author: Leon M. Busch-George <leon@georgemail.eu> 2022-11-23 17:40:08 +0100
committer: Christian Marangi <ansuelsmth@gmail.com> 2023-02-19 19:43:57 +0100
commit: ae751535de0cb46978bfcbacab882dd1082e59e3
tree: c3e725ba6019f92c6288e71db9ffddf736a8681e /package/network/services
parent: 3c10c42ddd4741615b896e1d429ac7d6e91a980f
hostapd: always use sae_password for mesh/SAE auth

This patch fixes a corner case when using passwords that are exactly 64 characters in length with mesh mode or passwords longer than 63 characters with SAE because 'psk' is used instead of 'sae_password'.

SAE is obligatory for 802.11s (mesh point).

The 'psk' option for hostapd is suited for WPA2 and enforces length restrictions on passwords. Values of 64 characters are treated as PMKs. With SAE, PMKs are always generated during the handshake and there are no length restrictions. The 'sae_password' option is more suited for SAE and should be used instead.

Before this patch, the 'sae_password' option is only used with mesh mode passwords that are not 64 characters long. As a consequence:
- mesh passwords can't be 64 characters in length
- SAE only works with passwords with lengths >8 and <=63 (due to psk limitation).

Fix this by always using 'sae_password' with SAE/mesh and applying the PMK differentiation only when PSK is used.

Fixes: #11324
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
[ improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>

Diffstat (limited to 'package/network/services')
-rw-r--r-- package/network/services/hostapd/files/hostapd.sh 8
1 files changed, 4 insertions, 4 deletions
diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 70ad187a81..8c233a4e60 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -1372,11 +1372,11 @@ wpa_supplicant_add_network() {
key_mgmt="$wpa_key_mgmt"
- if [ ${#key} -eq 64 ]; then
- passphrase="psk=${key}"
+ if [ "$_w_mode" = "mesh" ] || [ "$auth_type" = "sae" ]; then
+ passphrase="sae_password=\"${key}\""
else
- if [ "$_w_mode" = "mesh" ]; then
- passphrase="sae_password=\"${key}\""
+ if [ ${#key} -eq 64 ]; then
+ passphrase="psk=${key}"
else
passphrase="psk=\"${key}\""
fi
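
Review bot: the new first branch writes `sae_password=\"${key}\"` with the key interpolated as-is, and this path now accepts keys of any length, so it is worth confirming that the caller rejects keys containing a newline or other characters the generated config line cannot carry; nothing in the visible lines checks this. The condition also matches only the exact value `"sae"` for `$auth_type`, so any other auth type that negotiates SAE would still fall through to the `psk` branches and keep the 63-character limit; please confirm that is intended and say so in a comment. In the `psk` branch, `[ ${#key} -eq 64 ]` still treats any 64-character key as a PMK without checking that it is hex. Style: the `else` followed directly by `if` could be an `elif`, which would remove one nesting level.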