wifi-scripts: add sae_track_password option
authorRany Hany <[email protected]>
Thu, 30 Oct 2025 12:43:14 +0000 (12:43 +0000)
committerRobert Marko <[email protected]>
Fri, 7 Nov 2025 20:17:04 +0000 (21:17 +0100)
This is useful if multiple passwords were specified without
the use of a SAE password identifier. This is the only
way to get multiple passwords for a single peer to work
without resorting to password identifiers.

Unfortunately, support for password identifiers is non-existent
on Android and macOS; and possibly others. So this is the only
option in that case.

As an alternative, one could continue to use WPA2-PSK instead,
since it can simply fall back to a brute-force approach without any
complications.

Signed-off-by: Rany Hany <[email protected]>
Link: https://github.com/openwrt/openwrt/pull/20597
Signed-off-by: Robert Marko <[email protected]>
package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json
package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh

index ef44baa4189139e338b6cf931780176c29a1086f..a46ecc1d0d8afe06ea72c5d4e4dc63573d0f1907 100644 (file)
                        "description": "Require MFP for all associations using SAE",
                        "type": "boolean"
                },
+               "sae_track_password": {
+                       "description": "Tracking of SAE password use",
+                       "type": "number"
+               },
                "server:host": {
                        "type": "string"
                },
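Review bot: The new `sae_track_password` entry is described only as "Tracking of SAE password use" and accepts any `number`, so the schema neither tells an administrator what the value means nor rejects a negative or fractional one. The same value is then forwarded unchecked by the `append_vars` list in ap.uc and by the `append bss_conf "sae_track_password=$sae_track_password"` line in hostapd.sh, so an out-of-range setting is only noticed, if at all, when hostapd parses its configuration. I would state the unit and the meaning of zero in the description, for example `"description": "Tracking of SAE password use (maximum number of tracked stations, 0 = disabled)"`, assuming that matches the definition in hostapd.conf, and add `"minimum": 0` if the schema validator honours that keyword. The hunk header for this file is not visible on the page, so I am assuming this is the interface property list.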
index 1c9d7ede423ef776864faa833168d651d73e8036..82ea4ba2264884b430dc494305a4662e7a0c7aa0 100644 (file)
@@ -170,7 +170,7 @@ function iface_auth_type(config) {
        }
 
        append_vars(config, [
-               'sae_require_mfp', 'sae_pwe', 'time_advertisement', 'time_zone',
+               'sae_require_mfp', 'sae_pwe', 'sae_track_password', 'time_advertisement', 'time_zone',
                'wpa_group_rekey', 'wpa_ptk_rekey', 'wpa_gmk_rekey', 'wpa_strict_rekey',
                'macaddr_acl', 'wpa_psk_radius', 'wpa_psk', 'wpa_passphrase', 'wpa_psk_file',
                'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period',
index 622f8d5bcab6f569697f21bc51385a77774523cd..13d96fe2cb4c2899ba2b0c1780589f2e28dda2f9 100644 (file)
@@ -360,7 +360,7 @@ hostapd_common_add_bss_config() {
        config_add_array supported_rates
 
        config_add_boolean sae_require_mfp
-       config_add_int sae_pwe
+       config_add_int sae_pwe sae_track_password
 
        config_add_string 'owe_transition_bssid:macaddr' 'owe_transition_ssid:string'
        config_add_string owe_transition_ifname
@@ -549,7 +549,7 @@ hostapd_set_bss_options() {
                macfilter ssid utf8_ssid uapsd hidden short_preamble rsn_preauth \
                iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
                acct_secret acct_port acct_interval \
-               bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \
+               bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe sae_track_password \
                multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
                ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
                multicast_to_unicast_all proxy_arp per_sta_vif na_mcast_to_ucast \
@@ -645,6 +645,7 @@ hostapd_set_bss_options() {
        esac
        [ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
        [ -n "$sae_pwe" ] && append bss_conf "sae_pwe=$sae_pwe" "$N"
+       [ -n "$sae_track_password" ] && append bss_conf "sae_track_password=$sae_track_password" "$N"
 
        local vlan_possible=""