From 13cbb92ad415680c9501b896cd858d3ec6de5074 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue, 20 Oct 2020 09:15:03 +0000
Subject: [PATCH] hostapd: Allow to make Management Frame Protection optional

WPA3 mandates MFP, but many clients do not support it at all.

Therefore this can now be set to optional and clients will
fall back to WPA2.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 doc/language_issues.de  |  3 +++
 doc/language_issues.en  |  3 +++
 doc/language_issues.es  |  3 +++
 doc/language_issues.fr  |  3 +++
 doc/language_issues.it  |  3 +++
 doc/language_issues.nl  |  3 +++
 doc/language_issues.pl  |  3 +++
 doc/language_issues.ru  |  3 +++
 doc/language_issues.tr  |  3 +++
 doc/language_missings   | 24 ++++++++++++++++++++++++
 html/cgi-bin/wlanap.cgi | 20 +++++++++++---------
 langs/en/cgi-bin/en.pl  |  3 +++
 12 files changed, 65 insertions(+), 9 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 6fcafc460..f3246cd18 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -888,3 +888,6 @@ WARNING: untranslated string: show tls-auth key = Show tls-auth key
 WARNING: untranslated string: smb daemon = SMB Daemon
 WARNING: untranslated string: user management = User Management
 WARNING: untranslated string: winbind daemon = Winbind Daemon
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
diff --git a/doc/language_issues.en b/doc/language_issues.en
index c0a618da6..9efb56a39 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -2138,6 +2138,9 @@ WARNING: untranslated string: wlan client wpa mode ccmp tkip = CCMP-TKIP
 WARNING: untranslated string: wlan client wpa mode tkip tkip = TKIP-TKIP
 WARNING: untranslated string: wlan clients = Wireless clients
 WARNING: untranslated string: wlanap = Access Point
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
 WARNING: untranslated string: wlanap auto = Automatic Channel Selection
 WARNING: untranslated string: wlanap broadcast ssid = Broadcast SSID
 WARNING: untranslated string: wlanap channel = Channel
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 689eeca7c..e01f5aa98 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1513,6 +1513,9 @@ WARNING: untranslated string: wlan client wpa mode ccmp tkip = CCMP-TKIP
 WARNING: untranslated string: wlan client wpa mode tkip tkip = TKIP-TKIP
 WARNING: untranslated string: wlan clients = Wireless clients
 WARNING: untranslated string: wlanap = Access Point
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
 WARNING: untranslated string: wlanap auto = Automatic Channel Selection
 WARNING: untranslated string: wlanap broadcast ssid = Broadcast SSID
 WARNING: untranslated string: wlanap client isolation = Client Isolation
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 632acf938..1f5654456 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -925,3 +925,6 @@ WARNING: untranslated string: samba server role standalone = Standalone
 WARNING: untranslated string: smb daemon = SMB Daemon
 WARNING: untranslated string: user management = User Management
 WARNING: untranslated string: winbind daemon = Winbind Daemon
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 99a7f3e8d..2f41213a8 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1191,6 +1191,9 @@ WARNING: untranslated string: wlan client password = Password
 WARNING: untranslated string: wlan client tls cipher = TLS Cipher
 WARNING: untranslated string: wlan client tls version = TLS Version
 WARNING: untranslated string: wlanap = Access Point
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
 WARNING: untranslated string: wlanap auto = Automatic Channel Selection
 WARNING: untranslated string: wlanap broadcast ssid = Broadcast SSID
 WARNING: untranslated string: wlanap client isolation = Client Isolation
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 2afa7b0f3..d486349bc 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1231,6 +1231,9 @@ WARNING: untranslated string: wlan client password = Password
 WARNING: untranslated string: wlan client tls cipher = TLS Cipher
 WARNING: untranslated string: wlan client tls version = TLS Version
 WARNING: untranslated string: wlanap = Access Point
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
 WARNING: untranslated string: wlanap auto = Automatic Channel Selection
 WARNING: untranslated string: wlanap broadcast ssid = Broadcast SSID
 WARNING: untranslated string: wlanap client isolation = Client Isolation
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 689eeca7c..e01f5aa98 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1513,6 +1513,9 @@ WARNING: untranslated string: wlan client wpa mode ccmp tkip = CCMP-TKIP
 WARNING: untranslated string: wlan client wpa mode tkip tkip = TKIP-TKIP
 WARNING: untranslated string: wlan clients = Wireless clients
 WARNING: untranslated string: wlanap = Access Point
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
 WARNING: untranslated string: wlanap auto = Automatic Channel Selection
 WARNING: untranslated string: wlanap broadcast ssid = Broadcast SSID
 WARNING: untranslated string: wlanap client isolation = Client Isolation
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index ac9715beb..cc2fe7489 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1508,6 +1508,9 @@ WARNING: untranslated string: wlan client wpa mode ccmp tkip = CCMP-TKIP
 WARNING: untranslated string: wlan client wpa mode tkip tkip = TKIP-TKIP
 WARNING: untranslated string: wlan clients = Wireless clients
 WARNING: untranslated string: wlanap = Access Point
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
 WARNING: untranslated string: wlanap auto = Automatic Channel Selection
 WARNING: untranslated string: wlanap broadcast ssid = Broadcast SSID
 WARNING: untranslated string: wlanap client isolation = Client Isolation
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 7613e2ff7..99ead4c4a 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1055,6 +1055,9 @@ WARNING: untranslated string: vpn wait = WAITING
 WARNING: untranslated string: vulnerability = Vulnerability
 WARNING: untranslated string: vulnerable = Vulnerable
 WARNING: untranslated string: winbind daemon = Winbind Daemon
+WARNING: untranslated string: wlanap 802.11w disabled = Disabled
+WARNING: untranslated string: wlanap 802.11w enforced = Enforced
+WARNING: untranslated string: wlanap 802.11w optional = Optional
 WARNING: untranslated string: wlanap auto = Automatic Channel Selection
 WARNING: untranslated string: wlanap broadcast ssid = Broadcast SSID
 WARNING: untranslated string: wlanap client isolation = Client Isolation
diff --git a/doc/language_missings b/doc/language_missings
index a1fcdc334..c519c5a6a 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -61,6 +61,9 @@
 < user management
 < vpn configuration main
 < winbind daemon
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 ############################################################################
 # Checking cgi-bin translations for language: es                           #
 ############################################################################
@@ -869,6 +872,9 @@
 < winbind daemon
 < wireless network
 < wlanap
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 < wlanap auto
 < wlanap broadcast ssid
 < wlanap client isolation
@@ -958,6 +964,9 @@
 < upload fcdsl.o
 < user management
 < winbind daemon
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 ############################################################################
 # Checking cgi-bin translations for language: it                           #
 ############################################################################
@@ -1287,6 +1296,9 @@
 < winbind daemon
 < wireless network
 < wlanap
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 < wlanap auto
 < wlanap broadcast ssid
 < wlanap client isolation
@@ -1710,6 +1722,9 @@
 < winbind daemon
 < wireless network
 < wlanap
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 < wlanap auto
 < wlanap broadcast ssid
 < wlanap client isolation
@@ -2541,6 +2556,9 @@
 < winbind daemon
 < wireless network
 < wlanap
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 < wlanap auto
 < wlanap broadcast ssid
 < wlanap client isolation
@@ -3410,6 +3428,9 @@
 < winbind daemon
 < wireless network
 < wlanap
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 < wlanap auto
 < wlanap broadcast ssid
 < wlanap client isolation
@@ -3630,6 +3651,9 @@
 < vulnerable
 < Weekly
 < winbind daemon
+< wlanap 802.11w disabled
+< wlanap 802.11w enforced
+< wlanap 802.11w optional
 < wlanap auto
 < wlanap broadcast ssid
 < wlanap client isolation
diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 29fdd1cd5..fd7e9a679 100644
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -258,9 +258,10 @@ $checked{'CLIENTISOLATION'}{'off'} = '';
 $checked{'CLIENTISOLATION'}{'on'} = '';
 $checked{'CLIENTISOLATION'}{$wlanapsettings{'CLIENTISOLATION'}} = "checked='checked'";
 
-$checked{'IEEE80211W'}{'off'} = '';
-$checked{'IEEE80211W'}{'on'} = '';
-$checked{'IEEE80211W'}{$wlanapsettings{'IEEE80211W'}} = "checked='checked'";
+$selected{'IEEE80211W'}{'off'} = '';
+$selected{'IEEE80211W'}{'optional'} = '';
+$selected{'IEEE80211W'}{'on'} = '';
+$selected{'IEEE80211W'}{$wlanapsettings{'IEEE80211W'}} = "selected";
 
 $selected{'ENC'}{$wlanapsettings{'ENC'}} = "selected='selected'";
 $selected{'CHANNEL'}{$wlanapsettings{'CHANNEL'}} = "selected='selected'";
@@ -451,12 +452,11 @@ print<<END
 <tr>
 	<td width='25%' class='base'>$Lang::tr{'wlanap management frame protection'}:&nbsp;</td>
 	<td class='base' colspan="3">
-		<label>
-			$Lang::tr{'on'} <input type='radio' name='IEEE80211W' value='on' $checked{'IEEE80211W'}{'on'} />
-		</label> |
-		<label>
-			<input type='radio' name='IEEE80211W' value='off' $checked{'IEEE80211W'}{'off'} /> $Lang::tr{'off'}
-		</label>
+		<select name="IEEE80211W">
+			<option value="off" $selected{'IEEE80211W'}{'off'}>$Lang::tr{'wlanap 802.11w disabled'}</option>
+			<option value="optional" $selected{'IEEE80211W'}{'optional'}>$Lang::tr{'wlanap 802.11w optional'}</option>
+			<option value="on" $selected{'IEEE80211W'}{'on'}>$Lang::tr{'wlanap 802.11w enforced'}</option>
+		</select>
 	</td>
 </tr>
 <tr><td colspan='4'><br></td></tr>
@@ -686,6 +686,8 @@ END
  # Management Frame Protection (802.11w)
  if ($wlanapsettings{'IEEE80211W'} eq "on") {
 	print CONFIGFILE "ieee80211w=2\n";
+ } elsif ($wlanapsettings{'IEEE80211W'} eq "optional") {
+	print CONFIGFILE "ieee80211w=1\n";
  } else {
 	print CONFIGFILE "ieee80211w=0\n";
  }
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 0b4f098a7..d00de3d03 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2962,6 +2962,9 @@
 'wlan client wpa mode tkip tkip' => 'TKIP-TKIP',
 'wlan clients' => 'Wireless clients',
 'wlanap' => 'Access Point',
+'wlanap 802.11w disabled' => 'Disabled',
+'wlanap 802.11w enforced' => 'Enforced',
+'wlanap 802.11w optional' => 'Optional',
 'wlanap auto' => 'Automatic Channel Selection',
 'wlanap broadcast ssid' => 'Broadcast SSID',
 'wlanap channel' => 'Channel',