SAE: Allow SAE password to be configured separately (STA)
The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
2377c1caef
commit
a34ca59e4d
8 changed files with 39 additions and 6 deletions
|
|
@ -2115,6 +2115,7 @@ static const struct parse_data ssid_fields[] = {
|
||||||
{ FUNC(bssid_whitelist) },
|
{ FUNC(bssid_whitelist) },
|
||||||
{ FUNC_KEY(psk) },
|
{ FUNC_KEY(psk) },
|
||||||
{ INT(mem_only_psk) },
|
{ INT(mem_only_psk) },
|
||||||
|
{ STR_KEY(sae_password) },
|
||||||
{ FUNC(proto) },
|
{ FUNC(proto) },
|
||||||
{ FUNC(key_mgmt) },
|
{ FUNC(key_mgmt) },
|
||||||
{ INT(bg_scan_period) },
|
{ INT(bg_scan_period) },
|
||||||
|
|
@ -2450,6 +2451,7 @@ void wpa_config_free_ssid(struct wpa_ssid *ssid)
|
||||||
os_free(ssid->ssid);
|
os_free(ssid->ssid);
|
||||||
str_clear_free(ssid->passphrase);
|
str_clear_free(ssid->passphrase);
|
||||||
os_free(ssid->ext_psk);
|
os_free(ssid->ext_psk);
|
||||||
|
str_clear_free(ssid->sae_password);
|
||||||
#ifdef IEEE8021X_EAPOL
|
#ifdef IEEE8021X_EAPOL
|
||||||
eap_peer_config_free(&ssid->eap);
|
eap_peer_config_free(&ssid->eap);
|
||||||
#endif /* IEEE8021X_EAPOL */
|
#endif /* IEEE8021X_EAPOL */
|
||||||
|
|
|
||||||
|
|
@ -745,6 +745,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
|
||||||
write_str(f, "bssid_whitelist", ssid);
|
write_str(f, "bssid_whitelist", ssid);
|
||||||
write_psk(f, ssid);
|
write_psk(f, ssid);
|
||||||
INT(mem_only_psk);
|
INT(mem_only_psk);
|
||||||
|
STR(sae_password);
|
||||||
write_proto(f, ssid);
|
write_proto(f, ssid);
|
||||||
write_key_mgmt(f, ssid);
|
write_key_mgmt(f, ssid);
|
||||||
INT_DEF(bg_scan_period, DEFAULT_BG_SCAN_PERIOD);
|
INT_DEF(bg_scan_period, DEFAULT_BG_SCAN_PERIOD);
|
||||||
|
|
|
||||||
|
|
@ -183,6 +183,16 @@ struct wpa_ssid {
|
||||||
*/
|
*/
|
||||||
char *passphrase;
|
char *passphrase;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* sae_password - SAE password
|
||||||
|
*
|
||||||
|
* This parameter can be used to set a password for SAE. By default, the
|
||||||
|
* passphrase value is used if this separate parameter is not used, but
|
||||||
|
* passphrase follows the WPA-PSK constraints (8..63 characters) even
|
||||||
|
* though SAE passwords do not have such constraints.
|
||||||
|
*/
|
||||||
|
char *sae_password;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ext_psk - PSK/passphrase name in external storage
|
* ext_psk - PSK/passphrase name in external storage
|
||||||
*
|
*
|
||||||
|
|
|
||||||
|
|
@ -870,6 +870,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
|
||||||
INT(scan_ssid);
|
INT(scan_ssid);
|
||||||
write_bssid(netw, ssid);
|
write_bssid(netw, ssid);
|
||||||
write_psk(netw, ssid);
|
write_psk(netw, ssid);
|
||||||
|
STR(sae_password);
|
||||||
write_proto(netw, ssid);
|
write_proto(netw, ssid);
|
||||||
write_key_mgmt(netw, ssid);
|
write_key_mgmt(netw, ssid);
|
||||||
write_pairwise(netw, ssid);
|
write_pairwise(netw, ssid);
|
||||||
|
|
|
||||||
|
|
@ -317,7 +317,12 @@ static int mesh_rsn_build_sae_commit(struct wpa_supplicant *wpa_s,
|
||||||
struct wpa_ssid *ssid,
|
struct wpa_ssid *ssid,
|
||||||
struct sta_info *sta)
|
struct sta_info *sta)
|
||||||
{
|
{
|
||||||
if (ssid->passphrase == NULL) {
|
const char *password;
|
||||||
|
|
||||||
|
password = ssid->sae_password;
|
||||||
|
if (!password)
|
||||||
|
password = ssid->passphrase;
|
||||||
|
if (!password) {
|
||||||
wpa_msg(wpa_s, MSG_DEBUG, "SAE: No password available");
|
wpa_msg(wpa_s, MSG_DEBUG, "SAE: No password available");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
@ -328,8 +333,8 @@ static int mesh_rsn_build_sae_commit(struct wpa_supplicant *wpa_s,
|
||||||
}
|
}
|
||||||
|
|
||||||
return sae_prepare_commit(wpa_s->own_addr, sta->addr,
|
return sae_prepare_commit(wpa_s->own_addr, sta->addr,
|
||||||
(u8 *) ssid->passphrase,
|
(u8 *) password, os_strlen(password),
|
||||||
os_strlen(ssid->passphrase), sta->sae);
|
sta->sae);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -87,6 +87,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
|
||||||
{
|
{
|
||||||
struct wpabuf *buf;
|
struct wpabuf *buf;
|
||||||
size_t len;
|
size_t len;
|
||||||
|
const char *password;
|
||||||
|
|
||||||
#ifdef CONFIG_TESTING_OPTIONS
|
#ifdef CONFIG_TESTING_OPTIONS
|
||||||
if (wpa_s->sae_commit_override) {
|
if (wpa_s->sae_commit_override) {
|
||||||
|
|
@ -101,7 +102,10 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
|
||||||
}
|
}
|
||||||
#endif /* CONFIG_TESTING_OPTIONS */
|
#endif /* CONFIG_TESTING_OPTIONS */
|
||||||
|
|
||||||
if (ssid->passphrase == NULL) {
|
password = ssid->sae_password;
|
||||||
|
if (!password)
|
||||||
|
password = ssid->passphrase;
|
||||||
|
if (!password) {
|
||||||
wpa_printf(MSG_DEBUG, "SAE: No password available");
|
wpa_printf(MSG_DEBUG, "SAE: No password available");
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
@ -112,8 +116,7 @@ static struct wpabuf * sme_auth_build_sae_commit(struct wpa_supplicant *wpa_s,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sae_prepare_commit(wpa_s->own_addr, bssid,
|
if (sae_prepare_commit(wpa_s->own_addr, bssid,
|
||||||
(u8 *) ssid->passphrase,
|
(u8 *) password, os_strlen(password),
|
||||||
os_strlen(ssid->passphrase),
|
|
||||||
&wpa_s->sme.sae) < 0) {
|
&wpa_s->sme.sae) < 0) {
|
||||||
wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
|
wpa_printf(MSG_DEBUG, "SAE: Could not pick PWE");
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
||||||
|
|
@ -1446,6 +1446,10 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s,
|
||||||
NULL);
|
NULL);
|
||||||
psk_set = 1;
|
psk_set = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (wpa_key_mgmt_sae(ssid->key_mgmt) && ssid->sae_password)
|
||||||
|
psk_set = 1;
|
||||||
|
|
||||||
#ifndef CONFIG_NO_PBKDF2
|
#ifndef CONFIG_NO_PBKDF2
|
||||||
if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
|
if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
|
||||||
ssid->passphrase) {
|
ssid->passphrase) {
|
||||||
|
|
@ -6414,6 +6418,7 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
|
||||||
|
|
||||||
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
|
if (wpa_key_mgmt_wpa_psk(ssid->key_mgmt) && !ssid->psk_set &&
|
||||||
(!ssid->passphrase || ssid->ssid_len != 0) && !ssid->ext_psk &&
|
(!ssid->passphrase || ssid->ssid_len != 0) && !ssid->ext_psk &&
|
||||||
|
!(wpa_key_mgmt_sae(ssid->key_mgmt) && ssid->sae_password) &&
|
||||||
!ssid->mem_only_psk)
|
!ssid->mem_only_psk)
|
||||||
return 1;
|
return 1;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -934,6 +934,12 @@ fast_reauth=1
|
||||||
# 1 = do not store psk/passphrase to the configuration file
|
# 1 = do not store psk/passphrase to the configuration file
|
||||||
#mem_only_psk=0
|
#mem_only_psk=0
|
||||||
#
|
#
|
||||||
|
# sae_password: SAE password
|
||||||
|
# This parameter can be used to set a password for SAE. By default, the
|
||||||
|
# passphrase value is used if this separate parameter is not used, but
|
||||||
|
# passphrase follows the WPA-PSK constraints (8..63 characters) even
|
||||||
|
# though SAE passwords do not have such constraints.
|
||||||
|
#
|
||||||
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
|
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
|
||||||
# Dynamic WEP key required for non-WPA mode
|
# Dynamic WEP key required for non-WPA mode
|
||||||
# bit0 (1): require dynamically generated unicast WEP key
|
# bit0 (1): require dynamically generated unicast WEP key
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue