[OpenWrt-Devel] [PATCH v2] hostapd/wpa_supplicant: Fix PMF_Cert_Programm (802.11w) stronger algorithm

Bima Hutama hutamanzi at gmail.com
Sun Jun 5 15:37:12 EDT 2016


  -Description:
        I tested 802.11w (Protected Management Frame) by setting it to required-mode (ieee802.11w=2) and some clients which
        strictly obeys the PMF Certification Programm will not connect to the AP (like windows 10 with PMF enabled driver).
        It is caused by hostapd not implementing the 802.11w AKM selection the way the PMF Certification
        Program specifies. After I patched it, it works flawlessly and there are no more problems with Windows 10 clients.
        According to:
                https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

        ,with the search keyword "certification program", the PMF Certification Programm defined standards 2 AKMs for
        pmf-optional and only 1 AKM for pmf-required, rather than only 1 AKM (WPA-PSK or WPA-EAP) for all situations.
        This patch also adds automatically support for the stronger SHA-256-based algorithm.

  -Changed:
   v1:
        1) Moving variable ieee80211w within hostapd_set_bss_options() function to json_get_vars

        2) Changes in netifd.sh (for hostapd):
        2.1) Adding 2 AKMs (wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256) if 802.11w=1 (pmf_optional)
        2.2) Changing to 1 AKM (wpa_key_mgmt=WPA-PSK-SHA256) to support only WPA-PSK-SHA256 if 802.11w=2 (pmf_required)
        2.3) Adding 2 AKMs (wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256) if 802.11w=1 (pmf_optional)
        2.4) Changing to 1 AKM (wpa_key_mgmt=WPA-EAP-SHA256) to support only WPA-EAP-SHA256 if 802.11w=2 (pmf_required)

        3) Deleting json_get_var ieee80211w ieee80211w, as it was moved to json_get_vars

        4) Changes in netifd.sh (for wpa_supplicant):
        4.1) Adding 2 AKMs (key_mgmt=WPA-PSK WPA-PSK-SHA256) if 802.11w=1 (pmf_optional)
        4.2) Changing to 1 AKM (key_mgmt=WPA-PSK-SHA256) to support only WPA-PSK-SHA256 if 802.11w=2 (pmf_required)
        4.3) Adding 2 AKMs (key_mgmt=WPA-EAP WPA-EAP-SHA256) if 802.11w=1 (pmf_optional)
        4.4) Changing to 1 AKM (key_mgmt=WPA-EAP-SHA256) to support only WPA-EAP-SHA256 if 802.11w=2 (pmf_required)

   v2:
        1) Changes in netifd.sh (for wpa_supplicant):
        1.2) Adding compatibility support if key_mgmt not WPA-PSK with nested-"case" and constructing nested-"case" to be
             compatible for future standards by just adding new "case"-condition

Signed-off-by: Bima Hutama <hutamanzi at gmail.com>
---
 package/network/services/hostapd/files/netifd.sh | 70 ++++++++++++++++++++++--
 1 file changed, 65 insertions(+), 5 deletions(-)

diff --git a/package/network/services/hostapd/files/netifd.sh b/package/network/services/hostapd/files/netifd.sh
index 005112d..9c31379 100644
--- a/package/network/services/hostapd/files/netifd.sh
+++ b/package/network/services/hostapd/files/netifd.sh
@@ -186,7 +186,7 @@ hostapd_set_bss_options() {
 		wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 \
 		wps_device_type wps_device_name wps_manufacturer wps_pin \
 		macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
-		iapp_interface eapol_version
+		iapp_interface eapol_version ieee80211w
 
 	set_default isolate 0
 	set_default maxassoc 0
@@ -245,7 +245,17 @@ hostapd_set_bss_options() {
 			[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
 
 			wps_possible=1
-			append wpa_key_mgmt "WPA-PSK"
+			case "$ieee80211w" in
+				1)
+					append wpa_key_mgmt "WPA-PSK WPA-PSK-SHA256"
+				;;
+				2)
+					append wpa_key_mgmt "WPA-PSK-SHA256"
+				;;
+				*)
+					append wpa_key_mgmt "WPA-PSK"
+				;;
+			esac
 		;;
 		eap)
 			json_get_vars \
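Review bot: The `case "$ieee80211w"` block added here and the one in the eap arm of the next hunk are the same four branches with only the AKM name changed; a small file-scope helper taking the base AKM keeps both arms in step when a further PMF mode is added. With `2)` the plain `WPA-PSK` AKM is no longer advertised at all, so a PMF-capable client that negotiates with the legacy AKM is presumably refused; the `2)` arm deserves a comment such as `# pmf-required: offer only the SHA-256 AKM, as the PMF certification program specifies`, so the stricter client set is a documented choice rather than a surprise. hostapd_set_bss_options begins and ends outside the hunk.
```shell
# Append the AKM list for the PMF mode in $ieee80211w: 1 (optional) offers
# the legacy and the SHA-256 AKM, 2 (required) only the SHA-256 AKM.
# $1 is the base AKM name (WPA-PSK or WPA-EAP).
hostapd_append_pmf_key_mgmt() {
	case "$ieee80211w" in
		1) append wpa_key_mgmt "$1 $1-SHA256" ;;
		2) append wpa_key_mgmt "$1-SHA256" ;;
		*) append wpa_key_mgmt "$1" ;;
	esac
}

# … unchanged: hostapd_set_bss_options up to the psk arm …
			wps_possible=1
			hostapd_append_pmf_key_mgmt WPA-PSK
```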
@@ -289,7 +299,17 @@ hostapd_set_bss_options() {
 			[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
 			append bss_conf "eapol_key_index_workaround=1" "$N"
 			append bss_conf "ieee8021x=1" "$N"
-			append wpa_key_mgmt "WPA-EAP"
+			case "$ieee80211w" in
+				1)
+					append wpa_key_mgmt "WPA-EAP WPA-EAP-SHA256"
+				;;
+				2)
+					append wpa_key_mgmt "WPA-EAP-SHA256"
+				;;
+				*)
+					append wpa_key_mgmt "WPA-EAP"
+				;;
+			esac
 
 			[ -n "$dynamic_vlan" ] && {
 				append bss_conf "dynamic_vlan=$dynamic_vlan" "$N"
@@ -408,7 +428,6 @@ hostapd_set_bss_options() {
 		[ "$auth_cache" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
 
 		# RSN -> allow management frame protection
-		json_get_var ieee80211w ieee80211w
 		case "$ieee80211w" in
 			[012])
 				json_get_vars ieee80211w_max_timeout ieee80211w_retry_timeout
@@ -611,7 +630,31 @@ wpa_supplicant_add_network() {
 		psk)
 			local passphrase
 
-			key_mgmt="$wpa_key_mgmt"
+			case "$ieee80211w" in
+				1)
+					case "$wpa_key_mgmt" in
+						WPA-PSK)
+							key_mgmt="$wpa_key_mgmt WPA-PSK-SHA256"
+						;;
+						*)
+							key_mgmt="$wpa_key_mgmt"
+						;;
+					esac
+				;;
+				2)
+					case "$wpa_key_mgmt" in
+						WPA-PSK)
+							key_mgmt="WPA-PSK-SHA256"
+						;;
+						*)
+							key_mgmt="$wpa_key_mgmt"
+						;;
+					esac
+				;;
+				*)
+					key_mgmt="$wpa_key_mgmt"
+				;;
+			esac
 			if [ ${#key} -eq 64 ]; then
 				passphrase="psk=${key}"
 			else
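Review bot: The inner `WPA-PSK)` pattern only fires when `$wpa_key_mgmt` is exactly that single token; if the psk path ever carries an additional AKM the way the eap arm in the next hunk prepends `FT-EAP`, the SHA-256 AKM is silently dropped even though PMF was requested. Where `$wpa_key_mgmt` is set is outside this hunk, so whether multi-token values reach here needs confirming; if they can, the robust shape is to derive the base set from `$ieee80211w` first and add FT afterwards, as proposed for the eap arm. Independently, four of the six arms assign `key_mgmt="$wpa_key_mgmt"`; assigning it once before the case and keeping only the two overriding arms removes the duplication while preserving the current exact-match behaviour. wpa_supplicant_add_network starts and ends outside the hunk.
```shell
			key_mgmt="$wpa_key_mgmt"
			# PMF (ieee80211w): 1 adds the SHA-256 AKM, 2 uses it exclusively.
			case "$ieee80211w:$wpa_key_mgmt" in
				1:WPA-PSK) key_mgmt="WPA-PSK WPA-PSK-SHA256" ;;
				2:WPA-PSK) key_mgmt="WPA-PSK-SHA256" ;;
			esac
```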
@@ -623,6 +666,23 @@ wpa_supplicant_add_network() {
 			key_mgmt='WPA-EAP'
 		        [ "$ieee80211r" -gt 0 ] && key_mgmt="FT-EAP $key_mgmt"
 
+			case "$ieee80211w" in
+				1)
+					case "$key_mgmt" in
+						WPA-EAP)
+							key_mgmt='WPA-EAP WPA-EAP-SHA256'
+						;;
+					esac
+				;;
+				2)
+					case "$key_mgmt" in
+						WPA-EAP)
+							key_mgmt='WPA-EAP-SHA256'
+						;;
+					esac
+				;;
+			esac
+
 			json_get_vars eap_type identity anonymous_identity ca_cert
 			[ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
 			[ -n "$identity" ] && append network_data "identity=\"$identity\"" "$N$T"
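Review bot: The new `case "$key_mgmt"` never adds a SHA-256 AKM when 802.11r is enabled: the context line just above it (`key_mgmt="FT-EAP $key_mgmt"`) has already turned the value into `FT-EAP WPA-EAP`, which the `WPA-EAP)` pattern does not match, so an FT network with `ieee80211w=2` keeps the legacy AKM on the client while the hostapd side of this same patch offers only `WPA-EAP-SHA256`. Deciding the base AKM set from `$ieee80211w` first and prepending `FT-EAP` afterwards removes the ordering dependence and the two nested cases. The eap arm of wpa_supplicant_add_network continues outside the hunk.
```shell
			key_mgmt='WPA-EAP'
			# PMF (ieee80211w): 1 offers both AKMs, 2 only the SHA-256 one;
			# chosen before the FT prefix so the two settings do not interfere.
			case "$ieee80211w" in
				1) key_mgmt='WPA-EAP WPA-EAP-SHA256' ;;
				2) key_mgmt='WPA-EAP-SHA256' ;;
			esac
			[ "$ieee80211r" -gt 0 ] && key_mgmt="FT-EAP $key_mgmt"
```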
-- 
2.1.4