SAE: Allow SAE password to be configured separately (AP)
The new sae_password hostapd configuration parameter can now be used to set the SAE password instead of the previously used wpa_passphrase parameter. This allows passwords shorter than 8 characters and longer than 63 characters to be used. In addition, this makes it possible to configure a BSS with both WPA-PSK and SAE enabled to use a different passphrase/password based on which AKM is selected. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
parent
c5aeb4343e
commit
2377c1caef
5 changed files with 21 additions and 3 deletions
|
@ -3594,6 +3594,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
|
||||||
} else if (os_strcmp(buf, "sae_commit_override") == 0) {
|
} else if (os_strcmp(buf, "sae_commit_override") == 0) {
|
||||||
wpabuf_free(bss->sae_commit_override);
|
wpabuf_free(bss->sae_commit_override);
|
||||||
bss->sae_commit_override = wpabuf_parse_bin(pos);
|
bss->sae_commit_override = wpabuf_parse_bin(pos);
|
||||||
|
} else if (os_strcmp(buf, "sae_password") == 0) {
|
||||||
|
os_free(bss->sae_password);
|
||||||
|
bss->sae_password = os_strdup(pos);
|
||||||
#endif /* CONFIG_TESTING_OPTIONS */
|
#endif /* CONFIG_TESTING_OPTIONS */
|
||||||
} else if (os_strcmp(buf, "vendor_elements") == 0) {
|
} else if (os_strcmp(buf, "vendor_elements") == 0) {
|
||||||
if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
|
if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
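Review bot: The new `sae_password` branch sits directly after the `sae_commit_override` branch and before `#endif /* CONFIG_TESTING_OPTIONS */`, so it appears to be compiled only in testing builds; the matching `#ifdef` opens outside the hunk, so confirm this against the full file. If so, a production build would not recognise the parameter, and SAE would keep using `wpa_passphrase`. Moving the three added lines below the `#endif` would fix that. The result of `os_strdup(pos)` is also unchecked: on allocation failure `bss->sae_password` stays NULL and the fallback in auth_build_sae_commit silently selects `wpa_passphrase`. A check such as `if (!bss->sae_password) return 1;` would make that a configuration error, though the error-return convention of hostapd_config_fill is not visible here.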
|
||||||
|
|
|
@ -1378,6 +1378,15 @@ own_ip_addr=127.0.0.1
|
||||||
# 1 = enabled
|
# 1 = enabled
|
||||||
#okc=1
|
#okc=1
|
||||||
|
|
||||||
|
# SAE password
|
||||||
|
# This parameter can be used to set a password for SAE. By default, the
|
||||||
|
# wpa_passphrase value is used if this separate parameter is not used, but
|
||||||
|
# wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
|
||||||
|
# SAE passwords do not have such constraints. If the BSS enabled both SAE and
|
||||||
|
# WPA-PSK and both values are set, SAE uses the sae_password value and WPA-PSK
|
||||||
|
# uses the wpa_passphrase value.
|
||||||
|
#sae_password=secret
|
||||||
|
|
||||||
# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
|
# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
|
||||||
# This parameter defines how many open SAE instances can be in progress at the
|
# This parameter defines how many open SAE instances can be in progress at the
|
||||||
# same time before the anti-clogging mechanism is taken into use.
|
# same time before the anti-clogging mechanism is taken into use.
|
||||||
|
|
|
@ -634,6 +634,8 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
|
||||||
wpabuf_free(conf->dpp_csign);
|
wpabuf_free(conf->dpp_csign);
|
||||||
#endif /* CONFIG_DPP */
|
#endif /* CONFIG_DPP */
|
||||||
|
|
||||||
|
os_free(conf->sae_password);
|
||||||
|
|
||||||
os_free(conf);
|
os_free(conf);
|
||||||
}
|
}
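Review bot: `os_free(conf->sae_password);` releases the password without clearing it, so the cleartext SAE password remains in freed heap memory. hostapd provides `str_clear_free()` for strings that hold secrets, and `str_clear_free(conf->sae_password);` would be the safer call here. The same applies to `os_free(bss->sae_password);` in the config-parser hunk, where a previously set value is replaced. hostapd_config_free_bss starts outside this hunk.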
|
||||||
|
|
||||||
|
|
|
@ -582,6 +582,7 @@ struct hostapd_bss_config {
|
||||||
|
|
||||||
unsigned int sae_anti_clogging_threshold;
|
unsigned int sae_anti_clogging_threshold;
|
||||||
int *sae_groups;
|
int *sae_groups;
|
||||||
|
char *sae_password;
|
||||||
|
|
||||||
char *wowlan_triggers; /* Wake-on-WLAN triggers */
|
char *wowlan_triggers; /* Wake-on-WLAN triggers */
|
||||||
|
|
||||||
|
|
|
@ -361,16 +361,19 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
|
||||||
struct sta_info *sta, int update)
|
struct sta_info *sta, int update)
|
||||||
{
|
{
|
||||||
struct wpabuf *buf;
|
struct wpabuf *buf;
|
||||||
|
const char *password;
|
||||||
|
|
||||||
if (hapd->conf->ssid.wpa_passphrase == NULL) {
|
password = hapd->conf->sae_password;
|
||||||
|
if (!password)
|
||||||
|
password = hapd->conf->ssid.wpa_passphrase;
|
||||||
|
if (!password) {
|
||||||
wpa_printf(MSG_DEBUG, "SAE: No password available");
|
wpa_printf(MSG_DEBUG, "SAE: No password available");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (update &&
|
if (update &&
|
||||||
sae_prepare_commit(hapd->own_addr, sta->addr,
|
sae_prepare_commit(hapd->own_addr, sta->addr,
|
||||||
(u8 *) hapd->conf->ssid.wpa_passphrase,
|
(u8 *) password, os_strlen(password),
|
||||||
os_strlen(hapd->conf->ssid.wpa_passphrase),
|
|
||||||
sta->sae) < 0) {
|
sta->sae) < 0) {
|
||||||
wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
|
wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
|
||||||
return NULL;
|
return NULL;
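Review bot: The cast `(u8 *) password` discards the `const` from the new `const char *password` local. `(const u8 *) password, os_strlen(password),` keeps the qualifier, assuming sae_prepare_commit takes a `const u8 *` (its prototype is not in the hunk). A short comment above the selection, such as `/* Prefer the SAE-specific password; fall back to the WPA-PSK passphrase */`, would document the precedence for the next reader. Nothing here rejects an empty string, so `sae_password=` with no value would reach sae_prepare_commit with length 0; whether to refuse that is better decided where the value is parsed. The function body continues outside the hunk.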
|
||||||
|
|