Mesh with multiple passwords

Peter Astrand astrand at lysator.liu.se
Fri Jan 22 09:56:26 EST 2021 

I have now managed to implement this, as well as make H2E work. A patch 
set of 6 patches follows. To be honest, I have only tested these in the 
mesh case. Also, I'm a bit unsure of what is actually correct behaviour 
wrt the SAE state machine etc: With multiple password IDs, a negotiation 
needs to take place. Currently, I only have access to the 2016 version of 
the 802.11 standard; not the recent REVmd versions which adds support for 
password identifiers. I was also a bit surprised to learn that there are 
quite a few special cases wrt Mesh and SAE.

Grateful for any feedback. 

Br,
Peter Åstrand

On Fri, 15 Jan 2021, Peter Astrand wrote:

> 
> Hi. I'm building a 802.11s solution where it is not acceptable to use a single
> SAE password on all mesh nodes. To handle this, my idea is to use SAE Password
> Identifiers and extend wpa_supplicant to support multiple sae_password:s,
> using the same syntax as for hostapd. Then, use a node unique password. During
> this development, I noticed this commit:
> 
> commit 6a673d0fb05557d149e4ff50430991979e476f2a
> Author: Jouni Malinen <jouni at codeaurora.org>
> Date:   Tue Jan 21 12:57:07 2020 +0200
> 
>     tests: Remove mesh SAE Password Identifier test cases for now
> 
>     IEEE P802.11-REVmd was modified to require H2E to be used whenever
>     Password Identifier is used with SAE. Since wpa_supplicant and mac80211
>     do not yet support SAE H2E in mesh, Password Identifier cannot be used
>     in mesh cases. Remove the test cases that verified this behavior for now
>     to allow H2E to be required per updated REVmd definition. These test
>     cases will be restored once H2E is fully functionality in mesh cases.
> 
> Any updates on this; when can one expect that wpa_supplicant and mac80211
> supports SAE H2E in mesh? I have confirmed that it does not work with latest
> wpa_supplicant master on Linux 5.4, but perhaps it will if
> https://patchwork.kernel.org/project/linux-wireless/patch/20200731183830.18735-1-jouni@codeaurora.org/
> is applied?
> 
> Otherwise, I need to find some other solution. EAP-PWD looks interesting, but
> as I understand it, SAE is the only option for Mesh right now.
> 
> 
> Best regards,
> Peter Åstrand
>

More information about the Hostap mailing list