RADIUS: Allow RADIUS server to provide PSK instead of passphrase

If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.

This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>

diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 492df6cc8fdcffecf9191cba35e144f0b9d2d6df..fcd97328734c8d646f99c8a384fed97be35260d8 100644 (file)
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -128,6 +128,7 @@ struct hostapd_vlan {
 };
 
 #define PMK_LEN 32
+#define MIN_PASSPHRASE_LEN 8
 #define MAX_PASSPHRASE_LEN 63
 struct hostapd_sta_wpa_psk_short {
        struct hostapd_sta_wpa_psk_short *next;

diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index 1ed8e7f471e55a4cf81cbbc7a53e6e604d859081..96091526b9d5c0d1ee46d13bb306e2e43be95e53 100644 (file)
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -449,20 +449,40 @@ static void decode_tunnel_passwords(struct hostapd_data *hapd,
                 */
                if (passphrase == NULL)
                        break;
+
+               /*
+                * Passphase should be 8..63 chars (to be hashed with SSID)
+                * or 64 chars hex string (no separate hashing with SSID).
+                */
+
+               if (passphraselen < MIN_PASSPHRASE_LEN ||
+                   passphraselen > MAX_PASSPHRASE_LEN + 1)
+                       continue;
+
                /*
                 * passphrase does not contain the NULL termination.
                 * Add it here as pbkdf2_sha1() requires it.
                 */
                psk = os_zalloc(sizeof(struct hostapd_sta_wpa_psk_short));
                if (psk) {
-                       if (passphraselen > MAX_PASSPHRASE_LEN)
-                               passphraselen = MAX_PASSPHRASE_LEN;
-                       os_memcpy(psk->passphrase, passphrase, passphraselen);
-                       psk->is_passphrase = 1;
+                       if ((passphraselen == MAX_PASSPHRASE_LEN + 1) &&
+                           (hexstr2bin(passphrase, psk->psk, PMK_LEN) < 0)) {
+                               hostapd_logger(hapd, cache->addr,
+                                              HOSTAPD_MODULE_RADIUS,
+                                              HOSTAPD_LEVEL_WARNING,
+                                              "invalid hex string (%d chars) in Tunnel-Password",
+                                              passphraselen);
+                               goto skip;
+                       } else if (passphraselen <= MAX_PASSPHRASE_LEN) {
+                               os_memcpy(psk->passphrase, passphrase,
+                                         passphraselen);
+                               psk->is_passphrase = 1;
+                       }
                        psk->next = cache->psk;
                        cache->psk = psk;
                        psk = NULL;
                }
+skip:
                os_free(psk);
                os_free(passphrase);
        }