Re: [OpenWrt-Devel] [PATCH] hostapd: enable PMKSA and OK caching for WPA3-Personal

2019-10-30 Thread David Bauer
Hello Hauke,

On 10/30/19 8:47 PM, Hauke Mehrtens wrote:
> Do you know which, PMKSA or OKC, is needed for the iPhone?

PMKSA caching is the one required to work with the iPhone (however OKC should 
not be harmful).

> 
> I do not understand why the iPhone only works when one of these options
> is set, you should probably ask on the hostapd mailing list for help,
> this could be also a bug in hostapd.

This is due to the fact that Apple sends the PMKID in the first association
request (before the EAPOL handshake).

In case PMKID caching is disabled, the association is rejected at this point.

OpenWrt / Android clients (probably all wpa_supplicant-based clients without
sae_pmkid_in_assoc enabled) will send an empty PMKID list, thus not triggering
the issue.

As the PMKID in association seems not to be against the spec, we either have to

a) ignore the PMKID list in the association request
b) enable caching for WPA3-personal / OWE

(I'm not an expert in this field, so feel free to point out wrong assumptions here)

Best wishes
David

> 
>> ---
>>  package/network/services/hostapd/files/hostapd.sh | 9 -
>>  1 file changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/package/network/services/hostapd/files/hostapd.sh 
>> b/package/network/services/hostapd/files/hostapd.sh
>> index 8da8539e8a..fdbce815df 100644
>> --- a/package/network/services/hostapd/files/hostapd.sh
>> +++ b/package/network/services/hostapd/files/hostapd.sh
>> @@ -540,7 +540,14 @@ hostapd_set_bss_options() {
>>  append bss_conf "rsn_preauth=1" "$N"
>>  append bss_conf 
>> "rsn_preauth_interfaces=$network_bridge" "$N"
>>  else
>> -set_default auth_cache 0
>> +case "$auth_type" in
>> +sae|psk-sae|owe)
>> +set_default auth_cache 1
>> +;;
>> +*)
>> +set_default auth_cache 0
>> +;;
>> +esac
>>  fi
>>  
>>  append bss_conf "okc=$auth_cache" "$N"
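Review bot: because `set_default auth_cache 1` only takes effect when `auth_cache` is still unset, a uci config that already carries `option auth_cache '0'` on an SAE or OWE BSS keeps caching off and will still hit the association rejection described in this reply; the commit message should say that the change is an overridable default, not a forced setting, so that people debugging the iPhone case know to check their existing `auth_cache` option first.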
>>
> 
> 

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
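The association behaviour David describes above (a PMKID carried in the RSN IE of the association request, refused when the AP holds no matching PMKSA, versus the empty PMKID list that wpa_supplicant sends without sae_pmkid_in_assoc), as an added example that is not part of this thread and not hostapd or wpa_supplicant code. The RSN IE encoding follows IEEE 802.11 (element ID 48, status code 53 = Invalid PMKID); the AP-side decision is a simplified model of the behaviour the thread describes, not hostapd's own validation routine, and the PMKID value and the two client profiles are constructed for the demo.

```python
"""Model of the SAE association step discussed in this thread.

Added example, not code from the thread, hostapd or wpa_supplicant.  The RSN
IE layout is the IEEE 802.11 one; ap_assoc_decision() is a simplified model
of the described behaviour, not a copy of hostapd's validation code.
"""
import struct

RSN_EID = 48
SUITE_OUI = b"\x00\x0f\xac"           # 00-0F-AC, the IEEE 802.11 RSN OUI
CIPHER_CCMP = 4                       # 00-0F-AC:4
AKM_PSK, AKM_SAE, AKM_OWE = 2, 8, 18  # 00-0F-AC:2 / :8 / :18
RSN_CAP_MFPR, RSN_CAP_MFPC = 0x0040, 0x0080
STATUS_SUCCESS, STATUS_INVALID_PMKID = 0, 53

# Constructed PMKID for the demo (a real one is derived from the PMK).
PMKID_A = bytes(range(16))


def build_rsn_ie(akm, pmkids=()):
    """Build an RSN IE with CCMP, one AKM and a PMKID list.

    An empty `pmkids` still emits a PMKID count of 0: the "empty PMKID list"
    a wpa_supplicant client sends without sae_pmkid_in_assoc.
    """
    caps = RSN_CAP_MFPR | RSN_CAP_MFPC if akm in (AKM_SAE, AKM_OWE) else 0
    body = struct.pack("<H", 1)                                      # version
    body += SUITE_OUI + bytes([CIPHER_CCMP])                         # group cipher
    body += struct.pack("<H", 1) + SUITE_OUI + bytes([CIPHER_CCMP])  # pairwise list
    body += struct.pack("<H", 1) + SUITE_OUI + bytes([akm])          # AKM list
    body += struct.pack("<H", caps)                                  # RSN capabilities
    body += struct.pack("<H", len(pmkids)) + b"".join(pmkids)        # PMKID list
    if len(body) > 255:
        raise ValueError("RSN IE body too long")
    return bytes([RSN_EID, len(body)]) + body


def parse_rsn_ie(ie):
    """Parse an RSN IE into suite types, capabilities and PMKIDs.

    Length checks are strict: on the AP this is client-controlled input and a
    count field must never be trusted past the IE length.
    """
    if len(ie) < 2 or ie[0] != RSN_EID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN IE")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    def u16():
        return struct.unpack("<H", take(2))[0]

    if u16() != 1:
        raise ValueError("unsupported RSN version")
    take(4)                                              # group cipher suite
    pairwise = [take(4) for _ in range(u16())]
    akms = [take(4) for _ in range(u16())]
    # Everything after the AKM list is optional; the IE may end here.
    caps = u16() if pos < len(body) else 0
    pmkids = [take(16) for _ in range(u16())] if pos < len(body) else []
    return {
        "pairwise": [s[3] for s in pairwise if s[:3] == SUITE_OUI],
        "akms": [s[3] for s in akms if s[:3] == SUITE_OUI],
        "caps": caps,
        "pmkids": pmkids,
    }


def ap_assoc_decision(rsn_ie, pmksa_cache):
    """Model the AP handling the RSN IE of an (Re)Association Request.

    `pmksa_cache` is the set of PMKIDs the AP holds; an AP with PMKSA caching
    disabled keeps none, so pass an empty set for it.  Returns (status, step).
    """
    info = parse_rsn_ie(rsn_ie)
    if AKM_SAE not in info["akms"]:
        return STATUS_SUCCESS, "4way_handshake"          # PSK: the PMK is the PSK
    if not info["pmkids"]:
        return STATUS_SUCCESS, "4way_handshake"          # fresh SAE result is used
    if any(p in pmksa_cache for p in info["pmkids"]):
        return STATUS_SUCCESS, "4way_handshake_cached_pmk"
    # Client asserted a PMKID the AP cannot match: association refused.  This
    # is the iPhone failure mode from the thread when caching is off.
    return STATUS_INVALID_PMKID, "reject"


def demo():
    """Run both client behaviours against both AP configurations."""
    iphone_style = build_rsn_ie(AKM_SAE, [PMKID_A])     # PMKID in assoc request
    wpas_style = build_rsn_ie(AKM_SAE)                   # empty PMKID list
    caching_off, caching_on = set(), {PMKID_A}
    return {
        "iphone/caching_off": ap_assoc_decision(iphone_style, caching_off),
        "iphone/caching_on": ap_assoc_decision(iphone_style, caching_on),
        "wpa_supplicant/caching_off": ap_assoc_decision(wpas_style, caching_off),
        "wpa_supplicant/caching_on": ap_assoc_decision(wpas_style, caching_on),
    }


if __name__ == "__main__":
    for case, (status, step) in demo().items():
        print(f"{case:28s} status={status:2d} -> {step}")
```

Running the module prints the four combinations; only the iPhone-style request against an AP without a PMKSA entry ends in status 53, which matches the observation in the thread that enabling caching on the AP side (or the client sending no PMKID) is what makes the association succeed.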


Re: [OpenWrt-Devel] [PATCH] hostapd: enable PMKSA and OK caching for WPA3-Personal

2019-10-30 Thread Hauke Mehrtens
On 10/29/19 11:42 PM, David Bauer wrote:
> This enables PMKSA and opportunistic key caching by default for
> WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
> Otherwise, Apple devices won't connect to the WPA3 network.
> 
> This should not degrade security, as there's no external authentication
> provider.
> 
> Tested with OCEDO Koala and iPhone 7 (iOS 13.1).
> 
> Signed-off-by: David Bauer 

Do you know which, PMKSA or OKC, is needed for the iPhone?

I do not understand why the iPhone only works when one of these options
is set, you should probably ask on the hostapd mailing list for help,
this could be also a bug in hostapd.

> ---
>  package/network/services/hostapd/files/hostapd.sh | 9 -
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/package/network/services/hostapd/files/hostapd.sh 
> b/package/network/services/hostapd/files/hostapd.sh
> index 8da8539e8a..fdbce815df 100644
> --- a/package/network/services/hostapd/files/hostapd.sh
> +++ b/package/network/services/hostapd/files/hostapd.sh
> @@ -540,7 +540,14 @@ hostapd_set_bss_options() {
>   append bss_conf "rsn_preauth=1" "$N"
>   append bss_conf 
> "rsn_preauth_interfaces=$network_bridge" "$N"
>   else
> - set_default auth_cache 0
> + case "$auth_type" in
> + sae|psk-sae|owe)
> + set_default auth_cache 1
> + ;;
> + *)
> + set_default auth_cache 0
> + ;;
> + esac
>   fi
>  
>   append bss_conf "okc=$auth_cache" "$N"
> 




[OpenWrt-Devel] [PATCH] hostapd: enable PMKSA and OK caching for WPA3-Personal

2019-10-29 Thread David Bauer
This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.

This should not degrade security, as there's no external authentication
provider.

Tested with OCEDO Koala and iPhone 7 (iOS 13.1).

Signed-off-by: David Bauer 
---
 package/network/services/hostapd/files/hostapd.sh | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh 
b/package/network/services/hostapd/files/hostapd.sh
index 8da8539e8a..fdbce815df 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -540,7 +540,14 @@ hostapd_set_bss_options() {
append bss_conf "rsn_preauth=1" "$N"
append bss_conf 
"rsn_preauth_interfaces=$network_bridge" "$N"
else
-   set_default auth_cache 0
+   case "$auth_type" in
+   sae|psk-sae|owe)
+   set_default auth_cache 1
+   ;;
+   *)
+   set_default auth_cache 0
+   ;;
+   esac
fi
 
append bss_conf "okc=$auth_cache" "$N"
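Review bot: the commit message says this enables PMKSA caching and opportunistic key caching, but within the hunk `auth_cache` only feeds `append bss_conf "okc=$auth_cache" "$N"`; nothing visible here touches the PMKSA-caching setting, and the reply in this thread names PMKSA caching, not OKC, as the part the iPhone actually needs. Either confirm that `auth_cache` also drives the PMKSA-caching option elsewhere in hostapd_set_bss_options() and mention that in the message, or adjust the message to what the hunk changes. A one-line comment above the new `case "$auth_type" in` explaining why `sae|psk-sae|owe` default to 1 (PMKID sent in the association request by some clients) would also save the next reader a trip to the list archive.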
-- 
2.23.0

