From patchwork Fri Jan 7 20:19:36 2022
X-Patchwork-Submitter: Eneas U de Queiroz
X-Patchwork-Id: 1576890
X-Patchwork-Delegate: mail@david-bauer.net
From: Eneas U de Queiroz
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz
Subject: [PATCH] hostapd: fallback to psk when generating r0kh/r1kh
Date: Fri, 7 Jan 2022 17:19:36 -0300
Message-Id: <20220107201936.6704-1-cotequeiroz@gmail.com>
X-Mailer: git-send-email 2.34.1

The 80211r r0kh and r1kh defaults are generated from the md5sum of "$mobility_domain/$auth_secret". auth_secret is only set when using EAP authentication, but the default key is used for SAE/PSK as well. In this case, auth_secret is empty, and the default value of the key can be computed from the SSID alone.

Fall back to using $key when auth_secret is empty. While at it, rename the variable holding the generated key from 'key' to 'ft_key', to avoid clobbering the PSK.

Signed-off-by: Eneas U de Queiroz
---
This should be cherry-picked to 21.02 as well.

 package/network/services/hostapd/files/hostapd.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index d9d5f34877..e00fc21cd9 100644 --- a/package/network/services/hostapd/files/hostapd.sh 
+++ b/package/network/services/hostapd/files/hostapd.sh @@ -876,10 +876,10 @@ hostapd_set_bss_options() { set_default pmk_r1_push 0 [ -n "$r0kh" -a -n "$r1kh" ] || { - key=`echo -n "$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'` + ft_key=`echo -n "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'` - set_default r0kh "ff:ff:ff:ff:ff:ff,*,$key" - set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$key" + set_default r0kh "ff:ff:ff:ff:ff:ff,*,$ft_key" + set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key" } [ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N"
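
Review bot: In the `ft_key=` line, `${auth_secret:-${key}}` still expands to an empty string when neither `auth_secret` nor `key` is set, so the generated r0kh/r1kh default is again the md5sum of "$mobility_domain/" alone, which is the predictable value the commit message sets out to remove. Consider generating the defaults only when one of the two secrets is non-empty, for example by testing `[ -n "${auth_secret:-$key}" ]` before the assignment and logging a warning otherwise, so that a configuration without either secret does not silently get a guessable FT key. Two smaller points on the same line: with this change the r0kh/r1kh key is an unsalted MD5 of the mobility domain and the PSK, so it should be documented that the generated hostapd configuration needs the same protection as the PSK itself; and nothing in the hunk adds `ft_key` to a `local` declaration, so please check that the new variable does not leak into the caller's scope the way `key` was being overwritten before.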