[PATCH] hostapd: fallback to psk when generating r0kh/r1kh

Eneas U de Queiroz cotequeiroz at gmail.com
Fri Feb 18 11:34:46 PST 2022


Hi David

Thanks for looking into this.

On Fri, Feb 18, 2022 at 3:15 PM David Bauer <mail at david-bauer.net> wrote:

> Just so I get this right - This means the same configuration is
> incompatible between firmware containing this commit and firmware that
> does not? In this case I would not pick it for 21.02.

TLDR: For the use case that was intended, it does not; it will
intentionally break the insecure setup.

Here's the commit message that introduced the defaults:

21eb0a5aa3 hostapd: add default values for r0kh/r1kh

This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)

My understanding is that the intention was to use this for EAP only.
However, the key gets set even if PSK is used.  In that case it will
have an unset 'auth_secret', and that's where this becomes a security
issue.
The FT key is derived from "$mobility_domain/$auth_secret".  If
'auth_secret' is null, then the key is computed from
"$mobility_domain/" only, and 'mobility_domain' itself is computed
from the SSID by default.  At the end, you have an easy, working setup
with a default FT key that can be computed from just the SSID--and
nothing wrong is visible from the user POV.

There are several ways of fixing this:
(1) don't compute r0kh/r1kh if not using EAP.
(2) Use the PSK if auth_secret is unset.
(3) warn the user that a key has not been set, but keep things as they are.

I like (2) because it is useful.  You can get FT working with WPA3-SAE
just by turning 802.11r on and turning off ft_psk_generate_local,
without having to set up the key.

Can there be breakage? Yes, and it is intended.  It'll break the
insecure PSK/FT default setup I described above, when you have some AP
running with the fix and some without it.

EAP setups will not be affected: even if 'key' is set but
'auth_secret' is unset (a possible breakage scenario), the code in
line 682[1] will set 'auth_secret' from 'key' if the former is empty:
[ -n "$auth_secret" ] || json_get_var auth_secret key
So you can't have an EAP setup with 'auth_secret' unset and 'key' set.

(1) will create the same breakage, without adding anything useful.

Cheers,

Eneas

[1] https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/hostapd/files/hostapd.sh;h=d9d5f348775debade847f267b1ca1dc86444e41d;hb=HEAD#l682
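Worked example (added here; this is not code from OpenWrt's hostapd.sh or from this thread): a small shell model of the derivation described above and of option (2), plus an audit helper that flags the SSID-only default key. It assumes md5sum-based hashing for both the default mobility_domain and the FT key; that is an assumption about hostapd.sh, not something stated in the mail.

```shell
#!/bin/sh
# Added example, not code from OpenWrt's hostapd.sh or from this thread.
# ASSUMPTION: mobility_domain defaults to the first 4 hex chars of md5(ssid)
# and the FT key is md5("$mobility_domain/$auth_secret"); the real script's
# hashing may differ, the structure of the problem does not.

md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

default_mobility_domain() {
    md5_hex "$1" | cut -c1-4
}

# Key derivation as the mail proposes (option 2): use auth_secret, fall back
# to the PSK, and refuse to generate a key when neither is configured.
# usage: derive_ft_key SSID AUTH_SECRET PSK
derive_ft_key() {
    dfk_md=$(default_mobility_domain "$1")
    dfk_secret=$2
    [ -n "$dfk_secret" ] || dfk_secret=$3
    if [ -z "$dfk_secret" ]; then
        echo "no auth_secret or PSK set: not generating r0kh/r1kh key" >&2
        return 1
    fi
    md5_hex "$dfk_md/$dfk_secret"
}

# Audit helper: succeeds when KEY is the SSID-only default described in the
# mail (derived from an empty secret), i.e. the configuration to flag.
# usage: is_ssid_only_key SSID KEY
is_ssid_only_key() {
    [ "$2" = "$(md5_hex "$(default_mobility_domain "$1")/")" ]
}

# Constructed demonstration values
if derive_ft_key "OpenWrt" "" "" >/dev/null 2>&1; then
    echo "unexpected: key generated without any secret" >&2
fi
psk_key=$(derive_ft_key "OpenWrt" "" "correct-horse-battery")
echo "PSK-derived key: $psk_key"
if is_ssid_only_key "OpenWrt" "$psk_key"; then
    echo "WARNING: FT key is the SSID-only default"
else
    echo "FT key depends on a configured secret"
fi
```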
