hostapd: Update to 2.10

For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

"2022-01-16 - v2.10
	* SAE changes
	  - improved protection against side channel attacks
	    [https://w1.fi/security/2022-1/]
	  - added option send SAE Confirm immediately (sae_config_immediate=1)
	    after SAE Commit
	  - added support for the hash-to-element mechanism (sae_pwe=1 or
	    sae_pwe=2)
	  - fixed PMKSA caching with OKC
	  - added support for SAE-PK
	* EAP-pwd changes
	  - improved protection against side channel attacks
	    [https://w1.fi/security/2022-1/]
	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
	  [https://w1.fi/security/2020-1/]
	* fixed PMF disconnection protection bypass
	  [https://w1.fi/security/2019-7/]
	* added support for using OpenSSL 3.0
	* fixed various issues in experimental support for EAP-TEAP server
	* added configuration (max_auth_rounds, max_auth_rounds_short) to
	  increase the maximum number of EAP message exchanges (mainly to
	  support cases with very large certificates) for the EAP server
	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
	* extended HE (IEEE 802.11ax) support, including 6 GHz support
	* removed obsolete IAPP functionality
	* fixed EAP-FAST server with TLS GCM/CCM ciphers
	* dropped support for libnl 1.1
	* added support for nl80211 control port for EAPOL frame TX/RX
	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
	  compatibility for these groups while the default group 19 remains
	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
	  a workaround for the group 20/21 backwards compatibility
	* added support for Beacon protection
	* added support for Extended Key ID for pairwise keys
	* removed WEP support from the default build (CONFIG_WEP=y can be used
	  to enable it, if really needed)
	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
	* added support for Transition Disable mechanism to allow the AP to
	  automatically disable transition mode to improve security
	* added support for PASN
	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
	* a large number of other fixes, cleanup, and extensions"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/lfs/hostapd b/lfs/hostapd
index cb2626bf3a76c2dce4bb63493253463ddc70e185..f07d378be5523bcdf3b2af0dca92b68a646c95b0 100644 (file)
--- a/lfs/hostapd
+++ b/lfs/hostapd
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,22 +24,18 @@
 
 include Config
 
-SUMMARY    = Daemon for running a WPA capable Access Point 
+VER        = 2_10
 
-VER        = 581dfcc
-
-THISAPP    = hostapd-$(VER)
-DL_FILE    = $(THISAPP).tar.gz
+THISAPP    = hostap_$(VER)
+DL_FILE    = $(THISAPP).tar.bz2
 DL_FROM    = $(URL_IPFIRE)
-DIR_APP    = $(DIR_SRC)/hostap-$(VER)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = hostapd
-PAK_VER    = 58
+PAK_VER    = 59
 
 DEPS       =
 
-SERVICES   = hostapd
-
 ###############################################################################
 # Top-level Rules
 ###############################################################################
@@ -48,7 +44,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = eed922f2daabe16d74adf2b23455d8bd
+$(DL_FILE)_MD5 = 973639d02c9f6712b3b3da6d6c70ab37
 
 install : $(TARGET)
 
@@ -80,18 +76,18 @@ $(subst %,%_MD5,$(objects)) :
 
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
-       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/hostapd/hostapd-2.9-noscan.patch
 
        cd $(DIR_APP)/hostapd && cp $(DIR_SRC)/config/hostapd/config ./.config
        cd $(DIR_APP)/hostapd && sed -e "s@/usr/local@/usr@g" -i Makefile
-       cd $(DIR_APP)/hostapd && make $(MAKETUNING)
+       cd $(DIR_APP)/hostapd && make $(MAKETUNING) $(EXTRA_MAKE)
        cd $(DIR_APP)/hostapd && make install
        install -v -m 644 $(DIR_SRC)/config/backup/includes/hostapd /var/ipfire/backup/addons/includes/hostapd
        # install initscript
-       $(call INSTALL_INITSCRIPTS,$(SERVICES))
+       $(call INSTALL_INITSCRIPT,hostapd)
        mkdir -p /var/ipfire/wlanap
        touch /var/ipfire/wlanap/settings
        cp -vrf $(DIR_SRC)/config/hostapd/hostapd.conf /var/ipfire/wlanap/hostapd.conf

diff --git a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
index 87aec005ba2513d7cfb11b64b92b56a552796578..67d9d4f22abc5cf2902b0778c0a73d4a869164cb 100644 (file)
--- a/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
+++ b/src/patches/hostapd/hostapd-2.9-increase_EAPOL-timeouts.patch
@@ -1,8 +1,8 @@
 diff U3 src/ap/wpa_auth.c src/ap/wpa_auth.c
 --- a/src/ap/wpa_auth.c        Wed Aug  7 15:25:25 2019
 +++ b/src/ap/wpa_auth.c        Fri Sep 20 17:35:23 2019
-@@ -65,9 +65,9 @@
-                         struct wpa_group *group);
+@@ -68,9 +68,9 @@
+ static int ieee80211w_kde_len(struct wpa_state_machine *sm);
  static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
  
 -static const u32 eapol_key_timeout_first = 100; /* ms */

diff --git a/src/patches/hostapd/hostapd-2.9-noscan.patch b/src/patches/hostapd/hostapd-2.9-noscan.patch
index 638b76f84e6705ce8bdba97b4e985e6c3913b2b9..01a33d0d035b1880244c26b3a2f1d6e93ff32eb6 100644 (file)
--- a/src/patches/hostapd/hostapd-2.9-noscan.patch
+++ b/src/patches/hostapd/hostapd-2.9-noscan.patch
@@ -1,6 +1,6 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
-@@ -3493,6 +3493,10 @@ static int hostapd_config_fill(struct ho
+@@ -3474,6 +3474,10 @@ static int hostapd_config_fill(struct ho
                if (bss->ocv && !bss->ieee80211w)
                        bss->ieee80211w = 1;
  #endif /* CONFIG_OCV */
@@ -13,7 +13,7 @@
        } else if (os_strcmp(buf, "ht_capab") == 0) {
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
-@@ -984,6 +984,8 @@ struct hostapd_config {
+@@ -1014,6 +1014,8 @@ struct hostapd_config {
  
        int ht_op_mode_fixed;
        u16 ht_capab;
@@ -24,7 +24,7 @@
        int no_pri_sec_switch;
 --- a/src/ap/hw_features.c
 +++ b/src/ap/hw_features.c
-@@ -500,7 +500,8 @@ static int ieee80211n_check_40mhz(struct
+@@ -517,7 +517,8 @@ static int ieee80211n_check_40mhz(struct
        int ret;
  
        /* Check that HT40 is used and PRI / SEC switch is allowed */