hostapd: Activate Simultaneous Authentication of Equals (SAE)
This builds the full openssl and wolfssl versions with SAE support, which is the main part of WPA3 PSK. This needs elliptic curve cryptography, which is only provided by these two external cryptographic libraries and not by the internal implementation. The WPA3_Specification_v1.0.pdf file says that in SAE-only mode Protected Management Frames (PMF) are required; in mixed mode with WPA2-PSK, PMF should be required for clients using SAE and optional for clients using WPA2-PSK. The defaults are now set accordingly. This increases the ipkg size by 8.515 Bytes. Old: 394.026 Bytes New: 402.541 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
parent
a1ad1144b6
commit
4a009a16d2
3 changed files with 42 additions and 9 deletions
|
@ -97,11 +97,11 @@ endif
|
||||||
|
|
||||||
ifeq ($(LOCAL_VARIANT),full)
|
ifeq ($(LOCAL_VARIANT),full)
|
||||||
ifeq ($(SSL_VARIANT),openssl)
|
ifeq ($(SSL_VARIANT),openssl)
|
||||||
DRIVER_MAKEOPTS += CONFIG_TLS=openssl
|
DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y
|
||||||
TARGET_LDFLAGS += -lcrypto -lssl
|
TARGET_LDFLAGS += -lcrypto -lssl
|
||||||
endif
|
endif
|
||||||
ifeq ($(SSL_VARIANT),wolfssl)
|
ifeq ($(SSL_VARIANT),wolfssl)
|
||||||
DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1
|
DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1 CONFIG_SAE=y
|
||||||
TARGET_LDFLAGS += -lwolfssl
|
TARGET_LDFLAGS += -lwolfssl
|
||||||
endif
|
endif
|
||||||
endif
|
endif
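Review bot: `CONFIG_SAE=y` is now set in both the openssl and the wolfssl branch with nothing in the file saying why it is tied to those two, so a later edit that adds another TLS backend or touches only one branch can drop it without notice. A comment above the `ifeq ($(SSL_VARIANT),openssl)` line, such as `# SAE needs ECC, which only the external TLS libraries provide (not the internal crypto)`, would record the constraint given in the commit message. Whether the wolfssl package this links against is built with the ECC support SAE depends on is not visible here and is worth confirming, since a missing option would surface only at link or run time.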
|
||||||
|
|
|
@ -37,11 +37,26 @@ hostapd_append_wep_key() {
|
||||||
}
|
}
|
||||||
|
|
||||||
hostapd_append_wpa_key_mgmt() {
|
hostapd_append_wpa_key_mgmt() {
|
||||||
local auth_type="$(echo $auth_type | tr 'a-z' 'A-Z')"
|
local auth_type_l="$(echo $auth_type | tr 'a-z' 'A-Z')"
|
||||||
|
|
||||||
append wpa_key_mgmt "WPA-$auth_type"
|
case "$auth_type" in
|
||||||
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type}"
|
psk|eap)
|
||||||
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type}-SHA256"
|
append wpa_key_mgmt "WPA-$auth_type_l"
|
||||||
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
|
||||||
|
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256"
|
||||||
|
;;
|
||||||
|
sae)
|
||||||
|
append wpa_key_mgmt "SAE"
|
||||||
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
|
||||||
|
;;
|
||||||
|
psk-sae)
|
||||||
|
append wpa_key_mgmt "WPA-PSK"
|
||||||
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
|
||||||
|
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
|
||||||
|
append wpa_key_mgmt "SAE"
|
||||||
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
hostapd_add_log_config() {
|
hostapd_add_log_config() {
|
||||||
|
@ -209,6 +224,8 @@ hostapd_common_add_bss_config() {
|
||||||
config_add_int mcast_rate
|
config_add_int mcast_rate
|
||||||
config_add_array basic_rate
|
config_add_array basic_rate
|
||||||
config_add_array supported_rates
|
config_add_array supported_rates
|
||||||
|
|
||||||
|
config_add_boolean sae_require_mfp
|
||||||
}
|
}
|
||||||
|
|
||||||
hostapd_set_bss_options() {
|
hostapd_set_bss_options() {
|
||||||
|
@ -230,7 +247,7 @@ hostapd_set_bss_options() {
|
||||||
macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
|
macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
|
||||||
iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
|
iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
|
||||||
acct_server acct_secret acct_port acct_interval \
|
acct_server acct_secret acct_port acct_interval \
|
||||||
bss_load_update_period chan_util_avg_period
|
bss_load_update_period chan_util_avg_period sae_require_mfp
|
||||||
|
|
||||||
set_default isolate 0
|
set_default isolate 0
|
||||||
set_default maxassoc 0
|
set_default maxassoc 0
|
||||||
|
@ -284,6 +301,18 @@ hostapd_set_bss_options() {
|
||||||
append bss_conf "radius_acct_interim_interval=$acct_interval" "$N"
|
append bss_conf "radius_acct_interim_interval=$acct_interval" "$N"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
case "$auth_type" in
|
||||||
|
sae)
|
||||||
|
set_default ieee80211w 2
|
||||||
|
set_default sae_require_mfp 1
|
||||||
|
;;
|
||||||
|
psk-sae)
|
||||||
|
set_default ieee80211w 1
|
||||||
|
set_default sae_require_mfp 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
|
||||||
|
|
||||||
local vlan_possible=""
|
local vlan_possible=""
|
||||||
|
|
||||||
case "$auth_type" in
|
case "$auth_type" in
|
||||||
|
@ -293,7 +322,7 @@ hostapd_set_bss_options() {
|
||||||
# with WPS enabled, we got to be in unconfigured state.
|
# with WPS enabled, we got to be in unconfigured state.
|
||||||
wps_not_configured=1
|
wps_not_configured=1
|
||||||
;;
|
;;
|
||||||
psk)
|
psk|sae|psk-sae)
|
||||||
json_get_vars key wpa_psk_file
|
json_get_vars key wpa_psk_file
|
||||||
if [ ${#key} -lt 8 ]; then
|
if [ ${#key} -lt 8 ]; then
|
||||||
wireless_setup_vif_failed INVALID_WPA_PSK
|
wireless_setup_vif_failed INVALID_WPA_PSK
|
||||||
|
@ -709,7 +738,7 @@ wpa_supplicant_add_network() {
|
||||||
hostapd_append_wep_key network_data
|
hostapd_append_wep_key network_data
|
||||||
append network_data "wep_tx_keyidx=$wep_keyidx" "$N$T"
|
append network_data "wep_tx_keyidx=$wep_keyidx" "$N$T"
|
||||||
;;
|
;;
|
||||||
psk)
|
psk|sae|psk-sae)
|
||||||
local passphrase
|
local passphrase
|
||||||
|
|
||||||
if [ "$_w_mode" != "mesh" ]; then
|
if [ "$_w_mode" != "mesh" ]; then
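Review bot: In the new `case "$auth_type"` block of hostapd_set_bss_options, `set_default ieee80211w 2` presumably only fills in a value the user left unset, so a configuration that combines `sae` with an explicit `ieee80211w` of 0 or 1 still yields an SAE-only BSS without mandatory PMF, which the commit message says the WPA3 specification requires. Assigning `ieee80211w=2` in the `sae)` arm instead of defaulting it, or failing setup for that combination, would keep the AP from silently running the weaker configuration; the same applies to an explicit `sae_require_mfp 0` in the `psk-sae)` arm. Separately, in hostapd_append_wpa_key_mgmt the variable `auth_type_l` holds the upper-cased value, so a name such as `auth_type_u` would read correctly. hostapd_set_bss_options begins and continues outside these hunks, so where `ieee80211w` is consumed is not visible.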
|
||||||
|
|
|
@ -26,6 +26,10 @@ static inline int has_feature(const char *feat)
|
||||||
#ifdef CONFIG_ACS
|
#ifdef CONFIG_ACS
|
||||||
if (!strcmp(feat, "acs"))
|
if (!strcmp(feat, "acs"))
|
||||||
return 1;
|
return 1;
|
||||||
|
#endif
|
||||||
|
#ifdef CONFIG_SAE
|
||||||
|
if (!strcmp(feat, "sae"))
|
||||||
|
return 1;
|
||||||
#endif
|
#endif
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
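Review bot: The new `"sae"` string reports only that the binary was compiled with CONFIG_SAE, and nothing visible in this commit checks it before the configuration script emits `SAE` in wpa_key_mgmt. On a build variant without CONFIG_SAE, selecting `sae` would then presumably produce a configuration the daemon rejects at start-up rather than a clear error at setup time. A comment on the new branch, for example `/* "sae": built with CONFIG_SAE; callers should probe this before enabling SAE key management */`, would document the intended use. has_feature begins before this hunk, so its other feature strings are not shown.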
|
||||||
|
|