Re: [PATCH 2/3] wifi-scripts: save wpa_psk_file on permanent storage by default

2024-03-04 Thread Eric via openwrt-devel
On Monday, March 4th, 2024 at 13:42, Christian Marangi  
wrote:

> Save wpa_psk_file on permanent storage by default. Currently it's always
> created in /var/run with the hostapd files.
> 
> Any user that would use this option would save this file on permanent
> storage to declare specific PSK per devices or for each VLAN.
> 
> The file is also used for WPS to store the per-device PSK and keeping it
> on /var/run on normal installation (excluding installation with
> permanent /var) would result in the wpa_psk_file getting wiped on
> reboot, losing all the per-device PSK saved by hostapd.
> 
> To fix this, move the wpa_psk_file to /etc/hostapd and set the default
> value for the wpa_psk_file option to point to this directory.
> 
> Signed-off-by: Christian Marangi ansuels...@gmail.com
> 
> ---
> package/network/config/wifi-scripts/Makefile | 2 +-
> .../config/wifi-scripts/files/lib/netifd/hostapd.sh | 9 -
> 2 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/package/network/config/wifi-scripts/Makefile 
> b/package/network/config/wifi-scripts/Makefile
> index 085860d7c6..539d9a03c3 100644
> --- a/package/network/config/wifi-scripts/Makefile
> +++ b/package/network/config/wifi-scripts/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
> 
> PKG_NAME:=wifi-scripts
> PKG_VERSION:=1.0
> -PKG_RELEASE:=1
> +PKG_RELEASE:=2
> PKG_LICENSE:=GPL-2.0
> 
> PKG_MAINTAINER:=Felix Fietkau n...@nbd.name
> 
> diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh 
> b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
> index a357418fe1..71be4db67d 100644
> --- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
> +++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
> @@ -687,7 +687,14 @@ hostapd_set_bss_options() {
> wireless_setup_vif_failed INVALID_WPA_PSK
> return 1
> fi
> - [ -z "$wpa_psk_file" ] && set_default wpa_psk_file 
> /var/run/hostapd-$ifname.psk
> + [ -z "$wpa_psk_file" ] && {
> + [ -d /etc/hostapd ] || {
> + mkdir /etc/hostapd
> + chown network:netwrok /etc/hostapd

Typo:  network:network

> + }
> + set_default wpa_psk_file /etc/hostapd/hostapd-$ifname.psk
> + ln -s /etc/hostapd/hostapd-$ifname.psk /var/run/hostapd-$ifname.psk
> + }
> [ -n "$wpa_psk_file" ] && {
> [ -e "$wpa_psk_file" ] || {
> touch "$wpa_psk_file"
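Review bot: `ln -s /etc/hostapd/hostapd-$ifname.psk /var/run/hostapd-$ifname.psk` runs every time this block does, so if the function runs again for the same ifname without /var/run having been cleared (a wifi reload, presumably), the link already exists and `ln -s` fails with "File exists"; `ln -sf` or a `[ -L /var/run/hostapd-$ifname.psk ] ||` guard avoids the spurious error. The directory created by `mkdir /etc/hostapd` takes its mode from the caller's umask although it is meant to hold per-device PSK material; creating it as `mkdir -m 0750 /etc/hostapd` (or whatever mode the rest of the hostapd tree expects) before the chown would be more defensive. Nothing in the hunk reads the legacy /var/run path, so a one-line comment above the `ln -s` naming the consumer that still relies on it would help the next maintainer. The same hunk appears again in the original posting of [PATCH 2/3] further down this page; hostapd_set_bss_options starts and ends outside the hunk.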
> --
> 2.43.0




[PATCH 3/3] hostapd: restore /etc/hostapd directory on sysupgrade

2024-03-04 Thread Christian Marangi
Restore /etc/hostapd directory on sysupgrade since it does contain
per-device PSK handled by hostapd for WPS usage.

Signed-off-by: Christian Marangi 
---
 package/network/services/hostapd/Makefile | 40 ---
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/package/network/services/hostapd/Makefile 
b/package/network/services/hostapd/Makefile
index c8f476f7b8..a1cd2416fb 100644
--- a/package/network/services/hostapd/Makefile
+++ b/package/network/services/hostapd/Makefile
@@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
@@ -679,23 +679,39 @@ define Install/hostapd/full
$(INSTALL_DATA) ./files/radius.users $(1)/etc/radius/users
 endef
 
+define Package/hostapd/conffiles
+/etc/hostapd
+endef
+
+Package/wpad-mesh-openssl/conffiles = $(Package/hostapd/conffiles)
+Package/wpad-mesh-wolfssl/conffiles = $(Package/hostapd/conffiles)
+Package/wpad-mesh-mbedtls/conffiles = $(Package/hostapd/conffiles)
+Package/wpad/conffiles = $(Package/hostapd/conffiles)
+Package/wpad-openssl/conffiles = $(Package/hostapd/conffiles)
+Package/wpad-wolfssl/conffiles = $(Package/hostapd/conffiles)
+Package/wpad-mbedtls/conffiles = $(Package/hostapd/conffiles)
+Package/hostapd-openssl/conffiles = $(Package/hostapd/conffiles)
+Package/hostapd-wolfssl/conffiles = $(Package/hostapd/conffiles)
+Package/hostapd-mbedtls/conffiles = $(Package/hostapd/conffiles)
+
 define Package/hostapd-full/conffiles
+$(Package/hostapd/conffiles)
 /etc/config/radius
 /etc/radius
 endef
 
 ifeq ($(CONFIG_VARIANT),full)
-Package/wpad-mesh-openssl/conffiles = $(Package/hostapd-full/conffiles)
-Package/wpad-mesh-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
-Package/wpad-mesh-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
-Package/wpad/conffiles = $(Package/hostapd-full/conffiles)
-Package/wpad-openssl/conffiles = $(Package/hostapd-full/conffiles)
-Package/wpad-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
-Package/wpad-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
-Package/hostapd/conffiles = $(Package/hostapd-full/conffiles)
-Package/hostapd-openssl/conffiles = $(Package/hostapd-full/conffiles)
-Package/hostapd-wolfssl/conffiles = $(Package/hostapd-full/conffiles)
-Package/hostapd-mbedtls/conffiles = $(Package/hostapd-full/conffiles)
+Package/wpad-mesh-openssl/conffiles += $(Package/hostapd-full/conffiles)
+Package/wpad-mesh-wolfssl/conffiles += $(Package/hostapd-full/conffiles)
+Package/wpad-mesh-mbedtls/conffiles += $(Package/hostapd-full/conffiles)
+Package/wpad/conffiles += $(Package/hostapd-full/conffiles)
+Package/wpad-openssl/conffiles += $(Package/hostapd-full/conffiles)
+Package/wpad-wolfssl/conffiles += $(Package/hostapd-full/conffiles)
+Package/wpad-mbedtls/conffiles += $(Package/hostapd-full/conffiles)
+Package/hostapd/conffiles += $(Package/hostapd-full/conffiles)
+Package/hostapd-openssl/conffiles += $(Package/hostapd-full/conffiles)
+Package/hostapd-wolfssl/conffiles += $(Package/hostapd-full/conffiles)
+Package/hostapd-mbedtls/conffiles += $(Package/hostapd-full/conffiles)
 endif
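Review bot: The full-variant block creates a self-referencing recursive variable: `Package/hostapd-full/conffiles` is a `define` (recursively expanded) that now begins with `$(Package/hostapd/conffiles)`, and inside `ifeq ($(CONFIG_VARIANT),full)` the line `Package/hostapd/conffiles += $(Package/hostapd-full/conffiles)` appends that reference unexpanded, so expanding `Package/hostapd/conffiles` for the full variant recurses into itself and make should abort with "references itself (eventually)". The other packages do not recurse but end up listing `/etc/hostapd` twice, once from their unconditional assignment and once through hostapd-full, which yields a duplicate conffiles entry unless the build deduplicates the list. Dropping the added `$(Package/hostapd/conffiles)` line from the `Package/hostapd-full/conffiles` define fixes both, since every package already receives `/etc/hostapd` from the unconditional assignments above (assuming `hostapd-full` is only a template here and not itself a package whose conffiles need the entry).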
 
 define Install/hostapd
-- 
2.43.0




[PATCH 1/3] wifi-scripts: permit hostapd to access wpa_psk_file

2024-03-04 Thread Christian Marangi
Hostapd require access to the wpa_psk_file to insert data in the context
of WPS usage.

From hostapd.conf documentation:
  Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
  that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
  default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
  per-device PSKs is recommended as the more secure option (i.e., make sure to
  set wpa_psk_file when using WPS with WPA-PSK).

Since we set the option by default, we involuntary enabled also this WPS
feature, that was broken all this time because we create the
wpa_psk_file as root and hostapd doesn't have access to it to write the
per-device psk.

Giving correct permission makes hostapd correctly write the entry and
permits devices connected with WPS Push-Button to re-authenticate on
next connection.

Signed-off-by: Christian Marangi 
---
 .../network/config/wifi-scripts/files/lib/netifd/hostapd.sh  | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh 
b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index 763702e76b..a357418fe1 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -689,7 +689,10 @@ hostapd_set_bss_options() {
fi
[ -z "$wpa_psk_file" ] && set_default wpa_psk_file 
/var/run/hostapd-$ifname.psk
[ -n "$wpa_psk_file" ] && {
-   [ -e "$wpa_psk_file" ] || touch "$wpa_psk_file"
+   [ -e "$wpa_psk_file" ] || {
+   touch "$wpa_psk_file"
+   chown network:network "$wpa_psk_file"
+   }
append bss_conf "wpa_psk_file=$wpa_psk_file" 
"$N"
}
[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" 
] && append bss_conf "eapol_version=$eapol_version" "$N"
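Review bot: The new `chown network:network "$wpa_psk_file"` fixes ownership but leaves the mode at whatever `touch` inherited from the caller's umask, so the per-device PSKs hostapd appends can end up readable by every local user; adding `chmod 0600 "$wpa_psk_file"` right after the chown is sufficient if hostapd is the only process that reads the file, which the commit message suggests. The fix also only runs inside `[ -e "$wpa_psk_file" ] ||`, so a file that already exists — a user-supplied path, or the default one on a system with persistent /var — keeps its previous owner and the WPS append keeps failing there; whether an existing user-supplied file should be chowned is a policy call, but the ownership line deserves a comment stating that it applies to newly created files only. hostapd_set_bss_options starts and ends outside the hunk.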
-- 
2.43.0




[PATCH 2/3] wifi-scripts: save wpa_psk_file on permanent storage by default

2024-03-04 Thread Christian Marangi
Save wpa_psk_file on permanent storage by default. Currently it's always
created in /var/run with the hostapd files.

Any user that would use this option would save this file on permanent
storage to declare specific PSK per devices or for each VLAN.

The file is also used for WPS to store the per-device PSK and keeping it
on /var/run on normal installation (excluding installation with
permanent /var) would result in the wpa_psk_file getting wiped on
reboot, losing all the per-device PSK saved by hostapd.

To fix this, move the wpa_psk_file to /etc/hostapd and set the default
value for the wpa_psk_file option to point to this directory.

Signed-off-by: Christian Marangi 
---
 package/network/config/wifi-scripts/Makefile | 2 +-
 .../config/wifi-scripts/files/lib/netifd/hostapd.sh  | 9 -
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/package/network/config/wifi-scripts/Makefile 
b/package/network/config/wifi-scripts/Makefile
index 085860d7c6..539d9a03c3 100644
--- a/package/network/config/wifi-scripts/Makefile
+++ b/package/network/config/wifi-scripts/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wifi-scripts
 PKG_VERSION:=1.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=GPL-2.0
 
 PKG_MAINTAINER:=Felix Fietkau 
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh 
b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index a357418fe1..71be4db67d 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -687,7 +687,14 @@ hostapd_set_bss_options() {
wireless_setup_vif_failed INVALID_WPA_PSK
return 1
fi
-   [ -z "$wpa_psk_file" ] && set_default wpa_psk_file 
/var/run/hostapd-$ifname.psk
+   [ -z "$wpa_psk_file" ] && {
+   [ -d /etc/hostapd ] || {
+   mkdir /etc/hostapd
+   chown network:netwrok /etc/hostapd
+   }
+   set_default wpa_psk_file 
/etc/hostapd/hostapd-$ifname.psk
+   ln -s /etc/hostapd/hostapd-$ifname.psk 
/var/run/hostapd-$ifname.psk
+   }
[ -n "$wpa_psk_file" ] && {
[ -e "$wpa_psk_file" ] || {
touch "$wpa_psk_file"
-- 
2.43.0




[PATCH 0/3] wifi-scripts: fix WPS usage

2024-03-04 Thread Christian Marangi
This is a long lasting problem (like 4 years)...

It was something I notice a looong time ago but never had time to
actually bisect this, as I was convinced it was a problem with hostapd
due to the fact that it was an insecure option.

But then I notice that hostapd have hwsim testing for this feature hence
it seems unlikely they never notice the feature was broken all along...

That made me push to understand how this actually works and discover the
funny case.

With the VLAN support for per-device PSK we broke WPS feature.

The wpa_psk_file option enables a side effect for WPS where hostapd generates
per-device PSKs and stores them in the wpa_psk_file. (Having this option
disabled causes the real PSK to be enrolled to the final device.)

A later change also switched the user of hostapd from root to network but
we never tweaked the wpa_psk_file on beeing owned by hostapd user.

Hostapd write the per-device entry in the wpa_psk_file to permit devices
to reconnect. As hostapd didn't had permission to access this file, this
step always failed making device connects only once and never again.

While this is easy to fix, handling the per-device persistent across
wpad restart is a bigger beast. My current solution is very easy, we
just move the file in /etc/hostapd but maybe a better solution would
be move these in uci config?

Problem is that I didn't find a clear example on how to do that in
a correct way. (Is my solution ok? Or should we have this with ubus?
For wpa_supplicant we used to emit and event and react on it but I
didn't find a good way to register persistent listner for it)

tl;dr WPS is broken, permission problem and psk are dropped on restart.

Christian Marangi (3):
  wifi-scripts: permit hostapd to access wpa_psk_file
  wifi-scripts: save wpa_psk_file on permanent storage by default
  hostapd: restore /etc/hostapd directory on sysupgrade

 package/network/config/wifi-scripts/Makefile  |  2 +-
 .../wifi-scripts/files/lib/netifd/hostapd.sh  | 14 ++-
 package/network/services/hostapd/Makefile | 40 +--
 3 files changed, 41 insertions(+), 15 deletions(-)

-- 
2.43.0




Re: [PATCH] base-files: sysupgrade: fix generating backup to stdout

2024-03-04 Thread Rafał Miłecki

On 4.03.2024 08:15, Rafał Miłecki wrote:

From: Rafał Miłecki 

Before recent change "tar" command was called with an "-f" argument
which accepts "-" for stdout output. Bring back support for that feature
with new code.

Fixes: e36cc530927c ("base-files: sysupgrade: use tar helper to include 
installed_packages.txt")
Fixes: https://github.com/openwrt/openwrt/issues/14773
Cc: Jo-Philipp Wich 
Signed-off-by: Rafał Miłecki 


Obsoleted by the commit 6f6406a1321b ("base-files: sysupgrade: fix streaming backup 
archives to stdout")

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=6f6406a1321b4ead1d61abdea450d7c76bd5a927



[PATCH] base-files: sysupgrade: handle errors when generating backup

2024-03-04 Thread Rafał Miłecki
From: Rafał Miłecki 

1. Return error if any step of generating tar file fails
2. Use pipefail to avoid calling "gzip" if tar failed

Fixes: e36cc530927c ("base-files: sysupgrade: use tar helper to include 
installed_packages.txt")
Reported-by: Luiz Angelo Daros de Luca 
Cc: Luiz Angelo Daros de Luca 
Cc: Jo-Philipp Wich 
Signed-off-by: Rafał Miłecki 
---
 package/base-files/files/sbin/sysupgrade | 45 +++-
 1 file changed, 29 insertions(+), 16 deletions(-)

diff --git a/package/base-files/files/sbin/sysupgrade 
b/package/base-files/files/sbin/sysupgrade
index 720f3da3fa..80e65b199a 100755
--- a/package/base-files/files/sbin/sysupgrade
+++ b/package/base-files/files/sbin/sysupgrade
@@ -237,6 +237,7 @@ include /lib/upgrade
 create_backup_archive() {
local conf_tar="$1"
local disabled
+   local err
 
[ "$(rootfs_type)" = "tmpfs" ] && {
echo "Cannot save config while running from ramdisk." >&2
@@ -251,31 +252,43 @@ create_backup_archive() {
v "Saving config files..."
[ "$VERBOSE" -gt 1 ] && TAR_V="v" || TAR_V=""
sed -i -e 's,^/,,' "$CONFFILES"
+   set -o pipefail
{
-   for service in /etc/init.d/*; do
-   if ! $service enabled; then
+   local ret=0
+
+   if [ $ret -eq 0 ]; then
+   for service in /etc/init.d/*; do
+   if ! $service enabled; then
disabled="$disabled$service disable\n"
-   fi
-   done
-   disabled="$disabled\nexit 0"
-   tar_print_member "/etc/uci-defaults/10_disable_services" 
"$(echo -e $disabled)"
+   fi
+   done
+   disabled="$disabled\nexit 0"
+   tar_print_member 
"/etc/uci-defaults/10_disable_services" "$(echo -e $disabled)" || ret=1
+   fi
 
# Part of archive with installed packages info
-   if [ "$SAVE_INSTALLED_PKGS" -eq 1 ]; then
-   # Format: pkg-name{rom,overlay,unknown}
-   # rom is used for pkgs in /rom, even if updated later
-   tar_print_member "$INSTALLED_PACKAGES" "$(find 
/usr/lib/opkg/info -name "*.control" \( \
-   \( -exec test -f /rom/{} \; -exec echo {} rom 
\; \) -o \
-   \( -exec test -f /overlay/upper/{} \; -exec 
echo {} overlay \; \) -o \
-   \( -exec echo {} unknown \; \) \
-   \) | sed -e 's,.*/,,;s/\.control /\t/')"
+   if [ $ret -eq 0 ]; then
+   if [ "$SAVE_INSTALLED_PKGS" -eq 1 ]; then
+   # Format: pkg-name{rom,overlay,unknown}
+   # rom is used for pkgs in /rom, even if updated 
later
+   tar_print_member "$INSTALLED_PACKAGES" "$(find 
/usr/lib/opkg/info -name "*.control" \( \
+   \( -exec test -f /rom/{} \; -exec echo 
{} rom \; \) -o \
+   \( -exec test -f /overlay/upper/{} \; 
-exec echo {} overlay \; \) -o \
+   \( -exec echo {} unknown \; \) \
+   \) | sed -e 's,.*/,,;s/\.control 
/\t/')" || ret=1
+   fi
fi
 
# Rest of archive with config files and ending padding
-   tar c${TAR_V} -C / -T "$CONFFILES"
+   if [ $ret -eq 0 ]; then
+   tar c${TAR_V} -C / -T "$CONFFILES" || ret=1
+   fi
+
+   [ $ret -eq 0 ]
} | gzip > "${conf_tar:-/proc/self/fd/1}"
+   err=$?
+   set +o pipefail
 
-   local err=$?
if [ "$err" -ne 0 ]; then
echo "Failed to create the configuration backup."
[ -f "$conf_tar" ] && rm -f "$conf_tar"
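Review bot: `set +o pipefail` after `err=$?` unconditionally clears the option instead of restoring the state the function was entered with, so if pipefail is ever enabled earlier in the script it is silently turned off from here on. Scoping the option to a subshell keeps the change local and still yields the pipeline status: `( set -o pipefail; { … } | gzip > "${conf_tar:-/proc/self/fd/1}" ); err=$?`, with the `set +o pipefail` line dropped (nothing inside the group assigns variables the caller needs, since the left side of the pipe already runs in a subshell). The first `if [ $ret -eq 0 ]; then` guard is always true because `ret` was initialised to 0 on the line just above, so it only adds an indentation level. The unchanged `echo "Failed to create the configuration backup."` in the error path goes to stdout, which with `conf_tar` unset is the backup stream itself; the ramdisk message in the previous hunk uses `>&2`, and this one should too. create_backup_archive starts in the previous hunk and ends outside this one.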
-- 
2.35.3

