[openwrt/openwrt] wifi-scripts: add sae_track_password option

LEDE Commits lede-commits at lists.infradead.org
Fri Nov 7 12:17:08 PST 2025


robimarko pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/8e457b69a22d1334a51dccda9471cbc2e333b00d

commit 8e457b69a22d1334a51dccda9471cbc2e333b00d
Author: Rany Hany <rany_hany at riseup.net>
AuthorDate: Thu Oct 30 12:43:14 2025 +0000

    wifi-scripts: add sae_track_password option
    
    This is useful if multiple passwords were specified without
    the use of a SAE password identifier. This is the only
    way to get multiple passwords for a single peer to work
    without resorting to password identifiers.
    
    Unfortunately, support for password identifiers is non-existent
    on Android and macOS; and possibly others. So this is the only
    option in that case.
    
    As an alternative, one could also continue to use WPA2-PSK instead,
    since there the AP can simply brute-force over the configured
    passwords without any complications.
    
    Signed-off-by: Rany Hany <rany_hany at riseup.net>
    Link: https://github.com/openwrt/openwrt/pull/20597
    Signed-off-by: Robert Marko <robimarko at gmail.com>
---
 .../files-ucode/usr/share/schema/wireless.wifi-iface.json            | 4 ++++
 .../config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc       | 2 +-
 package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh      | 5 +++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
index ef44baa418..a46ecc1d0d 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
@@ -961,6 +961,10 @@
 			"description": "Require MFP for all associations using SAE",
 			"type": "boolean"
 		},
+		"sae_track_password": {
+			"description": "Tracking of SAE password use",
+			"type": "number"
+		},
 		"server:host": {
 			"type": "string"
 		},
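Review bot: The new `sae_track_password` schema entry gives neither the meaning of the number nor a range, so a reader cannot tell from the schema whether it is a flag or a count, and a negative or fractional value would pass as a `number`. The description should spell out what the value controls and name its default, for example `"description": "Tracking of SAE password use (<meaning of the value, per hostapd.conf>)"`, and if the schema validator supports bounds, add `"minimum": 0`. The same value is written verbatim into the hostapd configuration by the `append bss_conf "sae_track_password=$sae_track_password" "$N"` line in hostapd.sh, where `config_add_int` declares it only as an integer. Because the option changes how SAE passwords are matched to stations, the accepted range is worth fixing in one place rather than leaving it to hostapd's config parser.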
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index 1c9d7ede42..82ea4ba226 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -170,7 +170,7 @@ function iface_auth_type(config) {
 	}
 
 	append_vars(config, [
-		'sae_require_mfp', 'sae_pwe', 'time_advertisement', 'time_zone',
+		'sae_require_mfp', 'sae_pwe', 'sae_track_password', 'time_advertisement', 'time_zone',
 		'wpa_group_rekey', 'wpa_ptk_rekey', 'wpa_gmk_rekey', 'wpa_strict_rekey',
 		'macaddr_acl', 'wpa_psk_radius', 'wpa_psk', 'wpa_passphrase', 'wpa_psk_file',
 		'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index 622f8d5bca..13d96fe2cb 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -360,7 +360,7 @@ hostapd_common_add_bss_config() {
 	config_add_array supported_rates
 
 	config_add_boolean sae_require_mfp
-	config_add_int sae_pwe
+	config_add_int sae_pwe sae_track_password
 
 	config_add_string 'owe_transition_bssid:macaddr' 'owe_transition_ssid:string'
 	config_add_string owe_transition_ifname
@@ -549,7 +549,7 @@ hostapd_set_bss_options() {
 		macfilter ssid utf8_ssid uapsd hidden short_preamble rsn_preauth \
 		iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
 		acct_secret acct_port acct_interval \
-		bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \
+		bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe sae_track_password \
 		multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
 		ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
 		multicast_to_unicast_all proxy_arp per_sta_vif na_mcast_to_ucast \
@@ -645,6 +645,7 @@ hostapd_set_bss_options() {
 	esac
 	[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
 	[ -n "$sae_pwe" ] && append bss_conf "sae_pwe=$sae_pwe" "$N"
+	[ -n "$sae_track_password" ] && append bss_conf "sae_track_password=$sae_track_password" "$N"
 
 	local vlan_possible=""
 



