luci-mod-network: add ppsk option (support for private psk)

[mgiganto]

This PR allows a luci user to enable a private psk (PPSK), where each
station may have its own PSK or use a common PSK if a private one is not defined.

Depends on PR 3509: openwrt/openwrt#3509

Signed-off-by: Manuel Giganto mgigantoregistros@gmail.com

[mgiganto]

@Ansuel here is the luci patch updated.
This is the luci side for openwrt/openwrt#3509

[galeksandrp]

What's the status of this?

Cause without this for those who brave enough to setup ppsk via /etc/config/wireless
subsequent update of configuration via luci destroy wifi completely
due to luci removing

uci del wireless.wifinet3.auth_server
uci del wireless.wifinet3.auth_secret

[mgiganto]

Hi Alexander, We need to wait for the core team to commit the patch in the master luci repository. While that happens, you can use your own luci repository and apply the patch... You can always talk to the core team and ask them if there is anything you can do to help them to review and commit the patch. Best regards Alexander

On Tuesday, 29 November 2022, Alexander Georgievskiy < ***@***.***> wrote: What's the status of this? Cause without this for those who brave enough to setup ppsk via

/etc/config/wireless

subsequent update of configuration via luci destroy wifi completely due to luci removing uci del wireless.wifinet3.auth_server uci del wireless.wifinet3.auth_secret — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.<

https://ci6.googleusercontent.com/proxy/aSqJ2tE1R7ZTNJf8OZMIj6pyBSf3h12in9aG8HZwZw-tBYhzGjrdeetYed4fvqOpnI23Q4UUBowpND-vOURPVcN81B-i3JS5Mgg5soEFAR5X7AO066zWhOUji9wg7gGAHq4SiGDlgnSmzhHvCbVPJwh-6OJiEHFNh0dtCrra28YeUSlHaow79khYqracy3u9JmrupkKqo5iV4C5_-s7Bi1xt3rB-dnM9-N20V7_UOA=s0-d-e1-ft#https://github.com/notifications/beacon/AFB3LF5ZM66Y6IQRTIQGPMDWKYIDTA5CNFSM4SM62WMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOJ5IYTWY.gif>Message ID: ***@***.***>

[galeksandrp]

@jow- What's the status of this?

Just tested mgiganto@6869ab1 on 0f6e166, no conflicts rebase, working fine:

1. Checking `Enable private psk key (PPSK)` leads to `ppsk mark`, `radius settings` being added (as expected)

Checking Enable private psk key (PPSK)

leads to ppsk mark, radius settings

being added (as expected).

2. Unchecking `Enable private psk key (PPSK)` leads to `ppsk mark`, `radius settings` being removed (as expected)

Unchecking Enable private psk key (PPSK)

leads to ppsk mark, radius settings

being removed (as expected).

[jow-]

@galeksandrp - the description text needs to be polished for better english and the option dependencies are not correct, the ppsk: "1" dependency on the RADIUS options looks wrong, those options should be available even if ppsk is not in use.

It likely works anyway because add_dependency_permutations() adds a bunch of other deps which make the options work but this renders the o.depends({ ppsk: '1' }); calls redundant so they would need to be removed.

Also consistent use of acronyms and capitalization, e.g.: Enable private psk key (PPSK) is redundant, should be either Enable private shared keys (PPSK) or Enable private PSK (PPSK) or Enable PPSK and simply explain the PPSK acronym in the long description.

[mgiganto]

Thanks for the details @jow, I'll take a look. The thing is, radius configuration is only expected to happen with WPE, but in this case, we want it to be available and it is required when WPA is using PPSK. Altough we can configure the radius all the time, IMHO I think it is more clear to hide that parameters or delete them if they cannot be used, and they can only be used when PPSK is enabled. May I know what would be the right approach from your point of view?

…

On 15/03/2023, Jo-Philipp Wich ***@***.***> wrote: @galeksandrp - the description text needs to be polished for better english and the option dependencies are not correct, the `ppsk: "1"` dependency on the RADIUS options looks wrong, those options should be available even if ppsk is not in use. It likely works anyway because `add_dependency_permutations()` adds a bunch of other deps which make the options work but this renders the `o.depends({ ppsk: '1' });` calls redundant so they would need to be removed. -- Reply to this email directly or view it on GitHub: #4513 (comment) You are receiving this because you authored the thread. Message ID: ***@***.***>

[galeksandrp]

@jow- @mgiganto Could you please look if this galeksandrp@feature_ppsk adresses all the issues?

[mgiganto]

Thanks for the suggestion Alexander! I have to test :D

…

On 08/04/2023, Alexander Georgievskiy ***@***.***> wrote: @jow- @mgiganto Could you please look if this galeksandrp@feature_ppsk adresses all the issues? -- Reply to this email directly or view it on GitHub: #4513 (comment) You are receiving this because you were mentioned. Message ID: ***@***.***>

[galeksandrp]

What's the status of this?

Checked galeksandrp@9c8fdb4 on LuCI Master (git-23.158.78004-23a246e), works fine.

Tested like

uclient-fetch -O /www/luci-static/resources/view/network/wireless.js https://raw.githubusercontent.com/galeksandrp/luci/feature_ppsk/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js

Joke is that freeradius3 is destroyed in snapshot, but that is another story.

[mgiganto]

Thank you @galeksandrp! I tested it and made some extra modifications based on your idea.
This way is definitely much cleaner than the original code!
What do you think now @jow- ?

[galeksandrp]

@jow- What's the status of this?

Checked mgiganto@a380dcf on LuCI Master git-23.236.53281-98e3743, works fine.
Only checked simple PPSK, I am not using per STA vlan.

[galeksandrp]

@jow- What's the status of this?

Checked mgiganto@a380dcf on LuCI Master (git-23.292.78363-ee6a4da), works fine.
Only checked simple PPSK, I am not using per STA vlan.

[systemcrash]

@galeksandrp - the description text needs to be polished for better english and the option dependencies are not correct, the ppsk: "1" dependency on the RADIUS options looks wrong, those options should be available even if ppsk is not in use.

It likely works anyway because add_dependency_permutations() adds a bunch of other deps which make the options work but this renders the o.depends({ ppsk: '1' }); calls redundant so they would need to be removed.

Also consistent use of acronyms and capitalization, e.g.: Enable private psk key (PPSK) is redundant, should be either Enable private shared keys (PPSK) or Enable private PSK (PPSK) or Enable PPSK and simply explain the PPSK acronym in the long description.

@mgiganto
Yeah, not sure I get the ppsk: 1 parts. Are you saying that e.g. to use the RADIUS auth_port, PPSK must be enabled? That's what these imply. If that's the case (sounds wrong), please remove them, and force push. Progress...

[galeksandrp]

@systemcrash

Are you saying that e.g. to use the RADIUS auth_port, PPSK must be enabled

No. @jow- said that for mgiganto@6869ab1. It was fixed 5 months ago.

Now there are array of structs. Each struct is dependency permutation - eg independent struct of conditions.
Structs in that array traversed with OR logic.

o = ss.taboption('encryption', form.Value, 'auth_server', _('RADIUS Authentication Server'));
// Adds struct in array -----> o <----- And yes, in openwrt >wpa< is Enterprise WPA only
add_dependency_permutations(o, { mode: ['ap', 'ap-wds'], encryption: ['wpa', 'wpa2', 'wpa3', 'wpa3-mixed'] });
// Adds struct in array -----> o <----- And yes, WPA1 PSK is >psk<, WPA2 PSK is >psk2<
add_dependency_permutations(o, { mode: ['ap', 'ap-wds'], encryption: ['psk', 'psk2', 'psk+psk2', 'psk-mixed'], ppsk: ['1'] });

that means that RADIUS Auth Server setting will be available for

• AP/APWDS+WPA without PSK(enterprise WPA)
  OR
• AP/APWDS+PSK(any sort that is not SAE)+PPSK

[systemcrash]

OK, could you please update your commit message to how I've edited your first message above?

[mgiganto]

I'll be updating the description and review again the dependencies/ permutations. Regarding to "Yeah, not sure I get the ppsk: 1 parts. Are you saying that e.g. to use the RADIUS auth_port, PPSK must be enabled? That's what these imply." Yes, RADIUS is used in enterprise and when ppsk is enabled. It is not about the port, it is about RADIUS usage itself. If we cannot use RADIUS (we ask the password to it, because it changes per user at enterprise level and mac at personal level), we don't need to enter any details about it and it would mislead people. "If that's the case (sounds wrong), please remove them, and force push. Progress" What do you want to be removed? El lunes, 4 de diciembre de 2023, Paul Donald ***@***.***> escribió:

OK, could you please update your commit message to how I've edited your

first message above?

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.<

https://ci5.googleusercontent.com/proxy/G0_s_caZBcChp8IJYQA_vUZOqBplwjAgBH3ay1lTFZLXbCeUJjJjsgQD8gT3fjyS_wEvK-6f-c4RdSQNM3UsSqcdaSh5XZerl-VqEBYFC2aGmxxc7WjSdA_XlMn_-7pQYW4ydn1IxQWqzqoit5rrzIf-1BZpUWlZF-hKTZoy-HKr8ozizqO-ZT2De4Qz4RTAN_E0SJfM4vB6c_P_wm-VL9PbIaocsv8D1BvansTXUQ=s0-d-e1-ft#https://github.com/notifications/beacon/AFB3LFZK2JBGT3BHXCLWCPTYHXYTJA5CNFSM4SM62WMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGONWOG3KI.gif>Message ID: ***@***.***>

[mgiganto]

Also, it was not compatible with wpa3 at the time of pushing it, this was due to the SAE implementation. After this patch gets merged, I can recheck things and see if I find a way to make it to work with SAE. WPA3 only uses SAE, therefore we should not allow PPSK over it nor wpa3+mixed mode, because in mixed mode it will use wpa3 whenever it is possible, which will cause that only devices that doesn't support wpa3 will be able to connect. Do you still think we should change the permutations to include the WPA3 (SAE) options? El lunes, 4 de diciembre de 2023, Paul Donald ***@***.***> escribió:

OK, could you please update your commit message to how I've edited your

first message above?

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.<

https://ci5.googleusercontent.com/proxy/G0_s_caZBcChp8IJYQA_vUZOqBplwjAgBH3ay1lTFZLXbCeUJjJjsgQD8gT3fjyS_wEvK-6f-c4RdSQNM3UsSqcdaSh5XZerl-VqEBYFC2aGmxxc7WjSdA_XlMn_-7pQYW4ydn1IxQWqzqoit5rrzIf-1BZpUWlZF-hKTZoy-HKr8ozizqO-ZT2De4Qz4RTAN_E0SJfM4vB6c_P_wm-VL9PbIaocsv8D1BvansTXUQ=s0-d-e1-ft#https://github.com/notifications/beacon/AFB3LFZK2JBGT3BHXCLWCPTYHXYTJA5CNFSM4SM62WMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGONWOG3KI.gif>Message ID: ***@***.***>

[systemcrash]

I'll be updating the description and review again the dependencies/ permutations. Regarding to "Yeah, not sure I get the ppsk: 1 parts. Are you saying that e.g. to use the RADIUS auth_port, PPSK must be enabled? That's what these imply." Yes, RADIUS is used in enterprise and when ppsk is enabled. It is not about the port, it is about RADIUS usage itself. If we cannot use RADIUS (we ask the password to it, because it changes per user at enterprise level and mac at personal level), we don't need to enter any details about it and it would mislead people. "If that's the case (sounds wrong), please remove them, and force push. Progress" What do you want to be removed? El lunes, 4 de diciembre de 2023, Paul Donald @.***> escribió:
OK, could you please update your commit message to how I've edited your
first message above?

Update your commit message. Not the PR description.

Nothing needs removing if the dependency permutations function as OR. Not AND.

Has anyone else been able to test this?

[mgiganto]

@systemcrash I have updated the commit message of the PR.

[systemcrash]

@systemcrash I have updated the commit message of the PR.

Could you fix the following in your commit message please? It makes searching in git more consistent.
dinamically -> dynamically
associate -> associated

[systemcrash]

Closed via 75a2fd2

[systemcrash]

Thank you @mgiganto

[mgiganto]

Thanks to you @systemcrash!

[systemcrash]

Back to the drawing board

[dannil]

Ping @mgiganto I think you maybe missed the revert in 05af14b, see #6902

[mgiganto]

Thank you!

…

On Sun, 31 Mar 2024 at 23:42, Daniel Nilsson ***@***.***> wrote: Ping @mgiganto <https://github.com/mgiganto> I think you maybe missed the revert in 05af14b <05af14b>, see #6902 <#6902> — Reply to this email directly, view it on GitHub <#4513 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFB3LF6V3PDX5UOSZZN7RKDY3CGOTAVCNFSM4SM62WMKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMBSHA4TGNRRGM4A> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[systemcrash]

@mgiganto simply mandating ppsk: '1' is not correct.

jow- wrote: the ppsk: "1" dependency on the RADIUS options looks wrong, those options should be available even if ppsk is not in use.

Let's take for example the first setting which is modified in this PR: auth_server.

add_dependency_permutations yields:

Object { mode: "ap", encryption: "psk", ppsk: "1" }
Object { mode: "ap-wds", encryption: "psk", ppsk: "1" }
Object { mode: "ap", encryption: "psk2", ppsk: "1" }
Object { mode: "ap-wds", encryption: "psk2", ppsk: "1" }
Object { mode: "ap", encryption: "psk+psk2", ppsk: "1" }
Object { mode: "ap-wds", encryption: "psk+psk2", ppsk: "1" }
Object { mode: "ap", encryption: "psk-mixed", ppsk: "1" }
Object { mode: "ap-wds", encryption: "psk-mixed", ppsk: "1" }

We can already see that mandating ppsk in every combination is wrong. There are a number of settings where auth_server works WITHOUT PPSK, for example, before this PR.

Before, it was effectively:

Object { mode: "ap", encryption: "wpa", ppsk: "0" }
Object { mode: "ap-wds", encryption: "wpa", ppsk: "0" }
Object { mode: "ap", encryption: "wpa2", ppsk: "0" }
Object { mode: "ap-wds", encryption: "wpa2", ppsk: "0" }
Object { mode: "ap", encryption: "wpa3", ppsk: "0" }
Object { mode: "ap-wds", encryption: "wpa3", ppsk: "0" }
Object { mode: "ap", encryption: "wpa3-mixed", ppsk: "0" }
Object { mode: "ap-wds", encryption: "wpa3-mixed", ppsk: "0" }

Some settings depend on RADIUS being enabled. But most of the existing RADIUS settings do not ALSO depend on PPSK.

So those dependency permutations must be corrected.

So my suggestion is not to replace the permutations, but add new ones.

e.g.

				add_dependency_permutations(o, { mode: ['ap', 'ap-wds'], encryption: ['wpa', 'wpa2', 'wpa3', 'wpa3-mixed'], ppsk: ['0'] });
				add_dependency_permutations(o, { mode: ['ap', 'ap-wds'], encryption: ['psk', 'psk2', 'psk+psk2', 'psk-mixed'], ppsk: ['1'] });

WPA3 only uses
SAE, therefore we should not allow PPSK over it nor wpa3+mixed mode,
because in mixed mode it will use wpa3 whenever it is possible, which will
cause that only devices that doesn't support wpa3 will be able to connect.

So what depends on what here? PPSK does not work with SAE?

[systemcrash]

Further, please update your commit message as I specified here

[mgiganto]

The objective is to hide KEY field ONLY when PPSK=1, and in show it in any other case, but I don't have a method to remove dependencies, so a reverse logic needs to be applied, show the KEY field when PPSK=0 OR PPSK is not defined. I tried with add_dependency_permutations(o, { encryption: ['psk2', 'psk+psk2'], ppsk: [/^0?$/] }); but it is not working as expected. Why? Because PPSK is only defined for AP and AP-WDS, so other modes with PSK encryption support like Client mode don't have PPSK defined at all and fail on the dependency permutation... Any ideas/suggestions? I need to test the latest version of hostapd using SAE + ppsk, when I made the PR the implementation of ppsk using SAE was broken on hostapd, so it was disabled on purpose. Chances are that it is working now, I need to build it with the latest version to see it.

…

On Mon, 1 Apr 2024 at 15:17, Paul Donald ***@***.***> wrote: Further, please update your commit message as I specified here <#4513 (comment)> — Reply to this email directly, view it on GitHub <#4513 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFB3LF72WOSNN6HMUCUZPSDY3FT6LAVCNFSM4SM62WMKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TEMBSHE4DEOBSGM2A> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[galeksandrp]

I am an idiot, forgot about WiFi Client modes.

Looks like this, but here is the question - Do PPSK will work on WDS setup?

I bet it will, cause well, looks like openwrt allows all encryption schemes for AP-WDS.

o = ss.taboption('encryption', form.Value, '_wpa_key', _('Key'));
add_dependency_permutations(o, { mode: ['ap', 'ap-wds'], encryption: ['psk', 'psk2', 'psk+psk2', 'psk-mixed'], ppsk: ['0'] });
add_dependency_permutations(o, { mode: ['sta', 'adhoc', 'mesh', 'sta-wds'], encryption: ['psk', 'psk2', 'psk+psk2', 'psk-mixed'] });
o.depends('encryption', 'sae');
o.depends('encryption', 'sae-mixed');

[mgiganto]

I am away until next week so i cannot test it but your idea about segregating the problem and address it independently looks very promising to me. I don't recall about WDS, I think it should work, the patch focus on encryption mode, not wifi modes, and the only problem is pretty much hiding the default key in the luci, which is done just to avoid confusion to hostapd about having potentially 2 default passwords, one in radius, one internal in hostapd. Ppsk may potentially work in any mode that support psk encryption, it just doesn't make sense to use it when you are initiating the connection, because you are suppose to know your unique password previously, and if it is a matter of using dynamic passwords, I can see easier ways. El sábado, 15 de junio de 2024, Alexander Georgievskiy < ***@***.***> escribió:

I am an idiot, forgot about WiFi Client modes. Looks like this, but here is the question - Do PPSK will work on WDS

setup?

o = ss.taboption('encryption', form.Value, '_wpa_key', _('Key')); add_dependency_permutations(o, { mode: ['ap', 'ap-wds'], encryption:

['psk', 'psk2', 'psk+psk2', 'psk-mixed'], ppsk: ['0'] });

add_dependency_permutations(o, { mode: ['sta', 'adhoc', 'mesh',

'sta-wds'], encryption: ['psk', 'psk2', 'psk+psk2', 'psk-mixed'] });

o.depends('encryption', 'sae'); o.depends('encryption', 'sae-mixed'); Or should we don't touch poor WDS and let it die in peace? o = ss.taboption('encryption', form.Value, '_wpa_key', _('Key')); add_dependency_permutations(o, { mode: ['ap'], encryption: ['psk',

'psk2', 'psk+psk2', 'psk-mixed'], ppsk: ['0'] });

add_dependency_permutations(o, { mode: ['sta', 'adhoc', 'mesh', 'ap-wds',

'sta-wds'], encryption: ['psk', 'psk2', 'psk+psk2', 'psk-mixed'] });

o.depends('encryption', 'sae'); o.depends('encryption', 'sae-mixed'); — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.<

https://ci3.googleusercontent.com/meips/ADKq_NbXLGpc2N7X_ZBboQhBHMErzibKpZ0ECThpaRwwwzY6RFLtN1xeAiKmPeWbUhvNYAnQqf25w0NRrRayKEnnAwYjeIkwOeL-IhTw1j6yKtoINWim2PKum4Yo_DrHeK9N06xxy756ekSPQulL2iqwZrNzGfLWt2JKSGfpEd8vygCUbYHlI0nZBEtq-LwClMfauYWsvsYgygSQaUTuGru-T4KdIJWNmcdNun-7m_Sj58O3xYE=s0-d-e1-ft#https://github.com/notifications/beacon/AFB3LF4TQOJB2DJF7XDPNVTZHQEVTA5CNFSM4SM62WMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOQFGCJMI.gif>Message ID: ***@***.***>

[systemcrash]

@mgiganto do you want to take a last effort to get this working?

[mgiganto]

Oh yeah, let me do one more check :) El viernes, 26 de julio de 2024, Paul Donald ***@***.***> escribió:

@mgiganto do you want to take a last effort to get this working? — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you were mentioned.<

https://ci3.googleusercontent.com/meips/ADKq_Nbzz8w0APdGB8qLjqkcEm68uuz698eeTlVO5ZWoF4cnKNicjuyowOdYxMautl7ecqVvmmmcK_Y3QNPbtnTK-S8JhvgmGq91P_gsE893mOPWw5FcAR6C5b9Arq0uW8p-O3x65a_jMuZanqIKPxKoY-3UGEnf24ApWx5HQbC5RoQzYy8-8RFslRcMu5Onb6r-XIKyhZXHSH0dCWC1UM2qd-Cv21QydK9Cx6yCUkuia78BIbw=s0-d-e1-ft#https://github.com/notifications/beacon/AFB3LF5OQY5F5SO6RNM7HGDZOGHTDA5CNFSM4SM62WMKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOQY2MYUQ.gif>Message ID: ***@***.***>

[mgiganto]

This filter seems to solve the issue.
My computer is out of service right now, so I modified the commit directly on github website.

[mgiganto]

Thank you @systemcrash, it is done.

[systemcrash]

Hi @mgiganto could you please amend your commit SOB line to
Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>

and remove the merge commit - just rebase everything onto master, please. Please also amend the commit subject lines to valid subject lines. e.g.
luci-mod-network: PPSK etc.