SAE passwords from a separate file
authorShiva Sankar Gajula <quic_sgajula@quicinc.com>
Wed, 29 Nov 2023 09:26:27 +0000 (14:56 +0530)
committerJouni Malinen <j@w1.fi>
Thu, 21 Dec 2023 18:07:17 +0000 (20:07 +0200)
Add a new hostapd configuration parameter sae_password_file to read SAE
passwords (i.e., the entries that use the previously added sae_password
parameter) from a separate file.

sae_password_file uses the following format for storing passphrases:

<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>]
[|pk=<m:ECPrivateKey-base64>][|id=<identifier>]

Examples:

<password>
<password>|id=<pw identifier>
<password>|mac=02:03:04:05:06:01|vlanid=1
<password>|vlanid=3|id=<pw identifier>

Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
hostapd/config_file.c
hostapd/hostapd.conf

index 1a49292b117288896ee41bd2be81a3cca77f4ce5..1127d74f0c5eeb0d6416326455f9881735931b73 100644 (file)
@@ -2159,6 +2159,7 @@ static int add_airtime_weight(struct hostapd_bss_config *bss, char *value)
 
 
 #ifdef CONFIG_SAE
+
 static int parse_sae_password(struct hostapd_bss_config *bss, const char *val)
 {
        struct sae_password_entry *pw;
@@ -2262,6 +2263,38 @@ fail:
        os_free(pw);
        return -1;
 }
+
+
+static int parse_sae_password_file(struct hostapd_bss_config *bss,
+                                  const char *fname)
+{
+       FILE *f;
+       char buf[500], *pos;
+       unsigned int line = 0;
+
+       f = fopen(fname, "r");
+       if (!f) {
+               wpa_printf(MSG_ERROR, "sae_password_file '%s' not found.",
+                          fname);
+               return -1;
+       }
+
+       while (fgets(buf, sizeof(buf), f)) {
+               pos = os_strchr(buf, '\n');
+               if (pos)
+                       *pos = '\0';
+               line++;
+               if (parse_sae_password(bss, buf)) {
+                       wpa_printf(MSG_ERROR,
+                                  "Invalid SAE password at line %d in '%s'",
+                                  line, fname);
+                       return -1;
+               }
+       }
+
+       return 0;
+}
+
 #endif /* CONFIG_SAE */
 
 
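Review bot: The stream opened by `f = fopen(fname, "r")` in parse_sae_password_file is never closed: both the `return -1` after a failed parse_sae_password() and the final `return 0` leave the FILE open, so every configuration load with sae_password_file leaks a descriptor. Route both exits through a single fclose(f), and while touching the error message note that `line` is `unsigned int` but is printed with `%d`, so the specifier should be `%u`. fgets() with the 500-byte buffer also splits an over-long line into several silently parsed fragments; whether parse_sae_password() would reject such a fragment cannot be seen from this hunk, so a guard such as `if (!pos && !feof(f))` treating a truncated line as an error may be worth adding.
```c
	int ret = 0;
	/* … unchanged: declarations, fopen() and its error path … */
	while (fgets(buf, sizeof(buf), f)) {
		/* … unchanged: strip newline, line++ … */
		if (parse_sae_password(bss, buf)) {
			wpa_printf(MSG_ERROR,
				   "Invalid SAE password at line %u in '%s'",
				   line, fname);
			ret = -1;
			break;
		}
	}

	fclose(f);
	return ret;
```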
@@ -4300,6 +4333,13 @@ static int hostapd_config_fill(struct hostapd_config *conf,
                                   line);
                        return 1;
                }
+       } else if (os_strcmp(buf, "sae_password_file") == 0) {
+               if (parse_sae_password_file(bss, pos) < 0) {
+                       wpa_printf(MSG_ERROR,
+                                  "Line %d: Invalid sae_password in file",
+                                  line);
+                       return 1;
+               }
 #endif /* CONFIG_SAE */
        } else if (os_strcmp(buf, "vendor_elements") == 0) {
                if (parse_wpabuf_hex(line, buf, &bss->vendor_elements, pos))
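Review bot: The message logged in the new `sae_password_file` branch, `"Line %d: Invalid sae_password in file"`, repeats what parse_sae_password_file() already reported but omits the one piece of context this level has, the file name, so a reader of the log cannot tell which file the config line pointed at when fopen() failed. Consider `"Line %d: Invalid sae_password_file '%s'", line, pos` so the two messages together identify both the configuration line and the file. hostapd_config_fill starts and ends outside the hunk.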
index 99da3db3f7d7595da0898f166e0693782aa8f314..8f6165a0bd0e21e9a1c807bfe648b0d2a7af47f4 100644 (file)
@@ -2041,6 +2041,10 @@ own_ip_addr=127.0.0.1
 #sae_password=really secret|mac=ff:ff:ff:ff:ff:ff
 #sae_password=example secret|mac=02:03:04:05:06:07|id=pw identifier
 #sae_password=example secret|vlanid=3|id=pw identifier
+#
+# SAE passwords can also be read from a separate file in which each line
+# contains and entry in the same format as sae_password uses.
+#sae_password_file=/tc/hostapd.sae_passwords
 
 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
 # This parameter defines how many open SAE instances can be in progress at the