
[3/6] wpa_supplicant: Added support for multiple global sae_passwords

Message ID 11e347ec-7b47-e139-4ddf-97c77def21a@lysator.liu.se
State Changes Requested
Series [1/6] mesh: Set BSS sae_pwe from config | expand

Commit Message

Peter Åstrand Jan. 22, 2021, 2:58 p.m. UTC
Currently only for AP mode.

Signed-off-by: Peter Astrand <peter.astrand@etteplan.com>
---
 wpa_supplicant/ap.c                |  4 ++++
 wpa_supplicant/config.c            | 19 +++++++++++++++++
 wpa_supplicant/config.h            |  6 ++++++
 wpa_supplicant/wpa_supplicant.conf | 33 ++++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+)

Comments

Jouni Malinen Feb. 6, 2021, 10:53 a.m. UTC | #1
On Fri, Jan 22, 2021 at 03:58:20PM +0100, Peter Åstrand wrote:
> diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
> @@ -1200,6 +1200,12 @@ struct wpa_config {
> +	/**
> +	 * sae_password entries - added to a list of available passwords
> +	 */
> +	struct sae_password_entry *sae_passwords;

This is not the proper place for configuring SAE passwords in
wpa_supplicant. These would apply to all network blocks while the
configuration should be specific to a single network block just like the
existing sae_password parameter.

> diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
> @@ -409,6 +409,39 @@ fast_reauth=1
> +# SAE password
> +# This parameter can be used to set passwords for SAE, in addition to
> +# a sae_password in a network block.

I don't think this would be acceptable as a global parameter.

Patch

diff --git a/wpa_supplicant/ap.c b/wpa_supplicant/ap.c
index ac88a7dc9..e0185ac2d 100644
--- a/wpa_supplicant/ap.c
+++ b/wpa_supplicant/ap.c
@@ -475,6 +475,10 @@  static int wpa_supplicant_conf_ap(struct wpa_supplicant *wpa_s,
 #endif /* CONFIG_WEP */
 	}
 #ifdef CONFIG_SAE
+
+	/* Add all global SAE passwords */
+	bss->sae_passwords = wpa_s->conf->sae_passwords;
+
 	if (ssid->sae_password) {
 		struct sae_password_entry *pw;
 
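Review bot: The new line `bss->sae_passwords = wpa_s->conf->sae_passwords;` makes the per-BSS configuration alias the list owned by wpa_s->conf instead of copying it, so two structures now own the same entries. If the network block's sae_password is prepended to that same list just below and the BSS configuration is released on AP stop (hostapd's hostapd_config_free_bss frees the sae_passwords list it holds), the global entries are freed behind wpa_s->conf's back and are dangling on the next AP start or freed a second time in wpa_config_free; this is inferred from hostapd's normal teardown and should be confirmed against the free path. The safer shape is to duplicate each global entry into the BSS list (fresh allocation plus os_strdup of its string members), or to keep the global list in a separate non-owning pointer that the BSS free path skips. wpa_supplicant_conf_ap starts before and continues after this hunk.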
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 0aa92a28c..b125acce2 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -19,6 +19,7 @@ 
 #include "p2p/p2p.h"
 #include "fst/fst.h"
 #include "config.h"
+#include "ap/ap_config.h"
 
 
 #if !defined(CONFIG_CTRL_IFACE) && defined(CONFIG_NO_CONFIG_WRITE)
@@ -4849,6 +4850,20 @@  static int wpa_config_process_sae_groups(
 }
 
 
+#ifdef CONFIG_SAE
+static int wpa_config_process_sae_password(
+	const struct global_parse_data *data,
+	struct wpa_config *config, int line, const char *pos)
+{
+	if (hostapd_parse_sae_password(&config->sae_passwords, false, pos) < 0) {
+		return -1;
+	}
+
+	return 0;
+}
+#endif /* CONFIG_SAE */
+
+
 static int wpa_config_process_ap_vendor_elements(
 	const struct global_parse_data *data,
 	struct wpa_config *config, int line, const char *pos)
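Review bot: wpa_config_process_sae_password is guarded by CONFIG_SAE but calls hostapd_parse_sae_password, which the new `#include "ap/ap_config.h"` in the previous hunk places in the AP code; if that function is only compiled when CONFIG_AP is set, a station-only build with CONFIG_SAE enabled and no CONFIG_AP will fail to link, so the guard here and on the global_fields entry below should be `#if defined(CONFIG_SAE) && defined(CONFIG_AP)`, or the parser should live where both builds compile it. The `line` parameter is unused, so a malformed entry is rejected without any diagnostic; `wpa_printf(MSG_ERROR, "Line %d: Invalid sae_password '%s'", line, pos);` before `return -1;` would follow the `Line %d:` style used by the other parsers in config.c. The braced single-statement body can also collapse to `return hostapd_parse_sae_password(&config->sae_passwords, false, pos) < 0 ? -1 : 0;`.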
@@ -4965,6 +4980,7 @@  static int wpa_config_get_ipv4(const char *name, struct wpa_config *config,
 
 #define FUNC(f) #f, wpa_config_process_ ## f, NULL, OFFSET(f), NULL, NULL
 #define FUNC_NO_VAR(f) #f, wpa_config_process_ ## f, NULL, NULL, NULL, NULL
+#define FUNC_NAMED_VAR(f, v) #f, wpa_config_process_ ## f, NULL, OFFSET(v), NULL, NULL
 #define _INT(f) #f, wpa_global_config_parse_int, wpa_config_get_int, OFFSET(f)
 #define INT(f) _INT(f), NULL, NULL
 #define INT_RANGE(f, min, max) _INT(f), (void *) min, (void *) max
@@ -5098,6 +5114,9 @@  static const struct global_parse_data global_fields[] = {
 	{ FUNC(sae_groups), 0 },
 	{ INT_RANGE(sae_pwe, 0, 3), 0 },
 	{ INT_RANGE(sae_pmkid_in_assoc, 0, 1), 0 },
+#ifdef CONFIG_SAE
+	{ FUNC_NAMED_VAR(sae_password, sae_passwords), 0 },
+#endif
 	{ INT(dtim_period), 0 },
 	{ INT(beacon_int), 0 },
 	{ FUNC(ap_vendor_elements), 0 },
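Review bot: The new global_fields entry registers a parser but no writer (the writer slot of FUNC_NAMED_VAR is NULL) and config_file.c is not in the diffstat, so a configuration saved via update_config=1 or SAVE_CONFIG will silently drop every global sae_password line. The list also appears never to be released: the 19 insertions in config.c are all visible in this patch and none touch wpa_config_free, so the entries allocated by hostapd_parse_sae_password leak on shutdown and on configuration reload. Either add the write-out in wpa_config_write_global and a free of config->sae_passwords in wpa_config_free, or document the parameter as not persisted. The `#ifdef CONFIG_SAE` around this entry should use the same condition as the parser it references.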
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index d128cd9bf..8c776cf82 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -1200,6 +1200,12 @@  struct wpa_config {
 	 */
 	int sae_pwe;
 
+
+	/**
+	 * sae_password entries - added to a list of available passwords
+	 */
+	struct sae_password_entry *sae_passwords;
+
 	/**
 	 * sae_pmkid_in_assoc - Whether to include PMKID in SAE Assoc Req
 	 */
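Review bot: The doc comment on the new member does not follow the `field - Description` form of the neighbouring entries (`sae_pwe`, `sae_pmkid_in_assoc`) and says nothing about scope or ownership, which is what a reader of struct wpa_config needs for a pointer to a linked list. Suggest `* sae_passwords - Global SAE password entries (AP mode only)` followed by a line stating that the list is allocated by the configuration parser, owned by struct wpa_config and released in wpa_config_free, and that it applies to every network block rather than a single one. The added `+` blank line directly after the existing blank line following `int sae_pwe;` leaves two blank lines between members where the rest of the struct uses one.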
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 46f78755d..46a49cbce 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -409,6 +409,39 @@  fast_reauth=1
 # RSN.
 #pmf=0
 
+# SAE password
+# This parameter can be used to set passwords for SAE, in addition to
+# a sae_password in a network block.
+#
+# Each sae_password entry is added to a list of available passwords. This
+# corresponds to the dot11RSNAConfigPasswordValueEntry. sae_password value
+# starts with the password (dot11RSNAConfigPasswordCredential). That value can
+# be followed by optional peer MAC address (dot11RSNAConfigPasswordPeerMac) and
+# by optional password identifier (dot11RSNAConfigPasswordIdentifier). In
+# addition, an optional VLAN ID specification can be used to bind the station
+# to the specified VLAN whenever the specific SAE password entry is used.
+#
+# If the peer MAC address is not included or is set to the wildcard address
+# (ff:ff:ff:ff:ff:ff), the entry is available for any station to use. If a
+# specific peer MAC address is included, only a station with that MAC address
+# is allowed to use the entry.
+#
+# If the password identifier (with non-zero length) is included, the entry is
+# limited to be used only with that specified identifier.
+
+# The last matching (based on peer MAC address and identifier) entry is used to
+# select which password to use. Setting sae_password to an empty string has a
+# special meaning of removing all previously added entries.
+#
+# sae_password uses the following encoding:
+#<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>]
+#[|pk=<m:ECPrivateKey-base64>][|id=<identifier>]
+# Examples:
+#sae_password=secret
+#sae_password=really secret|mac=ff:ff:ff:ff:ff:ff
+#sae_password=example secret|mac=02:03:04:05:06:07|id=pw identifier
+#sae_password=example secret|vlanid=3|id=pw identifier
+
 # Enabled SAE finite cyclic groups in preference order
 # By default (if this parameter is not set), the mandatory group 19 (ECC group
 # defined over a 256-bit prime order field, NIST P-256) is preferred and groups