Message ID | 20211011121614.1537697-2-john@phrozen.org
---|---
State | Under Review
Delegated to | John Crispin
Series | [1/2] hostapd: fix wpa enterprise mode
On Mon, Oct 11, 2021 at 02:16:14PM +0200, John Crispin wrote: > WPA3 modes require 11w to be set to optional/required. Using set_default would > allow forcing an invalid value from UCI. > > Signed-off-by: John Crispin <john@phrozen.org> > --- > package/network/services/hostapd/files/hostapd.sh | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh > index efb06427ca..36156a002c 100644 > --- a/package/network/services/hostapd/files/hostapd.sh > +++ b/package/network/services/hostapd/files/hostapd.sh > @@ -1211,10 +1211,10 @@ wpa_supplicant_add_network() { > > case "$auth_type" in > sae|owe|eap192|eap-eap256|eap256) > - set_default ieee80211w 2 > + ieee80211w=2 > ;; > psk-sae) > - set_default ieee80211w 1 > + ieee80211w=1 Doesn't that downgrade PSK-SAE which the user configured to be with mandatory MFP to now only have optional MFP?
Hi,

> Doesn't that downgrade PSK-SAE which the user configured to be with
> mandatory MFP to now only have optional MFP?

yes. The way I read it, it also prevents using the WPA3 protocol without
obligatory MFP (afair some users use that for limited drivers)

~ Jo
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software.

On 11/10/2021 14:14, Jo-Philipp Wich wrote:
>> Doesn't that downgrade PSK-SAE which the user configured to be with
>> mandatory MFP to now only have optional MFP?
>
> yes. The way I read it, it also prevents using the WPA3 protocol without
> obligatory MFP (afair some users use that for limited drivers)

The only way this is not going to cause user issues, is to have an "auto" in LuCI (for UCI, that might be "unset"), for the proper default, and let the user force-override it where wanted.
On 11.10.21 at 19:40, Henrique de Moraes Holschuh via openwrt-devel wrote:
> The sender domain has a DMARC Reject/Quarantine policy which disallows
> sending mailing list messages using the original "From" header.
>
> To mitigate this problem, the original message has been wrapped
> automatically by the mailing list software.

right now luci will force 2
Hi,
> right now luci will force 2
nope, it will not. It calculates the dynamic default according to the logic in
hostapd.sh and will remove the value from uci if the selected user value
matches the dynamic default [1].
So with WPA3 selected and choosing 11w ...
... required -> remove option ieee80211w
... optional -> write option ieee80211w 1
... disabled -> write option ieee80211w 0 [2]
With WPA3 mixed mode selected and choosing 11w ...
... required -> write option ieee80211w 2
... optional -> remove option ieee80211w
... disabled -> write option ieee80211w 0 [2]
With any other WPA mode selected and choosing 11w ...
... required -> write option ieee80211w 2
... optional -> write option ieee80211w 1
... disabled -> remove option ieee80211w
1: See defaults at:
https://github.com/openwrt/luci/blob/master/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js#L1685
2: Disabling (0) is bugged in 21.02.0 and has been fixed in master with:
https://github.com/openwrt/luci/commit/0b49ed45c6e9f4bc10abdcea392125aec3794e58
~ Jo
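To make the interaction described above concrete, here is an added shell model (not OpenWrt's own code; `set_default` is a simplified stand-in for the hostapd.sh helper) of what LuCI writes to UCI for each mode and 11w choice, and what hostapd.sh's case statement then resolves it to before and after this patch:

```shell
#!/bin/sh
# Added model (not OpenWrt code) of the ieee80211w handling discussed above.

# Simplified stand-in for hostapd.sh's set_default helper: only fill the
# variable when it is empty, so a value coming from UCI survives.
set_default() {
	eval "[ -n \"\$$1\" ] || $1=\"$2\""
}

# LuCI side, as described in the thread: the dynamic default per auth_type
# (2 = required, 1 = optional, 0 = disabled).
luci_default() {
	case "$1" in
		sae|owe|eap192|eap-eap256|eap256) echo 2 ;;
		psk-sae) echo 1 ;;
		*) echo 0 ;;
	esac
}

# What LuCI writes to UCI for a chosen 11w value: nothing (option removed)
# when the choice equals the dynamic default, otherwise the value itself.
luci_writes() { # $1 = auth_type, $2 = chosen 11w
	[ "$2" = "$(luci_default "$1")" ] && echo "" || echo "$2"
}

# hostapd.sh before the patch: set_default keeps a UCI value if present.
resolve_before() { # $1 = auth_type, $2 = UCI value (may be empty)
	local ieee80211w="$2"
	case "$1" in
		sae|owe|eap192|eap-eap256|eap256) set_default ieee80211w 2 ;;
		psk-sae) set_default ieee80211w 1 ;;
	esac
	echo "$ieee80211w"
}

# hostapd.sh after the patch: unconditional assignment ignores UCI entirely.
resolve_after() {
	local ieee80211w="$2"
	case "$1" in
		sae|owe|eap192|eap-eap256|eap256) ieee80211w=2 ;;
		psk-sae) ieee80211w=1 ;;
	esac
	echo "$ieee80211w"
}

# End-to-end: what LuCI writes for a choice, then what hostapd.sh ends up with.
effective() { # $1 = auth_type, $2 = chosen 11w, $3 = before|after
	"resolve_$3" "$1" "$(luci_writes "$1" "$2")"
}
```

`effective psk-sae 2 before` yields 2 while `effective psk-sae 2 after` yields 1, which is the downgrade raised earlier in the thread; conversely `effective sae 0 before` passes the invalid 0 through, which is what the patch set out to stop.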
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index efb06427ca..36156a002c 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -1211,10 +1211,10 @@ wpa_supplicant_add_network() { case "$auth_type" in sae|owe|eap192|eap-eap256|eap256) - set_default ieee80211w 2 + ieee80211w=2 ;; psk-sae) - set_default ieee80211w 1 + ieee80211w=1 ;; esac
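Review bot: the psk-sae branch's unconditional `ieee80211w=1` discards any value the user set in UCI, so a psk-sae network configured with `ieee80211w 2` (MFP required) is silently weakened to optional, which is a downgrade rather than the rejection of an invalid value the commit message describes; the same hard assignment in the sae|owe|eap* branch also makes it impossible to run those modes without mandatory MFP where a driver needs that. Since `set_default` only fails to catch `0` here, validating instead of assigning keeps both goals: keep `set_default ieee80211w 1` for psk-sae and reject `0`, and in the first branch reject anything other than `2`, logging why the UCI value was ignored so the user can see it. Note also that per the `@@` header this hunk lands in `wpa_supplicant_add_network()`, the station-side path, which the commit message does not mention.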
WPA3 modes require 11w to be set to optional/required. Using set_default would allow forcing an invalid value from UCI.

Signed-off-by: John Crispin <john@phrozen.org>
---
 package/network/services/hostapd/files/hostapd.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)