From 8e457b69a22d1334a51dccda9471cbc2e333b00d Mon Sep 17 00:00:00 2001 From: Rany Hany Date: Thu, 30 Oct 2025 12:43:14 +0000 Subject: [PATCH] wifi-scripts: add sae_track_password option This is useful if multiple passwords were specified without the use of a SAE password identifier. This is the only way to get multiple passwords for a single peer to work without resorting to password identifiers. Unfortunately, support for password identifiers is non-existent on Android and macOS; and possibly others. So this is the only option in that case. As an alternative, one could also continue to use WPA2-PSK instead as that could easily resort to a bruteforce approach without any complications. Signed-off-by: Rany Hany Link: https://github.com/openwrt/openwrt/pull/20597 Signed-off-by: Robert Marko --- .../files-ucode/usr/share/schema/wireless.wifi-iface.json | 4 ++++ .../wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc | 2 +- .../network/config/wifi-scripts/files/lib/netifd/hostapd.sh | 5 +++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json index ef44baa418..a46ecc1d0d 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json +++ b/package/network/config/wifi-scripts/files-ucode/usr/share/schema/wireless.wifi-iface.json @@ -961,6 +961,10 @@ "description": "Require MFP for all associations using SAE", "type": "boolean" }, + "sae_track_password": { + "description": "Tracking of SAE password use", + "type": "number" + }, "server:host": { "type": "string" }, diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc index 1c9d7ede42..82ea4ba226 100644 --- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc 
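Review bot: The new `sae_track_password` schema entry accepts any `number`, and its description, "Tracking of SAE password use", does not say what the value denotes, so a user cannot tell from the schema whether it is a switch, a count or a limit. hostapd.sh in this same patch declares the option with `config_add_int`, so the two front ends may disagree on fractional or negative input. I would extend the description to state the meaning and default as hostapd defines them, and to say that the option only matters when several SAE passwords are configured without password identifiers, as the commit message explains. If the schema validator honours range keywords (not visible here), adding `"minimum": 0` would also keep negative values out of the generated hostapd config.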
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc @@ -170,7 +170,7 @@ function iface_auth_type(config) { } append_vars(config, [ - 'sae_require_mfp', 'sae_pwe', 'time_advertisement', 'time_zone', + 'sae_require_mfp', 'sae_pwe', 'sae_track_password', 'time_advertisement', 'time_zone', 'wpa_group_rekey', 'wpa_ptk_rekey', 'wpa_gmk_rekey', 'wpa_strict_rekey', 'macaddr_acl', 'wpa_psk_radius', 'wpa_psk', 'wpa_passphrase', 'wpa_psk_file', 'eapol_version', 'dynamic_vlan', 'radius_request_cui', 'eap_reauth_period', diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh index 622f8d5bca..13d96fe2cb 100644 --- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh +++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh @@ -360,7 +360,7 @@ hostapd_common_add_bss_config() { config_add_array supported_rates config_add_boolean sae_require_mfp - config_add_int sae_pwe + config_add_int sae_pwe sae_track_password config_add_string 'owe_transition_bssid:macaddr' 'owe_transition_ssid:string' config_add_string owe_transition_ifname @@ -549,7 +549,7 @@ hostapd_set_bss_options() { macfilter ssid utf8_ssid uapsd hidden short_preamble rsn_preauth \ iapp_interface eapol_version dynamic_vlan ieee80211w nasid \ acct_secret acct_port acct_interval \ - bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \ + bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe sae_track_password \ multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \ ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \ multicast_to_unicast_all proxy_arp per_sta_vif na_mcast_to_ucast \ 
@@ -645,6 +645,7 @@ hostapd_set_bss_options() { esac [ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N" [ -n "$sae_pwe" ] && append bss_conf "sae_pwe=$sae_pwe" "$N" + [ -n "$sae_track_password" ] && append bss_conf "sae_track_password=$sae_track_password" "$N" local vlan_possible="" -- 2.30.2
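Review bot: The added `[ -n "$sae_track_password" ] && append bss_conf "sae_track_password=$sae_track_password" "$N"` line writes the key for every BSS on which the option is set, and nothing visible in the hunk ties it to an SAE auth type or to a hostapd build that knows the key. hostapd_set_bss_options starts and ends outside the hunk, so a guard may exist elsewhere, but the neighbouring `sae_require_mfp` and `sae_pwe` lines are written the same unguarded way. As far as I know hostapd refuses a configuration containing an item it does not recognise, so a leftover option on an older build could keep the BSS from starting. A short comment above the line would help, e.g. `# needs a hostapd build with sae_track_password support; only meaningful with multiple SAE passwords and no password identifiers`.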