From patchwork Mon Oct 11 12:16:13 2021
X-Patchwork-Submitter: John Crispin
X-Patchwork-Id: 1539292
X-Patchwork-Delegate: blogic@openwrt.org
From: John Crispin
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH 1/2] hostapd: fix wpa enterprise mode
Date: Mon, 11 Oct 2021 14:16:13 +0200
Message-Id: <20211011121614.1537697-1-john@phrozen.org>

Currently netifd only knows 2 wpa3/eap modes, wpa3 and wpa3-mixed. According to the spec there are however 3 modes, wpa3, wpa3-192 and wpa3-mixed. In addition the mode currently called "incorrectly" sets up wpa3-192 and there is currently no wpa3(-only) mode. Fix hostapd.sh s.t. the now correctly passed values from netifd are honoured.

Tested-on: iPhone 12, Samsung S10/S20
Signed-off-by: John Crispin --- .../network/services/hostapd/files/hostapd.sh | 35 +++++++++++++------ 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index 4f306317c7..efb06427ca 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -48,14 +48,18 @@ hostapd_append_wpa_key_mgmt() { ;; eap192) append wpa_key_mgmt "WPA-EAP-SUITE-B-192" + append wpa_key_mgmt "WPA-EAP-SHA256" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" - ;; - eap-eap192) - append wpa_key_mgmt "WPA-EAP-SUITE-B-192" + ;; + eap-eap256) append wpa_key_mgmt "WPA-EAP" + append wpa_key_mgmt "WPA-EAP-SHA256" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" - [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256" - ;; + ;; + eap256) + append wpa_key_mgmt "WPA-EAP-SHA256" + [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" + ;; sae) append wpa_key_mgmt "SAE" [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE" @@ -602,11 +606,11 @@ hostapd_set_bss_options() { } case "$auth_type" in - sae|owe|eap192|eap-eap192) + sae|owe|eap192|eap256) set_default ieee80211w 2 set_default sae_require_mfp 1 ;; - psk-sae) + psk-sae|eap-eap256) set_default ieee80211w 1 set_default sae_require_mfp 1 ;; @@ -649,7 +653,7 @@ hostapd_set_bss_options() { vlan_possible=1 wps_possible=1 ;; - eap|eap192|eap-eap192) + eap|eap192|eap-eap256|eap256) json_get_vars \ auth_server auth_secret auth_port \ dae_client dae_secret dae_port \ 
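Review bot: in the eap192 branch of hostapd_append_wpa_key_mgmt, appending WPA-EAP-SHA256 next to WPA-EAP-SUITE-B-192 turns the 192-bit-only mode into a mixed one: a client is free to select the WPA-EAP-SHA256 AKM, and that association is no longer Suite B even though the later group_mgmt_cipher/group_cipher hunk forces BIP-GMAC-256/GCMP-256 for this auth_type. If the intent stated in the commit message is a pure wpa3-192 mode, drop the `append wpa_key_mgmt "WPA-EAP-SHA256"` line from eap192 and advertise only the Suite B AKM. Separately, the eap-eap192 case is removed outright with no alias, so an existing UCI configuration selecting it no longer matches any case in this function or in the `sae|owe|eap192|eap256)` / `eap|eap192|eap-eap256|eap256)` cases below; either keep eap-eap192 as the mixed Suite B / WPA2-Enterprise mode or state the removal in the commit message.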
@@ -885,7 +889,16 @@ hostapd_set_bss_options() { json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout append bss_conf "ieee80211w=$ieee80211w" "$N" [ "$ieee80211w" -gt "0" ] && { - append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N" + case "$auth_type" in + eap192) + append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N" + append bss_conf "group_cipher=GCMP-256" "$N" + ;; + *) + append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N" + ;; + esac + [ -n "$ieee80211w_max_timeout" ] && \ append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N" [ -n "$ieee80211w_retry_timeout" ] && \ @@ -1197,7 +1210,7 @@ wpa_supplicant_add_network() { default_disabled case "$auth_type" in - sae|owe|eap192|eap-eap192) + sae|owe|eap192|eap-eap256|eap256) set_default ieee80211w 2 ;; psk-sae) 
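Review bot: in the group cipher block, `group_cipher=GCMP-256` for eap192 is emitted only inside the `[ "$ieee80211w" -gt "0" ]` guard, but the group cipher does not depend on PMF. Because ieee80211w for eap192 is still only a `set_default ieee80211w 2` in hostapd_set_bss_options (the `sae|owe|eap192|eap256)` case earlier in this patch), a UCI ieee80211w=0 silently yields a Suite B 192 BSS with neither the GCMP-256 group cipher nor BIP-GMAC-256. Move the group_cipher line outside the guard, or hard-set ieee80211w=2 for eap192 on the AP side as well. The eap192 branch also discards a user-supplied ieee80211w_mgmt_cipher without any message; that is the right behaviour for Suite B, but a one-line comment saying the cipher is fixed by the mode would help, and it is worth confirming that the pairwise cipher for eap192 is likewise pinned to GCMP-256 elsewhere in hostapd.sh, since nothing in this hunk sets it.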
@@ -1278,7 +1291,7 @@ wpa_supplicant_add_network() { fi append network_data "$passphrase" "$N$T" ;; - eap|eap192|eap-eap192) + eap|eap192|eap-eap256|eap256) hostapd_append_wpa_key_mgmt key_mgmt="$wpa_key_mgmt"

From patchwork Mon Oct 11 12:16:14 2021
X-Patchwork-Submitter: John Crispin
X-Patchwork-Id: 1539291
X-Patchwork-Delegate: blogic@openwrt.org
From: John Crispin
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH 2/2] hostapd: force ieee80211w instead of setting a default
Date: Mon, 11 Oct 2021 14:16:14 +0200
Message-Id: <20211011121614.1537697-2-john@phrozen.org>
In-Reply-To: <20211011121614.1537697-1-john@phrozen.org>
References: <20211011121614.1537697-1-john@phrozen.org>
WPA3 modes require 11w to be set to optional/required. Using set_default would allow forcing an invalid value from UCI.

Signed-off-by: John Crispin --- package/network/services/hostapd/files/hostapd.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index efb06427ca..36156a002c 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -1211,10 +1211,10 @@ wpa_supplicant_add_network() { case "$auth_type" in sae|owe|eap192|eap-eap256|eap256) - set_default ieee80211w 2 + ieee80211w=2 ;; psk-sae) - set_default ieee80211w 1 + ieee80211w=1 ;; esac
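Review bot: the hard assignment is applied only in wpa_supplicant_add_network; hostapd_set_bss_options keeps `set_default ieee80211w 2` and `set_default ieee80211w 1` for the same auth_type cases (the `sae|owe|eap192|eap256)` / `psk-sae|eap-eap256)` hunk in patch 1/2), so on the AP side a UCI ieee80211w=0 can still disable PMF for SAE, OWE and Suite B, which is exactly the invalid value the commit message wants to rule out. Apply the same `ieee80211w=2` / `ieee80211w=1` change there. Since the assignment now silently discards an explicit user setting, consider emitting a log line when the configured ieee80211w differs from the forced one so the override is visible in the boot log rather than only in the generated config.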