| author | Felix Fietkau | 2025-02-12 10:54:59 +0000 |
|---|---|---|
| committer | Felix Fietkau | 2025-02-12 10:57:50 +0000 |
| commit | 8118b2dace06de839e1e23f018059995f4af5e11 (patch) | |
| tree | a72207f4e5f077fb24fd2c27b1bdb3a848019ba7 | |
| parent | 4779b731d4ecbb351f1cff918a4a1a2c069fb3b1 (diff) | |
| download | openwrt-8118b2dace06de839e1e23f018059995f4af5e11.tar.gz | |
hostapd: fix sta psk index for dynamic psk auth
Depending on the config / circumstances, the get_psk call can be called
multiple times from different places, which can lead to wrong sta->psk_idx
values. The correct call is the one that is also interested in the vlan_id,
so use the vlan_id pointer as indication of when to set sta->psk_idx.
Also fix off-by-one error for secondary PSKs
Fixes: b2a2c286170d ("hostapd: add support for authenticating with multiple PSKs via ubus helper")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
| -rw-r--r-- | package/network/services/hostapd/patches/601-ucode_support.patch | 15 | ||||
| -rw-r--r-- | package/network/services/hostapd/patches/730-ft_iface.patch | 2 |
2 files changed, 12 insertions, 5 deletions
diff --git a/package/network/services/hostapd/patches/601-ucode_support.patch b/package/network/services/hostapd/patches/601-ucode_support.patch index 1e1f399765..cd713ea286 100644 --- a/package/network/services/hostapd/patches/601-ucode_support.patch +++ b/package/network/services/hostapd/patches/601-ucode_support.patch @@ -816,7 +816,7 @@ as adding/removing interfaces. if (vlan_id) *vlan_id = 0; if (psk_len) -@@ -449,13 +450,16 @@ static const u8 * hostapd_wpa_auth_get_p +@@ -449,13 +450,18 @@ static const u8 * hostapd_wpa_auth_get_p * returned psk which should not be returned again. * logic list (all hostapd_get_psk; all sta->psk) */ @@ -830,16 +830,23 @@ as adding/removing interfaces. *vlan_id = 0; psk = sta->psk->psk; - for (pos = sta->psk; pos; pos = pos->next) { ++ if (vlan_id) ++ sta->psk_idx = psk_idx; + for (pos = sta->psk; pos; pos = pos->next, psk_idx++) { if (pos->is_passphrase) { if (pbkdf2_sha1(pos->passphrase, hapd->conf->ssid.ssid, -@@ -472,6 +476,8 @@ static const u8 * hostapd_wpa_auth_get_p +@@ -469,9 +475,13 @@ static const u8 * hostapd_wpa_auth_get_p + } + if (pos->psk == prev_psk) { + psk = pos->next ? pos->next->psk : NULL; ++ if (vlan_id) ++ sta->psk_idx = psk_idx + 1; break; } } -+ if (psk) -+ sta->psk_idx = psk_idx; ++ if (vlan_id && !psk) ++ sta->psk_idx = 0; } return psk; } diff --git a/package/network/services/hostapd/patches/730-ft_iface.patch b/package/network/services/hostapd/patches/730-ft_iface.patch index 728411bb60..4226a59d66 100644 --- a/package/network/services/hostapd/patches/730-ft_iface.patch +++ b/package/network/services/hostapd/patches/730-ft_iface.patch @@ -29,7 +29,7 @@ a VLAN interface on top of the bridge, instead of using the bridge directly int bridge_hairpin; /* hairpin_mode on bridge members */ --- a/src/ap/wpa_auth_glue.c 
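Review bot: The three new `if (vlan_id)` branches treat a non-NULL `vlan_id` as the signal that this call may write `sta->psk_idx`, but nothing in the code states that contract. Since `sta->psk_idx` records which PSK a station authenticated with, a later caller that passes `vlan_id` for some other reason would silently change that attribution. A comment above the first assignment would pin it down, e.g. `/* Only the caller that requests vlan_id selects the PSK for this STA; other callers must not touch sta->psk_idx. */`. It is also worth confirming that `sta->psk_idx` is cleared when the PSK comes from the configured list rather than from `sta->psk`: the `if (vlan_id && !psk) sta->psk_idx = 0;` reset appears to sit inside the dynamic-PSK block, so a stale index from an earlier attempt may survive. The declaration and initial value of `psk_idx`, and the start of the function, are outside the hunk.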
+++ b/src/ap/wpa_auth_glue.c -@@ -1825,8 +1825,12 @@ int hostapd_setup_wpa(struct hostapd_dat +@@ -1829,8 +1829,12 @@ int hostapd_setup_wpa(struct hostapd_dat wpa_key_mgmt_ft(hapd->conf->wpa_key_mgmt)) { const char *ft_iface; |