Re: [PATCH 2/3] wifi-scripts: save wpa_psk_file on permanent storage by default
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software.--- Begin Message --- On Monday, March 4th, 2024 at 13:42, Christian Marangi wrote: > Save wpa_psk_file on permanent storage by default. Currently it's always > created in /var/run with the hostapd files. > > Any user that would use this option would save this file on permanent > storage to declare specific PSK per devices or for each VLAN. > > The file is also used for WPS to store the per-device PSK and keeping it > on /var/run on normal installation (excluding installation with > permanent /var) would result in the wpa_psk_file getting wiped on > reboot, losing all the per-device PSK saved by hostapd. > > To fix this, move the wpa_psk_file to /etc/hostapd and set the default > value for the wpa_psk_file option to point to this directory. > > Signed-off-by: Christian Marangi ansuels...@gmail.com > > --- > package/network/config/wifi-scripts/Makefile | 2 +- > .../config/wifi-scripts/files/lib/netifd/hostapd.sh | 9 - > 2 files changed, 9 insertions(+), 2 deletions(-) > > diff --git a/package/network/config/wifi-scripts/Makefile > b/package/network/config/wifi-scripts/Makefile > index 085860d7c6..539d9a03c3 100644 > --- a/package/network/config/wifi-scripts/Makefile > +++ b/package/network/config/wifi-scripts/Makefile > @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk > > PKG_NAME:=wifi-scripts > PKG_VERSION:=1.0 > -PKG_RELEASE:=1 > +PKG_RELEASE:=2 > PKG_LICENSE:=GPL-2.0 > > PKG_MAINTAINER:=Felix Fietkau n...@nbd.name > > diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh > b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh > index a357418fe1..71be4db67d 100644 > --- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh 
> +++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh > @@ -687,7 +687,14 @@ hostapd_set_bss_options() { > wireless_setup_vif_failed INVALID_WPA_PSK > return 1 > fi > - [ -z "$wpa_psk_file" ] && set_default wpa_psk_file > /var/run/hostapd-$ifname.psk > + [ -z "$wpa_psk_file" ] && { > + [ -d /etc/hostapd ] || { > + mkdir /etc/hostapd > + chown network:netwrok /etc/hostapd Typo: network:network > + } > + set_default wpa_psk_file /etc/hostapd/hostapd-$ifname.psk > + ln -s /etc/hostapd/hostapd-$ifname.psk /var/run/hostapd-$ifname.psk > + } > [ -n "$wpa_psk_file" ] && { > [ -e "$wpa_psk_file" ] || { > touch "$wpa_psk_file" > -- > 2.43.0 --- End Message --- ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
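Review bot: `ln -s /etc/hostapd/hostapd-$ifname.psk /var/run/hostapd-$ifname.psk` is not idempotent — it has no `-f`, and this branch appears to run on every BSS setup, so a second `wifi reload` in the same boot (or a stale regular file left in /var/run by the previous layout) makes the `ln` fail, and since its status is unchecked nothing reports it; `ln -sf`, or an `rm -f` beforehand, fixes that, assuming the /var/run path is still read by anything at all. `mkdir /etc/hostapd` also takes the caller's umask, so the directory that will hold the WPS per-device PSKs is world-searchable under the usual 022 default; `mkdir -m 0700 /etc/hostapd` (it is chowned to the hostapd user on the next line) keeps them private, and the `mkdir`/`chown` status should be checked so a failure does not leave `wpa_psk_file` pointing at an unusable path. The same hunk appears again in the standalone copy of this patch further down the page. `hostapd_set_bss_options` starts and ends outside the hunk.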
[PATCH 3/3] hostapd: restore /etc/hostapd directory on sysupgrade
Restore /etc/hostapd directory on sysupgrade since it does contain per-device PSK handled by hostapd for WPS usage. Signed-off-by: Christian Marangi --- package/network/services/hostapd/Makefile | 40 --- 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/package/network/services/hostapd/Makefile b/package/network/services/hostapd/Makefile index c8f476f7b8..a1cd2416fb 100644 --- a/package/network/services/hostapd/Makefile +++ b/package/network/services/hostapd/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=hostapd -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_SOURCE_URL:=http://w1.fi/hostap.git PKG_SOURCE_PROTO:=git 
@@ -679,23 +679,39 @@ define Install/hostapd/full $(INSTALL_DATA) ./files/radius.users $(1)/etc/radius/users endef +define Package/hostapd/conffiles +/etc/hostapd +endef + +Package/wpad-mesh-openssl/conffiles = $(Package/hostapd/conffiles) +Package/wpad-mesh-wolfssl/conffiles = $(Package/hostapd/conffiles) +Package/wpad-mesh-mbedtls/conffiles = $(Package/hostapd/conffiles) +Package/wpad/conffiles = $(Package/hostapd/conffiles) +Package/wpad-openssl/conffiles = $(Package/hostapd/conffiles) +Package/wpad-wolfssl/conffiles = $(Package/hostapd/conffiles) +Package/wpad-mbedtls/conffiles = $(Package/hostapd/conffiles) +Package/hostapd-openssl/conffiles = $(Package/hostapd/conffiles) +Package/hostapd-wolfssl/conffiles = $(Package/hostapd/conffiles) +Package/hostapd-mbedtls/conffiles = $(Package/hostapd/conffiles) + define Package/hostapd-full/conffiles +$(Package/hostapd/conffiles) /etc/config/radius /etc/radius endef ifeq ($(CONFIG_VARIANT),full) -Package/wpad-mesh-openssl/conffiles = $(Package/hostapd-full/conffiles) -Package/wpad-mesh-wolfssl/conffiles = $(Package/hostapd-full/conffiles) -Package/wpad-mesh-mbedtls/conffiles = $(Package/hostapd-full/conffiles) -Package/wpad/conffiles = $(Package/hostapd-full/conffiles) -Package/wpad-openssl/conffiles = $(Package/hostapd-full/conffiles) -Package/wpad-wolfssl/conffiles = $(Package/hostapd-full/conffiles) -Package/wpad-mbedtls/conffiles = $(Package/hostapd-full/conffiles) -Package/hostapd/conffiles = $(Package/hostapd-full/conffiles) -Package/hostapd-openssl/conffiles = $(Package/hostapd-full/conffiles) -Package/hostapd-wolfssl/conffiles = $(Package/hostapd-full/conffiles) -Package/hostapd-mbedtls/conffiles = $(Package/hostapd-full/conffiles) +Package/wpad-mesh-openssl/conffiles += $(Package/hostapd-full/conffiles) +Package/wpad-mesh-wolfssl/conffiles += $(Package/hostapd-full/conffiles) +Package/wpad-mesh-mbedtls/conffiles += $(Package/hostapd-full/conffiles) +Package/wpad/conffiles += $(Package/hostapd-full/conffiles) 
+Package/wpad-openssl/conffiles += $(Package/hostapd-full/conffiles) +Package/wpad-wolfssl/conffiles += $(Package/hostapd-full/conffiles) +Package/wpad-mbedtls/conffiles += $(Package/hostapd-full/conffiles) +Package/hostapd/conffiles += $(Package/hostapd-full/conffiles) +Package/hostapd-openssl/conffiles += $(Package/hostapd-full/conffiles) +Package/hostapd-wolfssl/conffiles += $(Package/hostapd-full/conffiles) +Package/hostapd-mbedtls/conffiles += $(Package/hostapd-full/conffiles) endif define Install/hostapd -- 2.43.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
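Review bot: `Package/hostapd/conffiles += $(Package/hostapd-full/conffiles)` makes the variable reference itself — the new `define Package/hostapd-full/conffiles` is recursively expanded and its first line is `$(Package/hostapd/conffiles)` — so expanding any of these conffiles variables under `CONFIG_VARIANT=full` should fail with make's "references itself (eventually)" error; worth confirming with a full-variant build. Even for the other ten packages `+=` joins the two values with a single space, which as far as I can tell yields a first line of `/etc/hostapd /etc/hostapd`, a duplicated entry at best. Since `Package/hostapd-full/conffiles` now already covers the hostapd list, the simpler form is to keep the eleven assignments as plain `=` as before and spell the path literally in the define: `define Package/hostapd-full/conffiles` / `/etc/hostapd` / `/etc/config/radius` / `/etc/radius` / `endef`. The hunk's last context line opens `define Install/hostapd`, whose body continues outside it.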
[PATCH 1/3] wifi-scripts: permit hostapd to access wpa_psk_file
Hostapd require access to the wpa_psk_file to insert data in the context of WPS usage. >From hostapd.conf documentation: Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of per-device PSKs is recommended as the more secure option (i.e., make sure to set wpa_psk_file when using WPS with WPA-PSK). Since we set the option by default, we involuntary enabled also this WPS feature, that was broken all this time because we create the wpa_psk_file as root and hostapd doesn't have access to it to write the per-device psk. Giving correct permission makes hostapd correctly write the entry and permits devices connected with WPS Push-Button to re-authenticate on next connection. Signed-off-by: Christian Marangi
---
 .../network/config/wifi-scripts/files/lib/netifd/hostapd.sh | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
index 763702e76b..a357418fe1 100644
--- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
+++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh
@@ -689,7 +689,10 @@ hostapd_set_bss_options() {
 fi
 [ -z "$wpa_psk_file" ] && set_default wpa_psk_file /var/run/hostapd-$ifname.psk
 [ -n "$wpa_psk_file" ] && {
- [ -e "$wpa_psk_file" ] || touch "$wpa_psk_file"
+ [ -e "$wpa_psk_file" ] || {
+ touch "$wpa_psk_file"
+ chown network:network "$wpa_psk_file"
+ }
 append bss_conf "wpa_psk_file=$wpa_psk_file" "$N"
 }
 [ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
-- 2.43.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
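Review bot: `touch "$wpa_psk_file"` followed by `chown network:network "$wpa_psk_file"` fixes ownership but not mode, so the file that WPS will fill with per-device PSKs is created under the caller's umask — with the usual 022 default it is world-readable, while the description itself presents these PSKs as the more secure option. Adding `chmod 0600 "$wpa_psk_file"` after the chown (or running the `touch` under `umask 077`) keeps them readable by hostapd only. The ownership fix also applies only when the file is first created; a file that already exists at a user-supplied `wpa_psk_file` path keeps whatever owner it had, possibly still root from an earlier version, so either chown it outside the `[ -e ]` guard or state the ownership requirement in the description. Neither command's status is checked, though the original `touch` was unchecked too. `hostapd_set_bss_options` starts and ends outside the hunk.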
[PATCH 2/3] wifi-scripts: save wpa_psk_file on permanent storage by default
Save wpa_psk_file on permanent storage by default. Currently it's always created in /var/run with the hostapd files. Any user that would use this option would save this file on permanent storage to declare specific PSK per devices or for each VLAN. The file is also used for WPS to store the per-device PSK and keeping it on /var/run on normal installation (excluding installation with permanent /var) would result in the wpa_psk_file getting wiped on reboot, losing all the per-device PSK saved by hostapd. To fix this, move the wpa_psk_file to /etc/hostapd and set the default value for the wpa_psk_file option to point to this directory. Signed-off-by: Christian Marangi --- package/network/config/wifi-scripts/Makefile | 2 +- .../config/wifi-scripts/files/lib/netifd/hostapd.sh | 9 - 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/package/network/config/wifi-scripts/Makefile b/package/network/config/wifi-scripts/Makefile index 085860d7c6..539d9a03c3 100644 --- a/package/network/config/wifi-scripts/Makefile +++ b/package/network/config/wifi-scripts/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wifi-scripts PKG_VERSION:=1.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=GPL-2.0 PKG_MAINTAINER:=Felix Fietkau diff --git a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh index a357418fe1..71be4db67d 100644 --- a/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh +++ b/package/network/config/wifi-scripts/files/lib/netifd/hostapd.sh 
@@ -687,7 +687,14 @@ hostapd_set_bss_options() {
 wireless_setup_vif_failed INVALID_WPA_PSK
 return 1
 fi
- [ -z "$wpa_psk_file" ] && set_default wpa_psk_file /var/run/hostapd-$ifname.psk
+ [ -z "$wpa_psk_file" ] && {
+ [ -d /etc/hostapd ] || {
+ mkdir /etc/hostapd
+ chown network:netwrok /etc/hostapd
+ }
+ set_default wpa_psk_file /etc/hostapd/hostapd-$ifname.psk
+ ln -s /etc/hostapd/hostapd-$ifname.psk /var/run/hostapd-$ifname.psk
+ }
 [ -n "$wpa_psk_file" ] && {
 [ -e "$wpa_psk_file" ] || {
 touch "$wpa_psk_file"
-- 2.43.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 0/3] wifi-scripts: fix WPS usage
This is a long-lasting problem (like 4 years)... It was something I noticed a looong time ago but never had time to actually bisect, as I was convinced it was a problem with hostapd due to the fact that it was an insecure option. But then I noticed that hostapd has hwsim testing for this feature, hence it seems unlikely they never noticed the feature was broken all along... That made me push to understand how this actually works and discover the funny case. With the VLAN support for per-device PSK we broke the WPS feature. The wpa_psk_file option enables a side effect for WPS where it generates per-device PSKs and stores them in the wpa_psk_file. (Having this option disabled causes the real PSK to get enrolled to the final device.) A later change also switched the user of hostapd from root to network, but we never tweaked the wpa_psk_file to be owned by the hostapd user. Hostapd writes the per-device entry in the wpa_psk_file to permit devices to reconnect. As hostapd didn't have permission to access this file, this step always failed, making devices connect only once and never again. While this is easy to fix, handling per-device PSK persistence across wpad restarts is a bigger beast. My current solution is very easy, we just move the file to /etc/hostapd, but maybe a better solution would be to move these into uci config? Problem is that I didn't find a clear example on how to do that in a correct way. (Is my solution ok? Or should we have this with ubus? For wpa_supplicant we used to emit an event and react on it, but I didn't find a good way to register a persistent listener for it) tl;dr WPS is broken, permission problem and PSKs are dropped on restart.
Christian Marangi (3): wifi-scripts: permit hostapd to access wpa_psk_file wifi-scripts: save wpa_psk_file on permanent storage by default hostapd: restore /etc/hostapd directory on sysupgrade package/network/config/wifi-scripts/Makefile | 2 +- .../wifi-scripts/files/lib/netifd/hostapd.sh | 14 ++- package/network/services/hostapd/Makefile | 40 +-- 3 files changed, 41 insertions(+), 15 deletions(-) -- 2.43.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [PATCH] base-files: sysupgrade: fix generating backup to stdout
On 4.03.2024 08:15, Rafał Miłecki wrote: From: Rafał Miłecki Before recent change "tar" command was called with an "-f" argument which accepts "-" for stdout output. Bring back support for that feature with new code. Fixes: e36cc530927c ("base-files: sysupgrade: use tar helper to include installed_packages.txt") Fixes: https://github.com/openwrt/openwrt/issues/14773 Cc: Jo-Philipp Wich Signed-off-by: Rafał Miłecki Obsoleted by the commit 6f6406a1321b ("base-files: sysupgrade: fix streaming backup archives to stdout") https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=6f6406a1321b4ead1d61abdea450d7c76bd5a927 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH] base-files: sysupgrade: handle errors when generating backup
From: Rafał Miłecki 1. Return error if any step of generating tar file fails 2. Use pipefail to avoid calling "gzip" if tar failed Fixes: e36cc530927c ("base-files: sysupgrade: use tar helper to include installed_packages.txt") Reported-by: Luiz Angelo Daros de Luca Cc: Luiz Angelo Daros de Luca Cc: Jo-Philipp Wich Signed-off-by: Rafał Miłecki --- package/base-files/files/sbin/sysupgrade | 45 +++- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade index 720f3da3fa..80e65b199a 100755 --- a/package/base-files/files/sbin/sysupgrade +++ b/package/base-files/files/sbin/sysupgrade @@ -237,6 +237,7 @@ include /lib/upgrade create_backup_archive() { local conf_tar="$1" local disabled + local err [ "$(rootfs_type)" = "tmpfs" ] && { echo "Cannot save config while running from ramdisk." >&2 
@@ -251,31 +252,43 @@ create_backup_archive() { v "Saving config files..." [ "$VERBOSE" -gt 1 ] && TAR_V="v" || TAR_V="" sed -i -e 's,^/,,' "$CONFFILES" + set -o pipefail { - for service in /etc/init.d/*; do - if ! $service enabled; then + local ret=0 + + if [ $ret -eq 0 ]; then + for service in /etc/init.d/*; do + if ! $service enabled; then disabled="$disabled$service disable\n" - fi - done - disabled="$disabled\nexit 0" - tar_print_member "/etc/uci-defaults/10_disable_services" "$(echo -e $disabled)" + fi + done + disabled="$disabled\nexit 0" + tar_print_member "/etc/uci-defaults/10_disable_services" "$(echo -e $disabled)" || ret=1 + fi # Part of archive with installed packages info - if [ "$SAVE_INSTALLED_PKGS" -eq 1 ]; then - # Format: pkg-name{rom,overlay,unknown} - # rom is used for pkgs in /rom, even if updated later - tar_print_member "$INSTALLED_PACKAGES" "$(find /usr/lib/opkg/info -name "*.control" \( \ - \( -exec test -f /rom/{} \; -exec echo {} rom \; \) -o \ - \( -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; \) -o \ - \( -exec echo {} unknown \; \) \ - \) | sed -e 's,.*/,,;s/\.control /\t/')" + if [ $ret -eq 0 ]; then + if [ "$SAVE_INSTALLED_PKGS" -eq 1 ]; then + # Format: pkg-name{rom,overlay,unknown} + # rom is used for pkgs in /rom, even if updated later + tar_print_member "$INSTALLED_PACKAGES" "$(find /usr/lib/opkg/info -name "*.control" \( \ + \( -exec test -f /rom/{} \; -exec echo {} rom \; \) -o \ + \( -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; \) -o \ + \( -exec echo {} unknown \; \) \ + \) | sed -e 's,.*/,,;s/\.control /\t/')" || ret=1 + fi fi # Rest of archive with config files and ending padding - tar c${TAR_V} -C / -T "$CONFFILES" + if [ $ret -eq 0 ]; then + tar c${TAR_V} -C / -T "$CONFFILES" || ret=1 + fi + + [ $ret -eq 0 ] } | gzip > "${conf_tar:-/proc/self/fd/1}" + err=$? + set +o pipefail - local err=$? if [ "$err" -ne 0 ]; then echo "Failed to create the configuration backup." 
[ -f "$conf_tar" ] && rm -f "$conf_tar" -- 2.35.3 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
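Review bot: the `|| ret=1` on the `$INSTALLED_PACKAGES` member only catches a failure of `tar_print_member` itself; the `find ... | sed` inside the `$(...)` argument reports its status to nobody, so a failing `find` still yields a truncated or empty member with `ret` left at 0 — `set -o pipefail` does not change this, because a command substitution's status is dropped when it is used as an argument. Capturing it first, `pkgs="$(find ...)" || ret=1` and then `tar_print_member "$INSTALLED_PACKAGES" "$pkgs" || ret=1`, would propagate it. The first `if [ $ret -eq 0 ]; then` directly after `local ret=0` is always true and can be dropped. The `echo "Failed to create the configuration backup."` after `err=$?` goes to stdout, so in the streaming case (`conf_tar` empty, gzip writing to `/proc/self/fd/1`) the message is appended to the archive data the caller has already received; that line is pre-existing context, but `>&2` would fit this commit's goal. `create_backup_archive` ends outside the hunk.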