From: Leon M. Busch-George Date: Wed, 23 Nov 2022 16:40:08 +0000 (+0100) Subject: hostapd: always use sae_password for mesh/SAE auth X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=ae751535de0cb46978bfcbacab882dd1082e59e3;p=openwrt%2Fstaging%2Fjow.git hostapd: always use sae_password for mesh/SAE auth This patch fixes a corner case when using passwords that are exactly 64 characters in length with mesh mode or passwords longer than 63 characters with SAE because 'psk' is used instead of 'sae_password'. SAE is obligatory for 802.11s (mesh point). The 'psk' option for hostapd is suited for WPA2 and enforces length restrictions on passwords. Values of 64 characters are treated as PMKs. With SAE, PMKs are always generated during the handshake and there are no length restrictions. The 'sae_password' option is more suited for SAE and should be used instead. Before this patch, the 'sae_password' option is only used with mesh mode passwords that are not 64 characters long. As a consequence: - mesh passwords can't be 64 characters in length - SAE only works with passwords with lengths >8 and <=63 (due to psk limitation). Fix this by always using 'sae_password' with SAE/mesh and applying the PMK differentiation only when PSK is used. Fixes: #11324 Signed-off-by: Leon M. Busch-George [ improve commit description ] Signed-off-by: Christian Marangi --- diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index 70ad187a81..8c233a4e60 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -1372,11 +1372,11 @@ wpa_supplicant_add_network() { key_mgmt="$wpa_key_mgmt" - if [ ${#key} -eq 64 ]; then - passphrase="psk=${key}" + if [ "$_w_mode" = "mesh" ] || [ "$auth_type" = "sae" ]; then + passphrase="sae_password=\"${key}\"" else - if [ "$_w_mode" = "mesh" ]; then - passphrase="sae_password=\"${key}\"" + if [ ${#key} -eq 64 ]; then + passphrase="psk=${key}" else passphrase="psk=\"${key}\"" fi