Re: [OpenWrt-Devel] WPS patch set overlooked
On Mon, Oct 15, 2012 at 3:11 PM, Bas Mevissen ab...@basmevissen.nl wrote:

Does this WPS patch set contain a way to mitigate the security design flaw?

Not yet.

Reading the Wikipedia article (http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Security), it looks to me a compatible fix should be possible.

I'm not an expert, but, from the picture of the whole system I gained by reading here and there, it is possible. In particular, the brute force attack can be brought from feasible to computationally impossible with the following precautions:

- increase the wait time between one attempt and a new one
- enable a setup time window by means of a (virtual) button to be pressed on the router
- move away from label setup method to a more secure one such as keypad method.

The last point is my final goal. My plan is to have a web page securely accessible on the router where one can enter random PINs generated by devices that want to connect to my network.

I hope some maintainer on this list will read my posts and make the commits.

--
Lorenzo

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
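An added example, not part of the original messages or the patch set: for the keypad method and setup time window described in the message above, a PIN typed into a router-side form can be checked (eight digits, valid WPS check digit) before it is armed for a limited time. The function names, the 120-second default and the choice to accept only 8-digit PINs are assumptions of this example; `hostapd_cli wps_pin any <pin> <timeout>` is hostapd's existing control command.

```sh
#!/bin/sh
# Added example (not from the thread or the patch set).
# Assumptions: function names, the 120 s default window and the
# 8-digit-only rule are choices made for this example.

# Print the check digit for the first seven digits of a WPS PIN.
# Works on the string so PINs with leading zeros are not parsed as octal.
wps_pin_checksum() {
	local rest="$1" accum=0 weight=3 d
	while [ -n "$rest" ]; do
		d="${rest#"${rest%?}"}"      # last remaining digit
		rest="${rest%?}"
		accum=$((accum + weight * d))
		weight=$((4 - weight))       # alternate 3,1,3,1,... from the right
	done
	echo $(( (10 - accum % 10) % 10 ))
}

# Succeed only for exactly eight digits whose last digit is the checksum.
wps_pin_valid() {
	local pin="$1"
	case "$pin" in
		""|*[!0-9]*) return 1 ;;
	esac
	[ "${#pin}" -eq 8 ] || return 1
	[ "$(wps_pin_checksum "${pin%?}")" = "${pin#"${pin%?}"}" ]
}

# Print (not run) the hostapd_cli call that would arm the PIN for a
# limited window; refuse anything that fails validation, so form input
# never reaches the command line unchecked.
wps_enroll_cmd() {
	local ifname="$1" pin="$2" timeout="${3:-120}"
	case "$ifname" in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
	case "$timeout" in ""|*[!0-9]*) return 1 ;; esac
	wps_pin_valid "$pin" || { echo "rejecting malformed WPS PIN" >&2; return 1; }
	echo "hostapd_cli -i $ifname wps_pin any $pin $timeout"
}
```

The check digit only catches typing errors; the protection against guessing comes from the short window and from the PIN being generated by the enrolling device for that one session.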
[OpenWrt-Devel] WPS patch set overlooked
Hi everyone,

I posted my first patch set on October 1. Since then, it hasn't been acknowledged. I must conclude it got overlooked.

The patch set regards WPS (Wi-Fi Protected Setup) support. Could anyone have a look at it (maybe Felix, who recently moved hostapd directory under network?).

It's not over yet, but I'll be submitting more patches if these get committed.

Thanks.
Lorenzo.

Links to my patch set posts:

https://lists.openwrt.org/pipermail/openwrt-devel/2012-October/016870.html
https://lists.openwrt.org/pipermail/openwrt-devel/2012-October/016871.html
https://lists.openwrt.org/pipermail/openwrt-devel/2012-October/016872.html
https://lists.openwrt.org/pipermail/openwrt-devel/2012-October/016873.html
[OpenWrt-Devel] [PATCH 1/4] [package] hostapd: revamped WPS support
Moved WPS code to new function

The WPS implementation is going to have a bigger code base which justifies a dedicated function with fewer indentation levels.

Signed-off-by: Lorenzo Cappelletti lorenzo.cappelle...@gmail.com
---
Hi everyone,

I'm a senior embedded C programmer and I'd like to contribute with my 2 cents to this great project. My final goal consists in implementing a WPS (http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup) based guest network which my friends coming by can connect to and have access to my entire network resources. Of course, without compromising on security.

I already started documenting the code on the wiki last month. My next step was preparing the ground for a couple of new WPS methods, label and keypad. What I'm submitting here is the result of this first effort. I hope you'll accept it in the trunk.

Next, I'll move on to implement the keypad method which requires user inputs. I think I'll create a dynamic web page here. Not sure because I'm new to this.

diff --git a/hostapd/files/hostapd.sh b/hostapd/files/hostapd.sh --- a/hostapd/files/hostapd.sh +++ b/hostapd/files/hostapd.sh 
@@ -1,3 +1,29 @@ +hostapd_set_wps_options() { + local config_methods device_name device_type manufacturer\ + wps_label wps_pbc + + config_get_bool wps_pbc $vif wps_pushbutton 0 + config_get_bool wps_label $vif wps_label 0 + + config_get config_methods $vif wps_config + [ $wps_pbc -gt 0 ] append config_methods push_button + + [ -z $config_methods ] return + + # common options + config_get device_type $vif wps_device_type 6-0050F204-1 + config_get device_name $vif wps_device_name OpenWrt AP + config_get manufacturer $vif wps_manufacturer openwrt.org + + append $var eap_server=1 $N + append $var wps_state=2 $N + append $var ap_setup_locked=1 $N + append $var device_type=$device_type $N + append $var device_name=$device_name $N + append $var manufacturer=$manufacturer $N + append $var config_methods=$config_methods $N +} + hostapd_set_bss_options() { local var=$1 local vif=$2 @@ -159,25 +185,7 @@ config_get ieee80211d $vif ieee80211d config_get iapp_interface $vif iapp_interface - config_get_bool wps_pbc $vif wps_pushbutton 0 - config_get_bool wps_label $vif wps_label 0 - - config_get config_methods $vif wps_config - [ $wps_pbc -gt 0 ] append config_methods push_button - - [ -n $wps_possible -a -n $config_methods ] { - config_get device_type $vif wps_device_type 6-0050F204-1 - config_get device_name $vif wps_device_name OpenWrt AP - config_get manufacturer $vif wps_manufacturer openwrt.org - - append $var eap_server=1 $N - append $var wps_state=2 $N - append $var ap_setup_locked=1 $N - append $var device_type=$device_type $N - append $var device_name=$device_name $N - append $var manufacturer=$manufacturer $N - append $var config_methods=$config_methods $N - } + [ -n $wps_possible ] hostapd_set_wps_options append $var ssid=$ssid $N [ -n $bridge ] append $var bridge=$bridge $N ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
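Review bot: hostapd_set_wps_options() in the first hunk takes no arguments but appends to `$var` and reads from `$vif`, which are declared `local` in hostapd_set_bss_options(); it only works through the shell's dynamic scoping when called from there, as the second hunk does. Pass both explicitly at the call site and declare them local in the new function so it cannot be called with stale or empty values. In the same hunk `wps_label` is still read with config_get_bool but never used, so the option has no effect; either act on it or drop the read.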
[OpenWrt-Devel] [PATCH 2/4] [package] hostapd: revamped WPS support
Deprecated config options 'wps_label' and 'wps_pbc' The use of a list option 'wps_pushbutton' is more scalable. Signed-off-by: Lorenzo Cappelletti lorenzo.cappelle...@gmail.com --- diff --git a/hostapd/files/hostapd.sh b/hostapd/files/hostapd.sh --- a/hostapd/files/hostapd.sh +++ b/hostapd/files/hostapd.sh @@ -1,12 +1,14 @@ hostapd_set_wps_options() { - local config_methods device_name device_type manufacturer\ - wps_label wps_pbc + local config_methods device_name device_type manufacturer + config_get config_methods $vif wps_config_methods + + # deprecated options + local wps_label wps_pbc config_get_bool wps_pbc $vif wps_pushbutton 0 + [ $wps_pbc -gt 0 ] append config_methods push_button config_get_bool wps_label $vif wps_label 0 - - config_get config_methods $vif wps_config - [ $wps_pbc -gt 0 ] append config_methods push_button + $wps_label -gt 0 ] append config_methods label [ -z $config_methods ] return @@ -22,6 +24,18 @@ append $var device_name=$device_name $N append $var manufacturer=$manufacturer $N append $var config_methods=$config_methods $N + + # per-method options + list_contains config_methods label { + list_remove config_methods label + } + + list_contains config_methods push_button { + list_remove config_methods push_button + } + + [ -z $config_methods ] ||\ + logger -t $vif WPS config methods not supported: $config_methods } hostapd_set_bss_options() { ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
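Review bot: the first hunk changes the option read into config_methods from `wps_config` to `wps_config_methods` with no fallback, so an existing configuration that sets `wps_config` silently loses its methods, while `wps_pushbutton` and `wps_label` keep working as deprecated options. Read the old name as a deprecated fallback too, and align the commit message, which names 'wps_pbc' and a list option 'wps_pushbutton' rather than the `wps_config_methods` option the code reads. As it appears here, the added line `$wps_label -gt 0 ] append config_methods label` also has no opening `[`.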
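Review bot: in the second hunk the check for unsupported methods runs after `append $var config_methods=$config_methods $N`, so a method this script does not handle is logged but still written to the hostapd configuration. Do the label/push_button filtering first and emit only the supported methods, or return without enabling WPS when anything unsupported remains.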
[OpenWrt-Devel] [PATCH 4/4] [package] hostapd: revamped WPS support
Added 'wps_ap_pin' option along with a default pin for 'label' method Signed-off-by: Lorenzo Cappelletti lorenzo.cappelle...@gmail.com --- diff --git a/hostapd/files/hostapd.sh b/hostapd/files/hostapd.sh --- a/hostapd/files/hostapd.sh +++ b/hostapd/files/hostapd.sh @@ -35,7 +35,11 @@ # per-method options list_contains config_methods label { + local ap_pin + list_remove config_methods label + + config_get ap_pin $vif wps_ap_pin 12345670 } list_contains config_methods push_button { ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
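Review bot: the default in `config_get ap_pin $vif wps_ap_pin 12345670` gives every installation that enables the label method without setting wps_ap_pin the same fixed PIN, which removes any guessing effort for the method this thread is trying to harden. Prefer no default: skip the label method and log it when wps_ap_pin is unset, or generate a random PIN per device on first boot. In this hunk ap_pin is also only read into a local and never appended to `$var`, so the option has no effect yet.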
[OpenWrt-Devel] [PATCH 3/4] [package] hostapd: revamped WPS support
Enabled random per-device PSK generation for WPS clients Signed-off-by: Lorenzo Cappelletti lorenzo.cappelle...@gmail.com --- diff --git a/hostapd/files/hostapd.sh b/hostapd/files/hostapd.sh --- a/hostapd/files/hostapd.sh +++ b/hostapd/files/hostapd.sh @@ -1,5 +1,6 @@ hostapd_set_wps_options() { - local config_methods device_name device_type manufacturer + local config_methods device_name device_type manufacturer\ + wpa_psk_file config_get config_methods $vif wps_config_methods @@ -13,6 +14,7 @@ [ -z $config_methods ] return # common options + config_get ifname $vif ifname config_get device_type $vif wps_device_type 6-0050F204-1 config_get device_name $vif wps_device_name OpenWrt AP config_get manufacturer $vif wps_manufacturer openwrt.org @@ -25,6 +27,12 @@ append $var manufacturer=$manufacturer $N append $var config_methods=$config_methods $N + # enable random per-device PSK generation for WPS clients + # (file has to exists for hostapd to start) + wpa_psk_file=/var/run/hostapd-$ifname.psk + append $var wpa_psk_file=$wpa_psk_file $N + [ ! -e $wpa_psk_file ] : $wpa_psk_file + # per-method options list_contains config_methods label { list_remove config_methods label ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
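Review bot: `config_get ifname $vif ifname` in the second hunk assigns `ifname`, but the local list extended in the first hunk only adds `wpa_psk_file`, so `ifname` leaks into the caller's scope and can overwrite a variable of the same name there. Add `ifname` to the `local` declaration. An empty `ifname` should also be handled, since the path would then become /var/run/hostapd-.psk and be shared between interfaces.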
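Review bot: the third hunk creates /var/run/hostapd-$ifname.psk without setting its mode, so the per-device PSKs written there inherit the default umask and may be readable by other local users. Create the file under `umask 077` or `chmod 600` it right after creation. The comment typo "has to exists" could be fixed at the same time.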