From b7d9bced3056d37857292670ed1a29084ecb0aa1 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 7 Dec 2021 14:47:40 +0100 Subject: [PATCH] hostapd: add support for enabling FILS on AP and client interfaces This is only supported with WPA-enterprise Signed-off-by: Felix Fietkau --- .../network/services/hostapd/files/hostapd.sh | 41 +++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index b4aa5e4c85..30d1418789 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -72,6 +72,15 @@ hostapd_append_wpa_key_mgmt() { ;; esac + [ "$fils" -gt 0 ] && { + case "$auth_type" in + eap*) + append wpa_key_mgmt FILS-SHA256 + [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt FT-FILS-SHA256 + ;; + esac + } + [ "$auth_osen" = "1" ] && append wpa_key_mgmt "OSEN" } @@ -359,6 +368,8 @@ hostapd_common_add_bss_config() { config_add_int eap_server config_add_string eap_user_file ca_cert server_cert private_key private_key_passwd server_id + + config_add_boolean fils } hostapd_set_vlan_file() { @@ -531,8 +542,9 @@ hostapd_set_bss_options() { airtime_bss_weight airtime_bss_limit airtime_sta_weight \ multicast_to_unicast proxy_arp per_sta_vif \ eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \ - vendor_elements + vendor_elements fils + set_default fils 0 set_default isolate 0 set_default maxassoc 0 set_default max_inactivity 0 @@ -554,6 +566,8 @@ hostapd_set_bss_options() { set_default airtime_bss_limit 0 set_default eap_server 0 + /usr/sbin/hostapd -vfils || fils=0 + append bss_conf "ctrl_interface=/var/run/hostapd" if [ "$isolate" -gt 0 ]; then append bss_conf "ap_isolate=$isolate" "$N" @@ -654,7 +668,9 @@ hostapd_set_bss_options() { auth_server auth_secret auth_port \ dae_client dae_secret dae_port \ ownip radius_client_addr \ - eap_reauth_period request_cui + eap_reauth_period request_cui \ + erp_domain mobility_domain \ + fils_realm # radius can provide VLAN ID for clients vlan_possible=1 @@ -664,6 +680,17 @@ hostapd_set_bss_options() { [ -n "$auth_port" ] || json_get_var auth_port port [ -n "$auth_secret" ] || json_get_var auth_secret key + [ "$fils" -gt 0 ] && { + set_default erp_domain "$mobility_domain" + set_default erp_domain "$(echo "$ssid" | md5sum | head -c 8)" + set_default fils_realm "$erp_domain" + + append bss_conf "erp_send_reauth_start=1" "$N" + append bss_conf "erp_domain=$erp_domain" "$N" + append bss_conf "fils_realm=$fils_realm" "$N" + append bss_conf "fils_cache_id=$(echo "$fils_realm" | md5sum | head -c 4)" "$N" + } + set_default auth_port 1812 set_default dae_port 3799 set_default request_cui 0 @@ -853,6 +880,10 @@ hostapd_set_bss_options() { done fi fi + if [ "$fils" -gt 0 ]; then + json_get_vars fils_realm + set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)" + fi append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N" @@ -877,7 +908,7 @@ hostapd_set_bss_options() { fi append bss_conf "okc=$auth_cache" "$N" - [ "$auth_cache" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N" + [ "$auth_cache" = 0 -a "$fils" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N" # RSN -> allow management frame protection case "$ieee80211w" in @@ -1031,6 +1062,7 @@ hostapd_set_bss_options() { if [ "$eap_server" = "1" ]; then append bss_conf "eap_server=1" "$N" + append bss_conf "eap_server_erp=1" "$N" [ -n "$eap_user_file" ] && append bss_conf "eap_user_file=$eap_user_file" "$N" [ -n "$ca_cert" ] && append bss_conf "ca_cert=$ca_cert" "$N" [ -n "$server_cert" ] && append bss_conf "server_cert=$server_cert" "$N" @@ -1197,7 +1229,7 @@ wpa_supplicant_add_network() { json_get_vars \ ssid bssid key \ basic_rate mcast_rate \ - ieee80211w ieee80211r \ + ieee80211w ieee80211r fils \ multi_ap \ default_disabled @@ -1289,6 +1321,7 @@ wpa_supplicant_add_network() { json_get_vars eap_type identity anonymous_identity ca_cert ca_cert_usesystem + [ "$fils" -gt 0 ] && append network_data "erp=1" "$N$T" if [ "$ca_cert_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then append network_data "ca_cert=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T" else -- 2.30.2