Re: ifconfig wpapass

From: Alexander Hall (halexopenbsd.org)
Date: Tue Sep 14 2010 - 03:00:00 CDT


On 09/14/10 07:38, Alexander Hall wrote:
> On 09/14/10 02:14, Alexander Hall wrote:
>> Not to mess with ifconfig's wpapsk, this diff instead introduces
>> wpapass and -wpapass.
>>
>> Same nwid relation as before:
>> - A nwid is required prior to supplying a passphrase to wpapass.
>> - If the nwid is changed afterwards, the passkey is not adjusted.
>>
>> There has been discussion whether we should clear the wpa key on nwid
>> change, but I see that as a separate issue.
>>
>> Again, bsd.rd size impact not checked.
>>
>> I'd appreciate if someone would comment on the Makefile changes too.

Ray made me realize I also forgot to #include "pbkdf2.h". Lint kinda
agreed and now I also check the return value properly.

/Alexander

Index: distrib/special/ifconfig/Makefile
===================================================================
RCS file: /cvs/src/distrib/special/ifconfig/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- distrib/special/ifconfig/Makefile 28 Oct 2009 07:36:49 -0000 1.2
+++ distrib/special/ifconfig/Makefile 14 Sep 2010 07:52:57 -0000
-1,8 +1,10
 # $OpenBSD: Makefile,v 1.2 2009/10/28 07:36:49 deraadt Exp $
 
 PROG= ifconfig
+SRCS= ifconfig.c pbkdf2.c
 COPTS+= -DSMALL
-.PATH: ${.CURDIR}/../../../sbin/ifconfig
+.PATH: ${.CURDIR}/../../../sbin/ifconfig ${.CURDIR}/../../../sbin/bioctl
+CFLAGS+=-I${.CURDIR}/../../../sbin/bioctl
 
 CPPFLAGS+=-DINET6
 
Index: sbin/ifconfig/Makefile
===================================================================
RCS file: /cvs/src/sbin/ifconfig/Makefile,v
retrieving revision 1.10
diff -u -p -r1.10 Makefile
--- sbin/ifconfig/Makefile 22 Nov 2009 22:00:24 -0000 1.10
+++ sbin/ifconfig/Makefile 14 Sep 2010 07:52:57 -0000
-1,7 +1,10
 # $OpenBSD: Makefile,v 1.10 2009/11/22 22:00:24 claudio Exp $
 
+.PATH: ${.CURDIR}/../bioctl
+CFLAGS+=-I${.CURDIR}/../bioctl
+
 PROG= ifconfig
-SRCS= ifconfig.c brconfig.c
+SRCS= ifconfig.c brconfig.c pbkdf2.c
 MAN= ifconfig.8
 
 CPPFLAGS+=-DINET6
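Review bot: Nothing in this Makefile says that `pbkdf2.c` and `pbkdf2.h` are borrowed from bioctl through `.PATH` and `-I`, so a later change to bioctl's copy would alter ifconfig's WPA key derivation without anyone looking here. I would add a comment above the new lines, `# pbkdf2.c is shared with bioctl(8); used by wpapass`. The distrib/special/ifconfig/Makefile hunk pulls in the same file and would benefit from the same comment. Since this file already uses `CPPFLAGS` for `-DINET6`, writing `CPPFLAGS+=-I${.CURDIR}/../bioctl` would keep the preprocessor options in one variable.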
Index: sbin/ifconfig/ifconfig.c
===================================================================
RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.239
diff -u -p -r1.239 ifconfig.c
--- sbin/ifconfig/ifconfig.c 3 Jul 2010 04:44:51 -0000 1.239
+++ sbin/ifconfig/ifconfig.c 14 Sep 2010 07:52:58 -0000
-105,6 +105,7
 #include <ifaddrs.h>
 
 #include "brconfig.h"
+#include "pbkdf2.h"
 
 struct ifreq ifr, ridreq;
 struct in_aliasreq in_addreq;
-161,6 +162,7 void setifwpaakms(const char *, int);
 void setifwpaciphers(const char *, int);
 void setifwpagroupcipher(const char *, int);
 void setifwpapsk(const char *, int);
+void setifwpapass(const char *, int);
 void setifchan(const char *, int);
 void setifscan(const char *, int);
 void setiftxpower(const char *, int);
-319,6 +321,8 const struct cmd {
         { "wpaprotos", NEXTARG, 0, setifwpaprotos },
         { "wpapsk", NEXTARG, 0, setifwpapsk },
         { "-wpapsk", -1, 0, setifwpapsk },
+ { "wpapass", NEXTARG, 0, setifwpapass },
+ { "-wpapass", -1, 0, setifwpapass },
         { "chan", NEXTARG0, 0, setifchan },
         { "-chan", -1, 0, setifchan },
         { "scan", NEXTARG0, 0, setifscan },
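Review bot: The new keywords `wpapass` and `-wpapass` come with no ifconfig.8 change visible on this page, so the constraints spelled out in the description are not discoverable by users. The manual entry should state that an nwid must be set before `wpapass`, that the key is not re-derived if the nwid changes afterwards, and that the passphrase is taken as a command-line argument and is therefore visible in the process list and in any file that stores the ifconfig line. A short comment above the two entries, `/* wpapass: derive the PSK from a passphrase and the current nwid */`, would also help readers tell it apart from `wpapsk`. The cmd table itself starts and ends outside this hunk.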
-1715,6 +1719,45 setifwpapsk(const char *val, int d)
                         errx(1, "wpapsk: invalid pre-shared key");
                 if (len != sizeof(psk.i_psk))
                         errx(1, "wpapsk: bad pre-shared key length");
+ psk.i_enabled = 1;
+ } else
+ psk.i_enabled = 0;
+
+ (void)strlcpy(psk.i_name, name, sizeof(psk.i_name));
+ if (ioctl(s, SIOCS80211WPAPSK, (caddr_t)&psk) < 0)
+ err(1, "SIOCS80211WPAPSK");
+}
+
+void
+setifwpapass(const char *val, int d)
+{
+ struct ieee80211_wpapsk psk;
+ struct ieee80211_nwid nwid;
+ int passlen, nwid_len;
+
+ if (d != -1) {
+ memset(&ifr, 0, sizeof(ifr));
+ ifr.ifr_data = (caddr_t)&nwid;
+ strlcpy(ifr.ifr_name, name, sizeof(ifr.ifr_name));
+ if (ioctl(s, SIOCG80211NWID, (caddr_t)&ifr))
+ err(1, "SIOCG80211NWID");
+
+ passlen = strlen(val);
+ if (passlen < 8 || passlen > 63)
+ errx(1, "wpapass: passphrase must be between 8 and 63 "
+ "characters");
+ nwid_len = nwid.i_len;
+ if (nwid_len == 0)
+ errx(1, "wpapass: nwid not set");
+ else if (nwid_len > IEEE80211_NWID_LEN) {
+ nwid_len = IEEE80211_NWID_LEN;
+ warnx("truncating nwid to its first %d characters",
+ nwid_len);
+ }
+
+ if (pkcs5_pbkdf2(val, passlen, nwid.i_nwid, nwid_len, psk.i_psk,
+ sizeof(psk.i_psk), 4096) != 0)
+ errx(1, "wpapsk: passphrase hashing failed");
                 psk.i_enabled = 1;
         } else
                 psk.i_enabled = 0;
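Review bot: When `nwid.i_len` exceeds `IEEE80211_NWID_LEN`, setifwpapass clamps the length and still derives a key, so the PSK may be computed over a salt that is not the SSID the interface actually uses, and the only signal is a warning. Because the nwid is passed as the PBKDF2 salt, a mismatch yields a key that cannot authenticate; I would make this case fatal, `else if (nwid_len > IEEE80211_NWID_LEN) errx(1, "wpapass: invalid nwid length");`. The hashing-failure message also carries the wrong prefix and should read `errx(1, "wpapass: passphrase hashing failed");`. The literal `4096` deserves a comment such as `/* WPA-PSK iteration count */` or a named constant. The body of setifwpapass continues past the end of this hunk.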