From: Joerg Werner Date: Sun, 26 Jun 2022 15:18:39 +0000 (+0200) Subject: hostapd: fix WPA3 enterprise keys and ciphers X-Git-Tag: v22.03.0~30 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=0197cc553ad896284b60e7ca66493d0d686cc732;p=openwrt%2Fstaging%2Fhauke.git hostapd: fix WPA3 enterprise keys and ciphers WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires corresponding changes in netifd. Signed-off-by: Joerg Werner (cherry picked from commit 9fbb76c0470fd54f1f34909b1098d0f76078878f)
---
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 99688810f3..f7bb7164cd 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -48,12 +48,15 @@ hostapd_append_wpa_key_mgmt() {
 ;;
 eap192)
 append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
- [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
+ [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384"
 ;;
 eap-eap192)
 append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
 append wpa_key_mgmt "WPA-EAP"
- [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
+ [ "${ieee80211r:-0}" -gt 0 ] && {
+ append wpa_key_mgmt "FT-EAP-SHA384"
+ append wpa_key_mgmt "FT-EAP"
+ }
 [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256"
 ;;
 sae)
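Review bot: The `eap-eap192` arm now advertises `FT-EAP` next to `FT-EAP-SHA384` with no comment saying this is deliberate, so a later reader may take the SHA-256 FT AKM for a leftover, or assume this mode enforces 192-bit security when roaming. Presumably the weaker AKM is kept for non-192-bit clients in mixed mode; I would record that above the block with `# mixed mode: keep FT-EAP for non-192-bit clients; use auth_type eap192 to require the 192-bit suite`. Only the pure `eap192` arm drops `FT-EAP`, which matches the commit message. The case statement in hostapd_append_wpa_key_mgmt begins and ends outside the hunk.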
@@ -934,7 +937,11 @@ hostapd_set_bss_options() {
 json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout
 append bss_conf "ieee80211w=$ieee80211w" "$N"
 [ "$ieee80211w" -gt "0" ] && {
- append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N"
+ if [ "$auth_type" = "eap192" ]; then
+ append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N"
+ else
+ append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N"
+ fi
 [ -n "$ieee80211w_max_timeout" ] && \
 append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
 [ -n "$ieee80211w_retry_timeout" ] && \
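Review bot: The new `eap192` branch hard-codes `BIP-GMAC-256` and silently ignores a configured `ieee80211w_mgmt_cipher`, and because it sits inside the `[ "$ieee80211w" -gt "0" ]` guard it emits nothing when management frame protection is disabled. A short comment above the `if` would record the intent, e.g. `# WPA3-Enterprise 192-bit requires BIP-GMAC-256; ieee80211w_mgmt_cipher is ignored for eap192`. Whether `ieee80211w` is forced to 2 for `eap192` is not visible in this hunk; if it is only a default, a configured 0 or 1 leaves the BSS without mandatory PMF, so it is worth confirming, or logging a warning, where the option is read. `eap-eap192` is not matched and keeps the `AES-128-CMAC` default, which may be intended for mixed mode but should be stated. hostapd_set_bss_options starts and ends outside the hunk.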