From patchwork Sun Jun 26 15:18:39 2022
X-Patchwork-Submitter: Joerg Werner
X-Patchwork-Id: 1648438
X-Patchwork-Delegate: hauke@hauke-m.de
From: Joerg Werner
To: openwrt-devel@lists.openwrt.org
Cc: Joerg Werner
Subject: [PATCH] hostapd: fix WPA3 enterprise keys and ciphers
Date: Sun, 26 Jun 2022 17:18:39 +0200
Message-Id: <20220626151839.531572-1-schreibubi@gmail.com>
WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires corresponding changes in netifd.

Signed-off-by: Joerg Werner
---
 package/network/services/hostapd/files/hostapd.sh | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index fa344bd2dd..08eb254c9d 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -48,12 +48,15 @@ hostapd_append_wpa_key_mgmt() { ;; eap192) append wpa_key_mgmt "WPA-EAP-SUITE-B-192" - [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" + [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384" ;; eap-eap192) append wpa_key_mgmt "WPA-EAP-SUITE-B-192" append wpa_key_mgmt "WPA-EAP" - [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP" + [ "${ieee80211r:-0}" -gt 0 ] && { + append wpa_key_mgmt "FT-EAP-SHA384" + append wpa_key_mgmt "FT-EAP" + } [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256" ;; sae) @@ -953,7 +956,11 @@ hostapd_set_bss_options() { json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout append bss_conf "ieee80211w=$ieee80211w" "$N" [ "$ieee80211w" -gt "0" ] && { - append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N" + if [ "$auth_type" = "eap192" ]; then + append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N" + else + append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N" + fi [ -n "$ieee80211w_max_timeout" ] && \ append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N" [ -n "$ieee80211w_retry_timeout" ] && \
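Review bot: In the first hunk (hostapd_append_wpa_key_mgmt), the eap-eap192 branch now appends FT-EAP-SHA384 alongside FT-EAP, but the group_mgmt_cipher change in the second hunk is keyed on `[ "$auth_type" = "eap192" ]` only, so a mixed-mode BSS advertises the SHA-384 FT AKM while its group management cipher stays at `${ieee80211w_mgmt_cipher:-AES-128-CMAC}`. Either extend the cipher override to eap-eap192 as well, or leave FT-EAP-SHA384 out of the mixed branch, and say in the commit message which of the two is intended.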
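Review bot: In the second hunk (hostapd_set_bss_options), the eap192 branch discards a user-supplied ieee80211w_mgmt_cipher without any message; if the override is deliberate (BIP-GMAC-256 is mandatory for Suite B 192, as the commit message says), a single assignment before the existing append keeps the structure flat, e.g. `[ "$auth_type" = "eap192" ] && ieee80211w_mgmt_cipher="BIP-GMAC-256"`, and a log line when a different value was configured would help operators. The new lines also sit inside `[ "$ieee80211w" -gt "0" ] && {`, so with ieee80211w=0 no group_mgmt_cipher is written for eap192 at all; please confirm that eap192 forces ieee80211w elsewhere, and name the netifd change this patch depends on so both can be merged together.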