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
-@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
+@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
  		if (bss->ocv && !bss->ieee80211w)
  			bss->ieee80211w = 1;
  #endif /* CONFIG_OCV */
@@ -13,7 +13,7 @@ 
  	} else if (os_strcmp(buf, "ht_capab") == 0) {
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
-@@ -984,6 +984,8 @@ struct hostapd_config {
+@@ -1014,6 +1014,8 @@ struct hostapd_config {
  
  	int ht_op_mode_fixed;
  	u16 ht_capab;
@@ -24,7 +24,7 @@ 
  	int no_pri_sec_switch;
 --- a/src/ap/hw_features.c
 +++ b/src/ap/hw_features.c
-@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
+@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
  	int ret;
  
  	/* Check that HT40 is used and PRI / SEC switch is allowed */