hostapd: fix 11r defaults when using WPA
authorJesus Fernandez Manzano <jesus.manzano@galgus.ai>
Mon, 22 Jan 2024 12:46:14 +0000 (13:46 +0100)
committerHauke Mehrtens <hauke@hauke-m.de>
Mon, 8 Jul 2024 20:27:11 +0000 (22:27 +0200)
802.11r can not be used when selecting WPA. It needs at least WPA2.

This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.

Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
(cherry picked from commit cdc4c551755115e0e1047a0c90a658e6238e96ee)
Link: https://github.com/openwrt/openwrt/pull/15899
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
package/network/services/hostapd/files/hostapd.sh

index 03f34f8b218cdee7f7dbfb76e16128bfbefd6fcb..88d7ce76b3aa26e85fadd05e3bc13974975474a8 100644 (file)
@@ -43,7 +43,7 @@ hostapd_append_wpa_key_mgmt() {
        case "$auth_type" in
                psk|eap)
                        append wpa_key_mgmt "WPA-$auth_type_l"
-                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
+                       [ "${wpa:-2}" -ge 2 ] && [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
                        [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256"
                ;;
                eap192)
@@ -846,10 +846,21 @@ hostapd_set_bss_options() {
                }
        fi
 
+       json_get_vars ieee80211r
+       set_default ieee80211r 0
        if [ "$wpa" -ge "1" ]; then
-               json_get_vars ieee80211r
-               set_default ieee80211r 0
+               if [ "$fils" -gt 0 ]; then
+                       json_get_vars fils_realm
+                       set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
+               fi
+
+               append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
+
+               hostapd_append_wpa_key_mgmt
+               [ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
+       fi
 
+       if [ "$wpa" -ge "2" ]; then
                if [ "$ieee80211r" -gt "0" ]; then
                        json_get_vars mobility_domain ft_psk_generate_local ft_over_ds reassociation_deadline
 
@@ -900,18 +911,7 @@ hostapd_set_bss_options() {
                                done
                        fi
                fi
-               if [ "$fils" -gt 0 ]; then
-                       json_get_vars fils_realm
-                       set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
-               fi
-
-               append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
 
-               hostapd_append_wpa_key_mgmt
-               [ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
-       fi
-
-       if [ "$wpa" -ge "2" ]; then
                if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
                        set_default auth_cache 1
                        append bss_conf "rsn_preauth=1" "$N"