[openwrt/openwrt] hostapd: fix 11r defaults when using WPA

Wed Mar 6 05:05:29 PST 2024

jow pushed a commit to openwrt/openwrt.git, branch openwrt-23.05:
https://git.openwrt.org/503f78f91cddd4ba77731b5fc872b23455d45264

commit 503f78f91cddd4ba77731b5fc872b23455d45264
Author: Jesus Fernandez Manzano <jesus.manzano at galgus.ai>
AuthorDate: Mon Jan 22 13:46:14 2024 +0100

    hostapd: fix 11r defaults when using WPA
    
    802.11r can not be used when selecting WPA. It needs at least WPA2.
    
    This is because 802.11r advertises FT support in-part through the
    Authentication and Key Management (AKM) suites in the Robust
    Security Network (RSN) Information Element, which was included in
    the 802.11i amendment and WPA2 certification program.
    
    Pre-standard WPA did not include the RSN IE, but the WPA IE.
    This IE can not advertise the AKM suite for FT.
    
    Signed-off-by: Jesus Fernandez Manzano <jesus.manzano at galgus.ai>
    (cherry picked from commit cdc4c551755115e0e1047a0c90a658e6238e96ee)
---
 package/network/services/hostapd/files/hostapd.sh | 28 +++++++++++------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 73bd1bbeeb..8e0cf4f091 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -43,7 +43,7 @@ hostapd_append_wpa_key_mgmt() {
 	case "$auth_type" in
 		psk|eap)
 			append wpa_key_mgmt "WPA-$auth_type_l"
-			[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
+			[ "${wpa:-2}" -ge 2 ] && [ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
 			[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256"
 		;;
 		eap192)
@@ -897,10 +897,21 @@ hostapd_set_bss_options() {
 		}
 	fi
 
+	json_get_vars ieee80211r
+	set_default ieee80211r 0
 	if [ "$wpa" -ge "1" ]; then
-		json_get_vars ieee80211r
-		set_default ieee80211r 0
+		if [ "$fils" -gt 0 ]; then
+			json_get_vars fils_realm
+			set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
+		fi
+
+		append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
+
+		hostapd_append_wpa_key_mgmt
+		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
+	fi
 
+	if [ "$wpa" -ge "2" ]; then
 		if [ "$ieee80211r" -gt "0" ]; then
 			json_get_vars mobility_domain ft_psk_generate_local ft_over_ds reassociation_deadline
 
@@ -950,18 +961,7 @@ hostapd_set_bss_options() {
 				done
 			fi
 		fi
-		if [ "$fils" -gt 0 ]; then
-			json_get_vars fils_realm
-			set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
-		fi
-
-		append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
 
-		hostapd_append_wpa_key_mgmt
-		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
-	fi
-
-	if [ "$wpa" -ge "2" ]; then
 		if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
 			set_default auth_cache 1
 			append bss_conf "rsn_preauth=1" "$N"


