From: Felix Fietkau <nbd@nbd.name>
Date: Wed, 12 Feb 2025 10:54:59 +0000 (+0100)
Subject: hostapd: fix sta psk index for dynamic psk auth
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=8118b2dace06de839e1e23f018059995f4af5e11;p=openwrt%2Fstaging%2Fstintel.git

hostapd: fix sta psk index for dynamic psk auth

Depending on the config / circumstances, the get_psk call can be called
multiple times from differnt places, which can lead to wrong sta->psk_idx
values. The correct call is the one that is also interested in the vlan_id,
so use the vlan_id pointer as indication of when to set sta->psk_idx.
Also fix off-by-one error for secondary PSKs

Fixes: b2a2c286170d ("hostapd: add support for authenticating with multiple PSKs via ubus helper")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/package/network/services/hostapd/patches/601-ucode_support.patch b/package/network/services/hostapd/patches/601-ucode_support.patch
index 1e1f399765..cd713ea286 100644
--- a/package/network/services/hostapd/patches/601-ucode_support.patch
+++ b/package/network/services/hostapd/patches/601-ucode_support.patch
@@ -816,7 +816,7 @@ as adding/removing interfaces.
  	if (vlan_id)
  		*vlan_id = 0;
  	if (psk_len)
-@@ -449,13 +450,16 @@ static const u8 * hostapd_wpa_auth_get_p
+@@ -449,13 +450,18 @@ static const u8 * hostapd_wpa_auth_get_p
  	 * returned psk which should not be returned again.
  	 * logic list (all hostapd_get_psk; all sta->psk)
  	 */
@@ -830,16 +830,23 @@ as adding/removing interfaces.
  			*vlan_id = 0;
  		psk = sta->psk->psk;
 -		for (pos = sta->psk; pos; pos = pos->next) {
++		if (vlan_id)
++			sta->psk_idx = psk_idx;
 +		for (pos = sta->psk; pos; pos = pos->next, psk_idx++) {
  			if (pos->is_passphrase) {
  				if (pbkdf2_sha1(pos->passphrase,
  						hapd->conf->ssid.ssid,
-@@ -472,6 +476,8 @@ static const u8 * hostapd_wpa_auth_get_p
+@@ -469,9 +475,13 @@ static const u8 * hostapd_wpa_auth_get_p
+ 			}
+ 			if (pos->psk == prev_psk) {
+ 				psk = pos->next ? pos->next->psk : NULL;
++				if (vlan_id)
++					sta->psk_idx = psk_idx + 1;
  				break;
  			}
  		}
-+		if (psk)
-+			sta->psk_idx = psk_idx;
++		if (vlan_id && !psk)
++			sta->psk_idx = 0;
  	}
  	return psk;
  }
diff --git a/package/network/services/hostapd/patches/730-ft_iface.patch b/package/network/services/hostapd/patches/730-ft_iface.patch
index 728411bb60..4226a59d66 100644
--- a/package/network/services/hostapd/patches/730-ft_iface.patch
+++ b/package/network/services/hostapd/patches/730-ft_iface.patch
@@ -29,7 +29,7 @@ a VLAN interface on top of the bridge, instead of using the bridge directly
  	int bridge_hairpin; /* hairpin_mode on bridge members */
 --- a/src/ap/wpa_auth_glue.c
 +++ b/src/ap/wpa_auth_glue.c
-@@ -1825,8 +1825,12 @@ int hostapd_setup_wpa(struct hostapd_dat
+@@ -1829,8 +1829,12 @@ int hostapd_setup_wpa(struct hostapd_dat
  	    wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt)) {
  		const char *ft_iface;