From 2377c1caef77c9c309681ad419b87cafc1c10e28 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 11 Oct 2017 23:07:08 +0300
Subject: [PATCH] SAE: Allow SAE password to be configured separately (AP)

The new sae_password hostapd configuration parameter can now be used to set the SAE password instead of the previously used wpa_passphrase parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used. In addition, this makes it possible to configure a BSS with both WPA-PSK and SAE enabled to use different passphrase/password based on which AKM is selected.

Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 3 +++
 hostapd/hostapd.conf | 9 +++++++++
 src/ap/ap_config.c | 2 ++
 src/ap/ap_config.h | 1 +
 src/ap/ieee802_11.c | 9 ++++++---
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index fd3ad0a73..cd72f7a31 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3594,6 +3594,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 } else if (os_strcmp(buf, "sae_commit_override") == 0) {
 wpabuf_free(bss->sae_commit_override);
 bss->sae_commit_override = wpabuf_parse_bin(pos);
+ } else if (os_strcmp(buf, "sae_password") == 0) {
+ os_free(bss->sae_password);
+ bss->sae_password = os_strdup(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
 } else if (os_strcmp(buf, "vendor_elements") == 0) {
 if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index d2e884c59..c25f2e494 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
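Review bot: The new `sae_password` branch is compiled out of non-testing builds, because it is inserted before `#endif /* CONFIG_TESTING_OPTIONS */` and so sits inside the same conditional as the testing-only `sae_commit_override` option, while the commit message and the hostapd.conf hunk present it as a general parameter. Move the three added lines below the `#endif`, next to the `vendor_elements` branch; the enclosing hostapd_config_fill() `else if` chain starts and ends outside the hunk. Separately, the previous value is released with `os_free(bss->sae_password);`, which leaves the old password bytes in freed heap memory; as far as I recall the matching wpa_passphrase release uses str_clear_free(), so `str_clear_free(bss->sae_password);` here and `str_clear_free(conf->sae_password);` in the src/ap/ap_config.c hunk would handle the two secrets alike.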
@@ -1378,6 +1378,15 @@ own_ip_addr=127.0.0.1
 # 1 = enabled
 #okc=1
 
+# SAE password
+# This parameter can be used to set a password for SAE. By default, the
+# wpa_passphrase value is used if this separate parameter is not used, but
+# wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
+# SAE passwords do not have such constraints. If the BSS enabled both SAE and
+# WPA-PSK and both values are set, SAE uses the sae_password value and WPA-PSK
+# uses the wpa_passphrase value.
+#sae_password=secret
+
 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
 # This parameter defines how many open SAE instances can be in progress at the
 # same time before the anti-clogging mechanism is taken into use.
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 0e1ab02b5..10cacfb8a 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -634,6 +634,8 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 wpabuf_free(conf->dpp_csign);
 #endif /* CONFIG_DPP */
 
+ os_free(conf->sae_password);
+
 os_free(conf);
 }
 
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 76929250a..124ff4a07 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -582,6 +582,7 @@ struct hostapd_bss_config {
 
 unsigned int sae_anti_clogging_threshold;
 int *sae_groups;
+ char *sae_password;
 
 char *wowlan_triggers; /* Wake-on-WLAN triggers */
 
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index e0edcc53c..7146d3dcf 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
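Review bot: The new `char *sae_password;` field in struct hostapd_bss_config carries no comment, while the neighbouring wowlan_triggers member documents itself inline, and the two facts a reader needs are only visible in other files of this patch: the src/ap/ieee802_11.c hunk falls back to ssid.wpa_passphrase when it is NULL, and the src/ap/ap_config.c hunk shows hostapd_config_free_bss() owns the allocation. Record that at the declaration: `char *sae_password; /* SAE password; NULL = use ssid.wpa_passphrase (owned, freed in hostapd_config_free_bss) */`. The struct definition starts and ends outside the hunk.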
@@ -361,16 +361,19 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
 struct sta_info *sta, int update)
 {
 struct wpabuf *buf;
+ const char *password;
 
- if (hapd->conf->ssid.wpa_passphrase == NULL) {
+ password = hapd->conf->sae_password;
+ if (!password)
+ password = hapd->conf->ssid.wpa_passphrase;
+ if (!password) {
 wpa_printf(MSG_DEBUG, "SAE: No password available");
 return NULL;
 }
 
 if (update && sae_prepare_commit(hapd->own_addr, sta->addr,
- (u8 *) hapd->conf->ssid.wpa_passphrase,
- os_strlen(hapd->conf->ssid.wpa_passphrase),
+ (u8 *) password, os_strlen(password),
 sta->sae) < 0) {
 wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
 return NULL;