Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

SAE: Allow SAE password to be configured separately (AP)

The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 7 years ago
parent
c5aeb4343e
commit
2377c1caef
5 changed files with 21 additions and 3 deletions
Split View Show Diff Stats
  1. 3 0
      hostapd/config_file.c
  2. 9 0
      hostapd/hostapd.conf
  3. 2 0
      src/ap/ap_config.c
  4. 1 0
      src/ap/ap_config.h
  5. 6 3
      src/ap/ieee802_11.c

+ 3 - 0
hostapd/config_file.c
View File 

@@ -3594,6 +3594,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 
 	} else if (os_strcmp(buf, "sae_commit_override") == 0) {
 
 		wpabuf_free(bss->sae_commit_override);
 
 		bss->sae_commit_override = wpabuf_parse_bin(pos);
 
+	} else if (os_strcmp(buf, "sae_password") == 0) {
 
+		os_free(bss->sae_password);
 
+		bss->sae_password = os_strdup(pos);
 
 #endif /* CONFIG_TESTING_OPTIONS */
 
 	} else if (os_strcmp(buf, "vendor_elements") == 0) {
 
 		if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))

+ 9 - 0
hostapd/hostapd.conf
View File 

@@ -1378,6 +1378,15 @@ own_ip_addr=127.0.0.1
 
 # 1 = enabled
 
 #okc=1
 
 
+# SAE password
 
+# This parameter can be used to set a password for SAE. By default, the
 
+# wpa_passphrase value is used if this separate parameter is not used, but
 
+# wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
 
+# SAE passwords do not have such constraints. If the BSS enabled both SAE and
 
+# WPA-PSK and both values are set, SAE uses the sae_password value and WPA-PSK
 
+# uses the wpa_passphrase value.
 
+#sae_password=secret
 
+
 
 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
 
 # This parameter defines how many open SAE instances can be in progress at the
 
 # same time before the anti-clogging mechanism is taken into use.

+ 2 - 0
src/ap/ap_config.c
View File 

@@ -634,6 +634,8 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 
 	wpabuf_free(conf->dpp_csign);
 
 #endif /* CONFIG_DPP */
 
 
+	os_free(conf->sae_password);
 
+
 
 	os_free(conf);
 
 }

+ 1 - 0
src/ap/ap_config.h
View File 

@@ -582,6 +582,7 @@ struct hostapd_bss_config {
 
 
 	unsigned int sae_anti_clogging_threshold;
 
 	int *sae_groups;
 
+	char *sae_password;
 
 
 	char *wowlan_triggers; /* Wake-on-WLAN triggers */

+ 6 - 3
src/ap/ieee802_11.c
View File 

@@ -361,16 +361,19 @@ static struct wpabuf * auth_build_sae_commit(struct hostapd_data *hapd,
 
 					     struct sta_info *sta, int update)
 
 {
 
 	struct wpabuf *buf;
 
+	const char *password;
 
 
-	if (hapd->conf->ssid.wpa_passphrase == NULL) {
 
+	password = hapd->conf->sae_password;
 
+	if (!password)
 
+		password = hapd->conf->ssid.wpa_passphrase;
 
+	if (!password) {
 
 		wpa_printf(MSG_DEBUG, "SAE: No password available");
 
 		return NULL;
 
 	}
 
 
 	if (update &&
 
 	    sae_prepare_commit(hapd->own_addr, sta->addr,
 
-			       (u8 *) hapd->conf->ssid.wpa_passphrase,
 
-			       os_strlen(hapd->conf->ssid.wpa_passphrase),
 
+			       (u8 *) password, os_strlen(password),
 
 			       sta->sae) < 0) {
 
 		wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
 
 		return NULL;