RepoMirrors
/
openwrt
mirror of git://git.openwrt.org/openwrt/openwrt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

hostapd: fail R0KH and R1KH derivation when wpa_psk_file is used 

When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.

Signed-off-by: Rany Hany <rany_hany@riseup.net>
This commit is contained in:
Rany Hany 2024-01-05 19:01:40 +02:00 committed by Felix Fietkau
parent e2f6bfb833
commit 59f67b2010
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
package/network/services/hostapd/files/hostapd.sh
View File

@ -943,6 +943,10 @@ hostapd_set_bss_options() {
set_default pmk_r1_push 0 set_default pmk_r1_push 0
[ -n "$r0kh" -a -n "$r1kh" ] || { [ -n "$r0kh" -a -n "$r1kh" ] || {
if [ -z "$auth_secret" -a -z "$key" ]; then
wireless_setup_vif_failed FT_KEY_CANT_BE_DERIVED
return 1
fi
ft_key=`echo -n "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'` ft_key=`echo -n "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'`
set_default r0kh "ff:ff:ff:ff:ff:ff,*,$ft_key" set_default r0kh "ff:ff:ff:ff:ff:ff,*,$ft_key"