Currently only for AP mode.
Signed-off-by: Peter Astrand <peter.astrand@xxxxxxxxxxxx>
---
wpa_supplicant/ap.c | 4 ++++
wpa_supplicant/config.c | 19 +++++++++++++++++
wpa_supplicant/config.h | 6 ++++++
wpa_supplicant/wpa_supplicant.conf | 33 ++++++++++++++++++++++++++++++
4 files changed, 62 insertions(+)
diff --git a/wpa_supplicant/ap.c b/wpa_supplicant/ap.c
index ac88a7dc9..e0185ac2d 100644
--- a/wpa_supplicant/ap.c
+++ b/wpa_supplicant/ap.c
@@ -475,6 +475,10 @@ static int wpa_supplicant_conf_ap(struct wpa_supplicant *wpa_s,
#endif /* CONFIG_WEP */
}
#ifdef CONFIG_SAE
+
+ /* Add all global SAE passwords */
+ bss->sae_passwords = wpa_s->conf->sae_passwords;
+
if (ssid->sae_password) {
struct sae_password_entry *pw;
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 0aa92a28c..b125acce2 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -19,6 +19,7 @@
#include "p2p/p2p.h"
#include "fst/fst.h"
#include "config.h"
+#include "ap/ap_config.h"
#if !defined(CONFIG_CTRL_IFACE) && defined(CONFIG_NO_CONFIG_WRITE)
@@ -4849,6 +4850,20 @@ static int wpa_config_process_sae_groups(
}
+#ifdef CONFIG_SAE
+static int wpa_config_process_sae_password(
+ const struct global_parse_data *data,
+ struct wpa_config *config, int line, const char *pos)
+{
+ if (hostapd_parse_sae_password(&config->sae_passwords, false, pos) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+#endif /* CONFIG_SAE */
+
+
static int wpa_config_process_ap_vendor_elements(
const struct global_parse_data *data,
struct wpa_config *config, int line, const char *pos)
@@ -4965,6 +4980,7 @@ static int wpa_config_get_ipv4(const char *name, struct wpa_config *config,
#define FUNC(f) #f, wpa_config_process_ ## f, NULL, OFFSET(f), NULL, NULL
#define FUNC_NO_VAR(f) #f, wpa_config_process_ ## f, NULL, NULL, NULL, NULL
+#define FUNC_NAMED_VAR(f, v) #f, wpa_config_process_ ## f, NULL, OFFSET(v), NULL, NULL
#define _INT(f) #f, wpa_global_config_parse_int, wpa_config_get_int, OFFSET(f)
#define INT(f) _INT(f), NULL, NULL
#define INT_RANGE(f, min, max) _INT(f), (void *) min, (void *) max
@@ -5098,6 +5114,9 @@ static const struct global_parse_data global_fields[] = {
{ FUNC(sae_groups), 0 },
{ INT_RANGE(sae_pwe, 0, 3), 0 },
{ INT_RANGE(sae_pmkid_in_assoc, 0, 1), 0 },
+#ifdef CONFIG_SAE
+ { FUNC_NAMED_VAR(sae_password, sae_passwords), 0 },
+#endif
{ INT(dtim_period), 0 },
{ INT(beacon_int), 0 },
{ FUNC(ap_vendor_elements), 0 },
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index d128cd9bf..8c776cf82 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -1200,6 +1200,12 @@ struct wpa_config {
*/
int sae_pwe;
+
+ /**
+ * sae_password entries - added to a list of available passwords
+ */
+ struct sae_password_entry *sae_passwords;
+
/**
* sae_pmkid_in_assoc - Whether to include PMKID in SAE Assoc Req
*/
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 46f78755d..46a49cbce 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -409,6 +409,39 @@ fast_reauth=1
# RSN.
#pmf=0
+# SAE password
+# This parameter can be used to set passwords for SAE, in addition to
+# a sae_password in a network block.
+#
+# Each sae_password entry is added to a list of available passwords. This
+# corresponds to the dot11RSNAConfigPasswordValueEntry. sae_password value
+# starts with the password (dot11RSNAConfigPasswordCredential). That value can
+# be followed by optional peer MAC address (dot11RSNAConfigPasswordPeerMac) and
+# by optional password identifier (dot11RSNAConfigPasswordIdentifier). In
+# addition, an optional VLAN ID specification can be used to bind the station
+# to the specified VLAN whenever the specific SAE password entry is used.
+#
+# If the peer MAC address is not included or is set to the wildcard address
+# (ff:ff:ff:ff:ff:ff), the entry is available for any station to use. If a
+# specific peer MAC address is included, only a station with that MAC address
+# is allowed to use the entry.
+#
+# If the password identifier (with non-zero length) is included, the entry is
+# limited to be used only with that specified identifier.
+
+# The last matching (based on peer MAC address and identifier) entry is used to
+# select which password to use. Setting sae_password to an empty string has a
+# special meaning of removing all previously added entries.
+#
+# sae_password uses the following encoding:
+#<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>]
+#[|pk=<m:ECPrivateKey-base64>][|id=<identifier>]
+# Examples:
+#sae_password=secret
+#sae_password=really secret|mac=ff:ff:ff:ff:ff:ff
+#sae_password=example secret|mac=02:03:04:05:06:07|id=pw identifier
+#sae_password=example secret|vlanid=3|id=pw identifier
+
# Enabled SAE finite cyclic groups in preference order
# By default (if this parameter is not set), the mandatory group 19 (ECC group
# defined over a 256-bit prime order field, NIST P-256) is preferred and groups
--
2.17.1
Br,
Peter Åstrand
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap