SAE: Allow SAE password to be configured separately (AP)

The new sae_password hostapd configuration parameter can now be used to set the SAE password instead of the previously used wpa_passphrase parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used. In addition, this makes it possible to configure a BSS with both WPA-PSK and SAE enabled to use different passphrase/password based on which AKM is selected. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2024-11-25 00:38:24 -05:00 · 2017-10-11 23:07:08 +03:00 · 2017-10-11 23:07:08 +03:00 · 2377c1caef
commit 2377c1caef
parent c5aeb4343e
5 changed files with 21 additions and 3 deletions
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@ -3594,6 +3594,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 	} else if (os_strcmp(buf, "sae_commit_override") == 0) {
 		wpabuf_free(bss->sae_commit_override);
 		bss->sae_commit_override = wpabuf_parse_bin(pos);
+	} else if (os_strcmp(buf, "sae_password") == 0) {
+		os_free(bss->sae_password);
+		bss->sae_password = os_strdup(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
 	} else if (os_strcmp(buf, "vendor_elements") == 0) {
 		if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@ -1378,6 +1378,15 @@ own_ip_addr=127.0.0.1
 # 1 = enabled
 #okc=1

+# SAE password
+# This parameter can be used to set a password for SAE. By default, the
+# wpa_passphrase value is used if this separate parameter is not used, but
+# wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
+# SAE passwords do not have such constraints. If the BSS enabled both SAE and
+# WPA-PSK and both values are set, SAE uses the sae_password value and WPA-PSK
+# uses the wpa_passphrase value.
+#sae_password=secret
+
 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
 # This parameter defines how many open SAE instances can be in progress at the
 # same time before the anti-clogging mechanism is taken into use.
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@ -634,6 +634,8 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 	wpabuf_free(conf->dpp_csign);
 #endif /* CONFIG_DPP */

+	os_free(conf->sae_password);
+
 	os_free(conf);
 }

--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@ -582,6 +582,7 @@ struct hostapd_bss_config {

 	unsigned int sae_anti_clogging_threshold;
 	int *sae_groups;
+	char *sae_password;

 	char *wowlan_triggers; /* Wake-on-WLAN triggers */

--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@ -361,16 +361,19 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
 					     struct sta_info *sta, int update)
 {
 	struct wpabuf *buf;
+	const char *password;

-	if (hapd->conf->ssid.wpa_passphrase == NULL) {
+	password = hapd->conf->sae_password;
+	if (!password)
+		password = hapd->conf->ssid.wpa_passphrase;
+	if (!password) {
 		wpa_printf(MSG_DEBUG, "SAE: No password available");
 		return NULL;
 	}

 	if (update &&
 	    sae_prepare_commit(hapd->own_addr, sta->addr,
-			       (u8 *) hapd->conf->ssid.wpa_passphrase,
-			       os_strlen(hapd->conf->ssid.wpa_passphrase),
+			       (u8 *) password, os_strlen(password),
 			       sta->sae) < 0) {
 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
 		return NULL;