[OpenWrt-Devel] [PATCH] hostapd/wpa_supplicant: Fix PMF_Cert_Programm (802.11w) stronger algorithm

Bima Hutama hutamanzi at gmail.com
Sat Jun 4 17:41:19 EDT 2016


  -Changed:
	1) Moving variable ieee80211w within hostapd_set_bss_options() function to json_get_vars

	2) Changes in netifd.sh (for wpa_supplicant):
	2.1) Adding 2 AKMs (key_mgmt=WPA-PSK WPA-PSK-SHA256) if 802.11w=1 (pmf_optional)
	2.2) Adding 2 AKMs (key_mgmt=WPA-EAP WPA-EAP-SHA256) if 802.11w=1 (pmf_optional)
	2.3) Changing to 1 AKM (key_mgmt=WPA-PSK-SHA256) to support only WPA-PSK-SHA256 if 802.11w=2 (pmf_required)
	2.4) Changing to 1 AKM (key_mgmt=WPA-EAP-SHA256) to support only WPA-EAP-SHA256 if 802.11w=2 (pmf_required)

	3) Deleting json_get_var ieee80211w ieee80211w, as it was moved to json_get_vars

	4) Changes in netifd.sh (for hostapd):
	4.1) Adding 2 AKMs (wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256) if 802.11w=1 (pmf_optional)
	4.2) Adding 2 AKMs (wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256) if 802.11w=1 (pmf_optional)
	4.3) Changing to 1 AKM (wpa_key_mgmt=WPA-PSK-SHA256) to support only WPA-PSK-SHA256 if 802.11w=2 (pmf_required)
	4.4) Changing to 1 AKM (wpa_key_mgmt=WPA-EAP-SHA256) to support only WPA-EAP-SHA256 if 802.11w=2 (pmf_required)

  -Description:
	I tested 802.11w (Protected Management Frames) by setting it to required mode (ieee80211w=2), and some clients that
	strictly follow the PMF Certification Program would not connect to the AP (e.g. Windows 10 with a PMF-enabled driver).
	It is caused by hostapd not correctly implementing the 802.11w standard as specified by the PMF Certification
	Program. After patching it, it works flawlessly and there are no more problems with Windows 10 clients.
	According to:
		https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

	,with the search keyword "certification program", the PMF Certification Programm defined standards 2 AKMs for
	pmf-optional and only 1 AKM for pmf-required, rather than only 1 AKM (WPA-PSK or WPA-EAP) for all situations.
	This patch also adds automatically support for the stronger SHA-256-based algorithm.

Signed-off-by: Bima Hutama <hutamanzi at gmail.com>
---
 package/network/services/hostapd/files/netifd.sh | 51 +++++++++++++++++++++---
 1 file changed, 45 insertions(+), 6 deletions(-)

diff --git a/package/network/services/hostapd/files/netifd.sh b/package/network/services/hostapd/files/netifd.sh
index 005112d..21caaf8 100644
--- a/package/network/services/hostapd/files/netifd.sh
+++ b/package/network/services/hostapd/files/netifd.sh
@@ -186,7 +186,7 @@ hostapd_set_bss_options() {
 		wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 \
 		wps_device_type wps_device_name wps_manufacturer wps_pin \
 		macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
-		iapp_interface eapol_version
+		iapp_interface eapol_version ieee80211w
 
 	set_default isolate 0
 	set_default maxassoc 0
@@ -245,7 +245,17 @@ hostapd_set_bss_options() {
 			[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
 
 			wps_possible=1
-			append wpa_key_mgmt "WPA-PSK"
+			case "$ieee80211w" in
+				1)
+					append wpa_key_mgmt "WPA-PSK WPA-PSK-SHA256"
+				;;
+				2)
+					append wpa_key_mgmt "WPA-PSK-SHA256"
+				;;
+				*)
+					append wpa_key_mgmt "WPA-PSK"
+				;;
+			esac
 		;;
 		eap)
 			json_get_vars \
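Review bot: The `2)` arm drops the plain WPA-PSK AKM entirely, so a station that supports PMF but only negotiates the WPA-PSK (SHA-1 based) AKM can no longer associate once ieee80211w=2; the certification text the description cites describes what a station should offer, and, as far as I recall (not shown here), hostapd enforces PMF per association through the RSN capability bits regardless of AKM, so this is an interoperability trade-off that deserves a comment on the case, such as `# WFA PMF certification: offer both AKMs when PMF is optional, only the SHA256 AKM when required (PMF-capable stations offering only WPA-PSK are rejected)`. The same three-arm case is repeated verbatim in the eap arm below and twice in wpa_supplicant_add_network; a small helper removes the duplication and keeps hostapd and wpa_supplicant in step, as sketched below. hostapd_set_bss_options starts and ends outside this hunk.
```shell
# Map an ieee80211w setting to the AKM suite list the WFA PMF certification
# program expects: both suites when PMF is optional (1), the SHA256 suite only
# when it is required (2), the plain suite otherwise.
pmf_key_mgmt() {
	local akm="$1" pmf="$2"
	case "$pmf" in
		1) echo "$akm $akm-SHA256" ;;
		2) echo "$akm-SHA256" ;;
		*) echo "$akm" ;;
	esac
}

# … unchanged: hostapd_set_bss_options up to the psk arm …
			wps_possible=1
			append wpa_key_mgmt "$(pmf_key_mgmt WPA-PSK "$ieee80211w")"
```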
@@ -289,7 +299,17 @@ hostapd_set_bss_options() {
 			[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
 			append bss_conf "eapol_key_index_workaround=1" "$N"
 			append bss_conf "ieee8021x=1" "$N"
-			append wpa_key_mgmt "WPA-EAP"
+			case "$ieee80211w" in
+				1)
+					append wpa_key_mgmt "WPA-EAP WPA-EAP-SHA256"
+				;;
+				2)
+					append wpa_key_mgmt "WPA-EAP-SHA256"
+				;;
+				*)
+					append wpa_key_mgmt "WPA-EAP"
+				;;
+			esac
 
 			[ -n "$dynamic_vlan" ] && {
 				append bss_conf "dynamic_vlan=$dynamic_vlan" "$N"
@@ -408,7 +428,6 @@ hostapd_set_bss_options() {
 		[ "$auth_cache" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
 
 		# RSN -> allow management frame protection
-		json_get_var ieee80211w ieee80211w
 		case "$ieee80211w" in
 			[012])
 				json_get_vars ieee80211w_max_timeout ieee80211w_retry_timeout
@@ -611,7 +630,17 @@ wpa_supplicant_add_network() {
 		psk)
 			local passphrase
 
-			key_mgmt="$wpa_key_mgmt"
+			case "$ieee80211w" in
+				1)
+					key_mgmt='WPA-PSK WPA-PSK-SHA256'
+				;;
+				2)
+					key_mgmt='WPA-PSK-SHA256'
+				;;
+				*)
+					key_mgmt="$wpa_key_mgmt"
+				;;
+			esac
 			if [ ${#key} -eq 64 ]; then
 				passphrase="psk=${key}"
 			else
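Review bot: The `1)` and `2)` arms assign fixed strings while only the `*)` arm keeps `key_mgmt="$wpa_key_mgmt"`, so whatever `wpa_key_mgmt` carried for this psk network is silently discarded as soon as PMF is enabled; either the fallback should be the literal `WPA-PSK` too (if `wpa_key_mgmt` is always that here) or the other arms should be derived from it, but the mix of the two is hard to reason about. I also cannot see where wpa_supplicant_add_network populates `ieee80211w` (the function starts outside this hunk and the changelog only describes the move inside hostapd_set_bss_options); if it is not read via json_get_vars before this point, every setting lands in the `*)` arm and the new code is dead, so please confirm and note it, e.g. `# ieee80211w is populated by json_get_vars above`. The eap arm in the next hunk has the same shape but no `$wpa_key_mgmt` fallback, so the two arms would also read more consistently if they agreed.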
@@ -620,7 +649,17 @@ wpa_supplicant_add_network() {
 			append network_data "$passphrase" "$N$T"
 		;;
 		eap)
-			key_mgmt='WPA-EAP'
+			case "$ieee80211w" in
+				1)
+					key_mgmt='WPA-EAP WPA-EAP-SHA256'
+				;;
+				2)
+					key_mgmt='WPA-EAP-SHA256'
+				;;
+				*)
+					key_mgmt='WPA-EAP'
+				;;
+			esac
 		        [ "$ieee80211r" -gt 0 ] && key_mgmt="FT-EAP $key_mgmt"
 
 			json_get_vars eap_type identity anonymous_identity ca_cert
-- 
2.1.4