openwrt/package/network/services
Rany Hany 65a1c666f2 hostapd: add SAE support for wifi-station and optimize PSK file creation
Regarding SAE support in wifi-station:

Important Note: Unlike PSK wifi-stations, both `mac` and `key` options are required
to make it work. With PSK, hostapd used to perform a brute-force match to find which
PSK entry to use, but with SAE this is infeasible due to SAE's design.

When `mac` is omitted, it will allow any MAC address to use the SAE password if it
didn't have a MAC address assigned to it, but this could only be done once.
The last wildcard entry would be used.

Also, unlike "hostapd: add support for SAE in PPSK option" (commit 913368a),
it is not required to set `sae_pwe` to `0`. This gives it a slight advantage
over using PPSK that goes beyond not needing RADIUS.

Example Configuration:

```
config wifi-vlan
        option iface default_radio0
        option name 999
        option vid 999
        option network management

config wifi-station
        # Allow user with MAC address 00:11:22:33:44:55 and matching
        # key "secretadminpass" to access the management network.
        option iface default_radio0
        option vid 999
        option mac '00:11:22:33:44:55'
        option key secretadminpass

config wifi-vlan
        option iface default_radio0
        option name 100
        option vid 100
        option network guest

config wifi-station
        # With SAE, when 'mac' is omitted it will be the fallback in case no
        # other MAC address matches. It won't be possible for a user that
        # has a matching MAC to use this network (i.e., 00:11:22:33:44:55
        # in this example).
        option iface default_radio0
        option vid 100
        option key guestpass
```

Regarding PSK file creation optimization:

This patch now conditionally runs `hostapd_set_psk_file` depending on `auth_type`.
Previously, `hostapd_set_psk` would always execute `hostapd_set_psk_file`, which
would create a new file if `wifi-station` was in use even if PSK was not enabled.
This change checks the `auth_type` to ensure that it is appropriate to parse the
`wifi-station` entries and create those files.

Furthermore, we now only configure `wpa_psk_file` when it is a supported option
(i.e., psk or psk-sae is used). Previously, we used to configure it when it was
not necessary. While it didn't cause any issues, it would litter `/var/run` with
unnecessary files. This patch fixes that case by configuring it depending on the
`auth_type`.

The new SAE support is aligned with these PSK file changes.

Signed-off-by: Rany Hany <rany_hany@riseup.net>

Link: https://github.com/openwrt/openwrt/pull/17145
Signed-off-by: John Crispin <john@phrozen.org>
2024-12-12 09:46:38 +01:00
bridger bridger: update to Git HEAD (2024-04-22) 2024-04-22 11:02:52 +02:00
dnsmasq dnsmasq: gate configdir usage behind absolute path check 2024-10-20 21:56:16 +02:00
dropbear dropbear: bump to 2024.86 2024-11-24 20:08:12 +01:00
ead ead: fix resource leak in tinysrp 2020-01-05 19:36:46 +01:00
hostapd hostapd: add SAE support for wifi-station and optimize PSK file creation 2024-12-12 09:46:38 +01:00
ipset-dns treewide: update PKG_MIRROR_HASH to zst 2024-04-06 11:24:18 +02:00
lldpd lldpd: fix reload bug: advertisements shall default to on 2024-04-27 12:11:27 +02:00
odhcpd odhcpd: update to Git HEAD (2024-05-08) 2024-05-08 00:11:19 +02:00
omcproxy treewide: update PKG_MIRROR_HASH to zst 2024-04-06 11:24:18 +02:00
ppp ppp: remove more unnecessary kernel checks 2024-11-16 14:26:47 +01:00
relayd treewide: update PKG_MIRROR_HASH to zst 2024-04-06 11:24:18 +02:00
uhttpd uhttpd: restart daemon if certificate has changed 2024-08-19 18:46:08 +02:00
umdns umdns: update to latest HEAD 2024-12-11 15:41:21 +01:00
unetd treewide: update PKG_MIRROR_HASH to zst 2024-04-06 11:24:18 +02:00
ustp ustp: update to Git HEAD (2023-05-29) 2024-04-27 11:40:04 +02:00