[PATCH] hostapd: disable logging of wpa_passphrase

Jouni Malinen j at w1.fi
Sun Dec 22 10:06:31 PST 2024


On Tue, Dec 17, 2024 at 09:46:48AM +0100, Christian Korber wrote:
> During the initialization of hostapd, the configuration file is logged in
> the syslog and the wpa_passphrase is also logged.

What do you mean with the configuration file being logged? And in
particular, where do you see wpa_passphrase being logged?

> This is not ideal from a security point of view. Therefore this commit allows
> the output if compiled in debug mode.

I don't see how this would really be doing that..

>  .../804-disable-logging-of-passphrase.patch       | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>  create mode 100644 package/network/services/hostapd/patches/804-disable-logging-of-passphrase.patch

This is not really a style that would be used for the upstream
hostap.git repository.. Instead of adding patches to file some files,
the changes should modify the files themselves..

> diff --git a/package/network/services/hostapd/patches/804-disable-logging-of-passphrase.patch b/package/network/services/hostapd/patches/804-disable-logging-of-passphrase.patch

> +--- a/src/ap/hostapd.c
> ++++ b/src/ap/hostapd.c
> +@@ -3378,8 +3378,11 @@ hostapd_interface_init_bss(struct hapd_i
> + 		}
> + 	}
> + 
> +-	wpa_printf(MSG_INFO, "Configuration file: %s (phy %s)%s",
> ++	if (CONFIG_MSG_MIN_PRIORITY <= MSG_DEBUG){
> ++		wpa_printf(MSG_INFO, "Configuration file: %s (phy %s)%s",
> + 		   config_fname, phy, iface ? "" : " --> new PHY");
> ++	}

This does not really log the configuration file; it logs only its name.
In other words, no passphrases are logged here..

CONFIG_MSG_MIN_PRIORITY is not defined in hostap.git, so this change
would not even compile.

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list