Currently netifd only knows 2 wpa3/eap modes, wpa3 and wpa3-mixed. According to the spec there are however 3 modes: wpa3, wpa3-192 and wpa3-mixed. In addition, the existing mode is "incorrectly" named: it sets up wpa3-192, and there is currently no wpa3(-only) mode.
Fix hostapd.sh s.T. the now corretly passed values from netifd are honoured.
Tested-on: iPhone 12, Samsung S10/S20
Signed-off-by: John Crispin <j...@phrozen.org>
---
 .../network/services/hostapd/files/hostapd.sh | 35 +++++++++++++------
 1 file changed, 24 insertions(+), 11 deletions(-)
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 4f306317c7..efb06427ca 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -48,14 +48,18 @@ hostapd_append_wpa_key_mgmt() {
 ;;
 eap192)
 append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
+ append wpa_key_mgmt "WPA-EAP-SHA256"
 [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
- ;;
- eap-eap192)
- append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
+ ;;
+ eap-eap256)
 append wpa_key_mgmt "WPA-EAP"
+ append wpa_key_mgmt "WPA-EAP-SHA256"
 [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
- [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256"
- ;;
+ ;;
+ eap256)
+ append wpa_key_mgmt "WPA-EAP-SHA256"
+ [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP"
+ ;;
 sae)
 append wpa_key_mgmt "SAE"
 [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
@@ -602,11 +606,11 @@ hostapd_set_bss_options() {
 }
 case "$auth_type" in
- sae|owe|eap192|eap-eap192)
+ sae|owe|eap192|eap256)
 set_default ieee80211w 2
 set_default sae_require_mfp 1
 ;;
- psk-sae)
+ psk-sae|eap-eap256)
 set_default ieee80211w 1
 set_default sae_require_mfp 1
 ;;
@@ -649,7 +653,7 @@ hostapd_set_bss_options() {
 vlan_possible=1
 wps_possible=1
 ;;
- eap|eap192|eap-eap192)
+ eap|eap192|eap-eap256|eap256)
 json_get_vars \
 auth_server auth_secret auth_port \
 dae_client dae_secret dae_port \
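Review bot: The new `eap192)` arm of `hostapd_append_wpa_key_mgmt` advertises `WPA-EAP-SHA256` and, with 802.11r enabled, `FT-EAP` next to `WPA-EAP-SUITE-B-192`, so a station can negotiate a SHA-256 AKM on the BSS that is supposed to be 192-bit only. If wpa3-192 is meant to be exclusive, drop the `append wpa_key_mgmt "WPA-EAP-SHA256"` line from that arm and use `[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384"` for fast transition, provided the hostapd build in use offers that AKM. The `- ;;` / `+ ;;` pairs appear to change only whitespace, which adds noise to the patch. The function starts and ends outside the hunk.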
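Review bot: For `eap192` and `eap256` the first arm of this `case` only calls `set_default ieee80211w 2`, which presumably leaves an explicitly configured `ieee80211w` of 0 or 1 untouched, so a WPA3-only enterprise BSS can still be generated without mandatory management frame protection. Consider enforcing the value for these two types after the `case`, for example `case "$auth_type" in eap192|eap256) ieee80211w=2 ;; esac`, or at least logging when a weaker setting is overridden. `set_default sae_require_mfp 1` looks SAE-specific and probably has no effect for the EAP types; a comment such as `# sae_require_mfp is only meaningful for SAE` would make that explicit. The `case` and the enclosing function continue outside the hunk.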
@@ -885,7 +889,16 @@ hostapd_set_bss_options() {
 json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout
 append bss_conf "ieee80211w=$ieee80211w" "$N"
 [ "$ieee80211w" -gt "0" ] && {
- append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N"
+ case "$auth_type" in
+ eap192)
+ append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N"
+ append bss_conf "group_cipher=GCMP-256" "$N"
+ ;;
+ *)
+ append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N"
+ ;;
+ esac
+
 [ -n "$ieee80211w_max_timeout" ] && \
 append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
 [ -n "$ieee80211w_retry_timeout" ] && \
@@ -1197,7 +1210,7 @@ wpa_supplicant_add_network() {
 default_disabled
 case "$auth_type" in
- sae|owe|eap192|eap-eap192)
+ sae|owe|eap192|eap-eap256|eap256)
 set_default ieee80211w 2
 ;;
 psk-sae)
@@ -1278,7 +1291,7 @@ wpa_supplicant_add_network() {
 fi
 append network_data "$passphrase" "$N$T"
 ;;
- eap|eap192|eap-eap192)
+ eap|eap192|eap-eap256|eap256)
 hostapd_append_wpa_key_mgmt
 key_mgmt="$wpa_key_mgmt"
-- 
2.25.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
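Review bot: In the `eap192)` arm the 192-bit ciphers are written only inside the `[ "$ieee80211w" -gt "0" ] && {` block and only the group ciphers are set, so if `ieee80211w` ends up 0 the BSS gets neither line, and nothing in this hunk pins the pairwise cipher to GCMP-256. `group_cipher` is not a PMF setting and would read better next to wherever the pairwise ciphers are emitted, which is outside this hunk and cannot be checked here. The arm also silently ignores a configured `ieee80211w_mgmt_cipher`; a comment such as `# wpa3-192 mandates BIP-GMAC-256, ieee80211w_mgmt_cipher is ignored` would document that. The enclosing block and function continue outside the hunk.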
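Review bot: On the station side `eap-eap256` is placed in the arm that defaults `ieee80211w` to 2, while the AP-side hunk in `hostapd_set_bss_options` groups it with `psk-sae` and defaults it to 1. A client configured for the mixed mode would then require management frame protection by default and presumably could not join a WPA2-Enterprise AP that does not offer it, which defeats the transition mode. If the mixed behaviour is intended for stations too, mirror the AP side with `sae|owe|eap192|eap256)` here and `psk-sae|eap-eap256)` on the next arm, whose body is outside the hunk.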