hostapd: fix 11r defaults when using WPA
authorJesus Fernandez Manzano <jesus.manzano@galgus.ai>
Mon, 22 Jan 2024 12:46:14 +0000 (13:46 +0100)
committerJo-Philipp Wich <jo@mein.io>
Wed, 6 Mar 2024 13:05:22 +0000 (14:05 +0100)
802.11r can not be used when selecting WPA. It needs at least WPA2.

This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.

Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit cdc4c551755115e0e1047a0c90a658e6238e96ee)

package/network/services/hostapd/files/hostapd.sh

index 73bd1bbeeb912d6b6d23953b9f8684d4ab4a9ff4..8e0cf4f091242efc3e1f64d4548abbc7840ff4c5 100644 (file)
@@ -43,7 +43,7 @@ hostapd_append_wpa_key_mgmt() {
        case "$auth_type" in
                psk|eap)
                        append wpa_key_mgmt "WPA-$auth_type_l"
-                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
+                       [ "${wpa:-2}" -ge 2 ] && [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
                        [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256"
                ;;
                eap192)
@@ -897,10 +897,21 @@ hostapd_set_bss_options() {
                }
        fi
 
+       json_get_vars ieee80211r
+       set_default ieee80211r 0
        if [ "$wpa" -ge "1" ]; then
-               json_get_vars ieee80211r
-               set_default ieee80211r 0
+               if [ "$fils" -gt 0 ]; then
+                       json_get_vars fils_realm
+                       set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
+               fi
+
+               append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
+
+               hostapd_append_wpa_key_mgmt
+               [ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
+       fi
 
+       if [ "$wpa" -ge "2" ]; then
                if [ "$ieee80211r" -gt "0" ]; then
                        json_get_vars mobility_domain ft_psk_generate_local ft_over_ds reassociation_deadline
 
@@ -950,18 +961,7 @@ hostapd_set_bss_options() {
                                done
                        fi
                fi
-               if [ "$fils" -gt 0 ]; then
-                       json_get_vars fils_realm
-                       set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
-               fi
-
-               append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
 
-               hostapd_append_wpa_key_mgmt
-               [ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
-       fi
-
-       if [ "$wpa" -ge "2" ]; then
                if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
                        set_default auth_cache 1
                        append bss_conf "rsn_preauth=1" "$N"