From 4664f050155f0d74be2489c7ddf6c156eac42837 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Thu, 7 Dec 2023 18:42:00 -0800
Subject: [PATCH] Remove the 'haveged' options and entropy watchdog
These were needed because of an annoying bug in old versions of 'hostapd', where the kernel's entropy pool was used incorrectly, and 'hostapd' would decide that there wasn't enough randomness available, e.g.: random: Only 9/20 bytes of strong random data available from /dev/random random: Not enough entropy pool available for secure operations WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects That issue has been fixed since hostapd v2.6, released in 2016 (https://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html), so there's really no reason for 'create_ap' to have an entropy-checking watchdog or to encourage users to install 'haveged'.
---
 README.md | 3 ++-
 bash_completion | 3 ---
 create_ap | 43 ++-----------------------------------------
 create_ap.conf | 2 --
 4 files changed, 4 insertions(+), 47 deletions(-)
diff --git a/README.md b/README.md
index 705d820..3ae4b61 100644
--- a/README.md
+++ b/README.md
@@ -20,10 +20,11 @@ This project is a fork of the no-longer-maintained [oblique/create_ap](//github.
 * util-linux (for getopt)
 * procps or procps-ng
 * hostapd
+ * Version 2.6 or newer is required; earlier versions may
+ fail unpredictably due to [a RNG bug](https://packetstormsecurity.com/files/156573/Hostapd-Insufficient-Entropy.html).
 * iproute2
 * iw
 * iwconfig (you only need this if 'iw' can not recognize your adapter)
-* haveged (optional)
 
 ### For 'NATed' or 'None' Internet sharing method
 * dnsmasq
diff --git a/bash_completion b/bash_completion
index aae0bb2..78a2a15 100644
--- a/bash_completion
+++ b/bash_completion
@@ -115,9 +115,6 @@ _create_ap() {
 --no-virt)
 # No Options
 ;;
- --no-haveged)
- # No Options
- ;;
 --fix-unmanaged)
 # No Options
 ;;
diff --git a/create_ap b/create_ap
index 86bf1e8..7df1e3c 100755
--- a/create_ap
+++ b/create_ap
@@ -8,7 +8,6 @@
 # iproute2
 # iw
 # iwconfig (you only need this if 'iw' can not recognize your adapter)
-# haveged (optional)
 
 # dependencies for 'nat' or 'none' Internet sharing method
 # dnsmasq
@@ -59,7 +58,6 @@ usage() {
 echo " --freq-band Set frequency band. Valid inputs: 2.4, 5 (default: 2.4)"
 echo " --driver Choose your WiFi adapter driver (default: nl80211)"
 echo " --no-virt Do not create virtual interface"
- echo " --no-haveged Do not run 'haveged' automatically when needed"
 echo " --fix-unmanaged If NetworkManager shows your interface as unmanaged after you"
 echo " close create_ap, then use this option to switch your interface"
 echo " back to managed"
@@ -462,28 +460,6 @@ get_new_ipv6addr() {
 echo $NEWIP
 }
 
-# start haveged when needed
-haveged_watchdog() {
- local show_warn=1
- while :; do
- mutex_lock
- if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then
- if ! which haveged > /dev/null 2>&1; then
- if [[ $show_warn -eq 1 ]]; then
- echo "WARN: Low entropy detected. We recommend you to install \`haveged'"
- show_warn=0
- fi
- elif ! pidof haveged > /dev/null 2>&1; then
- echo "Low entropy detected, starting haveged"
- # boost low-entropy
- haveged -w 1024 -p $COMMON_CONFDIR/haveged.pid
- fi
- fi
- mutex_unlock
- sleep 2
- done
-}
-
 NETWORKMANAGER_CONF=/etc/NetworkManager/NetworkManager.conf
 NM_OLDER_VERSION=1
@@ -688,7 +664,6 @@ NEW_MACADDR=
 DAEMONIZE=0
 DAEMON_PIDFILE=
 DAEMON_LOGFILE=/dev/null
-NO_HAVEGED=0
 USE_PSK=0
 IPV6=0
 WPS=0
@@ -698,7 +673,7 @@ REDIRECT_TO_LOCALHOST=0
 CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS DHCP_DNS6 NO_DNS NO_DNSMASQ HIDDEN MAC_FILTER MAC_FILTER_ACCEPT ISOLATE_CLIENTS SHARE_METHOD IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND
- NEW_MACADDR DAEMONIZE DAEMON_PIDFILE DAEMON_LOGFILE NO_HAVEGED WIFI_IFACE INTERNET_IFACE
+ NEW_MACADDR DAEMONIZE DAEMON_PIDFILE DAEMON_LOGFILE WIFI_IFACE INTERNET_IFACE
 SSID PASSPHRASE USE_PSK BEACON_INTERVAL DTIM_PERIOD IPV6 ADDN_HOSTS WPS METERED)
 
 FIX_UNMANAGED=0
@@ -718,8 +693,6 @@ OLD_MACADDR=
 IP_ADDRS=
 ROUTE_ADDRS=
 
-HAVEGED_WATCHDOG_PID=
-
 _cleanup() {
 local PID x
 
@@ -727,9 +700,6 @@ _cleanup() {
 mutex_lock
 disown -a
 
- # kill haveged_watchdog
- [[ -n "$HAVEGED_WATCHDOG_PID" ]] && kill $HAVEGED_WATCHDOG_PID
-
 # kill processes
 for x in $CONFDIR/*.pid; do
 # even if the $CONFDIR is empty, the for loop will assign
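Review bot: Dropping `NO_HAVEGED` from `CONFIG_OPTS` on the changed line leaves every `create_ap.conf` written by an earlier release with a key that is no longer in the list (the create_ap.conf hunk in this same patch removes `NO_HAVEGED=0` from the template, but files already on disk keep it). How the `--config` loader treats a key that is not in `CONFIG_OPTS` is not visible in this diff, so please confirm it ignores or warns on unknown keys rather than rejecting the file. If it rejects them, either accept `NO_HAVEGED` as a deprecated no-op in the loader or state in the commit message that existing config files must be regenerated with `--mkconfig`.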
@@ -1160,7 +1130,7 @@ for ((i=0; i<$#; i++)); do
 fi
 done
 
-GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","dhcp-dns6:","daemon","pidfile:","logfile:","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","ipv6","mkconfig:","config:","wps","wps-pbc:","wps-pin:","metered" -n "$PROGNAME" -- "$@")
+GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","dhcp-dns6:","daemon","pidfile:","logfile:","stop:","list","list-running","list-clients:","version","psk","no-dns","no-dnsmasq","ipv6","mkconfig:","config:","wps","wps-pbc:","wps-pin:","metered" -n "$PROGNAME" -- "$@")
 [[ $? -ne 0 ]] && exit 1
 eval set -- "$GETOPT_ARGS"
 
@@ -1334,10 +1304,6 @@ while :; do
 WPS_TRIGGER_PIN="${1/*,/}"
 shift;
 ;;
- --no-haveged)
- shift
- NO_HAVEGED=1
- ;;
 --wps)
 shift
 WPS=1
@@ -2114,11 +2080,6 @@ fi
 # start access point
 echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"
 
-if [[ $NO_HAVEGED -eq 0 ]]; then
- haveged_watchdog &
- HAVEGED_WATCHDOG_PID=$!
-fi
-
 # start hostapd (use stdbuf when available for no delayed output in programs that redirect stdout)
 STDBUF_PATH=`which stdbuf`
 if [ $? -eq 0 ]; then
diff --git a/create_ap.conf b/create_ap.conf
index 4f7db13..b7c0809 100644
--- a/create_ap.conf
+++ b/create_ap.conf
@@ -95,5 +95,3 @@ DRIVER=nl80211
 DAEMONIZE=0
 # Set to 1 to disable virtual interface creation
 NO_VIRT=0
-# Set to 1 to disable haveged random number generation
-NO_HAVEGED=0
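Review bot: Removing `"no-haveged"` from the getopt `-l` list on the changed line turns the flag into a hard failure, since the next context line `[[ $? -ne 0 ]] && exit 1` exits on any unrecognized option; every systemd unit, wrapper script or documented invocation that still passes `--no-haveged` will stop bringing the AP up after this upgrade. Consider keeping it as an accepted no-op for a deprecation period: leave `"no-haveged"` in the `-l` list and, in place of the arm deleted in the hunk at -1334, add `--no-haveged) shift; echo "WARN: --no-haveged is deprecated and has no effect" >&2 ;;`. The bash_completion entry could then stay until the flag is finally dropped.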