[openwrt/openwrt] hostapd: always use sae_password for mesh/SAE auth

LEDE Commits lede-commits at lists.infradead.org
Sun Feb 19 10:44:04 PST 2023


ansuel pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/ae751535de0cb46978bfcbacab882dd1082e59e3

commit ae751535de0cb46978bfcbacab882dd1082e59e3
Author: Leon M. Busch-George <leon at georgemail.eu>
AuthorDate: Wed Nov 23 17:40:08 2022 +0100

    hostapd: always use sae_password for mesh/SAE auth
    
    This patch fixes a corner case when using passwords that are exactly 64
    characters in length with mesh mode or passwords longer than 63 characters
    with SAE because 'psk' is used instead of 'sae_password'.
    SAE is obligatory for 802.11s (mesh point).
    
    The 'psk' option for hostapd is suited for WPA2 and enforces length
    restrictions on passwords. Values of 64 characters are treated as PMKs.
    With SAE, PMKs are always generated during the handshake and there are no
    length restrictions.
    The 'sae_password' option is more suited for SAE and should be used
    instead.
    
    Before this patch, the 'sae_password' option is only used with mesh mode
    passwords that are not 64 characters long.
    As a consequence:
    - mesh passwords can't be 64 characters in length
    - SAE only works with passwords with lengths >8 and <=63 (due to psk
      limitation).
    
    Fix this by always using 'sae_password' with SAE/mesh and applying the PMK
    differentiation only when PSK is used.
    
    Fixes: #11324
    Signed-off-by: Leon M. Busch-George <leon at georgemail.eu>
    [ improve commit description ]
    Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
---
 package/network/services/hostapd/files/hostapd.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 70ad187a81..8c233a4e60 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -1372,11 +1372,11 @@ wpa_supplicant_add_network() {
 
 			key_mgmt="$wpa_key_mgmt"
 
-			if [ ${#key} -eq 64 ]; then
-				passphrase="psk=${key}"
+			if [ "$_w_mode" = "mesh" ] || [ "$auth_type" = "sae" ]; then
+				passphrase="sae_password=\"${key}\""
 			else
-				if [ "$_w_mode" = "mesh" ]; then
-					passphrase="sae_password=\"${key}\""
+				if [ ${#key} -eq 64 ]; then
+					passphrase="psk=${key}"
 				else
 					passphrase="psk=\"${key}\""
 				fi
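Review bot: the new outer test `[ "$auth_type" = "sae" ]` matches only the exact string "sae", so any other auth_type value that reaches this block and can still negotiate SAE falls through to the `psk=` branches and keeps the 64-character special case. Please confirm that no such value reaches this code, or match it explicitly in the condition. The inner `[ ${#key} -eq 64 ]` test would also benefit from a one-line comment saying that a 64-character key is passed unquoted as a raw PMK and that this now applies to PSK only. The test checks only the length, not that the value is hexadecimal, so a note on what happens to a 64-character non-hex key would help. Separately, `${key}` is written into `sae_password=\"${key}\"` without escaping, and after this change that line is used for every SAE network rather than only mesh, so it is worth stating which characters a key may contain.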
