From 0a21b9d2540afe2fdbf7e1e43ead138bfd3388b5 Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Thu, 18 Jul 2024 08:31:19 +0200
Subject: [PATCH] hostapd: enable FT-PSK for psk2-radius

Signed-off-by: John Crispin
---
 feeds/ipq807x_v5.4/hostapd/files/hostapd.sh | 9 +++-
 .../hostapd/patches/zzz-roaming-key.patch | 48 ++++++++++++-------
 2 files changed, 38 insertions(+), 19 deletions(-)

diff --git a/feeds/ipq807x_v5.4/hostapd/files/hostapd.sh b/feeds/ipq807x_v5.4/hostapd/files/hostapd.sh
index 1433b32f0..c9628285b 100644
--- a/feeds/ipq807x_v5.4/hostapd/files/hostapd.sh
+++ b/feeds/ipq807x_v5.4/hostapd/files/hostapd.sh
@@ -73,6 +73,10 @@ hostapd_append_wpa_key_mgmt() {
 		owe)
 			append wpa_key_mgmt "OWE"
 		;;
+		psk2-radius)
+			append wpa_key_mgmt "WPA-PSK-SHA256"
+			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
+		;;
 	esac
 
 	[ "$fils" -gt 0 ] && {
@@ -405,7 +409,7 @@ hostapd_common_add_bss_config() {
 
 	config_add_boolean ieee80211r pmk_r1_push ft_psk_generate_local ft_over_ds
 	config_add_int r0_key_lifetime reassociation_deadline ft_l2_refresh
-	config_add_string mobility_domain r1_key_holder
+	config_add_string mobility_domain r1_key_holder ft_key
 	config_add_array r0kh r1kh
 
 	config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout
@@ -1014,7 +1018,7 @@ hostapd_set_bss_options() {
 	[ -n "$ft_l2_refresh" ] && append bss_conf "ft_l2_refresh=$ft_l2_refresh" "$N"
 
 	if [ "$skip_kh_setup" -eq "0" ]; then
-		json_get_vars r0_key_lifetime r1_key_holder pmk_r1_push
+		json_get_vars r0_key_lifetime r1_key_holder pmk_r1_push ft_key
 		json_get_values r0kh r0kh
 		json_get_values r1kh r1kh
 
@@ -1028,6 +1032,7 @@ hostapd_set_bss_options() {
 		set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$key"
 	}
 
+	[ -n "$ft_key" ] && append bss_conf "ft_key=$ft_key" "$N"
 	[ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N"
 	append bss_conf "r0_key_lifetime=$r0_key_lifetime" "$N"
 	append bss_conf "pmk_r1_push=$pmk_r1_push" "$N"
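Review bot: The FT-PSK line in the new `psk2-radius` case turns on 802.11r for an auth type whose PSK, if the name is accurate, comes from RADIUS rather than the local config, and nothing in the hunk records that assumption or rules out `ft_psk_generate_local` (declared in the next hunk), which only works when the target AP holds the PSK itself. I would put `# FT-PSK with a RADIUS-supplied PSK relies on PMK-R1 push/pull; ft_psk_generate_local cannot be used here` above the FT-PSK line and reject that option for this auth type where the ieee80211r settings are assembled. The case also advertises WPA-PSK-SHA256 alone with no WPA-PSK fallback, so confirm that excluding stations without the SHA256 AKM is intended rather than an omission relative to the psk2 case outside this hunk. hostapd_append_wpa_key_mgmt continues outside the hunk.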
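Review bot: `ft_key=$ft_key` in the last hunk is written into hostapd.conf without validation, although the C side of this commit stores it in a 65-byte array and formats it with `sprintf` into a fixed stack buffer; the shell layer should enforce the expected shape before the value leaves UCI, e.g. `case "$ft_key" in *[!0-9a-fA-F]*) ft_key="";; esac` followed by `[ "${#ft_key}" -eq 32 -o "${#ft_key}" -eq 64 ] || ft_key=""`. Because the append sits inside the `skip_kh_setup` block, the `$key`-derived default visible in `set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$key"` (and presumably its r0kh sibling) is still emitted next to the wildcard entries the C patch derives from ft_key, so two wildcard key holders with different keys end up configured and it is not visible here which one hostapd consults first; consider skipping those defaults when ft_key is set. Note that ft_key becomes the trust root for every AP in the mobility domain, since the C side registers it under `ff:ff:ff:ff:ff:ff *`. hostapd_set_bss_options continues outside the hunk.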
diff --git a/feeds/ipq807x_v5.4/hostapd/patches/zzz-roaming-key.patch b/feeds/ipq807x_v5.4/hostapd/patches/zzz-roaming-key.patch
index 67f67fa47..b3de2bd05 100644
--- a/feeds/ipq807x_v5.4/hostapd/patches/zzz-roaming-key.patch
+++ b/feeds/ipq807x_v5.4/hostapd/patches/zzz-roaming-key.patch
@@ -14,42 +14,56 @@
  	fclose(f);
  
 -	for (i = 0; i < conf->num_bss; i++)
-+#define _MACSTR "%02x%02x%02x%02x%02x%02x"
 +	for (i = 0; i < conf->num_bss; i++) {
 -		hostapd_set_security_params(conf->bss[i], 1);
 +		if (*conf->bss[i]->ft_key) {
 +			u8 buffer[128];
-+			sprintf(buffer, MACSTR " " _MACSTR " %s", MAC2STR(conf->bss[i]->bssid), MAC2STR(conf->bss[i]->bssid), conf->bss[i]->ft_key);
++			sprintf(buffer, "%02X:%02X:%02X:%02X:%02X:%02X %02X%02X%02X%02X%02X%02X %s", MAC2STR(conf->bss[i]->bssid), MAC2STR(conf->bss[i]->bssid), conf->bss[i]->ft_key);
 +			add_r0kh(conf->bss[i], buffer);
++			sprintf(buffer, "%02X:%02X:%02X:%02X:%02X:%02X %02X:%02X:%02X:%02X:%02X:%02X %s", MAC2STR(conf->bss[i]->bssid), MAC2STR(conf->bss[i]->bssid), conf->bss[i]->ft_key);
++			add_r1kh(conf->bss[i], buffer);
 +			sprintf(buffer, "ff:ff:ff:ff:ff:ff * %s", conf->bss[i]->ft_key);
 +			add_r0kh(conf->bss[i], buffer);
-+			sprintf(buffer, MACSTR " " MACSTR " %s", MAC2STR(conf->bss[i]->bssid), MAC2STR(conf->bss[i]->bssid), conf->bss[i]->ft_key);
-+			add_r1kh(conf->bss[i], buffer);
 +			sprintf(buffer, "00:00:00:00:00:00 00:00:00:00:00:00 %s", conf->bss[i]->ft_key);
 +			add_r1kh(conf->bss[i], buffer);
-+			os_memcpy(conf->bss[i]->r1_key_holder, conf->bss[i]->bssid, 6);
++			hexstr2bin(conf->bss[i]->bssid, conf->bss[i]->r1_key_holder, FT_R1KH_ID_LEN);
++			conf->bss[i]->r0_key_holder_bssid = 1;
 +		}
 +		hostapd_set_security_params(conf->bss[i], 1);
 +	}
  
  	if (hostapd_config_check(conf, 1))
  		errors++;
---- a/src/ap/wpa_auth.h
-+++ b/src/ap/wpa_auth.h
-@@ -221,6 +221,7 @@ struct wpa_auth_config {
- 	int pmk_r1_push;
- 	int ft_over_ds;
- 	int ft_psk_generate_local;
-+	u8 ft_key[33];
- #endif /* CONFIG_IEEE80211R_AP */
- 	int disable_gtk;
- 	int ap_mlme;
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
 @@ -403,6 +403,7 @@ struct hostapd_bss_config {
  	int ft_psk_generate_local;
  	int ft_l2_refresh;
  	int r1_max_key_lifetime;
-+	u8 ft_key[33];
++	u8 ft_key[65];
  #endif /* CONFIG_IEEE80211R_AP */
  	char *ctrl_interface; /* directory for UNIX domain sockets */
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -390,6 +390,7 @@ struct hostapd_bss_config {
+ 	/* IEEE 802.11r - Fast BSS Transition */
+ 	u8 mobility_domain[MOBILITY_DOMAIN_ID_LEN];
+ 	u8 r1_key_holder[FT_R1KH_ID_LEN];
++	int r0_key_holder_bssid;
+ 	u32 r0_key_lifetime; /* PMK-R0 lifetime seconds */
+ 	int rkh_pos_timeout;
+ 	int rkh_neg_timeout;
+--- a/src/ap/wpa_auth_glue.c
++++ b/src/ap/wpa_auth_glue.c
+@@ -80,7 +80,10 @@ static void hostapd_wpa_auth_conf(struct
+ 	os_memcpy(wconf->ssid, conf->ssid.ssid, wconf->ssid_len);
+ 	os_memcpy(wconf->mobility_domain, conf->mobility_domain,
+ 		  MOBILITY_DOMAIN_ID_LEN);
+-	if (conf->nas_identifier &&
++	if (conf->r0_key_holder_bssid) {
++		sprintf(wconf->r0_key_holder, "%02X%02X%02X%02X%02X%02X", MAC2STR(conf->bssid));
++		wconf->r0_key_holder_len = 12;
++	} else if (conf->nas_identifier &&
+ 	    os_strlen(conf->nas_identifier) <= FT_R0KH_ID_MAX_LEN) {
+ 		wconf->r0_key_holder_len = os_strlen(conf->nas_identifier);
+ 		os_memcpy(wconf->r0_key_holder, conf->nas_identifier,
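Review bot: The new line `hexstr2bin(conf->bss[i]->bssid, conf->bss[i]->r1_key_holder, FT_R1KH_ID_LEN);` hands a raw 6-byte BSSID to a function that expects a NUL-terminated hex string — the same hunk formats `bssid` through MAC2STR, so it is binary — which means the call returns -1 on the first non-hex byte (or reads 12 bytes out of a 6-byte field when the bytes happen to be ASCII hex) and r1_key_holder is never set to the BSSID; the return value is also discarded. The removed `os_memcpy(conf->bss[i]->r1_key_holder, conf->bss[i]->bssid, 6)` was the correct operation, so restore it as `os_memcpy(conf->bss[i]->r1_key_holder, conf->bss[i]->bssid, FT_R1KH_ID_LEN);`. The two new `sprintf` calls into `u8 buffer[128]` (worst case 17+1+17+1+64+1 = 101 bytes) and the one into `wconf->r0_key_holder` fit only because the `ft_key[65]` declaration caps the key at 64 characters; hostapd convention is `os_snprintf(buffer, sizeof(buffer), ...)` with the result checked, and since the parser that fills ft_key is outside this hunk, confirm it bounds its copy to that size. `buffer` holds the FT key, so clear it with `forced_memzero(buffer, sizeof(buffer));` after the last add_r1kh if that helper exists in this hostapd version; the enclosing function starts before this hunk.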