SAE: Allow SAE password to be configured separately (AP)

The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-10-11 23:07:08 +03:00 committed by Jouni Malinen
parent c5aeb4343e
commit 2377c1caef
5 changed files with 21 additions and 3 deletions

View file

@ -3594,6 +3594,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
} else if (os_strcmp(buf, "sae_commit_override") == 0) { } else if (os_strcmp(buf, "sae_commit_override") == 0) {
wpabuf_free(bss->sae_commit_override); wpabuf_free(bss->sae_commit_override);
bss->sae_commit_override = wpabuf_parse_bin(pos); bss->sae_commit_override = wpabuf_parse_bin(pos);
} else if (os_strcmp(buf, "sae_password") == 0) {
os_free(bss->sae_password);
bss->sae_password = os_strdup(pos);
#endif /* CONFIG_TESTING_OPTIONS */ #endif /* CONFIG_TESTING_OPTIONS */
} else if (os_strcmp(buf, "vendor_elements") == 0) { } else if (os_strcmp(buf, "vendor_elements") == 0) {
if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos)) if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))

View file

@ -1378,6 +1378,15 @@ own_ip_addr=127.0.0.1
# 1 = enabled # 1 = enabled
#okc=1 #okc=1
# SAE password
# This parameter can be used to set a password for SAE. By default, the
# wpa_passphrase value is used if this separate parameter is not used, but
# wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
# SAE passwords do not have such constraints. If the BSS enabled both SAE and
# WPA-PSK and both values are set, SAE uses the sae_password value and WPA-PSK
# uses the wpa_passphrase value.
#sae_password=secret
# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold) # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
# This parameter defines how many open SAE instances can be in progress at the # This parameter defines how many open SAE instances can be in progress at the
# same time before the anti-clogging mechanism is taken into use. # same time before the anti-clogging mechanism is taken into use.

View file

@ -634,6 +634,8 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
wpabuf_free(conf->dpp_csign); wpabuf_free(conf->dpp_csign);
#endif /* CONFIG_DPP */ #endif /* CONFIG_DPP */
os_free(conf->sae_password);
os_free(conf); os_free(conf);
} }

View file

@ -582,6 +582,7 @@ struct hostapd_bss_config {
unsigned int sae_anti_clogging_threshold; unsigned int sae_anti_clogging_threshold;
int *sae_groups; int *sae_groups;
char *sae_password;
char *wowlan_triggers; /* Wake-on-WLAN triggers */ char *wowlan_triggers; /* Wake-on-WLAN triggers */

View file

@ -361,16 +361,19 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
struct sta_info *sta, int update) struct sta_info *sta, int update)
{ {
struct wpabuf *buf; struct wpabuf *buf;
const char *password;
if (hapd->conf->ssid.wpa_passphrase == NULL) { password = hapd->conf->sae_password;
if (!password)
password = hapd->conf->ssid.wpa_passphrase;
if (!password) {
wpa_printf(MSG_DEBUG, "SAE: No password available"); wpa_printf(MSG_DEBUG, "SAE: No password available");
return NULL; return NULL;
} }
if (update && if (update &&
sae_prepare_commit(hapd->own_addr, sta->addr, sae_prepare_commit(hapd->own_addr, sta->addr,
(u8 *) hapd->conf->ssid.wpa_passphrase, (u8 *) password, os_strlen(password),
os_strlen(hapd->conf->ssid.wpa_passphrase),
sta->sae) < 0) { sta->sae) < 0) {
wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE"); wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
return NULL; return NULL;