On Tue, Jan 14, 2020 at 12:34:29PM -0700, Theo de Raadt wrote: > Channeling a conversation from 15 years ago: "How about wpakeyfile"
ifconfig wpakeyfile would be trivial to add if we really want it. The downside is loss of unveil, here handled the same way as for the bridge rulesfile. Looks like unveil(argv[i], "r") is considered bad practice even for an 'i' that should contain a path? diff a7540b3fac3fd3a71fd4134709ac4d4f71a3b5a4 /usr/src blob - 3fb0780ba7cf1333894f5c3485a95e71885fbd6d file + sbin/ifconfig/ifconfig.8 --- sbin/ifconfig/ifconfig.8 +++ sbin/ifconfig/ifconfig.8 @@ -940,6 +940,7 @@ will begin advertising as master. .Op Cm wpaciphers Ar cipher,cipher,... .Op Cm wpagroupcipher Ar cipher .Op Oo Fl Oc Ns Cm wpakey Ar passphrase | hexkey +.Op Cm wpakeyfile Ar path .Op Cm wpaprotos Ar proto,proto,... .Ek .nr nS 0 @@ -990,6 +991,7 @@ the .Cm join list will record .Cm wpakey , +.Cm wpakeyfile , .Cm wpaprotos , or .Cm nwkey @@ -1209,6 +1211,8 @@ The default value is .Dq psk can only be used if a pre-shared key is configured using the .Cm wpakey +or +.Cm wpakeyfile option. .It Cm wpaciphers Ar cipher,cipher,... Set the comma-separated list of allowed pairwise ciphers. @@ -1268,6 +1272,10 @@ or option must first be specified, since .Nm will hash the nwid along with the passphrase to create the key. +.It Cm wpakeyfile Ar path +Set the WPA key contained in the file at the specified +.Ar path . +Trailing whitespace is ignored. .It Cm -wpakey Delete the pre-shared WPA key and disable WPA. .It Cm wpaprotos Ar proto,proto,... blob - f242d72cd73e8d50ccf1dd3d96ac62e35fe7025b file + sbin/ifconfig/ifconfig.c --- sbin/ifconfig/ifconfig.c +++ sbin/ifconfig/ifconfig.c @@ -63,6 +63,7 @@ #include <sys/socket.h> #include <sys/ioctl.h> #include <sys/time.h> +#include <sys/stat.h> #include <net/if.h> #include <net/if_dl.h> @@ -106,6 +107,7 @@ #include <resolv.h> #include <util.h> #include <ifaddrs.h> +#include <fcntl.h> #ifndef SMALL #include <dev/usb/mbim.h> 
@@ -211,6 +213,7 @@ void setifwpaakms(const char *, int); void setifwpaciphers(const char *, int); void setifwpagroupcipher(const char *, int); void setifwpakey(const char *, int); +void setifwpakeyfile(const char *, int); void setifchan(const char *, int); void setifscan(const char *, int); void setifnwflag(const char *, int); @@ -415,6 +418,7 @@ const struct cmd { { "wpagroupcipher", NEXTARG, 0, setifwpagroupcipher }, { "wpaprotos", NEXTARG, 0, setifwpaprotos }, { "wpakey", NEXTARG, 0, setifwpakey }, + { "wpakeyfile", NEXTARG, 0, setifwpakeyfile }, { "-wpakey", -1, 0, setifwpakey }, { "chan", NEXTARG0, 0, setifchan }, { "-chan", -1, 0, setifchan }, @@ -728,7 +732,7 @@ main(int argc, char *argv[]) int create = 0; int Cflag = 0; int gflag = 0; - int found_rulefile = 0; + int found_rulefile = 0, found_wpakeyfile = 0, wpafileidx = 0; int i; /* If no args at all, print all interfaces. */ @@ -785,9 +789,13 @@ main(int argc, char *argv[]) found_rulefile = 1; break; } + if (strcmp(argv[i], "wpakeyfile") == 0) { + found_wpakeyfile = 1; + break; + } } - if (!found_rulefile) { + if (!found_rulefile && !found_wpakeyfile) { if (unveil(_PATH_RESCONF, "r") == -1) err(1, "unveil"); if (unveil(_PATH_HOSTS, "r") == -1) @@ -2240,6 +2248,40 @@ setifwpakey(const char *val, int d) wpa.i_enabled = psk.i_enabled; if (ioctl(sock, SIOCS80211WPAPARMS, (caddr_t)&wpa) == -1) err(1, "SIOCS80211WPAPARMS"); +} + +void +setifwpakeyfile(const char *val, int d) +{ + char *wpakey; + int fd; + struct stat sb; + ssize_t n; + + fd = open(val, O_RDONLY); + if (fd == -1) + err(1, "open %s", val); + + if (fstat(fd, &sb) == -1) + err(1, "fstat %s", val); + + wpakey = malloc(sb.st_size); + if (wpakey == NULL) + err(1, "malloc"); + + n = read(fd, wpakey, sb.st_size); + if (n == -1) + err(1, "read %s", val); + if (n != sb.st_size) + errx(1, "failed to read from file %s", val); + close(fd); + + while (n > 0 && isspace(wpakey[n - 1])) { + wpakey[n - 1] = '\0'; + n--; + } + + setifwpakey(wpakey, d); } void
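Review bot: In the declaration hunk of main() (`@@ -728,7 +732,7 @@`), `wpafileidx` is introduced and initialised to 0, but none of the hunks shown here reads or assigns it. The scan loop in the following hunk only sets `found_wpakeyfile` before `break`. If the index was meant to remember which argument holds the key file path, the code that uses it is missing from this diff. Otherwise drop it so the line reads `int found_rulefile = 0, found_wpakeyfile = 0;`. main() starts and ends outside these hunks, so a use elsewhere cannot be ruled out.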
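Review bot: In setifwpakeyfile() the buffer is allocated with exactly `sb.st_size` bytes and only receives a NUL when the file ends in whitespace, so a key file without a trailing newline reaches setifwpakey() unterminated. setifwpakey() takes a `const char *`, and anything that treats it as a string would then read past the allocation. The `isspace(wpakey[n - 1])` call also passes a plain `char`, which is undefined for bytes above 0x7f where `char` is signed. Nothing rejects a non-regular file, an empty file or a very large one before `malloc(sb.st_size)`. The key material also stays in the heap after use. The sketch below allocates one extra byte, terminates explicitly, bounds the size and clears the buffer.

```c
	/* … unchanged: open() and fstat() with err() on failure … */

	/* 1024 is an illustrative cap, not a value taken from the tree */
	if (!S_ISREG(sb.st_mode) || sb.st_size <= 0 || sb.st_size > 1024)
		errx(1, "%s: not a usable key file", val);

	wpakey = malloc(sb.st_size + 1);	/* room for the terminator */
	/* … unchanged: malloc check, read() and short-read checks, close() … */
	wpakey[n] = '\0';

	while (n > 0 && isspace((unsigned char)wpakey[n - 1])) {
		/* … unchanged: loop body … */
	}

	setifwpakey(wpakey, d);
	freezero(wpakey, sb.st_size + 1);	/* do not leave the key in freed memory */
```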