From patchwork Mon Mar 4 21:42:15 2024
X-Patchwork-Submitter: Christian Marangi
X-Patchwork-Id: 1907895
From: Christian Marangi
To: OpenWrt Development List
Cc: Christian Marangi
Subject: [PATCH 0/3] wifi-scripts: fix WPS usage
Date: Mon, 4 Mar 2024 22:42:15 +0100
Message-ID: <20240304214243.3677-1-ansuelsmth@gmail.com>

This is a long-lasting problem (like 4 years)... It was something I noticed a looong time ago but never had time to actually bisect this, as I was convinced it was a problem with hostapd due to the fact that it was an insecure option.

But then I noticed that hostapd has hwsim testing for this feature, hence it seems unlikely they never noticed the feature was broken all along... That made me push to understand how this actually works and discover the funny case.

With the VLAN support for per-device PSK we broke the WPS feature. The wpa_psk_file option enables a side effect for WPS where they generate a per-device PSK and store them in the wpa_psk_file.
(Having this option disabled causes the real PSK to get enrolled to the final device.)

A later change also switched the user of hostapd from root to network, but we never tweaked the wpa_psk_file to be owned by the hostapd user. Hostapd writes the per-device entry in the wpa_psk_file to permit devices to reconnect. As hostapd didn't have permission to access this file, this step always failed, making devices connect only once and never again.

While this is easy to fix, handling the per-device persistence across wpad restarts is a bigger beast. My current solution is very easy: we just move the file to /etc/hostapd, but maybe a better solution would be to move these into uci config? The problem is that I didn't find a clear example on how to do that in a correct way.

(Is my solution ok? Or should we have this with ubus? For wpa_supplicant we used to emit an event and react on it, but I didn't find a good way to register a persistent listener for it.)

tl;dr: WPS is broken, permission problem, and PSKs are dropped on restart.

Christian Marangi (3):
  wifi-scripts: permit hostapd to access wpa_psk_file
  wifi-scripts: save wpa_psk_file on permanent storage by default
  hostapd: restore /etc/hostapd directory on sysupgrade

 package/network/config/wifi-scripts/Makefile |  2 +-
 .../wifi-scripts/files/lib/netifd/hostapd.sh | 14 ++++++-
 package/network/services/hostapd/Makefile    | 40 +++++++++++++------
 3 files changed, 41 insertions(+), 15 deletions(-)
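The two failure modes described in the cover letter (hostapd running as the non-root "network" user cannot write its wpa_psk_file, and a file on volatile storage loses the WPS-enrolled per-device PSKs on restart) can be checked on a box with a small script. The one below is an added example and is not part of this patch series or of OpenWrt's wifi-scripts; it assumes the hostapd user name is passed by the caller, that persistent configuration lives under /etc, and that entry lines follow hostapd's documented wpa_psk_file layout of optional key=value tokens (keyid=, vlanid=, ...) followed by a MAC address and a passphrase or 64-hex-digit PSK. It also checks that the file is not group/world readable, since the entries are credentials.

```shell
#!/bin/sh
# Added example, not part of the patch series or of OpenWrt's wifi-scripts.
# Sanity checks for a hostapd wpa_psk_file on an OpenWrt-style system.
# Assumptions: hostapd user name is given by the caller (the cover letter
# says it is "network"), persistent config lives under /etc, and entry lines
# are "[key=value ...] <MAC> <passphrase 8-63 chars | 64 hex digits>" where
# 00:00:00:00:00:00 means "any station".

PSK_LINE_RE='^([a-z]+=[^ ]+ )*([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2} ([^ ]{8,63}|[0-9a-fA-F]{64})$'

# Owner and mode via ls, which behaves the same on busybox and coreutils
# (stat -c format strings differ between the two).
file_owner() { ls -ld "$1" | awk '{print $3}'; }
file_mode()  { ls -ld "$1" | awk '{print $1}'; }

# is_persistent_path PATH: true when PATH is under /etc, i.e. on the overlay
# that survives a reboot (and, with the sysupgrade change, an upgrade);
# anything under /var or /tmp is lost when wpad restarts after a reboot.
is_persistent_path() {
    case "$1" in
        /etc/*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_psk_file FILE USER: true when FILE exists, is owned by USER (so a
# non-root hostapd can append WPS-enrolled entries) and is 0600-style
# (group/other must not be able to read stored PSKs).
check_psk_file() {
    f=$1; user=$2
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    owner=$(file_owner "$f")
    [ "$owner" = "$user" ] || { echo "owner is $owner, want $user: $f" >&2; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        ?rw-------*) return 0 ;;
        *) echo "too permissive ($mode): $f" >&2; return 1 ;;
    esac
}

# count_valid_entries FILE: prints how many non-comment, non-blank lines
# parse as a PSK entry; a shortfall against the raw line count points at a
# truncated or hand-edited file.
count_valid_entries() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$line" | grep -Eq "$PSK_LINE_RE"; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}
```

On a device you would run `check_psk_file /etc/hostapd/wpa_psk_file network && is_persistent_path /etc/hostapd/wpa_psk_file` after the series is applied; both conditions failing is exactly the state the cover letter describes (entries written nowhere, or written to a file that does not survive a restart).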