openwrt/package/network/config
Rany Hany 65a1c666f2 hostapd: add SAE support for wifi-station and optimize PSK file creation
Regarding SAE support in wifi-station:

Important Note: Unlike PSK wifi-stations, both `mac` and `key` options are required
to make it work. With PSK, hostapd used to perform a brute-force match to find which
PSK entry to use, but with SAE this is infeasible due to SAE's design.

When `mac` is omitted, it will allow any MAC address to use the SAE password if it
didn't have a MAC address assigned to it, but this could only be done once.
The last wildcard entry would be used.

Also, unlike "hostapd: add support for SAE in PPSK option" (commit 913368a),
it is not required to set `sae_pwe` to `0`. This gives it a slight advantage
over using PPSK that goes beyond not needing RADIUS.

Example Configuration:

```
config wifi-vlan
        option iface default_radio0
        option name 999
        option vid 999
        option network management

config wifi-station
        # Allow user with MAC address 00:11:22:33:44:55 and matching
        # key "secretadminpass" to access the management network.
        option iface default_radio0
        option vid 999
        option mac '00:11:22:33:44:55'
        option key secretadminpass

config wifi-vlan
        option iface default_radio0
        option name 100
        option vid 100
        option network guest

config wifi-station
        # With SAE, when 'mac' is omitted it will be the fallback in case no
        # other MAC address matches. It won't be possible for a user that
        # has a matching MAC to use this network (i.e., 00:11:22:33:44:55
        # in this example).
        option iface default_radio0
        option vid 100
        option key guestpass
```

Regarding PSK file creation optimization:

This patch now conditionally runs `hostapd_set_psk_file` depending on `auth_type`.
Previously, `hostapd_set_psk` would always execute `hostapd_set_psk_file`, which
would create a new file if `wifi-station` was in use even if PSK was not enabled.
This change checks the `auth_type` to ensure that it is appropriate to parse the
`wifi-station` entries and create those files.

Furthermore, we now only configure `wpa_psk_file` when it is a supported option
(i.e., psk or psk-sae is used). Previously, we used to configure it when it was
not necessary. While it didn't cause any issues, it would litter `/var/run` with
unnecessary files. This patch fixes that case by configuring it depending on the
`auth_type`.

The new SAE support is aligned with these PSK file changes.

Signed-off-by: Rany Hany <rany_hany@riseup.net>

Link: https://github.com/openwrt/openwrt/pull/17145
Signed-off-by: John Crispin <john@phrozen.org>
2024-12-12 09:46:38 +01:00
| Name | Last commit | Date |
|---|---|---|
| firewall | firewall: update to Git HEAD (2024-10-18) | 2024-10-18 08:03:34 +02:00 |
| firewall4 | firewall4: update to Git HEAD (2024-05-21) | 2024-05-21 08:59:13 +02:00 |
| gre | gre: use alternative way to check if kernel support is enabled | 2021-03-13 20:58:55 +01:00 |
| ipip | ipip: add 'nohostroute' option | 2022-01-19 20:57:59 +01:00 |
| ltq-adsl-app | ltq-adsl-app: add dsl_cpe_pipe.sh script | 2024-10-21 01:04:05 +02:00 |
| ltq-vdsl-vr9-app | ltq-vdsl-vr9-app: always disconnect on exit | 2024-08-31 19:40:21 +02:00 |
| ltq-vdsl-vr11-app | ltq-vdsl-vr11-app: perform orderly shutdown on exit | 2024-08-31 19:40:21 +02:00 |
| netifd | netifd: check if /sbin/wifi exists before calling it | 2024-11-30 19:23:29 +01:00 |
| qos-scripts | treewide: replace AUTORELEASE with real PKG_RELEASE | 2023-05-18 11:35:29 +02:00 |
| qosify | qosify: update to Git HEAD (2024-09-20) | 2024-09-20 23:17:43 +02:00 |
| soloscli | soloscli: fix uci-defaults file | 2020-06-11 01:49:24 +02:00 |
| swconfig | swconfig: fix memory leak when cli call swlib_get_attr() | 2023-06-11 02:42:31 +02:00 |
| vti | vti: squash vtiv4 and vtiv6 packages into vti | 2021-11-03 20:34:43 +01:00 |
| vxlan | vxlan: allow for dynamic source ip selection (FS#3426) | 2020-12-31 11:53:21 +01:00 |
| wifi-scripts | hostapd: add SAE support for wifi-station and optimize PSK file creation | 2024-12-12 09:46:38 +01:00 |
| xfrm | xfrm: remove requirement for underlying device | 2024-08-19 18:49:49 +02:00 |