From a453e92ae2f17bfa07cb6b7278f50767a59ad367 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 27 Aug 2025 11:40:42 +0300
Subject: [PATCH] SAE: Allow use of wpa_passphrase to be disabled for SAE

hostapd used to allow the configured wpa_passphrase value to be used for either WPA2-Personal or WPA3-Personal (SAE). This was allowed in all cases for SAE other than when there was a matching sae_password entry for the STA. Add a new configuration option, sae_password_psk=1, to allow use of wpa_passphrase for SAE to be disabled. This leaves wpa_passphrase to be used only for WPA2-Personal cases while WPA3-Personal will use only the SAE-specific password configuration options.

Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 2 ++
 hostapd/hostapd.conf | 5 +++++
 src/ap/ap_config.h | 1 +
 src/ap/ieee802_11.c | 2 +-
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index e37579efc..c5b839cc7 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -4369,6 +4369,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 line);
 return 1;
 }
+ } else if (os_strcmp(buf, "sae_password_psk") == 0) {
+ bss->sae_password_psk = atoi(pos);
 } else if (os_strcmp(buf, "sae_track_password") == 0) {
 bss->sae_track_password = atoi(pos);
 #endif /* CONFIG_SAE */
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 338a16c82..ffe6b5a6e 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -2134,6 +2134,11 @@ own_ip_addr=127.0.0.1
 # contains and entry in the same format as sae_password uses.
 #sae_password_file=/tc/hostapd.sae_passwords
+# Whether to use wpa_passphrase as an SAE password
+# 0 = enabled if no matching sae_password is set (default)
+# 1 = disabled in all cases
+#sae_password_psk=0
+
 # Tracking of SAE password use
 # While SAE design does not allow the AP to determine the used password robustly
 # if multiple password are configured without use of password identifiers, a 
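Review bot: The new `sae_password_psk` branch in hostapd/config_file.c stores `atoi(pos)` unchecked, and because 0 is the permissive value, a mistyped setting such as `sae_password_psk=yes` parses as 0 and silently leaves wpa_passphrase usable for SAE. For an option whose purpose is to switch that fallback off, the parser should accept only 0 or 1 and fail the configuration load otherwise, in the style of the `return 1` path visible just above this branch. The adjacent `sae_track_password` line uses the same unchecked pattern, and hostapd_config_fill itself starts and ends outside the hunk.

```c
	} else if (os_strcmp(buf, "sae_password_psk") == 0) {
		char *end;
		long val = strtol(pos, &end, 10);

		/* Fail closed: a typo must not silently keep the fallback on */
		if (end == pos || *end != '\0' || (val != 0 && val != 1)) {
			wpa_printf(MSG_ERROR,
				   "Line %d: invalid sae_password_psk value '%s'",
				   line, pos);
			return 1;
		}
		bss->sae_password_psk = (int) val;
	/* ... unchanged: sae_track_password branch ... */
```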
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index af0d785be..f38676ad8 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -660,6 +660,7 @@ struct hostapd_bss_config {
 enum sae_pwe sae_pwe;
 int *sae_groups;
 struct sae_password_entry *sae_passwords;
+ int sae_password_psk;
 int sae_track_password;
 char *wowlan_triggers; /* Wake-on-WLAN triggers */
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index f157c9492..38b8d4101 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -720,7 +720,7 @@ const char * sae_get_password(struct hostapd_data *hapd,
 pk = pw->pk;
 break;
 }
- if (!password && !rx_id) {
+ if (!password && !rx_id && !hapd->conf->sae_password_psk) {
 password = hapd->conf->ssid.wpa_passphrase;
 pt = hapd->conf->ssid.pt;
 }
-- 
2.47.3
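Review bot: The new field `int sae_password_psk;` in struct hostapd_bss_config carries no comment, and its name can be read as if 1 turned the passphrase fallback on, whereas the hostapd.conf text in this patch documents 1 as "disabled in all cases". A trailing comment would keep later readers from inverting the check, for example `int sae_password_psk; /* 1 = never use wpa_passphrase as an SAE password */`. The struct begins and ends outside the hunk.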
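Review bot: The added `!hapd->conf->sae_password_psk` term in sae_get_password() is the only place in this patch that gates the fallback, so the commit message's statement that WPA3-Personal will use only the SAE-specific options holds only if this function is the sole path that hands `ssid.wpa_passphrase` (or the `ssid.pt` assigned next to it) to SAE; that cannot be confirmed from this hunk and is worth checking. With the option set and no matching sae_password entry, `password` is not assigned here, so SAE attempts would presumably all fail; a configuration-time check that refuses SAE key management with sae_password_psk=1 and no SAE password source would surface that at startup instead of at authentication time. A short comment above the condition would also help, e.g. `/* wpa_passphrase fallback: no sae_password matched, no password identifier, and not disabled by sae_password_psk */`. The function body extends beyond the hunk on both sides.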