From patchwork Fri Oct 12 20:37:04 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hauke Mehrtens X-Patchwork-Id: 983299 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=hauke-m.de Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="qjadGy57"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 42X0CM0CCvz9s3Z for ; Sat, 13 Oct 2018 07:42:54 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Subject:References: In-Reply-To:Message-Id:Date:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=9Em7kdeHSDssePCLFAPtqG0XdzY3bdl9Rhx9lCWiC7s=; b=qjadGy57qFsjd1 Wtjgjrgm8MZ1Hiyin3pdCRPqRYELLiGXMsXvrkzkJMk5buTIdO81LJOMjxsDhyQRU5Tqcv98r5U3M FbVqHjNcfDSvCcSWMk28Hei/6qCCP5WFl/lZNo8l2IYaVDtGfrVCvq+bb7MXoUfWo7UCEkCdtfNCe RUlX5LfmICGQ0vQfmvSnwil6TkznchH3Rn8dptzwWF0x7J3ipZGDJfu6hVxYg+2uqiKJNpsPZxvJ1 mFeWRDCVc7vrSoQsQfxlQk11QtsnsOKOor4tswjAappxM/gOqIu6Mg76ZKycLv1TXtvVBdc4uxMkh WCK59f+jAiX/l54Y2xMg==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux)) id 1gB4Gq-0004pQ-0o; Fri, 12 Oct 2018 20:42:52 +0000 Received: from mx1.mailbox.org ([2001:67c:2050:104:0:1:25:1]) by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat Linux)) id 1gB4C3-00012P-La for openwrt-devel@lists.openwrt.org; Fri, 12 Oct 2018 20:38:20 +0000 Received: from smtp2.mailbox.org (unknown [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.mailbox.org (Postfix) with ESMTPS id 842F54AF3F; Fri, 12 Oct 2018 22:37:29 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter01.heinlein-hosting.de (spamfilter01.heinlein-hosting.de [80.241.56.115]) (amavisd-new, port 10030) with ESMTP id 5zr4IoXZ2cLj; Fri, 12 Oct 2018 22:37:28 +0200 (CEST) From: Hauke Mehrtens To: openwrt-devel@lists.openwrt.org Date: Fri, 12 Oct 2018 22:37:04 +0200 Message-Id: <20181012203707.14716-7-hauke@hauke-m.de> In-Reply-To: <20181012203707.14716-1-hauke@hauke-m.de> References: <20181012203707.14716-1-hauke@hauke-m.de> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20181012_133756_077385_5B6F40FA X-CRM114-Status: GOOD ( 15.25 ) X-Spam-Score: -0.0 (/) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record Subject: [OpenWrt-Devel] [PATCH 6/9] hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise) X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hauke Mehrtens MIME-Version: 1.0 Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This adds support for the WPA3-Enterprise mode authentication. The settings for the WPA3-Enterpriese mode are defined in WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and guarantees at least 192 bit of security. This does not increase the ipkg size by a significant size. Signed-off-by: Hauke Mehrtens --- package/network/services/hostapd/Makefile | 4 ++-- package/network/services/hostapd/files/hostapd.sh | 15 ++++++++++++--- .../services/hostapd/src/src/utils/build_features.h | 4 ++++ 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index 06cf0469ef..41f5f54b82 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -97,11 +97,11 @@ endif ifeq ($(LOCAL_VARIANT),full) ifeq ($(SSL_VARIANT),openssl) - DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y CONFIG_OWE=y + DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y CONFIG_OWE=y CONFIG_SUITEB192=y TARGET_LDFLAGS += -lcrypto -lssl endif ifeq ($(SSL_VARIANT),wolfssl) - DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1 CONFIG_SAE=y CONFIG_OWE=y + DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1 CONFIG_SAE=y CONFIG_OWE=y CONFIG_SUITEB192=y TARGET_LDFLAGS += -lwolfssl endif endif diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index 6a2eb7b023..540d1182cc 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -45,6 +45,15 @@ hostapd_append_wpa_key_mgmt() { [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}" [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256" ;; + eap192) + append wpa_key_mgmt "WPA-EAP-SUITE-B-192" + ;; + eap-eap192) + append wpa_key_mgmt "WPA-EAP-SUITE-B-192" + append wpa_key_mgmt "WPA-EAP" + [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" + [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256" + ;; sae) append wpa_key_mgmt "SAE" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE" @@ -307,7 +316,7 @@ hostapd_set_bss_options() { } case "$auth_type" in - sae|owe) + sae|owe|eap192|eap-eap192) set_default ieee80211w 2 set_default sae_require_mfp 1 ;; @@ -350,7 +359,7 @@ hostapd_set_bss_options() { wps_possible=1 ;; - eap) + eap|eap192|eap-eap192) json_get_vars \ auth_server auth_secret auth_port \ dae_client dae_secret dae_port \ @@ -771,7 +780,7 @@ wpa_supplicant_add_network() { fi append network_data "$passphrase" "$N$T" ;; - eap) + eap|eap192|eap-eap192) hostapd_append_wpa_key_mgmt key_mgmt="$wpa_key_mgmt" diff --git a/package/network/services/hostapd/src/src/utils/build_features.h b/package/network/services/hostapd/src/src/utils/build_features.h index 4013ae7b30..abebecb570 100644 --- a/package/network/services/hostapd/src/src/utils/build_features.h +++ b/package/network/services/hostapd/src/src/utils/build_features.h @@ -35,6 +35,10 @@ static inline int has_feature(const char *feat) if (!strcmp(feat, "owe")) return 1; #endif +#ifdef CONFIG_SUITEB192 + if (!strcmp(feat, "suiteb192")) + return 1; +#endif return 0; }