SAE-PK: Add support to skip sae_pk password check for testing purposes

Add support to skip sae_pk password check under compile flag
CONFIG_TESTING_OPTIONS which allows AP to be configured with
sae_pk enabled but a password that is invalid for sae_pk.

Signed-off-by: Shaakir Mohamed <smohamed@codeaurora.org>
Shaakir Mohamed 2020-09-08 14:08:38 -07:00 committed by Jouni Malinen
parent a71b100c3b
commit 41f8189057
3 changed files with 17 additions and 2 deletions


@ -2245,7 +2245,11 @@ static int parse_sae_password(struct hostapd_bss_config *bss, const char *val)
} }
#ifdef CONFIG_SAE_PK #ifdef CONFIG_SAE_PK
if (pw->pk && !sae_pk_valid_password(pw->password)) { if (pw->pk &&
#ifdef CONFIG_TESTING_OPTIONS
!bss->sae_pk_password_check_skip &&
#endif /* CONFIG_TESTING_OPTIONS */
!sae_pk_valid_password(pw->password)) {
wpa_printf(MSG_INFO, wpa_printf(MSG_INFO,
"Invalid SAE password for a SAE-PK sae_password entry"); "Invalid SAE password for a SAE-PK sae_password entry");
goto fail; goto fail;
@ -4137,6 +4141,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->sae_commit_status = atoi(pos); bss->sae_commit_status = atoi(pos);
} else if (os_strcmp(buf, "sae_pk_omit") == 0) { } else if (os_strcmp(buf, "sae_pk_omit") == 0) {
bss->sae_pk_omit = atoi(pos); bss->sae_pk_omit = atoi(pos);
} else if (os_strcmp(buf, "sae_pk_password_check_skip") == 0) {
bss->sae_pk_password_check_skip = atoi(pos);
} else if (os_strcmp(buf, "sae_commit_override") == 0) { } else if (os_strcmp(buf, "sae_commit_override") == 0) {
wpabuf_free(bss->sae_commit_override); wpabuf_free(bss->sae_commit_override);
bss->sae_commit_override = wpabuf_parse_bin(pos); bss->sae_commit_override = wpabuf_parse_bin(pos);
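Review bot: The bypass added to the `if (pw->pk && ...)` condition in parse_sae_password() reads `bss->sae_pk_password_check_skip` at the time the password entry is parsed, so it can only take effect when the option has already been set; presumably that means `sae_pk_password_check_skip=1` has to appear before the SAE-PK `sae_password` line in the configuration file. Nothing in the hunk documents that ordering, and a later setting would leave the entry rejected with the existing "Invalid SAE password" message. A comment at the new condition would help, e.g. `/* Testing only: honored only if sae_pk_password_check_skip was parsed before this entry */`. The new `else if` in hostapd_config_fill() is not visibly inside a CONFIG_TESTING_OPTIONS block in the lines shown, while its use in parse_sae_password() is; the enclosing guards lie outside both hunks and are worth checking.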


@ -1126,12 +1126,20 @@ static bool hostapd_sae_pk_password_without_pk(struct hostapd_bss_config *bss)
bool res = false; bool res = false;
if (bss->ssid.wpa_passphrase && if (bss->ssid.wpa_passphrase &&
#ifdef CONFIG_TESTING_OPTIONS
!bss->sae_pk_password_check_skip &&
#endif /* CONFIG_TESTING_OPTIONS */
sae_pk_valid_password(bss->ssid.wpa_passphrase)) sae_pk_valid_password(bss->ssid.wpa_passphrase))
res = true; res = true;
for (pw = bss->sae_passwords; pw; pw = pw->next) { for (pw = bss->sae_passwords; pw; pw = pw->next) {
if (!pw->pk && sae_pk_valid_password(pw->password)) if (!pw->pk &&
#ifdef CONFIG_TESTING_OPTIONS
!bss->sae_pk_password_check_skip &&
#endif /* CONFIG_TESTING_OPTIONS */
sae_pk_valid_password(pw->password))
return true; return true;
if (bss->ssid.wpa_passphrase && res && pw->pk && if (bss->ssid.wpa_passphrase && res && pw->pk &&
os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0) os_strcmp(bss->ssid.wpa_passphrase, pw->password) == 0)
res = false; res = false;
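Review bot: Both added conditions in hostapd_sae_pk_password_without_pk() make the flag disable a second, different check from the one the commit message describes: with `sae_pk_password_check_skip` set, neither the `wpa_passphrase` test nor the `!pw->pk` branch in the loop can flag a password in SAE-PK format that is configured without a key. The commit message only mentions accepting an invalid password on a SAE-PK entry, so a reader of the option name would not expect this wider effect. A comment above the first condition would make it explicit, e.g. `/* Testing only: sae_pk_password_check_skip also disables detection of SAE-PK passwords configured without a key */`. The function's return statement is outside the hunk, so the final result with the flag set is presumably false but should be confirmed.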


@ -671,6 +671,7 @@ struct hostapd_bss_config {
int sae_reflection_attack; int sae_reflection_attack;
int sae_commit_status; int sae_commit_status;
int sae_pk_omit; int sae_pk_omit;
int sae_pk_password_check_skip;
struct wpabuf *sae_commit_override; struct wpabuf *sae_commit_override;
struct wpabuf *rsne_override_eapol; struct wpabuf *rsne_override_eapol;
struct wpabuf *rsnxe_override_eapol; struct wpabuf *rsnxe_override_eapol;