From: Felix Fietkau Date: Wed, 12 Feb 2025 10:54:59 +0000 (+0100) Subject: hostapd: fix sta psk index for dynamic psk auth X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=cb4d2b3fb2a85bcd2aa49c4d11732e5b55e458c5;p=openwrt%2Fopenwrt.git hostapd: fix sta psk index for dynamic psk auth Depending on the config / circumstances, the get_psk call can be called multiple times from differnt places, which can lead to wrong sta->psk_idx values. The correct call is the one that is also interested in the vlan_id, so use the vlan_id pointer as indication of when to set sta->psk_idx. Also fix off-by-one error for secondary PSKs Fixes: b2a2c286170d ("hostapd: add support for authenticating with multiple PSKs via ubus helper") Signed-off-by: Felix Fietkau (cherry picked from commit 8118b2dace06de839e1e23f018059995f4af5e11) --- diff --git a/package/network/services/hostapd/patches/601-ucode_support.patch b/package/network/services/hostapd/patches/601-ucode_support.patch index 5a88687cf2..13fd2b1b51 100644 --- a/package/network/services/hostapd/patches/601-ucode_support.patch +++ b/package/network/services/hostapd/patches/601-ucode_support.patch @@ -816,7 +816,7 @@ as adding/removing interfaces. if (vlan_id) *vlan_id = 0; if (psk_len) -@@ -446,13 +447,16 @@ static const u8 * hostapd_wpa_auth_get_p +@@ -446,13 +447,18 @@ static const u8 * hostapd_wpa_auth_get_p * returned psk which should not be returned again. * logic list (all hostapd_get_psk; all sta->psk) */ 
@@ -830,16 +830,23 @@ as adding/removing interfaces. *vlan_id = 0; psk = sta->psk->psk; - for (pos = sta->psk; pos; pos = pos->next) { ++ if (vlan_id) ++ sta->psk_idx = psk_idx; + for (pos = sta->psk; pos; pos = pos->next, psk_idx++) { if (pos->is_passphrase) { if (pbkdf2_sha1(pos->passphrase, hapd->conf->ssid.ssid, -@@ -469,6 +473,8 @@ static const u8 * hostapd_wpa_auth_get_p +@@ -466,9 +472,13 @@ static const u8 * hostapd_wpa_auth_get_p + } + if (pos->psk == prev_psk) { + psk = pos->next ? pos->next->psk : NULL; ++ if (vlan_id) ++ sta->psk_idx = psk_idx + 1; break; } } -+ if (psk) -+ sta->psk_idx = psk_idx; ++ if (vlan_id && !psk) ++ sta->psk_idx = 0; } return psk; } diff --git a/package/network/services/hostapd/patches/730-ft_iface.patch b/package/network/services/hostapd/patches/730-ft_iface.patch index ac7d3abd78..f021f1f99b 100644 --- a/package/network/services/hostapd/patches/730-ft_iface.patch +++ b/package/network/services/hostapd/patches/730-ft_iface.patch @@ -29,7 +29,7 @@ a VLAN interface on top of the bridge, instead of using the bridge directly int bridge_hairpin; /* hairpin_mode on bridge members */ --- a/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c -@@ -1821,8 +1821,12 @@ int hostapd_setup_wpa(struct hostapd_dat +@@ -1825,8 +1825,12 @@ int hostapd_setup_wpa(struct hostapd_dat wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt)) { const char *ft_iface; diff --git a/package/network/services/hostapd/patches/803-hostapd-fix-80211be-build.patch b/package/network/services/hostapd/patches/803-hostapd-fix-80211be-build.patch index f197b71bd7..cbd6298d9d 100644 --- a/package/network/services/hostapd/patches/803-hostapd-fix-80211be-build.patch +++ b/package/network/services/hostapd/patches/803-hostapd-fix-80211be-build.patch @@ -25,7 +25,7 @@ + --- a/src/ap/sta_info.h 
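Review bot: The three `if (vlan_id)` guards around `sta->psk_idx` (before the loop, in the `pos->psk == prev_psk` branch, and in the final `!psk` reset) treat a non-NULL out-pointer as the signal that this is the lookup whose result should be recorded, but only the commit message says so. The index appears to record which dynamic PSK the station authenticated with, so a later caller that passes `vlan_id` for an unrelated reason, or an authoritative path that passes NULL, would leave a wrong or stale index without any visible error. I would put the contract at the first guard, e.g. `/* Only the lookup that also requests vlan_id selects the key in use; other get_psk callers must leave sta->psk_idx untouched. */`. I would also note next to `sta->psk_idx = 0;` that 0 means no dynamic PSK matched, if that is the intended meaning. The function's start and the declaration and initial value of `psk_idx` are outside this hunk, so the off-by-one correction (`psk_idx + 1`) cannot be checked against the index base from here.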
+++ b/src/ap/sta_info.h -@@ -409,23 +409,8 @@ int ap_sta_re_add(struct hostapd_data *h +@@ -408,23 +408,8 @@ int ap_sta_re_add(struct hostapd_data *h void ap_free_sta_pasn(struct hostapd_data *hapd, struct sta_info *sta);