fastd: make secret key updatesafe

Submitted by Christian Dresel on Jan. 4, 2020, 5:28 p.m.

Details

Message ID 20200104172821.8863-1-fff@chrisi01.de
State New

Commit Message

Christian Dresel Jan. 4, 2020, 5:28 p.m.
To use a whitelist easily, it is necessary to make the fastd key update-safe.
This patch saves the key to uci fff and recovers it if a key is available after the update.

Signed-off-by: Christian Dresel <fff@chrisi01.de>
---
 .../fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd         | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)


diff --git a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
index d53eb43..4b03229 100644
--- a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
+++ b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
@@ -15,9 +15,18 @@  uci batch <<EOF
   set fastd.fff.mtu='1426'
   set fastd.fff.on_up="/etc/fastd/fff/up.sh"
   set fastd.fff.secure_handshakes='0'
-  set fastd.fff.secret="generate"
 EOF
 
+if uci -q get fff.fastd.secret; then
+	uci set fastd.fff.secret=$(uci get fff.fastd.secret)
+else
+	secret=$(/usr/bin/fastd --generate-key --machine-readable)
+	uci -q set fastd.fff.secret="$secret"
+	uci set fff.fastd='fff'
+	uci -q set fff.fastd.secret="$secret" && uci -q commit fff	
+fi
+uci commit fastd
+
 [ ! -d /etc/fastd/fff ] &&  mkdir -p /etc/fastd/fff
 ln -s /tmp/fastd_fff_peers /etc/fastd/fff/peers
 echo "#!/bin/sh" > /etc/fastd/fff/up.sh
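Review bot: In the `if` branch, `uci set fastd.fff.secret=$(uci get fff.fastd.secret)` uses an unquoted command substitution, and the test `if uci -q get fff.fastd.secret; then` prints the stored secret to stdout while uci-defaults runs; reading the value once into a variable, e.g. `secret=$(uci -q get fff.fastd.secret)` followed by `if [ -n "$secret" ]; then uci set fastd.fff.secret="$secret"`, avoids both and saves a process. In the `else` branch, the `-q` on `uci -q set fastd.fff.secret="$secret"` and on `uci -q set fff.fastd.secret="$secret" && uci -q commit fff` hides a failed write, so a node could silently run with a secret that was never persisted and generate a new one on the next run, which is exactly the key change this patch is meant to prevent for peer whitelists; drop `-q` from the set/commit calls so such a failure is visible. Two smaller points: the line ending in `commit fff` carries trailing whitespace, and the private key is now stored a second time in the `fff` uci config, so that config needs the same protection from unprivileged read access as the fastd config.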

Comments

Fabian Blaese Jan. 4, 2020, 7:57 p.m.
Hey Christian,

On 04.01.20 18:28, Christian Dresel wrote:
> To use a whitelist easily, it is necessary to make the fastd key update-safe.
> This patch saves the key to uci fff and recovers it if a key is available after the update.
> 
> Signed-off-by: Christian Dresel <fff@chrisi01.de>
> ---
>  .../fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd         | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
> index d53eb43..4b03229 100644
> --- a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
> +++ b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
> @@ -15,9 +15,18 @@ uci batch <<EOF
>    set fastd.fff.mtu='1426'
>    set fastd.fff.on_up="/etc/fastd/fff/up.sh"
>    set fastd.fff.secure_handshakes='0'
> -  set fastd.fff.secret="generate"
>  EOF
>  
> +if uci -q get fff.fastd.secret; then
> +	uci set fastd.fff.secret=$(uci get fff.fastd.secret)
Here, exactly as in all the gateway.d files, one could write the value into a variable directly when reading it for the if.
That gets rid of the otherwise possibly confusing output and saves one process execution.

> +else
> +	secret=$(/usr/bin/fastd --generate-key --machine-readable)
> +	uci -q set fastd.fff.secret="$secret"
Why -q?
If this set fails, an error message would be a good thing. Same for the set and commit further down.

> +	uci set fff.fastd='fff'
> +	uci -q set fff.fastd.secret="$secret" && uci -q commit fff	
trailing whitespace.

Personally I would leave out the commits in uci-defaults, but Adrian has already found out that this is more a matter of taste.

Regards
Fabian