From c23f774936ce4ac1c3c7584a65c20c6a63db7069 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=81LI=20G=C3=A1bor=20J=C3=A1nos?= Date: Tue, 19 Mar 2024 11:16:34 +0100 Subject: wpa_supplicant: add support for pregenerated MAC References: - https://w1.fi/cgit/hostap/patch/?id=9025def55cfdcdfa43cfb8712cd4befbf9fb4534 Hinted by: Anton Saietskii --- .../0003-Add-support-for-pregenerated-MAC.patch | 244 +++++++++++++++++++++ aports/wpa_supplicant/APKBUILD | 4 +- .../wpa_supplicant/wpa_supplicant.conf.sample | 15 ++ 3 files changed, 262 insertions(+), 1 deletion(-) create mode 100644 aports/wpa_supplicant/0003-Add-support-for-pregenerated-MAC.patch diff --git a/aports/wpa_supplicant/0003-Add-support-for-pregenerated-MAC.patch b/aports/wpa_supplicant/0003-Add-support-for-pregenerated-MAC.patch new file mode 100644 index 0000000..041999a --- /dev/null +++ b/aports/wpa_supplicant/0003-Add-support-for-pregenerated-MAC.patch @@ -0,0 +1,244 @@ +From 9025def55cfdcdfa43cfb8712cd4befbf9fb4534 Mon Sep 17 00:00:00 2001 +From: Andrzej Ostruszka +Date: Wed, 10 Nov 2021 19:16:35 +0000 +Subject: wpa_supplicant: Add support for pregenerated MAC + +Add new 'mac_addr' policy (3) with which supplicant expects to also +obtain 'mac_value' with pregenerated value of MAC address to be used for +given SSID. + +The main difference between this policy and policy 1 is the ability to +control persistence of the MAC address used. For example if there is +a requirement to always use the same (but random) MAC address for given +SSID (even if user removes/forgets the network) this could be handled +outside of the wpa_supplicant by using some SSID based hashing scheme to +generate MAC (or by just storing the randomly generated one) and +providing it to wpa_supplicant together with mac_addr=3 policy. + +Signed-off-by: Andrzej Ostruszka +--- + wpa_supplicant/config.c | 47 ++++++++++++++++++++++++++++++++- + wpa_supplicant/config_ssid.h | 9 +++++++ + wpa_supplicant/dbus/dbus_new_handlers.c | 22 ++++++++++++++- + wpa_supplicant/wpa_supplicant.c | 18 ++++++++++--- + wpa_supplicant/wpa_supplicant_i.h | 3 ++- + 5 files changed, 93 insertions(+), 6 deletions(-) + +diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c +index 2754ad833..a2e21431c 100644 +--- a/wpa_supplicant/config.c ++++ b/wpa_supplicant/config.c +@@ -2345,6 +2345,50 @@ static char * wpa_config_write_peerkey(const struct parse_data *data, + #endif /* NO_CONFIG_WRITE */ + + ++static int wpa_config_parse_mac_value(const struct parse_data *data, ++ struct wpa_ssid *ssid, int line, ++ const char *value) ++{ ++ u8 mac_value[ETH_ALEN]; ++ ++ if (hwaddr_aton(value, mac_value) == 0) { ++ if (os_memcmp(mac_value, ssid->mac_value, ETH_ALEN) == 0) ++ return 1; ++ os_memcpy(ssid->mac_value, mac_value, ETH_ALEN); ++ return 0; ++ } ++ ++ wpa_printf(MSG_ERROR, "Line %d: Invalid MAC address '%s'", ++ line, value); ++ return -1; ++} ++ ++ ++#ifndef NO_CONFIG_WRITE ++static char * wpa_config_write_mac_value(const struct parse_data *data, ++ struct wpa_ssid *ssid) ++{ ++ const size_t size = 3 * ETH_ALEN; ++ char *value; ++ int res; ++ ++ if (ssid->mac_addr != 3) ++ return NULL; ++ ++ value = os_malloc(size); ++ if (!value) ++ return NULL; ++ res = os_snprintf(value, size, MACSTR, MAC2STR(ssid->mac_value)); ++ if (os_snprintf_error(size, res)) { ++ os_free(value); ++ return NULL; ++ } ++ value[size - 1] = '\0'; ++ return value; ++} ++#endif /* NO_CONFIG_WRITE */ ++ ++ + /* Helper macros for network block parser */ + + #ifdef OFFSET +@@ -2643,7 +2687,8 @@ static const struct parse_data ssid_fields[] = { + { INT(update_identifier) }, + { STR_RANGE(roaming_consortium_selection, 0, MAX_ROAMING_CONS_OI_LEN) }, + #endif /* CONFIG_HS20 */ +- { INT_RANGE(mac_addr, 0, 2) }, ++ { INT_RANGE(mac_addr, 0, 3) }, ++ { FUNC_KEY(mac_value) }, + { INT_RANGE(pbss, 0, 2) }, + { INT_RANGE(wps_disabled, 0, 1) }, + { INT_RANGE(fils_dh_group, 0, 65535) }, +diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h +index c77ffa11a..7bf208237 100644 +--- a/wpa_supplicant/config_ssid.h ++++ b/wpa_supplicant/config_ssid.h +@@ -974,6 +974,7 @@ struct wpa_ssid { + * 0 = use permanent MAC address + * 1 = use random MAC address for each ESS connection + * 2 = like 1, but maintain OUI (with local admin bit set) ++ * 3 = use dedicated/pregenerated MAC address (see mac_value) + * + * Internally, special value -1 is used to indicate that the parameter + * was not specified in the configuration (i.e., default behavior is +@@ -981,6 +982,14 @@ struct wpa_ssid { + */ + int mac_addr; + ++ /** ++ * mac_value - Specific MAC address to be used ++ * ++ * When mac_addr policy is equal to 3 this is the value of the MAC ++ * address that should be used. ++ */ ++ u8 mac_value[ETH_ALEN]; ++ + /** + * no_auto_peer - Do not automatically peer with compatible mesh peers + * +diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c +index f99aafa4d..b45ab4022 100644 +--- a/wpa_supplicant/dbus/dbus_new_handlers.c ++++ b/wpa_supplicant/dbus/dbus_new_handlers.c +@@ -152,7 +152,7 @@ static const char * const dont_quote[] = { + #ifdef CONFIG_INTERWORKING + "roaming_consortium", "required_roaming_consortium", + #endif /* CONFIG_INTERWORKING */ +- NULL ++ "mac_value", NULL + }; + + static dbus_bool_t should_quote_opt(const char *key) +@@ -206,6 +206,8 @@ dbus_bool_t set_network_properties(struct wpa_supplicant *wpa_s, + struct wpa_dbus_dict_entry entry = { .type = DBUS_TYPE_STRING }; + DBusMessageIter iter_dict; + char *value = NULL; ++ bool mac_addr3_set = false; ++ bool mac_value_set = false; + + if (!wpa_dbus_dict_open_read(iter, &iter_dict, error)) + return FALSE; +@@ -315,12 +317,30 @@ dbus_bool_t set_network_properties(struct wpa_supplicant *wpa_s, + else if (os_strcmp(entry.key, "priority") == 0) + wpa_config_update_prio_list(wpa_s->conf); + ++ /* ++ * MAC address policy "3" needs to come with mac_value in ++ * the message so make sure that it is present (checked after ++ * the loop - here we just note what has been supplied). ++ */ ++ if (os_strcmp(entry.key, "mac_addr") == 0 && ++ atoi(value) == 3) ++ mac_addr3_set = true; ++ if (os_strcmp(entry.key, "mac_value") == 0) ++ mac_value_set = true; ++ + skip_update: + os_free(value); + value = NULL; + wpa_dbus_dict_entry_clear(&entry); + } + ++ if (mac_addr3_set && !mac_value_set) { ++ wpa_printf(MSG_INFO, "dbus: Invalid mac_addr policy config"); ++ dbus_set_error_const(error, DBUS_ERROR_INVALID_ARGS, ++ "Invalid mac_addr policy config"); ++ return FALSE; ++ } ++ + return TRUE; + + error: +diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c +index 2739e93df..e29fcc2c3 100644 +--- a/wpa_supplicant/wpa_supplicant.c ++++ b/wpa_supplicant/wpa_supplicant.c +@@ -2222,13 +2222,16 @@ void wpas_connect_work_done(struct wpa_supplicant *wpa_s) + } + + +-int wpas_update_random_addr(struct wpa_supplicant *wpa_s, int style) ++int wpas_update_random_addr(struct wpa_supplicant *wpa_s, int style, ++ struct wpa_ssid *ssid) + { + struct os_reltime now; + u8 addr[ETH_ALEN]; + + os_get_reltime(&now); + if (wpa_s->last_mac_addr_style == style && ++ /* Pregenerated addresses do not expire */ ++ wpa_s->last_mac_addr_style != 3 && + wpa_s->last_mac_addr_change.sec != 0 && + !os_reltime_expired(&now, &wpa_s->last_mac_addr_change, + wpa_s->conf->rand_addr_lifetime)) { +@@ -2247,6 +2250,14 @@ int wpas_update_random_addr(struct wpa_supplicant *wpa_s, int style) + if (random_mac_addr_keep_oui(addr) < 0) + return -1; + break; ++ case 3: ++ if (!ssid) { ++ wpa_msg(wpa_s, MSG_INFO, ++ "Invalid 'ssid' for address policy 3"); ++ return -1; ++ } ++ os_memcpy(addr, ssid->mac_value, ETH_ALEN); ++ break; + default: + return -1; + } +@@ -2280,7 +2291,8 @@ int wpas_update_random_addr_disassoc(struct wpa_supplicant *wpa_s) + !wpa_s->conf->preassoc_mac_addr) + return 0; + +- return wpas_update_random_addr(wpa_s, wpa_s->conf->preassoc_mac_addr); ++ return wpas_update_random_addr(wpa_s, wpa_s->conf->preassoc_mac_addr, ++ NULL); + } + + +@@ -2417,7 +2429,7 @@ void wpa_supplicant_associate(struct wpa_supplicant *wpa_s, + #endif /* CONFIG_SAE */ + + if (rand_style > 0 && !wpa_s->reassoc_same_ess) { +- if (wpas_update_random_addr(wpa_s, rand_style) < 0) ++ if (wpas_update_random_addr(wpa_s, rand_style, ssid) < 0) + return; + wpa_sm_pmksa_cache_flush(wpa_s->wpa, ssid); + } else if (rand_style == 0 && wpa_s->mac_addr_changed) { +diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h +index 330b80f4d..c1ed21dcc 100644 +--- a/wpa_supplicant/wpa_supplicant_i.h ++++ b/wpa_supplicant/wpa_supplicant_i.h +@@ -1640,7 +1640,8 @@ int disallowed_ssid(struct wpa_supplicant *wpa_s, const u8 *ssid, + void wpas_request_connection(struct wpa_supplicant *wpa_s); + void wpas_request_disconnection(struct wpa_supplicant *wpa_s); + int wpas_build_ext_capab(struct wpa_supplicant *wpa_s, u8 *buf, size_t buflen); +-int wpas_update_random_addr(struct wpa_supplicant *wpa_s, int style); ++int wpas_update_random_addr(struct wpa_supplicant *wpa_s, int style, ++ struct wpa_ssid *ssid); + int wpas_update_random_addr_disassoc(struct wpa_supplicant *wpa_s); + void add_freq(int *freqs, int *num_freqs, int freq); + +-- +cgit v1.2.3-18-g5258 + diff --git a/aports/wpa_supplicant/APKBUILD b/aports/wpa_supplicant/APKBUILD index 58c5cce..4729316 100644 --- a/aports/wpa_supplicant/APKBUILD +++ b/aports/wpa_supplicant/APKBUILD @@ -2,7 +2,7 @@ pkgname=wpa_supplicant pkgver=2.10 -pkgrel=6 # base: 10 +pkgrel=7 # base: 10 pkgdesc="utility providing key negotiation for WPA wireless networks" url="https://w1.fi/wpa_supplicant/" arch="all" @@ -21,6 +21,7 @@ source="https://w1.fi/releases/wpa_supplicant-$pkgver.tar.gz 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch + 0003-Add-support-for-pregenerated-MAC.patch lower-security-level-for-tls-1.patch no-tools.patch @@ -92,6 +93,7 @@ c7e4041fe41743c5e63a07edc9234d0c44c4c0f193a180b27342b43f3be45fb87b42ee0f9e4a2061 a92ba3ed3f41022a8af9396d2b703ee47f78aa05c1fddb42919a7fe6a6fad71e3515c63457e97e252ae0a32c6c34d67ea6efe0278df1e141cf36e650237e5295 unsafe-renegotiation-2.patch fb328872087268056b035802f71df2f7af8d11699822fe68611201a07dc693c4fdb8c50dd4fd509ed6db4cca89f6003ce3303770951686a35633977f466f4fb5 0001-nl80211-add-extra-ies-only-if-allowed-by-driver.patch f8a5f5e18509b61ad6fb7ce78207c039fccfca6b71f494cbe9853bcb1b09025364554a45b6129a5b992f6327f72c8a97b660088d9c542f0e62a1c370a3c628a8 0002-AP-guard-FT-SAE-code-with-CONFIG_IEEE80211R_AP.patch +693d1a7917ff18a3692c1e530c20013bd18d08194c840e5dba8c6f80a7e7022e37f49b1b75dbc434a3176243c062f7719df0e1bcf1d786c8cf87e95e5cbf17c0 0003-Add-support-for-pregenerated-MAC.patch b1217eff6fbdba5a4c7302ea33bec64290d26745967b24e825c100de9b0e9b6400f0769c3cfac3c761596bb01079c31b632f14bd3374735200385f38557d8cad lower-security-level-for-tls-1.patch 3278eff7118f9dc9e177adc3ed91cad562a8edde396af8619321ac8552a86e9c7de25212d5578ea17cbe4b6dc928d83cd6e9a7f0d41e07576656e6e9274107d6 no-tools.patch 450563b68fd99740cfae49521439e876e67b94c50f5ea20a84a96411713e5b93fbe428284105d13e4616a3d10d5bb0e6a9d752be1a939fb342fa3ea935210c7c config diff --git a/etc/wpa_supplicant/wpa_supplicant/wpa_supplicant.conf.sample b/etc/wpa_supplicant/wpa_supplicant/wpa_supplicant.conf.sample index 7ff2639..bb1430d 100644 --- a/etc/wpa_supplicant/wpa_supplicant/wpa_supplicant.conf.sample +++ b/etc/wpa_supplicant/wpa_supplicant/wpa_supplicant.conf.sample @@ -2,6 +2,21 @@ # /usr/share/examples/etc/wpa_supplicant.conf or import an existing one # from the /etc directory. +# Wifibox/Alpine extensions: +# +# There is a new `mac_addr` policy, 3, which needs to be configured +# along with `mac_value` that holds the pregenerated value of MAC +# address to be used for given SSID. +# +# The main difference between this policy and policy 1 is the ability +# to control persistence of the MAC address used. For example, if +# there is a requirement to always use the same (but random) MAC +# address for given SSID (even if user removes/forgets the network) +# this could be handled outside of WPA Supplicant by using some +# SSID-based hashing scheme to generate MAC (or by just storing the +# randomly generated one) and providing it to WPA Supplicant together +# with the `mac_addr=3` policy setting. + # Mind that the `ctrl_interface` parameter, when in use, has to be # kept in sync with UDS pass-through definitions in uds_passthru.conf. # The default values are aligned with these settings below. -- cgit v1.2.3