hostapd: update to git snapshot of 2018-03-26

The following patches were merged upstream:
000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
 replaced by commit 0e3bd7ac6
001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
 replaced by commit cb5132bb3
002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
 replaced by commit 87e2db16b
003-Prevent-installation-of-an-all-zero-TK.patch
 replaced by commit 53bb18cc8
004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
 replaced by commit 0adc9b28b
005-TDLS-Reject-TPK-TK-reconfiguration.patch
 replaced by commit ff89af96e
006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 replaced by commit adae51f8b
007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
 replaced by commit 2a9c5217b
008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch
 replaced by commit a00e946c1
009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch
 replaced by commit b488a1294
010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
 replaced by commit 6f234c1e2
011-Additional-consistentcy-checks-for-PTK-component-len.patch
 replaced by commit a6ea66530
012-Clear-BSSID-information-in-supplicant-state-machine-.patch
 replaced by commit c0fe5f125
013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch
 replaced by commit 114f2830d

Some patches had to be modified to work with changed upstream source:
380-disable_ctrl_iface_mib.patch (adding more ifdef'ery)
plus some minor knits needed for other patches to apply which are not
worth being explicitely listed here.

For SAE key management in mesh mode, use the newly introduce
sae_password parameter instead of the psk parameter to also support
SAE keys which would fail the checks applied on the psk field (ie.
length and such). This fixes compatibility issues for users migrating
from authsae.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

1 files changed, 0 insertions, 221 deletions

diff --git a/package/network/services/hostapd/patches/010-Optional-AP-side-workaround-for-key-reinstallation-a.patch b/package/network/services/hostapd/patches/010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
deleted file mode 100644
index 19165cce2d..0000000000
--- a/package/network/services/hostapd/patches/010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
+++ /dev/null
@@ -1,221 +0,0 @@
-From 6f234c1e2ee1ede29f2412b7012b3345ed8e52d3 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Mon, 16 Oct 2017 18:37:43 +0300
-Subject: [PATCH] Optional AP side workaround for key reinstallation attacks
-
-This adds a new hostapd configuration parameter
-wpa_disable_eapol_key_retries=1 that can be used to disable
-retransmission of EAPOL-Key frames that are used to install
-keys (EAPOL-Key message 3/4 and group message 1/2). This is
-similar to setting wpa_group_update_count=1 and
-wpa_pairwise_update_count=1, but with no impact to message 1/4
-retries and with extended timeout for messages 4/4 and group
-message 2/2 to avoid causing issues with stations that may use
-aggressive power saving have very long time in replying to the
-EAPOL-Key messages.
-
-This option can be used to work around key reinstallation attacks
-on the station (supplicant) side in cases those station devices
-cannot be updated for some reason. By removing the
-retransmissions the attacker cannot cause key reinstallation with
-a delayed frame transmission. This is related to the station side
-vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
-CVE-2017-13080, and CVE-2017-13081.
-
-This workaround might cause interoperability issues and reduced
-robustness of key negotiation especially in environments with
-heavy traffic load due to the number of attempts to perform the
-key exchange is reduced significantly. As such, this workaround
-is disabled by default (unless overridden in build
-configuration). To enable this, set the parameter to 1.
-
-It is also possible to enable this in the build by default by
-adding the following to the build configuration:
-
-CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- hostapd/config_file.c  |  2 ++
- hostapd/defconfig      |  4 ++++
- hostapd/hostapd.conf   | 24 ++++++++++++++++++++++++
- src/ap/ap_config.c     |  6 ++++++
- src/ap/ap_config.h     |  1 +
- src/ap/wpa_auth.c      | 22 ++++++++++++++++++++--
- src/ap/wpa_auth.h      |  1 +
- src/ap/wpa_auth_glue.c |  2 ++
- 8 files changed, 60 insertions(+), 2 deletions(-)
-
---- a/hostapd/config_file.c
-+++ b/hostapd/config_file.c
-@@ -2542,6 +2542,8 @@ static int hostapd_config_fill(struct ho
- 			return 1;
- 		}
- 		bss->wpa_pairwise_update_count = (u32) val;
-+	} else if (os_strcmp(buf, "wpa_disable_eapol_key_retries") == 0) {
-+		bss->wpa_disable_eapol_key_retries = atoi(pos);
- 	} else if (os_strcmp(buf, "wpa_passphrase") == 0) {
- 		int len = os_strlen(pos);
- 		if (len < 8 || len > 63) {
---- a/hostapd/defconfig
-+++ b/hostapd/defconfig
-@@ -372,3 +372,7 @@ CONFIG_IPV6=y
- # Opportunistic Wireless Encryption (OWE)
- # Experimental implementation of draft-harkins-owe-07.txt
- #CONFIG_OWE=y
-+
-+# Override default value for the wpa_disable_eapol_key_retries configuration
-+# parameter. See that parameter in hostapd.conf for more details.
-+#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
---- a/hostapd/hostapd.conf
-+++ b/hostapd/hostapd.conf
-@@ -1315,6 +1315,30 @@ own_ip_addr=127.0.0.1
- # Range 1..4294967295; default: 4
- #wpa_pairwise_update_count=4
- 
-+# Workaround for key reinstallation attacks
-+#
-+# This parameter can be used to disable retransmission of EAPOL-Key frames that
-+# are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This
-+# is similar to setting wpa_group_update_count=1 and
-+# wpa_pairwise_update_count=1, but with no impact to message 1/4 and with
-+# extended timeout on the response to avoid causing issues with stations that
-+# may use aggressive power saving have very long time in replying to the
-+# EAPOL-Key messages.
-+#
-+# This option can be used to work around key reinstallation attacks on the
-+# station (supplicant) side in cases those station devices cannot be updated
-+# for some reason. By removing the retransmissions the attacker cannot cause
-+# key reinstallation with a delayed frame transmission. This is related to the
-+# station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
-+# CVE-2017-13080, and CVE-2017-13081.
-+#
-+# This workaround might cause interoperability issues and reduced robustness of
-+# key negotiation especially in environments with heavy traffic load due to the
-+# number of attempts to perform the key exchange is reduced significantly. As
-+# such, this workaround is disabled by default (unless overridden in build
-+# configuration). To enable this, set the parameter to 1.
-+#wpa_disable_eapol_key_retries=1
-+
- # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
- # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
- # authentication and key handshake before actually associating with a new AP.
---- a/src/ap/ap_config.c
-+++ b/src/ap/ap_config.c
-@@ -37,6 +37,10 @@ static void hostapd_config_free_vlan(str
- }
- 
- 
-+#ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES
-+#define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0
-+#endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */
-+
- void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
- {
- 	dl_list_init(&bss->anqp_elem);
-@@ -58,6 +62,8 @@ void hostapd_config_defaults_bss(struct
- 	bss->wpa_gmk_rekey = 86400;
- 	bss->wpa_group_update_count = 4;
- 	bss->wpa_pairwise_update_count = 4;
-+	bss->wpa_disable_eapol_key_retries =
-+		DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
- 	bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
- 	bss->wpa_pairwise = WPA_CIPHER_TKIP;
- 	bss->wpa_group = WPA_CIPHER_TKIP;
---- a/src/ap/ap_config.h
-+++ b/src/ap/ap_config.h
-@@ -333,6 +333,7 @@ struct hostapd_bss_config {
- 	int wpa_ptk_rekey;
- 	u32 wpa_group_update_count;
- 	u32 wpa_pairwise_update_count;
-+	int wpa_disable_eapol_key_retries;
- 	int rsn_pairwise;
- 	int rsn_preauth;
- 	char *rsn_preauth_interfaces;
---- a/src/ap/wpa_auth.c
-+++ b/src/ap/wpa_auth.c
-@@ -65,6 +65,7 @@ static u8 * ieee80211w_kde_add(struct wp
- static const u32 eapol_key_timeout_first = 100; /* ms */
- static const u32 eapol_key_timeout_subseq = 1000; /* ms */
- static const u32 eapol_key_timeout_first_group = 500; /* ms */
-+static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
- 
- /* TODO: make these configurable */
- static const int dot11RSNAConfigPMKLifetime = 43200;
-@@ -1653,6 +1654,9 @@ static void wpa_send_eapol(struct wpa_au
- 			eapol_key_timeout_first_group;
- 	else
- 		timeout_ms = eapol_key_timeout_subseq;
-+	if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
-+	    (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
-+		timeout_ms = eapol_key_timeout_no_retrans;
- 	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
- 		sm->pending_1_of_4_timeout = 1;
- 	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
-@@ -2882,6 +2886,11 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
- 	sm->TimeoutEvt = FALSE;
- 
- 	sm->TimeoutCtr++;
-+	if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
-+	    sm->TimeoutCtr > 1) {
-+		/* Do not allow retransmission of EAPOL-Key msg 3/4 */
-+		return;
-+	}
- 	if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
- 		/* No point in sending the EAPOL-Key - we will disconnect
- 		 * immediately following this. */
-@@ -3220,7 +3229,9 @@ SM_STEP(WPA_PTK)
- 			 sm->EAPOLKeyPairwise && sm->MICVerified)
- 			SM_ENTER(WPA_PTK, PTKINITDONE);
- 		else if (sm->TimeoutCtr >
--			 sm->wpa_auth->conf.wpa_pairwise_update_count) {
-+			 sm->wpa_auth->conf.wpa_pairwise_update_count ||
-+			 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
-+			  sm->TimeoutCtr > 1)) {
- 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
- 			wpa_auth_vlogger(
- 				sm->wpa_auth, sm->addr, LOGGER_DEBUG,
-@@ -3260,6 +3271,11 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING
- 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
- 
- 	sm->GTimeoutCtr++;
-+	if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
-+	    sm->GTimeoutCtr > 1) {
-+		/* Do not allow retransmission of EAPOL-Key group msg 1/2 */
-+		return;
-+	}
- 	if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
- 		/* No point in sending the EAPOL-Key - we will disconnect
- 		 * immediately following this. */
-@@ -3363,7 +3379,9 @@ SM_STEP(WPA_PTK_GROUP)
- 		    !sm->EAPOLKeyPairwise && sm->MICVerified)
- 			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
- 		else if (sm->GTimeoutCtr >
--			 sm->wpa_auth->conf.wpa_group_update_count)
-+			 sm->wpa_auth->conf.wpa_group_update_count ||
-+			 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
-+			  sm->GTimeoutCtr > 1))
- 			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
- 		else if (sm->TimeoutEvt)
- 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -165,6 +165,7 @@ struct wpa_auth_config {
- 	int wpa_ptk_rekey;
- 	u32 wpa_group_update_count;
- 	u32 wpa_pairwise_update_count;
-+	int wpa_disable_eapol_key_retries;
- 	int rsn_pairwise;
- 	int rsn_preauth;
- 	int eapol_version;
---- a/src/ap/wpa_auth_glue.c
-+++ b/src/ap/wpa_auth_glue.c
-@@ -45,6 +45,8 @@ static void hostapd_wpa_auth_conf(struct
- 	wconf->wpa_gmk_rekey = conf->wpa_gmk_rekey;
- 	wconf->wpa_ptk_rekey = conf->wpa_ptk_rekey;
- 	wconf->wpa_group_update_count = conf->wpa_group_update_count;
-+	wconf->wpa_disable_eapol_key_retries =
-+		conf->wpa_disable_eapol_key_retries;
- 	wconf->wpa_pairwise_update_count = conf->wpa_pairwise_update_count;
- 	wconf->rsn_pairwise = conf->rsn_pairwise;
- 	wconf->rsn_preauth = conf->rsn_preauth;