| Summary: | The HOSTAPD service is STOPPED if the Pre-Shared Key field contains the character ! | ||
|---|---|---|---|
| Product: | IPFire | Reporter: | iptom <tomphz> |
| Component: | --- | Assignee: | Michael Tremer <michael.tremer> |
| Status: | ON_QA --- | QA Contact: | |
| Severity: | Minor Usability | ||
| Priority: | Will only affect a few users | CC: | adolf.belka, bernhard.leeb, michael.tremer |
| Version: | 2 | ||
| Hardware: | unspecified | ||
| OS: | Unspecified | ||
Description
iptom
2025-12-24 11:52:05 UTC
Hello Tom,

can you confirm that the setting is indeed empty in the generated configuration file?

Is it properly stored in /var/ipfire/wlapap/settings?

(In reply to Michael Tremer from comment #1)
> Hello Tom,
>
> can you confirm that the setting is indeed empty in the generated
> configuration file?
>
> Is it properly stored in /var/ipfire/wlapap/settings?

Hello Michael :D

Below is the content of the /var/ipfire/wlanap file without the ! character.

    HW_MODE=
    TX_POWER=
    IEEE80211W=optional
    ENC=wpa2+3
    PWD=BBBBBBBBBBBBBB
    INTERFACE=f8:d1:xx:xx:xx:x
    SSID=SSIDBOX
    HIDESSID=off
    TXPOWER=auto
    COUNTRY=PL
    CHANNEL=0
    BAND=2g
    NOSCAN=off
    MODE=HT20
    APMODE=on
    CLIENTISOLATION=on

Below is the content of the /etc/hostapd.conf file without the ! character.

    # Automatically generated configuration
    # DO NOT EDIT
    logger_syslog=-1
    logger_syslog_level=4
    driver=nl80211
    country_code=PL
    country3=0x49
    ieee80211d=1
    ieee80211h=1
    channel=0
    local_pwr_constraint=3
    spectrum_mgmt_required=1
    enable_background_radar=1
    wmm_enabled=1
    hw_mode=g
    ieee80211n=1
    ht_capab=[DSSS_CCK-40] [HT40+][HT40-] [SHORT-GI-20] [SHORT-GI-40] [RX-STBC1]
    auth_algs=1
    ctrl_interface=/var/run/hostapd
    ctrl_interface_group=0
    disassoc_low_ack=1
    ssid2="SSIDBOX"
    utf8_ssid=1
    ap_isolate=1
    noscan=0
    ieee80211w=1
    beacon_prot=1
    ocv=2
    wpa=2
    wpa_passphrase=BBBBBBBBBBBBBB
    wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
    rsn_pairwise=CCMP
    mbo=1
    mbo_cell_data_conn_pref=1
    ssid_protection=1
    extended_key_id=1
    oce=7
    interworking=1
    access_network_type=0
    internet=1
    time_advertisement=2
    multicast_to_unicast=1

Below is the content of the /var/ipfire/wlanap file after adding the ! character to PSK and rebooting.

    PWD=BBBBBBBBBBBBBB!
    BAND=2g
    HW_MODE=
    NOSCAN=off
    COUNTRY=PL
    APMODE=on
    CHANNEL=0
    INTERFACE=f8:d1:11:13:80:0d
    HIDESSID=off
    TX_POWER=
    SSID=SSIDBOX
    ENC=wpa2+3
    MODE=HT20
    TXPOWER=auto
    CLIENTISOLATION=on
    IEEE80211W=optional

Below is the content of the /etc/hostapd.conf file after adding the ! character to PSK and rebooting.

    # Automatically generated configuration
    # DO NOT EDIT
    logger_syslog=-1
    logger_syslog_level=4
    driver=nl80211
    country_code=PL
    country3=0x49
    ieee80211d=1
    ieee80211h=1
    channel=0
    local_pwr_constraint=3
    spectrum_mgmt_required=1
    enable_background_radar=1
    wmm_enabled=1
    hw_mode=g
    ieee80211n=1
    ht_capab=[DSSS_CCK-40] [HT40+][HT40-] [SHORT-GI-20] [SHORT-GI-40] [RX-STBC1]
    auth_algs=1
    ctrl_interface=/var/run/hostapd
    ctrl_interface_group=0
    disassoc_low_ack=1
    ssid2="SSIDBOX"
    utf8_ssid=1
    ap_isolate=1
    noscan=0
    ieee80211w=1
    beacon_prot=1
    ocv=2
    wpa=2
    wpa_passphrase=/
    wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256 SAE
    rsn_pairwise=CCMP
    mbo=1
    mbo_cell_data_conn_pref=1
    ssid_protection=1
    extended_key_id=1
    oce=7
    interworking=1
    access_network_type=0
    internet=1
    time_advertisement=2
    multicast_to_unicast=1

This is a similar type of issue as in bug13792 so it could be that this is a duplicate of that bug.

There are various characters that if used in the password cause problems to occur.

I believe that the password for the hostapd needs to be base64 encoded similar to the ipsec fix that was done some time ago for the PSK. I believe this would fix bug13792 and this bug.

Bug13792 is on my list of things to work on but my todo list has a lot of things on it so not got around to it yet.

(In reply to Adolf Belka from comment #3)
> This is a similar type of issue as in bug13792 so it could be that this is a
> duplicate of that bug.
>
> There are various characters that if used in the password cause problems to
> occur.
>
> I believe that the password for the hostapd needs to be base64 encoded
> similar to the ipsec fix that was done some time ago for the PSK. I believe
> this would fix bug13792 and this bug.

Bug 13792 is related to WUI->System -> Wireless Client -> Wireless Client Configuration

Bug 13920 is related to WUI-> Ipfire-> Wireless Access Point

Adding a comma(s) to the "Pre-Shared Key" does not cause the hostapd service to stop after rebooting.

Okay as they are for different packages it makes sense to keep the two bugs open but I believe that the same type of fix needs to be made, ie base64 encoding so that any characters that are considered special can be used without causing a problem. It will just need to be made into two separate .cgi files.

https://community.ipfire.org/t/error-in-hostapd-config-since-199-upgrade/15384/2

An additional problem - after placing the “!” character in the SSID name, the hostapd service stops.

    19:05:09 hostapd:Failed to initialize interface
    19:05:09 hostapd:Failed to set up interface with /etc/hostapd.conf
    19:05:09 hostapd:1 errors found in configuration file '/etc/hostapd.conf'
    19:05:09 hostapd:Line 22: invalid SSID '""'
    19:05:07 hostapd:nl80211: deinit ifname=blue0 disabled_11b_rates=0
    19:05:07 hostapd:blue0: CTRL-EVENT-TERMINATING
    19:05:07 hostapd:blue0: AP-DISABLED
    19:05:07 hostapd:blue0: interface state ENABLED->DISABLED

I just want to inform, that this is not only limited to ! character. I don't have that character in my passphrase but some other special characters. This results in the following line in hostapd.conf:

    wpa_passphrase=/srv/web/ipfire/cgi-bin

When I change the script as described here https://community.ipfire.org/t/error-in-hostapd-config-since-199-upgrade/15384/6?u=grisu127 the hostapd.conf is generated with the correct passphrase line.

> https://patchwork.ipfire.org/project/ipfire/list/?series=5436
Here is a patch set that will fix a couple of things around hostapd. Certainly the ! character in the PSK will work now.
Generally we conduct some filtering of the content of shell variables as it would otherwise become very easy to perform any shell command injection attacks. Using the ! in the PSK ran into that check and the content of the variable was cleared.
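
The comment above describes a filter that clears a settings value when it contains a character such as `!`. The sketch below is an added example, not part of that comment and not IPFire's own code: it contrasts such a filter with a reader that treats the value purely as data. The function names and the allow-list are assumptions, and the sample settings are constructed.

```shell
# Added example, not IPFire's readhash; function names are hypothetical.
# Reader A: allow-list filter (the list itself is an assumption). A value
# with any other character is cleared, the failure this bug reports for "!".
get_filtered() {    # usage: get_filtered FILE KEY
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        [ "${line%%=*}" = "$2" ] || continue
        line=${line#*=}
        case $line in
            *[!A-Za-z0-9_+.,:/@-]*) line="" ;;   # rejected, so emptied
        esac
        printf '%s' "$line"
        return 0
    done < "$1"
    return 1
}

# Reader B: split on the first "=" only and treat the rest as data. Nothing
# is sourced or passed to eval, so no character needs to be filtered out.
get_literal() {     # usage: get_literal FILE KEY
    local line key
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in *=*) ;; *) continue ;; esac        # no "=": skip
        key=${line%%=*}
        case $key in ''|*[!A-Z0-9_]*) continue ;; esac   # plain key names only
        [ "$key" = "$2" ] || continue
        printf '%s' "${line#*=}"
        return 0
    done < "$1"
    return 1
}

# Emit the hostapd.conf line; printf '%s' copies the value unchanged.
passphrase_line() { # usage: passphrase_line FILE
    local psk
    psk=$(get_literal "$1" PWD) || return 1
    printf 'wpa_passphrase=%s\n' "$psk"
}

# Constructed sample: the PSK is the character list quoted in this report.
demo() {
    local f; f=$(mktemp)
    printf '%s\n' 'SSID=SSIDBOX' 'PWD=!&"$()*]^`'"'"'{}~' > "$f"
    printf 'filtered: [%s]\n' "$(get_filtered "$f" PWD)"
    passphrase_line "$f"
    rm -f "$f"
}
demo
```
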
(In reply to Michael Tremer from comment #8)
> > https://patchwork.ipfire.org/project/ipfire/list/?series=5436
>
> Here is a patch set that will fix a couple of things around hostapd.
> Certainly the ! character in the PSK will work now.
>

I am afraid not in my testing.

The patches are not yet available in the nightly builds so I ran the patches on my build system and then did a build and installed the iso created.

Confirmed that the changes in the functions file were present in the installed version, which they were.

I then restored a backup and then tested out the existing password. Connection was successfully made.

Then changed the last character in the password to an ! and tested again but the connection failed to occur.

There were no error messages in the IPFire wireless system logs.

Checking the Linux laptop logs I got the following which looks like the connection got made most of the way (4 way handshake completed) but then suddenly for no obvious reason the connection was deactivated.

    Jan 23 20:09:17 tethys wpa_supplicant[493]: wlp2s0: SME: Trying to authenticate with 00:0e:8e:53:30:1d (SSID='Jarnsaxa' freq=2437 MHz)
    Jan 23 20:09:17 tethys kernel: wlp2s0: authenticate with 00:0e:8e:53:30:1d (local address=08:71:90:42:7b:ce)
    Jan 23 20:09:17 tethys kernel: wlp2s0: send auth to 00:0e:8e:53:30:1d (try 1/3)
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0024] device (wlp2s0): supplicant interface state: scanning -> authenticating
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0046] device (p2p-dev-wlp2s0): supplicant management interface state: scanning -> authenticating
    Jan 23 20:09:18 tethys wpa_supplicant[493]: wlp2s0: Trying to associate with 00:0e:8e:53:30:1d (SSID='Jarnsaxa' freq=2437 MHz)
    Jan 23 20:09:18 tethys kernel: wlp2s0: authenticated
    Jan 23 20:09:18 tethys kernel: wlp2s0: associate with 00:0e:8e:53:30:1d (try 1/3)
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0135] device (wlp2s0): supplicant interface state: authenticating -> associating
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0137] device (p2p-dev-wlp2s0): supplicant management interface state: authenticating -> associating
    Jan 23 20:09:18 tethys kernel: wlp2s0: RX AssocResp from 00:0e:8e:53:30:1d (capab=0x411 status=0 aid=1)
    Jan 23 20:09:18 tethys kernel: wlp2s0: associated
    Jan 23 20:09:18 tethys wpa_supplicant[493]: wlp2s0: Associated with 00:0e:8e:53:30:1d
    Jan 23 20:09:18 tethys wpa_supplicant[493]: wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0299] device (wlp2s0): supplicant interface state: associating -> associated
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0300] device (p2p-dev-wlp2s0): supplicant management interface state: associating -> associated
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0479] device (wlp2s0): supplicant interface state: associated -> 4way_handshake
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0480] device (p2p-dev-wlp2s0): supplicant management interface state: associated -> 4way_handshake
    Jan 23 20:09:18 tethys wpa_supplicant[493]: wlp2s0: WPA: Key negotiation completed with 00:0e:8e:53:30:1d [PTK=CCMP GTK=CCMP]
    Jan 23 20:09:18 tethys wpa_supplicant[493]: wlp2s0: CTRL-EVENT-CONNECTED - Connection to 00:0e:8e:53:30:1d completed [id=0 id_str=]
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0898] device (wlp2s0): supplicant interface state: 4way_handshake -> completed
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0899] device (wlp2s0): Activation: (wifi) Stage 2 of 5 (Device Configure) successful. Connected to wireless network "Jarnsaxa"
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0900] device (p2p-dev-wlp2s0): supplicant management interface state: 4way_handshake -> completed
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0904] device (wlp2s0): state change: config -> ip-config (reason 'none', managed-type: 'full')
    Jan 23 20:09:18 tethys NetworkManager[457]: <info> [1769195358.0913] dhcp4 (wlp2s0): activation: beginning transaction (timeout in 45 seconds)
    Jan 23 20:09:26 tethys systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
    Jan 23 20:10:03 tethys NetworkManager[457]: <info> [1769195403.8287] device (wlp2s0): state change: ip-config -> failed (reason 'ip-config-unavailable', managed-type: 'full')
    Jan 23 20:10:03 tethys NetworkManager[457]: <info> [1769195403.8297] manager: NetworkManager state is now DISCONNECTED
    Jan 23 20:10:03 tethys kernel: wlp2s0: deauthenticating from 00:0e:8e:53:30:1d by local choice (Reason: 3=DEAUTH_LEAVING)
    Jan 23 20:10:03 tethys wpa_supplicant[493]: wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:0e:8e:53:30:1d reason=3 locally_generated=1
    Jan 23 20:10:03 tethys wpa_supplicant[493]: wlp2s0: Added BSSID 00:0e:8e:53:30:1d into ignore list, ignoring for 10 seconds
    Jan 23 20:10:03 tethys NetworkManager[457]: <info> [1769195403.8565] device (wlp2s0): set-hw-addr: set MAC address to B2:32:F1:18:65:85 (scanning)
    Jan 23 20:10:03 tethys NetworkManager[457]: <warn> [1769195403.8599] device (wlp2s0): Activation: failed for connection 'Jarnsaxa'
    Jan 23 20:10:03 tethys NetworkManager[457]: <info> [1769195403.8618] device (wlp2s0): state change: failed -> disconnected (reason 'none', managed-type: 'full')

I will try tomorrow again but after the nightly build so I can do an update and see if that works or if it duplicates what I found today.

What I forgot to mention is that with the patches fix when I put an ! into the password and press Save then the password is shown correctly in /var/ipfire/wlanap/settings but in /etc/hostapd.conf the password line looks like

    wpa_passphrase=/srv/web/ipfire/cgi-bin

This was also the case with the version without the patches fix.

(In reply to Adolf Belka from comment #10)
> What I forgot to mention is that with the patches fix when I put an ! into
> the password and press Save then the password is shown correctly in
> /var/ipfire/wlanap/settings but in /etc/hostapd.conf the password line looks
> like
>
> wpa_passphrase=/srv/web/ipfire/cgi-bin
>
> This was also the case with the version without the patches fix.

I can confirm this.
Thanks for reporting.

I will have to look at how to fix this...

(In reply to Michael Tremer from comment #11)
> (In reply to Adolf Belka from comment #10)
> > What I forgot to mention is that with the patches fix when I put an ! into
> > the password and press Save then the password is shown correctly in
> > /var/ipfire/wlanap/settings but in /etc/hostapd.conf the password line looks
> > like
> >
> > wpa_passphrase=/srv/web/ipfire/cgi-bin
> >
> > This was also the case with the version without the patches fix.
>
> I can confirm this. Thanks for reporting.
>
> I will have to look at how to fix this...

False alarm. I can NOT confirm this with the proposed patches:

> wpa=2
> wpa_passphrase=ipfire-2.x!abc
> wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
> ...

(In reply to Michael Tremer from comment #12)
> (In reply to Michael Tremer from comment #11)
> > (In reply to Adolf Belka from comment #10)
> > > What I forgot to mention is that with the patches fix when I put an ! into
> > > the password and press Save then the password is shown correctly in
> > > /var/ipfire/wlanap/settings but in /etc/hostapd.conf the password line looks
> > > like
> > >
> > > wpa_passphrase=/srv/web/ipfire/cgi-bin
> > >
> > > This was also the case with the version without the patches fix.
> >
> > I can confirm this. Thanks for reporting.
> >
> > I will have to look at how to fix this...
>
> False alarm. I can NOT confirm this with the proposed patches:
>
> > wpa=2
> > wpa_passphrase=ipfire-2.x!abc
> > wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
> > ...

Then most likely I had an error in applying the patches before building.

When the x86_64 nightly build is working again, then I will do an update to CU200 with your patches merged in and test again and report back.

The build is running, I am hoping it will go through just fine.

The build completed successfully so I moved my IPFire Prime system back to CU199 and updated again to CU200.

Update went fine and I can successfully add an ! into the password and it is accepted and I can make the wireless connection.

I clearly did something very wrong with my build patch, build and install, so my comments 9 & 10 should be ignored.

I can confirm that the fix is working.

Additional patches submitted to remove filtering of all PSK characters now that improved readhash has been implemented.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=bee138720596ce50f82075e411f857cdd9f04344

Checking the latest patch changes then all characters are now accepted into the PSK in the settings file and then transferred to hostapd.conf.
This now also covers the characters
!&"$()*]^`'{}~
However if the ' character is used in the password then the displayed value is truncated down to the ' quote mark so the displayed password has all the characters up to but not including the ' mark.
So a password
usinglonger'passwords
has that whole password saved correctly into the settings file and correctly copied to the hostapd.conf file when the save button is pressed on the wlanap.cgi page.
However the displayed PSK is then shown as
usinglonger
Using the full password on the client enables the connection to be successfully created, so the issue is only on what is shown on the screen.