[RFC] [PATCHv7] Use radius supplied PSK / Passphrase for WPA-PSK

Jouni Malinen j
Tue Dec 6 03:14:11 PST 2011

On Tue, Dec 06, 2011 at 11:32:24AM +0100, michael-dev at fami-braun.de wrote:
> to the dictionary file and make sure that either Hostapd-Passphrase or Hostapd-PSK (the latter has higher priority) is in the radius reply.

I agree with Alan that this is not acceptable use of RADIUS to send keys
without any kind of protection.

> diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
> @@ -57,6 +57,8 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
> +	bss->wpa_psk_radius = 0;

This is not needed - the structure is memset to 0 anyway.

> diff --git a/src/radius/radius.c b/src/radius/radius.c
> +#include "ap/ap_config.h"

This is not acceptable. The RADIUS implementation needs to be able to
live without direct access to core AP structures. In this particular
case, this seems to be just for struct hostapd_ssid and that itself
could be replaced by just passing in the SSID and SSID length. However..

> +int radius_msg_get_psk(struct radius_msg *msg, u8* psk, struct hostapd_ssid *ssid)

> +		// Passphrase found
> +		pbkdf2_sha1(strkey, ssid->ssid, ssid->ssid_len, 4096, psk, PMK_LEN);

This does not really have anything to do with RADIUS, so it should not
be in src/radius/radius.c but somewhere in src/ap.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list