hostapd: Activate Simultaneous Authentication of Equals (SAE)

This build the full openssl and wolfssl versions with SAE support which
is the main part of WPA3 PSK.

This needs elliptic curve cryptography which is only provided by these
two external cryptographic libraries and not by the internal
implementation.

The WPA3_Specification_v1.0.pdf file says that in SAE only mode
Protected Management Frames (PMF) is required, in mixed mode with
WPA2-PSK PMF should be required for clients using SAE, and optional for
clients using WPA2-PSK. The defaults are set now accordingly.

This increases the ipkg size by 8.515 Bytes.
Old: 394.026 Bytes
New: 402.541 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile
index a5c53797382644a2bcc450069cb6906ba5c07660..3f9b776f55bb6f8c0917871c27dabb9a73760b24 100644 (file)
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -97,11 +97,11 @@ endif
 
 ifeq ($(LOCAL_VARIANT),full)
   ifeq ($(SSL_VARIANT),openssl)
-    DRIVER_MAKEOPTS += CONFIG_TLS=openssl
+    DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_SAE=y
     TARGET_LDFLAGS += -lcrypto -lssl
   endif
   ifeq ($(SSL_VARIANT),wolfssl)
-    DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1
+    DRIVER_MAKEOPTS += CONFIG_TLS=wolfssl CONFIG_WPS_NFC=1 CONFIG_SAE=y
     TARGET_LDFLAGS += -lwolfssl
   endif
 endif

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 7ffff4e7e10854844efea8c0b034ffb6e9f87b38..c9882701faed23aebf774dddd61dc663939edd35 100644 (file)
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -37,11 +37,26 @@ hostapd_append_wep_key() {
 }
 
 hostapd_append_wpa_key_mgmt() {
-       local auth_type="$(echo $auth_type | tr 'a-z' 'A-Z')"
+       local auth_type_l="$(echo $auth_type | tr 'a-z' 'A-Z')"
 
-       append wpa_key_mgmt "WPA-$auth_type"
-       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type}"
-       [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type}-SHA256"
+       case "$auth_type" in
+               psk|eap)
+                       append wpa_key_mgmt "WPA-$auth_type_l"
+                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
+                       [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256"
+               ;;
+               sae)
+                       append wpa_key_mgmt "SAE"
+                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
+               ;;
+               psk-sae)
+                       append wpa_key_mgmt "WPA-PSK"
+                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
+                       [ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
+                       append wpa_key_mgmt "SAE"
+                       [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
+               ;;
+       esac
 }
 
 hostapd_add_log_config() {
@@ -209,6 +224,8 @@ hostapd_common_add_bss_config() {
        config_add_int mcast_rate
        config_add_array basic_rate
        config_add_array supported_rates
+       
+       config_add_boolean sae_require_mfp
 }
 
 hostapd_set_bss_options() {
@@ -230,7 +247,7 @@ hostapd_set_bss_options() {
                macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
                iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
                acct_server acct_secret acct_port acct_interval \
-               bss_load_update_period chan_util_avg_period
+               bss_load_update_period chan_util_avg_period sae_require_mfp
 
        set_default isolate 0
        set_default maxassoc 0
@@ -284,6 +301,18 @@ hostapd_set_bss_options() {
                        append bss_conf "radius_acct_interim_interval=$acct_interval" "$N"
        }
 
+       case "$auth_type" in
+               sae)
+                       set_default ieee80211w 2
+                       set_default sae_require_mfp 1
+               ;;
+               psk-sae)
+                       set_default ieee80211w 1
+                       set_default sae_require_mfp 1
+               ;;
+       esac
+       [ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
+
        local vlan_possible=""
 
        case "$auth_type" in
@@ -293,7 +322,7 @@ hostapd_set_bss_options() {
                        # with WPS enabled, we got to be in unconfigured state.
                        wps_not_configured=1
                ;;
-               psk)
+               psk|sae|psk-sae)
                        json_get_vars key wpa_psk_file
                        if [ ${#key} -lt 8 ]; then
                                wireless_setup_vif_failed INVALID_WPA_PSK
@@ -709,7 +738,7 @@ wpa_supplicant_add_network() {
                        hostapd_append_wep_key network_data
                        append network_data "wep_tx_keyidx=$wep_keyidx" "$N$T"
                ;;
-               psk)
+               psk|sae|psk-sae)
                        local passphrase
 
                        if [ "$_w_mode" != "mesh" ]; then

diff --git a/package/network/services/hostapd/src/src/utils/build_features.h b/package/network/services/hostapd/src/src/utils/build_features.h
index ba082dea14a445bf5aa5247ef6ecfb304fefba00..328c76c67e5c14f9664a37d2989cb6beb8582749 100644 (file)
--- a/package/network/services/hostapd/src/src/utils/build_features.h
+++ b/package/network/services/hostapd/src/src/utils/build_features.h
@@ -26,6 +26,10 @@ static inline int has_feature(const char *feat)
 #ifdef CONFIG_ACS
        if (!strcmp(feat, "acs"))
                return 1;
+#endif
+#ifdef CONFIG_SAE
+       if (!strcmp(feat, "sae"))
+               return 1;
 #endif
        return 0;
 }