fastd: make secret key updatesafe

Submitted by Christian Dresel on Jan. 5, 2020, 9:10 a.m.

Details

Message ID 20200105091009.22443-1-fff@chrisi01.de
State New

Commit Message

Christian Dresel Jan. 5, 2020, 9:10 a.m.
To use a whitelist easily, it is necessary to make the fastd key updatesafe.
This patch saves the key to uci fff and recovers it if a key is available after the update.

Signed-off-by: Christian Dresel <fff@chrisi01.de>

---
Changes in v2:
- use variable in if
- remove trailing whitespace
- remove -q
---
---
 .../fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd         | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

Patch

diff --git a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
index d53eb43..4bfc316 100644
--- a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
+++ b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
@@ -15,9 +15,18 @@  uci batch <<EOF
   set fastd.fff.mtu='1426'
   set fastd.fff.on_up="/etc/fastd/fff/up.sh"
   set fastd.fff.secure_handshakes='0'
-  set fastd.fff.secret="generate"
 EOF
 
+if secretkey=$(uci -q get fff.fastd.secret); then
+	uci set fastd.fff.secret=$secretkey
+else
+	secret=$(/usr/bin/fastd --generate-key --machine-readable)
+	uci set fastd.fff.secret="$secret"
+	uci set fff.fastd='fff'
+	uci set fff.fastd.secret="$secret" && uci commit fff
+fi
+uci commit fastd
+
 [ ! -d /etc/fastd/fff ] &&  mkdir -p /etc/fastd/fff
 ln -s /tmp/fastd_fff_peers /etc/fastd/fff/peers
 echo "#!/bin/sh" > /etc/fastd/fff/up.sh
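
Review bot: In the `if` branch, `uci set fastd.fff.secret=$secretkey` expands the variable unquoted, while the `else` branch quotes `"$secret"`; quote it here too so the stored value is passed to uci as a single argument whatever it contains. Neither branch checks that the value is non-empty: if `/usr/bin/fastd --generate-key --machine-readable` fails or prints nothing, the script continues with an empty `$secret` and still runs both commits. A `[ -n "$secret" ]` test before the `uci set` calls would catch that.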

Comments

Robert Langhammer Jan. 5, 2020, 4:55 p.m.
Hi Christian,

I really like this. I have one more suggestion, see below.

On 05.01.20 at 10:10, Christian Dresel wrote:
> To use a whitelist easily, it is necessary to make the fastd key updatesafe.
> This patch saves the key to uci fff and recovers it if a key is available after the update.
>
> Signed-off-by: Christian Dresel <fff@chrisi01.de>
>
> ---
> Changes in v2:
> - use variable in if
> - remove trailing whitespace
> - remove -q
> ---
> ---
>  .../fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd         | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
> index d53eb43..4bfc316 100644
> --- a/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
> +++ b/src/packages/fff/fff-fastd/files/etc/uci-defaults/55_fff-fastd
> @@ -15,9 +15,18 @@ uci batch <<EOF
>    set fastd.fff.mtu='1426'
>    set fastd.fff.on_up="/etc/fastd/fff/up.sh"
>    set fastd.fff.secure_handshakes='0'
> -  set fastd.fff.secret="generate"
>  EOF
>  
> +if secretkey=$(uci -q get fff.fastd.secret); then
> +	uci set fastd.fff.secret=$secretkey
> +else
> +	secret=$(/usr/bin/fastd --generate-key --machine-readable)
> +	uci set fastd.fff.secret="$secret"
> +	uci set fff.fastd='fff'
> +	uci set fff.fastd.secret="$secret" && uci commit fff
> +fi
> +uci commit fastd
> +
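
Review bot: In the `else` branch the freshly generated key still reaches `fastd` when saving it to `fff` fails: in `uci set fff.fastd.secret="$secret" && uci commit fff` the `&&` only guards the `fff` commit, and `uci commit fastd` after `fi` runs regardless. The node would then come up with a key that is not preserved and would be replaced on the next update, which is the case the whitelist use depends on avoiding. Check the result of the `fff` set and commit and at least log a failure, and add a short comment above the `if` saying that `fff` holds the persistent copy of the key.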

Why not give the variable that holds the same thing the same name?
secretkey <-> secret

There is also some duplication. My suggestion:

if ! secret=$(uci -q get fff.fastd.secret); then
	secret=$(/usr/bin/fastd --generate-key --machine-readable)
	uci set fff.fastd='fff'
	uci set fff.fastd.secret="$secret"
fi
uci set fastd.fff.secret="$secret"
# optional uci commit 

Best regards
Robert

>  [ ! -d /etc/fastd/fff ] &&  mkdir -p /etc/fastd/fff
>  ln -s /tmp/fastd_fff_peers /etc/fastd/fff/peers
>  echo "#!/bin/sh" > /etc/fastd/fff/up.sh