This patch series enables management frame protection (802.11w) in hostapd and wpa_supplicant. Both programs implement IEEE Std 802.11w-2009 since version 0.7.0 (1),(2). According to (3), the only driver that currently supports 802.11w is ath9k.
I have tested this on two identical OpenWrt devices, based on Ubiquiti RouterStation Pro with SR-71A (phy0: Atheros AR9160 MAC/BB Rev:0 AR5133 RF Rev:b0), running trunk r19922. MFP can be either disabled, optional or required, in both programs. For my tests, I set ieee80211w=1 (optional) on my AP and ieee80211w=2 (required) on the client. Association sometimes succeeded, but not always. With "iw dev wlan0 scan" on the client, there is also some bogus tail data in the RSN part:

    RSN:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK
             * Capabilities: 16-PTKSA-RC MFP-capable (0x008c)
             * bogus tail data (6): 00 00 00 0f ac 06

Given my first test results, this feature should imo be considered experimental, but the ability to configure it in /etc/config/wireless will allow for easier testing.

(1) http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=hostapd/ChangeLog
(2) http://hostap.epitest.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/ChangeLog
(3) http://linuxwireless.org/

(Resend on request of thepeople)
From ce41df3dc0a876436cfe0598b5e2df0557510a3d Mon Sep 17 00:00:00 2001 From: Stijn Tintel <st...@linux-ipv6.be> Date: Mon, 1 Mar 2010 17:08:59 +0100 Subject: [PATCH 1/4] wpa_supplicant: cleanup psk handling Cleanup redundant psk handling code in wpa_supplicant.sh. (I sent this one to openwrt-devel before, but I am resending it as part of this series because the next patch will also edit wpa_supplicant.sh). Signed-off-by: Stijn Tintel <st...@linux-ipv6.be> --- package/hostapd/files/wpa_supplicant.sh | 15 +++++---------- 1 files changed, 5 insertions(+), 10 deletions(-) diff --git a/package/hostapd/files/wpa_supplicant.sh b/package/hostapd/files/wpa_supplicant.sh index 97a0082..522d423 100644 --- a/package/hostapd/files/wpa_supplicant.sh +++ b/package/hostapd/files/wpa_supplicant.sh @@ -42,22 +42,17 @@ wpa_supplicant_setup_vif() { *psk*) key_mgmt='WPA-PSK' config_get_bool usepassphrase "$vif" passphrase 1 + if [ "$usepassphrase" = "1" ]; then + passphrase="psk=\"${key}\"" + else + passphrase="psk=${key}" + fi case "$enc" in *psk2*) proto='proto=RSN' - if [ "$usepassphrase" = "1" ]; then - passphrase="psk=\"${key}\"" - else - passphrase="psk=${key}" - fi ;; *psk*) proto='proto=WPA' - if [ "$usepassphrase" = "1" ]; then - passphrase="psk=\"${key}\"" - else - passphrase="psk=${key}" - fi ;; esac ;; -- 1.6.4.4
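Review bot: The if/else hoisted to the top of the *psk*) arm writes $key into the config unchecked, and it is now the single place both the WPA and WPA2 paths go through. In the quoted branch a key containing a double quote or a newline would end the psk="..." string early and leave the remainder in the network block as separate text; in the usepassphrase=0 branch psk=${key} is emitted as a raw key with no check that it is 64 hex digits. This is a convenient spot to reject such keys before the file is written.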
From ea403b94005a2097599f42bbe50aade173e3f0c8 Mon Sep 17 00:00:00 2001 From: Stijn Tintel <st...@linux-ipv6.be> Date: Mon, 1 Mar 2010 17:13:48 +0100 Subject: [PATCH 2/4] wpa_supplicant: enable 802.11w Enable management frame protection in wpa_supplicant, and make it configurable in /etc/config/wireless. Signed-off-by: Stijn Tintel <st...@linux-ipv6.be> --- package/hostapd/files/wpa_supplicant-full.config | 2 +- package/hostapd/files/wpa_supplicant.sh | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletions(-) diff --git a/package/hostapd/files/wpa_supplicant-full.config b/package/hostapd/files/wpa_supplicant-full.config index 5e7fd27..8d6813a 100644 --- a/package/hostapd/files/wpa_supplicant-full.config +++ b/package/hostapd/files/wpa_supplicant-full.config @@ -301,7 +301,7 @@ CONFIG_PEERKEY=y # This version is an experimental implementation based on IEEE 802.11w/D1.0 # draft and is subject to change since the standard has not yet been finalized. # Driver support is also needed for IEEE 802.11w. -#CONFIG_IEEE80211W=y +CONFIG_IEEE80211W=y # Select TLS implementation # openssl = OpenSSL (default) diff --git a/package/hostapd/files/wpa_supplicant.sh b/package/hostapd/files/wpa_supplicant.sh index 522d423..8e9b5c3 100644 --- a/package/hostapd/files/wpa_supplicant.sh +++ b/package/hostapd/files/wpa_supplicant.sh @@ -50,6 +50,7 @@ wpa_supplicant_setup_vif() { case "$enc" in *psk2*) proto='proto=RSN' + config_get ieee80211w "$vif" ieee80211w ;; *psk*) proto='proto=WPA' @@ -59,6 +60,7 @@ wpa_supplicant_setup_vif() { *wpa*|*8021x*) proto='proto=WPA2' key_mgmt='WPA-EAP' + config_get ieee80211w "$vif" ieee80211w config_get ca_cert "$vif" ca_cert ca_cert=${ca_cert:+"ca_cert=\"$ca_cert\""} case "$eap_type" in 
@@ -82,6 +84,13 @@ wpa_supplicant_setup_vif() { eap_type="eap=$(echo $eap_type | tr 'a-z' 'A-Z')" ;; esac + + case "$ieee80211w" in + [012]) + ieee80211w="ieee80211w=$ieee80211w" + ;; + esac + config_get ifname "$vif" ifname config_get bridge "$vif" bridge config_get ssid "$vif" ssid @@ -96,6 +105,7 @@ network={ $bssid key_mgmt=$key_mgmt $proto + $ieee80211w $passphrase $pairwise $group -- 1.6.4.4
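Review bot: The case "$ieee80211w" block added before config_get ifname has no default arm, so a configured value other than 0, 1 or 2 (a typo such as 3, or "required") is left in the variable unchanged and is then written on a line of its own by the new $ieee80211w entry in network={}. Add a *) arm that clears the variable and reports the rejected value. Nothing in the visible lines resets ieee80211w when neither the *psk2*) nor the *wpa*|*8021x*) arm ran either, so clearing it before the outer case would keep a value left over from an earlier call out of a WPA1 or open network block.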
From 8c827054cc4c63e2088d0cb134d49de20bd4cd41 Mon Sep 17 00:00:00 2001 From: Stijn Tintel <st...@linux-ipv6.be> Date: Mon, 1 Mar 2010 17:16:00 +0100 Subject: [PATCH 3/4] hostapd: enable 802.11w Enable management frame protection in hostapd, and make it configurable in /etc/config/wireless. Since ath9k is currently the only driver that supports MFP, it will only be enabled when ath9k is enabled. Signed-off-by: Stijn Tintel <st...@linux-ipv6.be> --- package/hostapd/Makefile | 3 ++- package/hostapd/files/hostapd.sh | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletions(-) diff --git a/package/hostapd/Makefile b/package/hostapd/Makefile index e6e2313..11b202e 100644 --- a/package/hostapd/Makefile +++ b/package/hostapd/Makefile @@ -54,7 +54,8 @@ DRIVER_MAKEOPTS= \ CONFIG_DRIVER_NL80211=$(CONFIG_PACKAGE_kmod-mac80211) \ CONFIG_DRIVER_MADWIFI=$(CONFIG_PACKAGE_kmod-madwifi) \ CONFIG_DRIVER_HOSTAP=$(CONFIG_PACKAGE_kmod-hostap) \ - CONFIG_IEEE80211N=$(CONFIG_PACKAGE_kmod-ath9k) + CONFIG_IEEE80211N=$(CONFIG_PACKAGE_kmod-ath9k) \ + CONFIG_IEEE80211W=$(CONFIG_PACKAGE_kmod-ath9k) ifeq ($(LOCAL_TYPE),supplicant) ifeq ($(LOCAL_VARIANT),full) diff --git a/package/hostapd/files/hostapd.sh b/package/hostapd/files/hostapd.sh index b477cd7..622eeac 100644 --- a/package/hostapd/files/hostapd.sh +++ b/package/hostapd/files/hostapd.sh @@ -106,6 +106,13 @@ hostapd_set_bss_options() { append "$var" "ssid=$ssid" "$N" [ -n "$bridge" ] && append "$var" "bridge=$bridge" "$N" [ -n "$ieee80211d" ] && append "$var" "ieee80211d=$ieee80211d" "$N" + + [ "$wpa" -ge "2" ] && config_get ieee80211w "$vif" ieee80211w + case "$ieee80211w" in + [012]) + append "$var" "ieee80211w=$ieee80211w" "$N" + ;; + esac } hostapd_setup_vif() { -- 1.6.4.4
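Review bot: The Makefile hunk makes CONFIG_IEEE80211W in DRIVER_MAKEOPTS depend on CONFIG_PACKAGE_kmod-ath9k, while patch 2/4 sets CONFIG_IEEE80211W=y unconditionally in wpa_supplicant-full.config, so the same feature has two different build conditions and it is not clear from the visible lines which one applies to the full supplicant build. Use one rule for both and state it in the commit message; a short comment next to the new line would also help, since reusing the ath9k package symbol has to be revisited by hand once another driver gains MFP support.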
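Review bot: In the hostapd_set_bss_options() hunk, [ "$wpa" -ge "2" ] && config_get ... guards only the read, not the case that follows it. When $wpa is below 2 the case still runs on whatever ieee80211w already holds, and when $wpa is empty or non-numeric the test itself fails with an error. Clear ieee80211w first (or move the case inside the wpa check), default the test with ${wpa:-0}, and warn when a value other than 0, 1 or 2 is dropped, so that a mistyped "required" setting does not silently result in no ieee80211w line at all.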
From 5039471d3231457e5b257e5f24661c4bde72f9ce Mon Sep 17 00:00:00 2001 From: Stijn Tintel <st...@linux-ipv6.be> Date: Mon, 1 Mar 2010 19:59:06 +0100 Subject: [PATCH 4/4] hostapd: make 802.11w related options configurable When enabling MFP, hostapd will read assoc_sa_query_max_timeout and assoc_sa_query_retry_timeout from its config file. Make these options configurable in /etc/config/wireless. To make it clear that these options are 802.11w related, I named them ieee80211w_max_timeout and ieee80211w_retry_timeout instead. Signed-off-by: Stijn Tintel <st...@linux-ipv6.be> --- package/hostapd/files/hostapd.sh | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/package/hostapd/files/hostapd.sh b/package/hostapd/files/hostapd.sh index 622eeac..2295b43 100644 --- a/package/hostapd/files/hostapd.sh +++ b/package/hostapd/files/hostapd.sh @@ -111,6 +111,14 @@ hostapd_set_bss_options() { case "$ieee80211w" in [012]) append "$var" "ieee80211w=$ieee80211w" "$N" + [ "$ieee80211w" -gt "0" ] && { + config_get ieee80211w_max_timeout "$vif" ieee80211w_max_timeout + config_get ieee80211w_retry_timeout "$vif" ieee80211w_retry_timeout + [ -n "$ieee80211w_max_timeout" ] && \ + append "$var" "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N" + [ -n "$ieee80211w_retry_timeout" ] && \ + append "$var" "assoc_sa_query_retry_timeout=$ieee80211w_retry_timeout" "$N" + } ;; esac } -- 1.6.4.4
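Review bot: Inside the [ "$ieee80211w" -gt "0" ] && { ... } block, ieee80211w_max_timeout and ieee80211w_retry_timeout are appended to the hostapd config with only a non-empty check, so a non-numeric value is passed straight through. Validate both as positive integers before the two append lines, and document the unit hostapd expects for assoc_sa_query_max_timeout and assoc_sa_query_retry_timeout alongside the new option names, since the UCI names no longer match the hostapd names a user would look up.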
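In the RSN element layout, the capabilities field is followed by an optional PMKID count and list and then by the group management cipher suite that 802.11w adds, which is where the six bytes shown as "bogus tail data" in the scan output of the cover letter sit. The parser below is an added example, not part of the original mail, of iw or of hostapd; the element body is constructed here to match the quoted scan output, and the function and table names are illustrative.

```python
import struct

OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP", 6: "BIP (AES-128-CMAC)"}
AKMS = {1: "802.1X", 2: "PSK"}

# Constructed RSN element body matching the quoted scan output, ending in the
# six bytes iw printed as "bogus tail data": 00 00 00 0f ac 06.
RSN_BODY = (
    struct.pack("<H", 1) + OUI + b"\x02"                    # version, group TKIP
    + struct.pack("<H", 2) + OUI + b"\x04" + OUI + b"\x02"  # pairwise CCMP, TKIP
    + struct.pack("<H", 1) + OUI + b"\x02"                  # AKM PSK
    + struct.pack("<H", 0x008C)                             # capabilities
    + bytes.fromhex("0000000fac06")                         # the tail
)


def parse_rsn(body):
    """Decode an RSN element body, including the optional trailing fields."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def u16():
        return struct.unpack("<H", take(2))[0]

    def suite(names):
        raw = take(4)
        return names.get(raw[3], raw.hex()) if raw[:3] == OUI else raw.hex()

    out = {"version": u16(), "group": suite(CIPHERS)}
    out["pairwise"] = [suite(CIPHERS) for _ in range(u16())]
    out["akm"] = [suite(AKMS) for _ in range(u16())]
    caps = u16()
    out["mfp_required"] = bool(caps & 0x0040)   # MFPR, bit 6
    out["mfp_capable"] = bool(caps & 0x0080)    # MFPC, bit 7
    out["ptksa_replay_counters"] = (1, 2, 4, 16)[(caps >> 2) & 0x3]
    if pos < len(body):                         # optional PMKID count + list
        out["pmkids"] = [take(16).hex() for _ in range(u16())]
    if pos < len(body):                         # optional, added by 802.11w
        out["group_mgmt"] = suite(CIPHERS)
    out["leftover"] = body[pos:].hex()
    return out


if __name__ == "__main__":
    print(parse_rsn(RSN_BODY))
```

For this body the six trailing bytes decode as a PMKID count of zero followed by suite 00-0f-ac:6, with nothing left over.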