This patch series enables management frame protection (802.11w) in hostapd and 
wpa_supplicant. Both programs implement IEEE Std 802.11w-2009 since version 
0.7.0 (1),(2). According to (3), the only driver that currently supports 
802.11w is ath9k.

I have tested this on two identical OpenWrt devices, based on Ubiquiti 
RouterStation Pro with SR-71A (phy0: Atheros AR9160 MAC/BB Rev:0 AR5133 RF 
Rev:b0), running trunk r19922. MFP can be either disabled, optional or 
required, in both programs. For my tests, I set ieee80211w=1 (optional) on my 
AP and ieee80211w=2 (required) on the client. Association sometimes succeeded, 
but not always. With "iw dev wlan0 scan" on the client, there is also some 
bogus tail data in the RSN part:

        RSN:     * Version: 1
                 * Group cipher: TKIP
                 * Pairwise ciphers: CCMP TKIP
                 * Authentication suites: PSK
                 * Capabilities: 16-PTKSA-RC MFP-capable (0x008c)
                 * bogus tail data (6): 00 00 00 0f ac 06

Given my first test results, this feature should imo be considered 
experimental, but the ability to configure it in /etc/config/wireless will 
allow for easier testing.

(1) http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=hostapd/ChangeLog
(2) http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/ChangeLog
(3) http://linuxwireless.org/


(Resend on request of thepeople)


From ce41df3dc0a876436cfe0598b5e2df0557510a3d Mon Sep 17 00:00:00 2001
From: Stijn Tintel <st...@linux-ipv6.be>
Date: Mon, 1 Mar 2010 17:08:59 +0100
Subject: [PATCH 1/4] wpa_supplicant: cleanup psk handling

Cleanup redundant psk handling code in wpa_supplicant.sh.
(I sent this one to openwrt-devel before, but I am resending it as part of
this series because the next patch will also edit wpa_supplicant.sh).

Signed-off-by: Stijn Tintel <st...@linux-ipv6.be>
---
 package/hostapd/files/wpa_supplicant.sh |   15 +++++----------
 1 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/package/hostapd/files/wpa_supplicant.sh 
b/package/hostapd/files/wpa_supplicant.sh
index 97a0082..522d423 100644
--- a/package/hostapd/files/wpa_supplicant.sh
+++ b/package/hostapd/files/wpa_supplicant.sh
@@ -42,22 +42,17 @@ wpa_supplicant_setup_vif() {
                *psk*)
                        key_mgmt='WPA-PSK'
                        config_get_bool usepassphrase "$vif" passphrase 1
+                       if [ "$usepassphrase" = "1" ]; then
+                               passphrase="psk=\"${key}\""
+                       else
+                               passphrase="psk=${key}"
+                       fi
                        case "$enc" in
                                *psk2*)
                                        proto='proto=RSN'
-                                       if [ "$usepassphrase" = "1" ]; then
-                                               passphrase="psk=\"${key}\""
-                                       else
-                                               passphrase="psk=${key}"
-                                       fi
                                ;;
                                *psk*)
                                        proto='proto=WPA'
-                                       if [ "$usepassphrase" = "1" ]; then
-                                               passphrase="psk=\"${key}\""
-                                       else
-                                               passphrase="psk=${key}"
-                                       fi
                                ;;
                        esac
                ;;
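
Review bot: the hoisted block at the top of the *psk*) arm interpolates ${key} into psk=\"${key}\" with no escaping and into psk=${key} with no format check, so a passphrase containing a double quote, or a raw key that is not 64 hex digits, produces a network block that wpa_supplicant will reject or misparse. Now that the assignment lives in one place, validate there before setting passphrase: 8 to 63 characters for the quoted form, exactly 64 hex characters for the raw form.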
-- 
1.6.4.4

From ea403b94005a2097599f42bbe50aade173e3f0c8 Mon Sep 17 00:00:00 2001
From: Stijn Tintel <st...@linux-ipv6.be>
Date: Mon, 1 Mar 2010 17:13:48 +0100
Subject: [PATCH 2/4] wpa_supplicant: enable 802.11w

Enable management frame protection in wpa_supplicant, and make it
configurable in /etc/config/wireless.

Signed-off-by: Stijn Tintel <st...@linux-ipv6.be>
---
 package/hostapd/files/wpa_supplicant-full.config |    2 +-
 package/hostapd/files/wpa_supplicant.sh          |   10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/package/hostapd/files/wpa_supplicant-full.config 
b/package/hostapd/files/wpa_supplicant-full.config
index 5e7fd27..8d6813a 100644
--- a/package/hostapd/files/wpa_supplicant-full.config
+++ b/package/hostapd/files/wpa_supplicant-full.config
@@ -301,7 +301,7 @@ CONFIG_PEERKEY=y
 # This version is an experimental implementation based on IEEE 802.11w/D1.0
 # draft and is subject to change since the standard has not yet been finalized.
 # Driver support is also needed for IEEE 802.11w.
-#CONFIG_IEEE80211W=y
+CONFIG_IEEE80211W=y
 
 # Select TLS implementation
 # openssl = OpenSSL (default)
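
Review bot: CONFIG_IEEE80211W=y is switched on unconditionally, while the three context lines directly above it still describe an experimental implementation of the 802.11w/D1.0 draft and state that driver support is needed. Either update that comment to match the option's new status, or gate the option on driver availability the way the hostapd Makefile change in this series does, so the two halves of the series follow the same rule.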
diff --git a/package/hostapd/files/wpa_supplicant.sh 
b/package/hostapd/files/wpa_supplicant.sh
index 522d423..8e9b5c3 100644
--- a/package/hostapd/files/wpa_supplicant.sh
+++ b/package/hostapd/files/wpa_supplicant.sh
@@ -50,6 +50,7 @@ wpa_supplicant_setup_vif() {
                        case "$enc" in
                                *psk2*)
                                        proto='proto=RSN'
+                                       config_get ieee80211w "$vif" ieee80211w
                                ;;
                                *psk*)
                                        proto='proto=WPA'
@@ -59,6 +60,7 @@ wpa_supplicant_setup_vif() {
                *wpa*|*8021x*)
                        proto='proto=WPA2'
                        key_mgmt='WPA-EAP'
+                       config_get ieee80211w "$vif" ieee80211w
                        config_get ca_cert "$vif" ca_cert
                        ca_cert=${ca_cert:+"ca_cert=\"$ca_cert\""}
                        case "$eap_type" in
@@ -82,6 +84,13 @@ wpa_supplicant_setup_vif() {
                        eap_type="eap=$(echo $eap_type | tr 'a-z' 'A-Z')"
                ;;
        esac
+
+       case "$ieee80211w" in
+               [012])
+                       ieee80211w="ieee80211w=$ieee80211w"
+               ;;
+       esac
+
        config_get ifname "$vif" ifname
        config_get bridge "$vif" bridge
        config_get ssid "$vif" ssid
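
Review bot: the new case on $ieee80211w has no default arm, so a value outside 0, 1 and 2 stays in the variable unchanged and the bare $ieee80211w added to the network block later in this patch writes it out as a line of its own, which breaks the generated config. Add a default arm such as *) ieee80211w= ;; and clear the variable before the outer case as well, since the plain *psk*) arm never calls config_get and nothing in the visible lines declares ieee80211w local.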
@@ -96,6 +105,7 @@ network={
        $bssid
        key_mgmt=$key_mgmt
        $proto
+       $ieee80211w
        $passphrase
        $pairwise
        $group
-- 
1.6.4.4

From 8c827054cc4c63e2088d0cb134d49de20bd4cd41 Mon Sep 17 00:00:00 2001
From: Stijn Tintel <st...@linux-ipv6.be>
Date: Mon, 1 Mar 2010 17:16:00 +0100
Subject: [PATCH 3/4] hostapd: enable 802.11w

Enable management frame protection in hostapd, and make it configurable
in /etc/config/wireless. Since ath9k is currently the only driver that
supports MFP, it will only be enabled when ath9k is enabled.

Signed-off-by: Stijn Tintel <st...@linux-ipv6.be>
---
 package/hostapd/Makefile         |    3 ++-
 package/hostapd/files/hostapd.sh |    7 +++++++
 2 files changed, 9 insertions(+), 1 deletions(-)

diff --git a/package/hostapd/Makefile b/package/hostapd/Makefile
index e6e2313..11b202e 100644
--- a/package/hostapd/Makefile
+++ b/package/hostapd/Makefile
@@ -54,7 +54,8 @@ DRIVER_MAKEOPTS= \
        CONFIG_DRIVER_NL80211=$(CONFIG_PACKAGE_kmod-mac80211) \
        CONFIG_DRIVER_MADWIFI=$(CONFIG_PACKAGE_kmod-madwifi) \
        CONFIG_DRIVER_HOSTAP=$(CONFIG_PACKAGE_kmod-hostap) \
-       CONFIG_IEEE80211N=$(CONFIG_PACKAGE_kmod-ath9k)
+       CONFIG_IEEE80211N=$(CONFIG_PACKAGE_kmod-ath9k) \
+       CONFIG_IEEE80211W=$(CONFIG_PACKAGE_kmod-ath9k)
 
 ifeq ($(LOCAL_TYPE),supplicant)
   ifeq ($(LOCAL_VARIANT),full)
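
Review bot: the new last line of DRIVER_MAKEOPTS keys CONFIG_IEEE80211W to CONFIG_PACKAGE_kmod-ath9k, which hard-codes one driver's package selection as the switch for a protocol feature. A dedicated build option that ath9k selects would let other drivers opt in later without another Makefile edit; at minimum, add a comment beside the line saying why ath9k is the gate.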
diff --git a/package/hostapd/files/hostapd.sh b/package/hostapd/files/hostapd.sh
index b477cd7..622eeac 100644
--- a/package/hostapd/files/hostapd.sh
+++ b/package/hostapd/files/hostapd.sh
@@ -106,6 +106,13 @@ hostapd_set_bss_options() {
        append "$var" "ssid=$ssid" "$N"
        [ -n "$bridge" ] && append "$var" "bridge=$bridge" "$N"
        [ -n "$ieee80211d" ] && append "$var" "ieee80211d=$ieee80211d" "$N"
+
+       [ "$wpa" -ge "2" ] && config_get ieee80211w "$vif" ieee80211w
+       case "$ieee80211w" in
+               [012])
+                       append "$var" "ieee80211w=$ieee80211w" "$N"
+               ;;
+       esac
 }
 
 hostapd_setup_vif() {
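
Review bot: the test [ "$wpa" -ge "2" ] on the first added line raises an integer-expression error when $wpa is empty or non-numeric, and when it is false ieee80211w is not fetched but the case below still runs on whatever the variable already holds. Default the operand (for example [ "${wpa:-0}" -ge 2 ]) and reset ieee80211w before the test, so an open or WPA1 BSS can never end up with an ieee80211w= line. Values outside 0 to 2 are also dropped silently; a log message in a default arm would make misconfiguration visible.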
-- 
1.6.4.4

From 5039471d3231457e5b257e5f24661c4bde72f9ce Mon Sep 17 00:00:00 2001
From: Stijn Tintel <st...@linux-ipv6.be>
Date: Mon, 1 Mar 2010 19:59:06 +0100
Subject: [PATCH 4/4] hostapd: make 802.11w related options configurable

When enabling MFP, hostapd will read assoc_sa_query_max_timeout and
assoc_sa_query_retry_timeout from its config file. Make these options
configurable in /etc/config/wireless. To make it clear that these
options are 802.11w related, I named them ieee80211w_max_timeout and
ieee80211w_retry_timeout instead.

Signed-off-by: Stijn Tintel <st...@linux-ipv6.be>
---
 package/hostapd/files/hostapd.sh |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/package/hostapd/files/hostapd.sh b/package/hostapd/files/hostapd.sh
index 622eeac..2295b43 100644
--- a/package/hostapd/files/hostapd.sh
+++ b/package/hostapd/files/hostapd.sh
@@ -111,6 +111,14 @@ hostapd_set_bss_options() {
        case "$ieee80211w" in
                [012])
                        append "$var" "ieee80211w=$ieee80211w" "$N"
+                       [ "$ieee80211w" -gt "0" ] && {
+                               config_get ieee80211w_max_timeout "$vif" 
ieee80211w_max_timeout
+                               config_get ieee80211w_retry_timeout "$vif" 
ieee80211w_retry_timeout
+                               [ -n "$ieee80211w_max_timeout" ] && \
+                                       append "$var" 
"assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
+                               [ -n "$ieee80211w_retry_timeout" ] && \
+                                       append "$var" 
"assoc_sa_query_retry_timeout=$ieee80211w_retry_timeout" "$N"
+                       }
                ;;
        esac
 }
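
Review bot: ieee80211w_max_timeout and ieee80211w_retry_timeout are only tested with -n before being appended as assoc_sa_query_max_timeout and assoc_sa_query_retry_timeout, so any non-numeric string goes straight into the hostapd config, unlike ieee80211w itself, which is filtered by the [012] pattern. Add a numeric check before each append. The added config_get and append lines are also wrapped across two lines as posted, so the hunk will not apply until it is resent unwrapped, and the renamed options should be documented next to the hostapd names they map to.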
-- 
1.6.4.4
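
Added example, not part of the original message or of iw, hostapd or wpa_supplicant: a small parser for the RSN element layout defined in IEEE 802.11, run on a body constructed from the scan output in the cover letter. Under that layout the six bytes reported as tail data decode as a PMKID count of 0 followed by the group management cipher suite 00-0F-AC:6 (BIP), the field 802.11w adds; the function names and the sample bytes are assumptions of this example.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")
CIPHERS = {2: "TKIP", 4: "CCMP", 6: "BIP-CMAC-128"}  # types under 00-0F-AC
AKMS = {1: "802.1X", 2: "PSK"}

def _suite(buf, off, names):
    """Decode one 4-byte suite selector: 3-byte OUI plus 1-byte type."""
    if off + 4 > len(buf):
        raise ValueError("truncated suite selector")
    oui, typ = buf[off:off + 3], buf[off + 3]
    return names.get(typ, f"type-{typ}") if oui == RSN_OUI else f"{oui.hex()}:{typ}"

def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated 16-bit field")
    return struct.unpack_from("<H", buf, off)[0]

def _suite_list(buf, off, names):
    """Decode a 16-bit count followed by that many suite selectors."""
    count = _u16(buf, off)
    suites = [_suite(buf, off + 2 + 4 * i, names) for i in range(count)]
    return suites, off + 2 + 4 * count

def parse_rsn(body):
    """Parse an RSN element body (the bytes after element ID and length)."""
    out = {"version": _u16(body, 0), "group": _suite(body, 2, CIPHERS)}
    out["pairwise"], off = _suite_list(body, 6, CIPHERS)
    out["akm"], off = _suite_list(body, off, AKMS)
    caps, off = _u16(body, off), off + 2
    out["mfp_capable"] = bool(caps & 0x0080)   # MFPC, bit 7
    out["mfp_required"] = bool(caps & 0x0040)  # MFPR, bit 6
    # Optional fields after the capabilities: PMKID count and list,
    # then the group management cipher suite added by 802.11w.
    if off < len(body):
        out["pmkid_count"] = _u16(body, off)
        off += 2 + 16 * out["pmkid_count"]
        if off > len(body):
            raise ValueError("PMKID list runs past end of element")
    if off < len(body):
        out["group_mgmt"] = _suite(body, off, CIPHERS)
        off += 4
    out["trailing"] = body[off:].hex()
    return out

# Constructed sample: scan-output fields, then the six bytes iw printed as tail data.
SAMPLE = bytes.fromhex("0100" "000fac02" "0200" "000fac04" "000fac02"
                       "0100" "000fac02" "8c00" "0000" "000fac06")
```

Calling parse_rsn(SAMPLE) accounts for every byte of the element, so a scanner that understands the 802.11w fields has nothing left over to report as tail data.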
