-Changed:
1) Moving variable ieee80211w within hostapd_set_bss_options() function
to json_get_vars
2) Changes in netifd.sh (for wpa_supplicant):
2.1) Adding 2 AKMs (key_mgmt=WPA-PSK WPA-PSK-SHA256) if 802.11w=1
(pmf_optional)
2.2) Adding 2 AKMs (key_mgmt=WPA-EAP WPA-EAP-SHA256) if 802.11w=1
(pmf_optional)
2.3) Changing to 1 AKM (key_mgmt=WPA-PSK-SHA256) to support only
WPA-PSK-SHA256 if 802.11w=2 (pmf_required)
2.4) Changing to 1 AKM (key_mgmt=WPA-EAP-SHA256) to support only
WPA-EAP-SHA256 if 802.11w=2 (pmf_required)
3) Deleting json_get_var ieee80211w ieee80211w, as it was moved to
json_get_vars
4) Changes in netifd.sh (for hostapd):
4.1) Adding 2 AKMs (wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256) if 802.11w=1
(pmf_optional)
4.2) Adding 2 AKMs (wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256) if 802.11w=1
(pmf_optional)
4.3) Changing to 1 AKM (wpa_key_mgmt=WPA-PSK-SHA256) to support only
WPA-PSK-SHA256 if 802.11w=2 (pmf_required)
4.4) Changing to 1 AKM (wpa_key_mgmt=WPA-EAP-SHA256) to support only
WPA-EAP-SHA256 if 802.11w=2 (pmf_required)
-Description:
I tested 802.11w (Protected Management Frames) by setting it to
required mode (ieee802.11w=2), and some clients which strictly obey the
PMF Certification Program will not connect to the AP (like Windows 10
with a PMF-enabled driver).
It is caused by hostapd not correctly implementing the 802.11w
standards according to the PMF Certification Program. After I hacked
it, it works flawlessly and there is no more problem with Windows 10
clients.
According to
https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
(search for the keyword "certification program"), the PMF Certification
Program defines 2 AKMs for pmf-optional and only 1 AKM for
pmf-required, rather than only 1 AKM (WPA-PSK or WPA-EAP) for all
situations.
This patch also automatically adds support for the stronger
SHA-256-based algorithm.
Signed-off-by: Bima Hutama <[email protected]>
---
package/network/services/hostapd/files/netifd.sh | 51 +++++++++++++++++++++---
1 file changed, 45 insertions(+), 6 deletions(-)
diff --git a/package/network/services/hostapd/files/netifd.sh
b/package/network/services/hostapd/files/netifd.sh
index 005112d..21caaf8 100644
--- a/package/network/services/hostapd/files/netifd.sh
+++ b/package/network/services/hostapd/files/netifd.sh
@@ -186,7 +186,7 @@ hostapd_set_bss_options() {
wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 \
wps_device_type wps_device_name wps_manufacturer wps_pin \
macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
- iapp_interface eapol_version
+ iapp_interface eapol_version ieee80211w
set_default isolate 0
set_default maxassoc 0
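Review bot: ieee80211w joins the json_get_vars list here but gets no set_default next to the `set_default isolate 0` / `set_default maxassoc 0` lines, so when the option is absent the variable is empty and only the `*)` branches of the later case statements catch it. A `set_default ieee80211w 0` here would make the default explicit and keep the `[012])` case further down from depending on the empty-string fallthrough.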
@@ -245,7 +245,17 @@ hostapd_set_bss_options() {
[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2"
] && append bss_conf "eapol_version=$eapol_version" "$N"
wps_possible=1
- append wpa_key_mgmt "WPA-PSK"
+ case "$ieee80211w" in
+ 1)
+ append wpa_key_mgmt "WPA-PSK
WPA-PSK-SHA256"
+ ;;
+ 2)
+ append wpa_key_mgmt "WPA-PSK-SHA256"
+ ;;
+ *)
+ append wpa_key_mgmt "WPA-PSK"
+ ;;
+ esac
;;
eap)
json_get_vars \
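Review bot: the patch as posted has been line-wrapped by the mailer: `append wpa_key_mgmt "WPA-PSK` continues on the next line as `WPA-PSK-SHA256"`, and the `[ "$eapol_version" ... -le "2"` context line is split before `] && append`, so `git am` will not apply it. Please resend with `git send-email` (or as an attachment) so the hunks apply cleanly; the three-way case with a `*)` default for the plain WPA-PSK AKM otherwise looks right.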
@@ -289,7 +299,17 @@ hostapd_set_bss_options() {
[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip"
"$N"
append bss_conf "eapol_key_index_workaround=1" "$N"
append bss_conf "ieee8021x=1" "$N"
- append wpa_key_mgmt "WPA-EAP"
+ case "$ieee80211w" in
+ 1)
+ append wpa_key_mgmt "WPA-EAP
WPA-EAP-SHA256"
+ ;;
+ 2)
+ append wpa_key_mgmt "WPA-EAP-SHA256"
+ ;;
+ *)
+ append wpa_key_mgmt "WPA-EAP"
+ ;;
+ esac
[ -n "$dynamic_vlan" ] && {
append bss_conf "dynamic_vlan=$dynamic_vlan"
"$N"
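Review bot: this is the second copy of the same ieee80211w-to-AKM mapping, and the two wpa_supplicant hunks repeat it twice more with only the base AKM (WPA-PSK / WPA-EAP) changing. A small helper that takes the base AKM and returns "<akm> <akm>-SHA256" for ieee80211w=1, "<akm>-SHA256" for 2 and "<akm>" otherwise would keep the four call sites from drifting apart when the next AKM (e.g. an FT variant) needs the same treatment.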
@@ -408,7 +428,6 @@ hostapd_set_bss_options() {
[ "$auth_cache" = 0 ] && append bss_conf
"disable_pmksa_caching=1" "$N"
# RSN -> allow management frame protection
- json_get_var ieee80211w ieee80211w
case "$ieee80211w" in
[012])
json_get_vars ieee80211w_max_timeout
ieee80211w_retry_timeout
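Review bot: after this removal the comment `# RSN -> allow management frame protection` sits above a `case "$ieee80211w"` whose variable is now read about 220 lines earlier, and the reason for the move (the psk/eap branches need the value before this point) appears only in the changelog as "it was moved to json_get_vars". A one-line comment here pointing at the early read, and a sentence in the description explaining the ordering dependency, would help the next person who touches this block.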
@@ -611,7 +630,17 @@ wpa_supplicant_add_network() {
psk)
local passphrase
- key_mgmt="$wpa_key_mgmt"
+ case "$ieee80211w" in
+ 1)
+ key_mgmt='WPA-PSK WPA-PSK-SHA256'
+ ;;
+ 2)
+ key_mgmt='WPA-PSK-SHA256'
+ ;;
+ *)
+ key_mgmt="$wpa_key_mgmt"
+ ;;
+ esac
if [ ${#key} -eq 64 ]; then
passphrase="psk=${key}"
else
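Review bot: the `1)` and `2)` branches replace `key_mgmt="$wpa_key_mgmt"` with literal strings, so whatever `$wpa_key_mgmt` carried beyond plain WPA-PSK is dropped in PMF mode, whereas the `*)` branch keeps it; deriving from the existing value (e.g. `key_mgmt="$wpa_key_mgmt WPA-PSK-SHA256"` for the optional case) would avoid that. Also, this function references `$ieee80211w`, but the only json_get_vars change in the patch is in hostapd_set_bss_options; please confirm wpa_supplicant_add_network actually fetches ieee80211w, otherwise it is always empty here and the new branches never trigger.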
@@ -620,7 +649,17 @@ wpa_supplicant_add_network() {
append network_data "$passphrase" "$N$T"
;;
eap)
- key_mgmt='WPA-EAP'
+ case "$ieee80211w" in
+ 1)
+ key_mgmt='WPA-EAP WPA-EAP-SHA256'
+ ;;
+ 2)
+ key_mgmt='WPA-EAP-SHA256'
+ ;;
+ *)
+ key_mgmt='WPA-EAP'
+ ;;
+ esac
[ "$ieee80211r" -gt 0 ] && key_mgmt="FT-EAP $key_mgmt"
json_get_vars eap_type identity anonymous_identity
ca_cert
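Review bot: with ieee80211w=2 the station now offers only WPA-EAP-SHA256 (plus FT-EAP when ieee80211r is set), so it will no longer associate to an AP that requires PMF but advertises only the WPA-EAP AKM, which is how an OpenWrt AP without this patch is configured. That is the intended behaviour per the certification text, but the compatibility change for the client side should be called out in the description and in the option documentation so users understand why a previously working STA configuration stops connecting.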
--
2.1.4
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel