I sent this a while ago. Can anyone review this (Felix, as the author of the r0kh/r1kh generator?).
On Fri, Jan 7, 2022 at 5:19 PM Eneas U de Queiroz <cotequei...@gmail.com> wrote: > > The 80211r r0kh and r1kh defaults are generated from the md5sum of > "$mobility_domain/$auth_secret". auth_secret is only set when using EAP > authentication, but the default key is used for SAE/PSK as well. In > this case, auth_secret is empty, and the default value of the key can > be computed from the SSID alone. > > Fallback to using $key when auth_secret is empty. While at it, rename > the variable holding the generated key from 'key' to 'ft_key', to avoid > clobbering the PSK. > > Signed-off-by: Eneas U de Queiroz <cotequei...@gmail.com> > --- > > This should be cherry-picked to 21.02 as well. > > package/network/services/hostapd/files/hostapd.sh | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/network/services/hostapd/files/hostapd.sh > b/package/network/services/hostapd/files/hostapd.sh > index d9d5f34877..e00fc21cd9 100644 > --- a/package/network/services/hostapd/files/hostapd.sh > +++ b/package/network/services/hostapd/files/hostapd.sh 
> @@ -876,10 +876,10 @@ hostapd_set_bss_options() { > set_default pmk_r1_push 0 > > [ -n "$r0kh" -a -n "$r1kh" ] || { > - key=`echo -n > "$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'` > + ft_key=`echo -n > "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'` > > - set_default r0kh > "ff:ff:ff:ff:ff:ff,*,$key" > - set_default r1kh > "00:00:00:00:00:00,00:00:00:00:00:00,$key" > + set_default r0kh > "ff:ff:ff:ff:ff:ff,*,$ft_key" > + set_default r1kh > "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key" > } > > [ -n "$r1_key_holder" ] && append bss_conf > "r1_key_holder=$r1_key_holder" "$N"

So that one can grasp a bit better what this is about--the commit message was under par--see this post: https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81?u=cotequeiroz

Basically, if you have ieee80211r=1, ft_psk_generate_local=0, and have not set up r0kh or r1kh, then hostapd.sh will generate a 128-bit key from the 2-byte mobility domain (defaults to the first 2 bytes of the SSID md5sum) and the auth_secret. The intention of the script originally was to support just EAP, so it uses the auth_secret to generate a key. However, it is possible (ft_psk_generate_local does not work with SAE) to use generated keys when using PSK, in which case auth_secret will not ordinarily be set, and the default key can be trivially computed.

Cheers,
Eneas
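
Review bot: on the new ft_key= line, `${auth_secret:-${key}}` still expands to an empty string when neither auth_secret nor key is set, so the hash input collapses to "$mobility_domain/" and the r0kh/r1kh defaults are once again derivable without any secret. Consider generating the defaults only when the chosen secret is non-empty (a `[ -n ... ]` test ahead of the md5sum line), and otherwise leaving r0kh/r1kh unset or logging a warning. A smaller point on the same line: the generated key is now a single unsalted MD5 over the mobility domain and the PSK, so it is no stronger than the PSK itself; a one-line comment above ft_key= saying so would help the next reader.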
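
The derivation discussed in the message above, as an added example that is not part of the original post or of hostapd.sh: it puts the pre-patch and patched key derivations side by side and checks a set of generated options for the key that needs no secret to compute. The function names, the `a1b2` mobility domain and the sample option lines are constructed for illustration, and the key is assumed to be the last space- or comma-separated field of each r0kh/r1kh line.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of hostapd.sh.

# Pre-patch derivation: only auth_secret is hashed with the mobility domain.
ft_key_old() { # $1=mobility_domain $2=auth_secret
	printf '%s' "$1/$2" | md5sum | awk '{print $1}'
}

# Patched derivation: fall back to the PSK ($3) when auth_secret is empty.
ft_key_new() { # $1=mobility_domain $2=auth_secret $3=key
	printf '%s' "$1/${2:-$3}" | md5sum | awk '{print $1}'
}

# Read hostapd-style options on stdin. Return 0 and warn when an r0kh/r1kh
# key equals md5("<mobility_domain>/"), 1 when neither does, 2 when no
# mobility_domain line is present. Assumption: the key is the last field,
# separated by a space or a comma.
check_predictable_ft_key() {
	conf=$(cat)
	md=$(printf '%s\n' "$conf" | sed -n 's/^mobility_domain=//p' | head -n 1)
	[ -n "$md" ] || return 2
	weak=$(ft_key_old "$md" "")
	found=1
	for opt in r0kh r1kh; do
		k=$(printf '%s\n' "$conf" | sed -n "s/^$opt=.*[ ,]//p" | head -n 1)
		if [ "$k" = "$weak" ]; then
			echo "WARNING: $opt key is derivable from mobility_domain=$md"
			found=0
		fi
	done
	return $found
}

# Constructed sample: a PSK network with no auth_secret, pre-patch defaults.
MD=a1b2
OLD=$(ft_key_old "$MD" "")
printf 'mobility_domain=%s\nr0kh=ff:ff:ff:ff:ff:ff * %s\nr1kh=00:00:00:00:00:00 00:00:00:00:00:00 %s\n' \
	"$MD" "$OLD" "$OLD" | check_predictable_ft_key || true
```

Feeding the function the options from a running AP shows whether that AP still carries the pre-patch default.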