2015-11-11 08:34:59 +00:00
|
|
|
. /lib/functions/network.sh
|
2020-09-08 19:00:05 +00:00
|
|
|
. /lib/functions.sh
|
2015-11-11 08:34:59 +00:00
|
|
|
|
2014-12-27 12:59:47 +00:00
|
|
|
wpa_supplicant_add_rate() {
|
2013-12-02 16:41:03 +00:00
|
|
|
local var="$1"
|
|
|
|
local val="$(($2 / 1000))"
|
|
|
|
local sub="$((($2 / 100) % 10))"
|
|
|
|
append $var "$val" ","
|
|
|
|
[ $sub -gt 0 ] && append $var "."
|
|
|
|
}
|
|
|
|
|
2014-12-27 12:59:47 +00:00
|
|
|
hostapd_add_rate() {
|
2014-01-31 10:43:18 +00:00
|
|
|
local var="$1"
|
|
|
|
local val="$(($2 / 100))"
|
|
|
|
append $var "$val" " "
|
|
|
|
}
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
hostapd_append_wep_key() {
|
|
|
|
local var="$1"
|
|
|
|
|
|
|
|
wep_keyidx=0
|
|
|
|
set_default key 1
|
|
|
|
case "$key" in
|
|
|
|
[1234])
|
|
|
|
for idx in 1 2 3 4; do
|
|
|
|
local zidx
|
|
|
|
zidx=$(($idx - 1))
|
|
|
|
json_get_var ckey "key${idx}"
|
|
|
|
[ -n "$ckey" ] && \
|
2013-12-23 12:11:28 +00:00
|
|
|
append $var "wep_key${zidx}=$(prepare_key_wep "$ckey")" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
done
|
|
|
|
wep_keyidx=$((key - 1))
|
|
|
|
;;
|
|
|
|
*)
|
2013-12-23 12:11:28 +00:00
|
|
|
append $var "wep_key0=$(prepare_key_wep "$key")" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
}
|
|
|
|
|
2016-12-28 04:22:00 +00:00
|
|
|
hostapd_append_wpa_key_mgmt() {
|
2018-10-03 21:33:51 +00:00
|
|
|
local auth_type_l="$(echo $auth_type | tr 'a-z' 'A-Z')"
|
2016-12-28 04:22:00 +00:00
|
|
|
|
2018-10-03 21:33:51 +00:00
|
|
|
case "$auth_type" in
|
|
|
|
psk|eap)
|
|
|
|
append wpa_key_mgmt "WPA-$auth_type_l"
|
|
|
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-${auth_type_l}"
|
|
|
|
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-${auth_type_l}-SHA256"
|
|
|
|
;;
|
2018-10-09 20:50:50 +00:00
|
|
|
eap192)
|
|
|
|
append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
|
2022-06-26 15:18:39 +00:00
|
|
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-EAP-SHA384"
|
2018-10-09 20:50:50 +00:00
|
|
|
;;
|
|
|
|
eap-eap192)
|
|
|
|
append wpa_key_mgmt "WPA-EAP-SUITE-B-192"
|
|
|
|
append wpa_key_mgmt "WPA-EAP"
|
2022-06-26 15:18:39 +00:00
|
|
|
[ "${ieee80211r:-0}" -gt 0 ] && {
|
|
|
|
append wpa_key_mgmt "FT-EAP-SHA384"
|
|
|
|
append wpa_key_mgmt "FT-EAP"
|
|
|
|
}
|
2018-10-09 20:50:50 +00:00
|
|
|
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-EAP-SHA256"
|
|
|
|
;;
|
2018-10-03 21:33:51 +00:00
|
|
|
sae)
|
|
|
|
append wpa_key_mgmt "SAE"
|
|
|
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
|
|
|
|
;;
|
|
|
|
psk-sae)
|
|
|
|
append wpa_key_mgmt "WPA-PSK"
|
|
|
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-PSK"
|
|
|
|
[ "${ieee80211w:-0}" -gt 0 ] && append wpa_key_mgmt "WPA-PSK-SHA256"
|
|
|
|
append wpa_key_mgmt "SAE"
|
|
|
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt "FT-SAE"
|
|
|
|
;;
|
2018-10-04 20:45:06 +00:00
|
|
|
owe)
|
|
|
|
append wpa_key_mgmt "OWE"
|
|
|
|
;;
|
2018-10-03 21:33:51 +00:00
|
|
|
esac
|
2020-09-08 19:00:05 +00:00
|
|
|
|
2021-12-07 13:47:40 +00:00
|
|
|
[ "$fils" -gt 0 ] && {
|
|
|
|
case "$auth_type" in
|
|
|
|
eap*)
|
|
|
|
append wpa_key_mgmt FILS-SHA256
|
|
|
|
[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt FT-FILS-SHA256
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
}
|
|
|
|
|
2020-09-08 19:00:05 +00:00
|
|
|
[ "$auth_osen" = "1" ] && append wpa_key_mgmt "OSEN"
|
2016-12-28 04:22:00 +00:00
|
|
|
}
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
hostapd_add_log_config() {
|
|
|
|
config_add_boolean \
|
|
|
|
log_80211 \
|
|
|
|
log_8021x \
|
|
|
|
log_radius \
|
|
|
|
log_wpa \
|
|
|
|
log_driver \
|
|
|
|
log_iapp \
|
|
|
|
log_mlme
|
|
|
|
|
|
|
|
config_add_int log_level
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_common_add_device_config() {
|
|
|
|
config_add_array basic_rate
|
2014-12-27 12:59:47 +00:00
|
|
|
config_add_array supported_rates
|
2021-05-26 11:04:50 +00:00
|
|
|
config_add_string beacon_rate
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2021-06-15 21:08:56 +00:00
|
|
|
config_add_string country country3
|
2015-06-06 23:09:43 +00:00
|
|
|
config_add_boolean country_ie doth
|
2019-11-09 03:42:56 +00:00
|
|
|
config_add_boolean spectrum_mgmt_required
|
|
|
|
config_add_int local_pwr_constraint
|
2014-07-15 10:30:08 +00:00
|
|
|
config_add_string require_mode
|
2017-03-27 09:50:23 +00:00
|
|
|
config_add_boolean legacy_rates
|
hostapd: Add cell_density data rates option
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.
The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.
Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.
Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.
Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.
For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.
A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.
There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.
There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.
Cell Density
0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.
1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.
2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.
3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.
Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-10-28 11:04:32 +00:00
|
|
|
config_add_int cell_density
|
2021-05-18 15:46:01 +00:00
|
|
|
config_add_int rts_threshold
|
2021-05-26 11:34:41 +00:00
|
|
|
config_add_int rssi_reject_assoc_rssi
|
|
|
|
config_add_int rssi_ignore_probe_request
|
2021-05-26 12:34:46 +00:00
|
|
|
config_add_int maxassoc
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2017-06-15 11:48:56 +00:00
|
|
|
config_add_string acs_chan_bias
|
2017-05-07 10:37:00 +00:00
|
|
|
config_add_array hostapd_options
|
2017-06-15 11:48:56 +00:00
|
|
|
|
2020-11-16 19:21:46 +00:00
|
|
|
config_add_int airtime_mode
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
hostapd_add_log_config
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_prepare_device_config() {
|
|
|
|
local config="$1"
|
|
|
|
local driver="$2"
|
|
|
|
|
|
|
|
local base_cfg=
|
|
|
|
|
2021-06-15 21:08:56 +00:00
|
|
|
json_get_vars country country3 country_ie beacon_int:100 dtim_period:2 doth require_mode legacy_rates \
|
2021-05-18 15:46:01 +00:00
|
|
|
acs_chan_bias local_pwr_constraint spectrum_mgmt_required airtime_mode cell_density \
|
2021-05-26 12:34:46 +00:00
|
|
|
rts_threshold beacon_rate rssi_reject_assoc_rssi rssi_ignore_probe_request maxassoc
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
hostapd_set_log_options base_cfg
|
|
|
|
|
|
|
|
set_default country_ie 1
|
2019-11-09 03:42:56 +00:00
|
|
|
set_default spectrum_mgmt_required 0
|
2014-05-03 21:14:48 +00:00
|
|
|
set_default doth 1
|
2020-12-04 17:47:47 +00:00
|
|
|
set_default legacy_rates 0
|
2020-08-27 23:39:45 +00:00
|
|
|
set_default airtime_mode 0
|
hostapd: Add cell_density data rates option
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.
The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.
Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.
Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.
Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.
For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.
A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.
There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.
There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.
Cell Density
0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.
1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.
2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.
3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.
Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-10-28 11:04:32 +00:00
|
|
|
set_default cell_density 0
|
2014-05-03 21:14:48 +00:00
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$country" ] && {
|
|
|
|
append base_cfg "country_code=$country" "$N"
|
2021-06-15 21:08:56 +00:00
|
|
|
[ -n "$country3" ] && append base_cfg "country3=$country3" "$N"
|
2014-05-03 21:14:48 +00:00
|
|
|
|
2019-11-09 03:42:56 +00:00
|
|
|
[ "$country_ie" -gt 0 ] && {
|
|
|
|
append base_cfg "ieee80211d=1" "$N"
|
|
|
|
[ -n "$local_pwr_constraint" ] && append base_cfg "local_pwr_constraint=$local_pwr_constraint" "$N"
|
|
|
|
[ "$spectrum_mgmt_required" -gt 0 ] && append base_cfg "spectrum_mgmt_required=$spectrum_mgmt_required" "$N"
|
|
|
|
}
|
2014-05-03 21:14:48 +00:00
|
|
|
[ "$hwmode" = "a" -a "$doth" -gt 0 ] && append base_cfg "ieee80211h=1" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
2017-06-15 11:48:56 +00:00
|
|
|
[ -n "$acs_chan_bias" ] && append base_cfg "acs_chan_bias=$acs_chan_bias" "$N"
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
local brlist= br
|
2014-01-28 21:12:36 +00:00
|
|
|
json_get_values basic_rate_list basic_rate
|
2017-03-27 09:50:23 +00:00
|
|
|
local rlist= r
|
|
|
|
json_get_values rate_list supported_rates
|
|
|
|
|
|
|
|
[ -n "$hwmode" ] && append base_cfg "hw_mode=$hwmode" "$N"
|
hostapd: Add cell_density data rates option
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.
The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.
Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.
Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.
Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.
For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.
A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.
There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.
There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.
Cell Density
0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.
1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.
2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.
3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.
Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-10-28 11:04:32 +00:00
|
|
|
if [ "$hwmode" = "g" ] || [ "$hwmode" = "a" ]; then
|
|
|
|
[ -n "$require_mode" ] && legacy_rates=0
|
|
|
|
case "$require_mode" in
|
|
|
|
n) append base_cfg "require_ht=1" "$N";;
|
|
|
|
ac) append base_cfg "require_vht=1" "$N";;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
case "$hwmode" in
|
|
|
|
b)
|
|
|
|
if [ "$cell_density" -eq 1 ]; then
|
|
|
|
set_default rate_list "5500 11000"
|
|
|
|
set_default basic_rate_list "5500 11000"
|
|
|
|
elif [ "$cell_density" -ge 2 ]; then
|
|
|
|
set_default rate_list "11000"
|
|
|
|
set_default basic_rate_list "11000"
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
g)
|
|
|
|
if [ "$cell_density" -eq 0 ] || [ "$cell_density" -eq 1 ]; then
|
|
|
|
if [ "$legacy_rates" -eq 0 ]; then
|
|
|
|
set_default rate_list "6000 9000 12000 18000 24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "6000 12000 24000"
|
|
|
|
elif [ "$cell_density" -eq 1 ]; then
|
|
|
|
set_default rate_list "5500 6000 9000 11000 12000 18000 24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "5500 11000"
|
|
|
|
fi
|
|
|
|
elif [ "$cell_density" -ge 3 ] && [ "$legacy_rates" -ne 0 ] || [ "$cell_density" -eq 2 ]; then
|
|
|
|
if [ "$legacy_rates" -eq 0 ]; then
|
|
|
|
set_default rate_list "12000 18000 24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "12000 24000"
|
|
|
|
else
|
|
|
|
set_default rate_list "11000 12000 18000 24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "11000"
|
|
|
|
fi
|
|
|
|
elif [ "$cell_density" -ge 3 ]; then
|
|
|
|
set_default rate_list "24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "24000"
|
|
|
|
fi
|
|
|
|
;;
|
|
|
|
a)
|
|
|
|
if [ "$cell_density" -eq 1 ]; then
|
|
|
|
set_default rate_list "6000 9000 12000 18000 24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "6000 12000 24000"
|
|
|
|
elif [ "$cell_density" -eq 2 ]; then
|
|
|
|
set_default rate_list "12000 18000 24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "12000 24000"
|
|
|
|
elif [ "$cell_density" -ge 3 ]; then
|
|
|
|
set_default rate_list "24000 36000 48000 54000"
|
|
|
|
set_default basic_rate_list "24000"
|
|
|
|
fi
|
|
|
|
;;
|
2014-07-15 10:30:08 +00:00
|
|
|
esac
|
2014-12-27 12:59:47 +00:00
|
|
|
|
|
|
|
for r in $rate_list; do
|
|
|
|
hostapd_add_rate rlist "$r"
|
|
|
|
done
|
|
|
|
|
2017-03-27 09:50:23 +00:00
|
|
|
for br in $basic_rate_list; do
|
|
|
|
hostapd_add_rate brlist "$br"
|
|
|
|
done
|
|
|
|
|
2021-05-26 11:34:41 +00:00
|
|
|
[ -n "$rssi_reject_assoc_rssi" ] && append base_cfg "rssi_reject_assoc_rssi=$rssi_reject_assoc_rssi" "$N"
|
|
|
|
[ -n "$rssi_ignore_probe_request" ] && append base_cfg "rssi_ignore_probe_request=$rssi_ignore_probe_request" "$N"
|
2021-05-26 11:04:50 +00:00
|
|
|
[ -n "$beacon_rate" ] && append base_cfg "beacon_rate=$beacon_rate" "$N"
|
2014-12-27 12:59:47 +00:00
|
|
|
[ -n "$rlist" ] && append base_cfg "supported_rates=$rlist" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N"
|
2017-05-13 14:17:44 +00:00
|
|
|
append base_cfg "beacon_int=$beacon_int" "$N"
|
2021-05-18 15:46:01 +00:00
|
|
|
[ -n "$rts_threshold" ] && append base_cfg "rts_threshold=$rts_threshold" "$N"
|
2019-11-09 03:42:56 +00:00
|
|
|
append base_cfg "dtim_period=$dtim_period" "$N"
|
2020-08-27 23:39:45 +00:00
|
|
|
[ "$airtime_mode" -gt 0 ] && append base_cfg "airtime_mode=$airtime_mode" "$N"
|
2021-05-26 12:34:46 +00:00
|
|
|
[ -n "$maxassoc" ] && append base_cfg "iface_max_num_sta=$maxassoc" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2017-05-07 10:37:00 +00:00
|
|
|
json_get_values opts hostapd_options
|
|
|
|
for val in $opts; do
|
|
|
|
append base_cfg "$val" "$N"
|
|
|
|
done
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
cat > "$config" <<EOF
|
|
|
|
driver=$driver
|
|
|
|
$base_cfg
|
|
|
|
EOF
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_common_add_bss_config() {
|
2014-02-18 13:33:59 +00:00
|
|
|
config_add_string 'bssid:macaddr' 'ssid:string'
|
2018-11-12 22:46:13 +00:00
|
|
|
config_add_boolean wds wmm uapsd hidden utf8_ssid
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
config_add_int maxassoc max_inactivity
|
2020-08-23 00:07:40 +00:00
|
|
|
config_add_boolean disassoc_low_ack isolate short_preamble skip_inactivity_poll
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
config_add_int \
|
|
|
|
wep_rekey eap_reauth_period \
|
|
|
|
wpa_group_rekey wpa_pair_rekey wpa_master_rekey
|
2019-11-09 03:42:57 +00:00
|
|
|
config_add_boolean wpa_strict_rekey
|
2017-10-17 13:35:03 +00:00
|
|
|
config_add_boolean wpa_disable_eapol_key_retries
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2017-11-14 20:41:29 +00:00
|
|
|
config_add_boolean tdls_prohibit
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
config_add_boolean rsn_preauth auth_cache
|
|
|
|
config_add_int ieee80211w
|
2015-09-11 16:33:54 +00:00
|
|
|
config_add_int eapol_version
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2014-02-18 13:33:59 +00:00
|
|
|
config_add_string 'auth_server:host' 'server:host'
|
2020-08-07 19:19:29 +00:00
|
|
|
config_add_string auth_secret key
|
2014-02-18 13:33:59 +00:00
|
|
|
config_add_int 'auth_port:port' 'port:port'
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
config_add_string acct_server
|
|
|
|
config_add_string acct_secret
|
|
|
|
config_add_int acct_port
|
2017-06-27 07:34:49 +00:00
|
|
|
config_add_int acct_interval
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2021-06-15 21:12:08 +00:00
|
|
|
config_add_int bss_load_update_period chan_util_avg_period
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
config_add_string dae_client
|
|
|
|
config_add_string dae_secret
|
|
|
|
config_add_int dae_port
|
|
|
|
|
|
|
|
config_add_string nasid
|
2014-06-02 12:44:40 +00:00
|
|
|
config_add_string ownip
|
2018-01-19 13:03:46 +00:00
|
|
|
config_add_string radius_client_addr
|
2013-12-02 16:41:03 +00:00
|
|
|
config_add_string iapp_interface
|
2016-04-17 12:50:55 +00:00
|
|
|
config_add_string eap_type ca_cert client_cert identity anonymous_identity auth priv_key priv_key_pwd
|
2020-01-16 08:01:35 +00:00
|
|
|
config_add_boolean ca_cert_usesystem ca_cert2_usesystem
|
hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.
From the documentation:
subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com
subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.
altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI
altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.
domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.
domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 08:27:28 +00:00
|
|
|
config_add_string subject_match subject_match2
|
|
|
|
config_add_array altsubject_match altsubject_match2
|
|
|
|
config_add_array domain_match domain_match2 domain_suffix_match domain_suffix_match2
|
2018-01-05 12:15:01 +00:00
|
|
|
config_add_string ieee80211w_mgmt_cipher
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2021-05-18 10:50:17 +00:00
|
|
|
config_add_int dynamic_vlan vlan_naming vlan_no_bridge
|
2014-12-01 16:15:20 +00:00
|
|
|
config_add_string vlan_tagged_interface vlan_bridge
|
2015-08-17 06:17:13 +00:00
|
|
|
config_add_string vlan_file
|
2014-07-29 09:48:02 +00:00
|
|
|
|
2014-02-18 13:33:59 +00:00
|
|
|
config_add_string 'key1:wepkey' 'key2:wepkey' 'key3:wepkey' 'key4:wepkey' 'password:wpakey'
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2014-10-20 11:19:21 +00:00
|
|
|
config_add_string wpa_psk_file
|
|
|
|
|
2018-12-10 16:02:27 +00:00
|
|
|
config_add_int multi_ap
|
|
|
|
|
2014-03-21 15:55:03 +00:00
|
|
|
config_add_boolean wps_pushbutton wps_label ext_registrar wps_pbc_in_m1
|
2016-12-27 05:16:23 +00:00
|
|
|
config_add_int wps_ap_setup_locked wps_independent
|
2013-12-02 16:41:03 +00:00
|
|
|
config_add_string wps_device_type wps_device_name wps_manufacturer wps_pin
|
2018-12-10 16:02:27 +00:00
|
|
|
config_add_string multi_ap_backhaul_ssid multi_ap_backhaul_key
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2021-06-15 21:09:41 +00:00
|
|
|
config_add_boolean wnm_sleep_mode wnm_sleep_mode_no_keys bss_transition
|
2017-09-30 11:01:11 +00:00
|
|
|
config_add_int time_advertisement
|
|
|
|
config_add_string time_zone
|
2021-06-24 13:56:12 +00:00
|
|
|
config_add_string vendor_elements
|
2017-09-30 11:01:11 +00:00
|
|
|
|
2019-10-31 20:03:39 +00:00
|
|
|
config_add_boolean ieee80211k rrm_neighbor_report rrm_beacon_report
|
|
|
|
|
2020-10-18 21:09:09 +00:00
|
|
|
config_add_boolean ftm_responder stationary_ap
|
|
|
|
config_add_string lci civic
|
|
|
|
|
2017-09-16 09:14:27 +00:00
|
|
|
config_add_boolean ieee80211r pmk_r1_push ft_psk_generate_local ft_over_ds
|
2015-03-26 23:34:33 +00:00
|
|
|
config_add_int r0_key_lifetime reassociation_deadline
|
|
|
|
config_add_string mobility_domain r1_key_holder
|
|
|
|
config_add_array r0kh r1kh
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout
|
|
|
|
|
2014-02-18 13:33:59 +00:00
|
|
|
config_add_string macfilter 'macfile:file'
|
|
|
|
config_add_array 'maclist:list(macaddr)'
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2015-02-13 10:53:54 +00:00
|
|
|
config_add_array bssid_blacklist
|
|
|
|
config_add_array bssid_whitelist
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
config_add_int mcast_rate
|
|
|
|
config_add_array basic_rate
|
2014-12-27 12:59:47 +00:00
|
|
|
config_add_array supported_rates
|
2020-09-08 19:00:05 +00:00
|
|
|
|
2018-10-03 21:33:51 +00:00
|
|
|
config_add_boolean sae_require_mfp
|
2021-06-02 17:48:43 +00:00
|
|
|
config_add_int sae_pwe
|
2020-09-08 19:00:05 +00:00
|
|
|
|
2018-10-04 20:45:06 +00:00
|
|
|
config_add_string 'owe_transition_bssid:macaddr' 'owe_transition_ssid:string'
|
2022-06-15 23:55:26 +00:00
|
|
|
config_add_string owe_transition_ifname
|
2020-09-08 19:00:05 +00:00
|
|
|
|
2020-10-19 00:29:47 +00:00
|
|
|
config_add_boolean iw_enabled iw_internet iw_asra iw_esr iw_uesa
|
|
|
|
config_add_int iw_access_network_type iw_venue_group iw_venue_type
|
|
|
|
config_add_int iw_ipaddr_type_availability iw_gas_address3
|
|
|
|
config_add_string iw_hessid iw_network_auth_type iw_qos_map_set
|
|
|
|
config_add_array iw_roaming_consortium iw_domain_name iw_anqp_3gpp_cell_net iw_nai_realm
|
2021-05-18 15:06:48 +00:00
|
|
|
config_add_array iw_anqp_elem iw_venue_name iw_venue_url
|
2020-10-19 00:29:47 +00:00
|
|
|
|
2020-09-08 19:00:05 +00:00
|
|
|
config_add_boolean hs20 disable_dgaf osen
|
|
|
|
config_add_int anqp_domain_id
|
|
|
|
config_add_int hs20_deauth_req_timeout
|
|
|
|
config_add_array hs20_oper_friendly_name
|
|
|
|
config_add_array osu_provider
|
|
|
|
config_add_array operator_icon
|
|
|
|
config_add_array hs20_conn_capab
|
|
|
|
config_add_string osu_ssid hs20_wan_metrics hs20_operating_class hs20_t_c_filename hs20_t_c_timestamp
|
2020-08-27 23:39:45 +00:00
|
|
|
|
2021-05-18 15:06:48 +00:00
|
|
|
config_add_string hs20_t_c_server_url
|
|
|
|
|
2020-11-16 19:32:38 +00:00
|
|
|
config_add_array airtime_sta_weight
|
2020-08-27 23:39:45 +00:00
|
|
|
config_add_int airtime_bss_weight airtime_bss_limit
|
2020-11-07 14:44:05 +00:00
|
|
|
|
2022-09-06 10:12:12 +00:00
|
|
|
config_add_boolean multicast_to_unicast multicast_to_unicast_all proxy_arp per_sta_vif
|
2021-01-13 08:52:02 +00:00
|
|
|
|
2020-11-07 14:44:05 +00:00
|
|
|
config_add_array hostapd_bss_options
|
2020-10-07 08:08:14 +00:00
|
|
|
config_add_boolean default_disabled
|
2021-05-18 15:53:45 +00:00
|
|
|
|
|
|
|
config_add_boolean request_cui
|
|
|
|
config_add_array radius_auth_req_attr
|
|
|
|
config_add_array radius_acct_req_attr
|
2021-04-06 12:59:41 +00:00
|
|
|
|
|
|
|
config_add_int eap_server
|
|
|
|
config_add_string eap_user_file ca_cert server_cert private_key private_key_passwd server_id
|
2021-12-07 13:47:40 +00:00
|
|
|
|
|
|
|
config_add_boolean fils
|
2021-12-10 10:30:40 +00:00
|
|
|
config_add_string fils_dhcp
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
2020-05-25 09:39:40 +00:00
|
|
|
hostapd_set_vlan_file() {
|
|
|
|
local ifname="$1"
|
|
|
|
local vlan="$2"
|
|
|
|
json_get_vars name vid
|
|
|
|
echo "${vid} ${ifname}-${name}" >> /var/run/hostapd-${ifname}.vlan
|
|
|
|
wireless_add_vlan "${vlan}" "${ifname}-${name}"
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_set_vlan() {
|
|
|
|
local ifname="$1"
|
|
|
|
|
2020-06-08 03:03:05 +00:00
|
|
|
rm -f /var/run/hostapd-${ifname}.vlan
|
2020-05-25 09:39:40 +00:00
|
|
|
for_each_vlan hostapd_set_vlan_file ${ifname}
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_set_psk_file() {
|
|
|
|
local ifname="$1"
|
|
|
|
local vlan="$2"
|
|
|
|
local vlan_id=""
|
|
|
|
|
|
|
|
json_get_vars mac vid key
|
2020-06-08 20:01:47 +00:00
|
|
|
set_default mac "00:00:00:00:00:00"
|
2020-05-25 09:39:40 +00:00
|
|
|
[ -n "$vid" ] && vlan_id="vlanid=$vid "
|
|
|
|
echo "${vlan_id} ${mac} ${key}" >> /var/run/hostapd-${ifname}.psk
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_set_psk() {
|
|
|
|
local ifname="$1"
|
|
|
|
|
2020-06-08 03:03:05 +00:00
|
|
|
rm -f /var/run/hostapd-${ifname}.psk
|
2020-05-25 09:39:40 +00:00
|
|
|
for_each_station hostapd_set_psk_file ${ifname}
|
|
|
|
}
|
|
|
|
|
2020-10-19 00:29:47 +00:00
|
|
|
append_iw_roaming_consortium() {
|
|
|
|
[ -n "$1" ] && append bss_conf "roaming_consortium=$1" "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_iw_domain_name() {
|
|
|
|
if [ -z "$iw_domain_name_conf" ]; then
|
|
|
|
iw_domain_name_conf="$1"
|
|
|
|
else
|
|
|
|
iw_domain_name_conf="$iw_domain_name_conf,$1"
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
append_iw_anqp_3gpp_cell_net() {
|
|
|
|
if [ -z "$iw_anqp_3gpp_cell_net_conf" ]; then
|
|
|
|
iw_anqp_3gpp_cell_net_conf="$1"
|
|
|
|
else
|
|
|
|
iw_anqp_3gpp_cell_net_conf="$iw_anqp_3gpp_cell_net_conf:$1"
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
append_iw_anqp_elem() {
|
|
|
|
[ -n "$1" ] && append bss_conf "anqp_elem=$1" "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_iw_nai_realm() {
|
|
|
|
[ -n "$1" ] && append bss_conf "nai_realm=$1" "$N"
|
|
|
|
}
|
|
|
|
|
2021-05-18 15:06:48 +00:00
|
|
|
append_iw_venue_name() {
|
|
|
|
append bss_conf "venue_name=$1" "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_iw_venue_url() {
|
|
|
|
append bss_conf "venue_url=$1" "$N"
|
|
|
|
}
|
|
|
|
|
2020-09-08 19:00:05 +00:00
|
|
|
append_hs20_oper_friendly_name() {
|
|
|
|
append bss_conf "hs20_oper_friendly_name=$1" "$N"
|
|
|
|
}
|
|
|
|
|
2021-05-18 15:06:48 +00:00
|
|
|
append_osu_provider_friendly_name() {
|
|
|
|
append bss_conf "osu_friendly_name=$1" "$N"
|
|
|
|
}
|
|
|
|
|
2020-09-08 19:00:05 +00:00
|
|
|
append_osu_provider_service_desc() {
|
|
|
|
append bss_conf "osu_service_desc=$1" "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_hs20_icon() {
|
|
|
|
local width height lang type path
|
|
|
|
config_get width "$1" width
|
|
|
|
config_get height "$1" height
|
|
|
|
config_get lang "$1" lang
|
|
|
|
config_get type "$1" type
|
|
|
|
config_get path "$1" path
|
|
|
|
|
|
|
|
append bss_conf "hs20_icon=$width:$height:$lang:$type:$1:$path" "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_hs20_icons() {
|
|
|
|
config_load wireless
|
|
|
|
config_foreach append_hs20_icon hs20-icon
|
|
|
|
}
|
|
|
|
|
|
|
|
append_operator_icon() {
|
|
|
|
append bss_conf "operator_icon=$1" "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_osu_icon() {
|
|
|
|
append bss_conf "osu_icon=$1" "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_osu_provider() {
|
2021-01-12 09:32:06 +00:00
|
|
|
local cfgtype osu_server_uri osu_friendly_name osu_nai osu_nai2 osu_method_list
|
2020-09-08 19:00:05 +00:00
|
|
|
|
|
|
|
config_load wireless
|
|
|
|
config_get cfgtype "$1" TYPE
|
|
|
|
[ "$cfgtype" != "osu-provider" ] && return
|
|
|
|
|
|
|
|
append bss_conf "# provider $1" "$N"
|
|
|
|
config_get osu_server_uri "$1" osu_server_uri
|
|
|
|
config_get osu_nai "$1" osu_nai
|
|
|
|
config_get osu_nai2 "$1" osu_nai2
|
|
|
|
config_get osu_method_list "$1" osu_method
|
|
|
|
|
|
|
|
append bss_conf "osu_server_uri=$osu_server_uri" "$N"
|
|
|
|
append bss_conf "osu_nai=$osu_nai" "$N"
|
|
|
|
append bss_conf "osu_nai2=$osu_nai2" "$N"
|
|
|
|
append bss_conf "osu_method_list=$osu_method_list" "$N"
|
|
|
|
|
|
|
|
config_list_foreach "$1" osu_service_desc append_osu_provider_service_desc
|
2021-05-18 15:06:48 +00:00
|
|
|
config_list_foreach "$1" osu_friendly_name append_osu_friendly_name
|
2020-09-08 19:00:05 +00:00
|
|
|
config_list_foreach "$1" osu_icon append_osu_icon
|
|
|
|
|
|
|
|
append bss_conf "$N"
|
|
|
|
}
|
|
|
|
|
|
|
|
append_hs20_conn_capab() {
|
|
|
|
[ -n "$1" ] && append bss_conf "hs20_conn_capab=$1" "$N"
|
|
|
|
}
|
|
|
|
|
2021-05-18 15:53:45 +00:00
|
|
|
append_radius_acct_req_attr() {
|
2021-06-03 13:57:07 +00:00
|
|
|
[ -n "$1" ] && append bss_conf "radius_acct_req_attr=$1" "$N"
|
2021-05-18 15:53:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
append_radius_auth_req_attr() {
|
2021-06-03 13:57:07 +00:00
|
|
|
[ -n "$1" ] && append bss_conf "radius_auth_req_attr=$1" "$N"
|
2021-05-18 15:53:45 +00:00
|
|
|
}
|
|
|
|
|
2020-11-16 19:32:38 +00:00
|
|
|
append_airtime_sta_weight() {
|
|
|
|
[ -n "$1" ] && append bss_conf "airtime_sta_weight=$1" "$N"
|
|
|
|
}
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
hostapd_set_bss_options() {
|
|
|
|
local var="$1"
|
|
|
|
local phy="$2"
|
|
|
|
local vif="$3"
|
|
|
|
|
|
|
|
wireless_vif_parse_encryption
|
|
|
|
|
2022-01-07 20:19:36 +00:00
|
|
|
local bss_conf bss_md5sum ft_key
|
2015-03-26 23:34:24 +00:00
|
|
|
local wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wpa_key_mgmt
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
json_get_vars \
|
2019-11-09 03:42:57 +00:00
|
|
|
wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wpa_strict_rekey \
|
2017-11-14 20:41:29 +00:00
|
|
|
wpa_disable_eapol_key_retries tdls_prohibit \
|
2013-12-28 11:07:28 +00:00
|
|
|
maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
|
2016-12-27 05:16:23 +00:00
|
|
|
wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
|
|
|
|
wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
|
2018-11-12 22:46:13 +00:00
|
|
|
macfilter ssid utf8_ssid wmm uapsd hidden short_preamble rsn_preauth \
|
2017-06-27 08:43:54 +00:00
|
|
|
iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
|
2018-04-25 21:27:00 +00:00
|
|
|
acct_server acct_secret acct_port acct_interval \
|
2021-06-02 17:48:43 +00:00
|
|
|
bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \
|
2020-08-23 00:07:40 +00:00
|
|
|
multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
|
2021-01-13 08:52:02 +00:00
|
|
|
airtime_bss_weight airtime_bss_limit airtime_sta_weight \
|
2022-09-06 10:12:12 +00:00
|
|
|
multicast_to_unicast_all proxy_arp per_sta_vif \
|
2021-06-24 13:56:12 +00:00
|
|
|
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
|
2021-12-07 13:47:40 +00:00
|
|
|
vendor_elements fils
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2021-12-07 13:47:40 +00:00
|
|
|
set_default fils 0
|
2013-12-28 11:07:28 +00:00
|
|
|
set_default isolate 0
|
2013-12-02 16:41:03 +00:00
|
|
|
set_default maxassoc 0
|
|
|
|
set_default max_inactivity 0
|
|
|
|
set_default short_preamble 1
|
|
|
|
set_default disassoc_low_ack 1
|
2020-08-23 00:07:40 +00:00
|
|
|
set_default skip_inactivity_poll 0
|
2013-12-02 16:41:03 +00:00
|
|
|
set_default hidden 0
|
|
|
|
set_default wmm 1
|
2015-01-05 13:03:12 +00:00
|
|
|
set_default uapsd 1
|
2017-10-17 13:35:03 +00:00
|
|
|
set_default wpa_disable_eapol_key_retries 0
|
2017-11-14 20:41:29 +00:00
|
|
|
set_default tdls_prohibit 0
|
hostapd: Use EAPOLv1 (802.1X-2001) if WPA enabled
Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that
are not WPA2 (RSN) capable. These legacy clients are often intolerant to this
EAPOL version and fail to connect.
hostapd.conf upstream documents for eapol_version the following and that this
is a known compatibility issue with version 2:
// IEEE 802.1X/EAPOL version
// hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
// version 2. However, there are many client implementations that do not handle
// the new version number correctly (they seem to drop the frames completely).
// In order to make hostapd interoperate with these clients, the version number
// can be set to the older version (1) with this configuration value.
// Note: When using MACsec, eapol_version shall be set to 3, which is
// defined in IEEE Std 802.1X-2010.
//eapol_version=2
For the wpa parameter, hostapd.conf upstream documents that this is a bitfield,
configured as follows:
// Enable WPA. Setting this variable configures the AP to require WPA (either
// WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
// wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
// Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
// For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
// RADIUS authentication server must be configured, and WPA-EAP must be included
// in wpa_key_mgmt.
// This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
// and/or WPA2 (full IEEE 802.11i/RSN):
// bit0 = WPA
// bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
// Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
// In other words, for WPA3, wpa=2 is used the configuration (and
// wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
//wpa=2
For client compatibility therefore:
EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled.
EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled.
To fix this, we can therefore change in the script:
set_default eapol_version 0
To the following:
set_default eapol_version $((wpa & 1))
This therefore:
1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set.
2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset.
For usual configurations that only have WPA2 enabled, EAPOLv2 is then used.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-13 11:39:12 +00:00
|
|
|
set_default eapol_version $((wpa & 1))
|
2016-08-04 23:10:00 +00:00
|
|
|
set_default acct_port 1813
|
2018-04-25 21:27:00 +00:00
|
|
|
set_default bss_load_update_period 60
|
|
|
|
set_default chan_util_avg_period 600
|
2018-11-12 22:46:13 +00:00
|
|
|
set_default utf8_ssid 1
|
2018-12-10 16:02:27 +00:00
|
|
|
set_default multi_ap 0
|
2020-08-27 23:39:45 +00:00
|
|
|
set_default airtime_bss_weight 0
|
|
|
|
set_default airtime_bss_limit 0
|
2021-04-06 12:59:41 +00:00
|
|
|
set_default eap_server 0
|
2018-12-10 16:02:27 +00:00
|
|
|
|
2021-12-07 13:47:40 +00:00
|
|
|
/usr/sbin/hostapd -vfils || fils=0
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "ctrl_interface=/var/run/hostapd"
|
2013-12-28 11:07:28 +00:00
|
|
|
if [ "$isolate" -gt 0 ]; then
|
|
|
|
append bss_conf "ap_isolate=$isolate" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
fi
|
|
|
|
if [ "$maxassoc" -gt 0 ]; then
|
|
|
|
append bss_conf "max_num_sta=$maxassoc" "$N"
|
|
|
|
fi
|
|
|
|
if [ "$max_inactivity" -gt 0 ]; then
|
|
|
|
append bss_conf "ap_max_inactivity=$max_inactivity" "$N"
|
|
|
|
fi
|
|
|
|
|
2020-08-27 23:39:45 +00:00
|
|
|
[ "$airtime_bss_weight" -gt 0 ] && append bss_conf "airtime_bss_weight=$airtime_bss_weight" "$N"
|
|
|
|
[ "$airtime_bss_limit" -gt 0 ] && append bss_conf "airtime_bss_limit=$airtime_bss_limit" "$N"
|
2020-11-16 19:32:38 +00:00
|
|
|
json_for_each_item append_airtime_sta_weight airtime_sta_weight
|
2020-08-27 23:39:45 +00:00
|
|
|
|
2018-04-25 21:27:00 +00:00
|
|
|
append bss_conf "bss_load_update_period=$bss_load_update_period" "$N"
|
|
|
|
append bss_conf "chan_util_avg_period=$chan_util_avg_period" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "disassoc_low_ack=$disassoc_low_ack" "$N"
|
2020-08-23 00:07:40 +00:00
|
|
|
append bss_conf "skip_inactivity_poll=$skip_inactivity_poll" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "preamble=$short_preamble" "$N"
|
|
|
|
append bss_conf "wmm_enabled=$wmm" "$N"
|
|
|
|
append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
|
2015-01-05 13:03:12 +00:00
|
|
|
append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
|
2018-11-12 22:46:13 +00:00
|
|
|
append bss_conf "utf8_ssid=$utf8_ssid" "$N"
|
2018-12-10 16:02:27 +00:00
|
|
|
append bss_conf "multi_ap=$multi_ap" "$N"
|
2021-06-24 13:56:12 +00:00
|
|
|
[ -n "$vendor_elements" ] && append bss_conf "vendor_elements=$vendor_elements" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2017-11-14 20:41:29 +00:00
|
|
|
[ "$tdls_prohibit" -gt 0 ] && append bss_conf "tdls_prohibit=$tdls_prohibit" "$N"
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
[ "$wpa" -gt 0 ] && {
|
|
|
|
[ -n "$wpa_group_rekey" ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
|
|
|
|
[ -n "$wpa_pair_rekey" ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey" "$N"
|
|
|
|
[ -n "$wpa_master_rekey" ] && append bss_conf "wpa_gmk_rekey=$wpa_master_rekey" "$N"
|
2019-11-09 03:42:57 +00:00
|
|
|
[ -n "$wpa_strict_rekey" ] && append bss_conf "wpa_strict_rekey=$wpa_strict_rekey" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
2017-06-27 08:43:54 +00:00
|
|
|
[ -n "$nasid" ] && append bss_conf "nas_identifier=$nasid" "$N"
|
2016-08-04 23:10:00 +00:00
|
|
|
[ -n "$acct_server" ] && {
|
|
|
|
append bss_conf "acct_server_addr=$acct_server" "$N"
|
|
|
|
append bss_conf "acct_server_port=$acct_port" "$N"
|
|
|
|
[ -n "$acct_secret" ] && \
|
|
|
|
append bss_conf "acct_server_shared_secret=$acct_secret" "$N"
|
2017-06-27 07:34:49 +00:00
|
|
|
[ -n "$acct_interval" ] && \
|
|
|
|
append bss_conf "radius_acct_interim_interval=$acct_interval" "$N"
|
2021-05-18 15:53:45 +00:00
|
|
|
json_for_each_item append_radius_acct_req_attr radius_acct_req_attr
|
2016-08-04 23:10:00 +00:00
|
|
|
}
|
|
|
|
|
2018-10-03 21:33:51 +00:00
|
|
|
case "$auth_type" in
|
2018-10-09 20:50:50 +00:00
|
|
|
sae|owe|eap192|eap-eap192)
|
2018-10-03 21:33:51 +00:00
|
|
|
set_default ieee80211w 2
|
|
|
|
set_default sae_require_mfp 1
|
2022-02-21 17:51:48 +00:00
|
|
|
set_default sae_pwe 2
|
2018-10-03 21:33:51 +00:00
|
|
|
;;
|
|
|
|
psk-sae)
|
|
|
|
set_default ieee80211w 1
|
|
|
|
set_default sae_require_mfp 1
|
2022-02-21 17:51:48 +00:00
|
|
|
set_default sae_pwe 2
|
2018-10-03 21:33:51 +00:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
|
2021-06-02 17:48:43 +00:00
|
|
|
[ -n "$sae_pwe" ] && append bss_conf "sae_pwe=$sae_pwe" "$N"
|
2018-10-03 21:33:51 +00:00
|
|
|
|
2016-10-28 16:29:15 +00:00
|
|
|
local vlan_possible=""
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
case "$auth_type" in
|
2018-10-04 20:45:06 +00:00
|
|
|
none|owe)
|
2022-06-15 23:55:26 +00:00
|
|
|
json_get_vars owe_transition_bssid owe_transition_ssid owe_transition_ifname
|
2018-10-04 20:45:06 +00:00
|
|
|
|
|
|
|
[ -n "$owe_transition_ssid" ] && append bss_conf "owe_transition_ssid=\"$owe_transition_ssid\"" "$N"
|
|
|
|
[ -n "$owe_transition_bssid" ] && append bss_conf "owe_transition_bssid=$owe_transition_bssid" "$N"
|
2022-06-15 23:55:26 +00:00
|
|
|
[ -n "$owe_transition_ifname" ] && append bss_conf "owe_transition_ifname=$owe_transition_ifname" "$N"
|
2018-10-04 20:45:06 +00:00
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
wps_possible=1
|
|
|
|
# Here we make the assumption that if we're in open mode
|
|
|
|
# with WPS enabled, we got to be in unconfigured state.
|
|
|
|
wps_not_configured=1
|
|
|
|
;;
|
2018-10-03 21:33:51 +00:00
|
|
|
psk|sae|psk-sae)
|
2014-10-20 11:19:21 +00:00
|
|
|
json_get_vars key wpa_psk_file
|
2020-08-07 18:50:55 +00:00
|
|
|
if [ ${#key} -eq 64 ]; then
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "wpa_psk=$key" "$N"
|
2020-08-07 18:50:55 +00:00
|
|
|
elif [ ${#key} -ge 8 ] && [ ${#key} -le 63 ]; then
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "wpa_passphrase=$key" "$N"
|
2020-08-07 18:50:55 +00:00
|
|
|
elif [ -n "$key" ] || [ -z "$wpa_psk_file" ]; then
|
|
|
|
wireless_setup_vif_failed INVALID_WPA_PSK
|
|
|
|
return 1
|
2013-12-02 16:41:03 +00:00
|
|
|
fi
|
2020-05-25 09:39:40 +00:00
|
|
|
[ -z "$wpa_psk_file" ] && set_default wpa_psk_file /var/run/hostapd-$ifname.psk
|
2014-10-20 11:19:21 +00:00
|
|
|
[ -n "$wpa_psk_file" ] && {
|
|
|
|
[ -e "$wpa_psk_file" ] || touch "$wpa_psk_file"
|
|
|
|
append bss_conf "wpa_psk_file=$wpa_psk_file" "$N"
|
|
|
|
}
|
2015-09-11 16:33:54 +00:00
|
|
|
[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
|
|
|
|
|
2020-05-25 09:39:40 +00:00
|
|
|
set_default dynamic_vlan 0
|
|
|
|
vlan_possible=1
|
2013-12-02 16:41:03 +00:00
|
|
|
wps_possible=1
|
|
|
|
;;
|
2018-10-09 20:50:50 +00:00
|
|
|
eap|eap192|eap-eap192)
|
2013-12-02 16:41:03 +00:00
|
|
|
json_get_vars \
|
|
|
|
auth_server auth_secret auth_port \
|
|
|
|
dae_client dae_secret dae_port \
|
2018-01-19 13:03:46 +00:00
|
|
|
ownip radius_client_addr \
|
2021-12-07 13:47:40 +00:00
|
|
|
eap_reauth_period request_cui \
|
|
|
|
erp_domain mobility_domain \
|
2021-12-10 10:30:40 +00:00
|
|
|
fils_realm fils_dhcp
|
2016-10-28 16:29:15 +00:00
|
|
|
|
|
|
|
# radius can provide VLAN ID for clients
|
|
|
|
vlan_possible=1
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
# legacy compatibility
|
|
|
|
[ -n "$auth_server" ] || json_get_var auth_server server
|
|
|
|
[ -n "$auth_port" ] || json_get_var auth_port port
|
|
|
|
[ -n "$auth_secret" ] || json_get_var auth_secret key
|
|
|
|
|
2021-12-07 13:47:40 +00:00
|
|
|
[ "$fils" -gt 0 ] && {
|
|
|
|
set_default erp_domain "$mobility_domain"
|
|
|
|
set_default erp_domain "$(echo "$ssid" | md5sum | head -c 8)"
|
|
|
|
set_default fils_realm "$erp_domain"
|
|
|
|
|
|
|
|
append bss_conf "erp_send_reauth_start=1" "$N"
|
|
|
|
append bss_conf "erp_domain=$erp_domain" "$N"
|
|
|
|
append bss_conf "fils_realm=$fils_realm" "$N"
|
|
|
|
append bss_conf "fils_cache_id=$(echo "$fils_realm" | md5sum | head -c 4)" "$N"
|
2021-12-10 10:30:40 +00:00
|
|
|
|
|
|
|
[ "$fils_dhcp" = "*" ] && {
|
|
|
|
json_get_values network network
|
|
|
|
fils_dhcp=
|
|
|
|
for net in $network; do
|
|
|
|
fils_dhcp="$(ifstatus "$net" | jsonfilter -e '@.data.dhcpserver')"
|
|
|
|
[ -n "$fils_dhcp" ] && break
|
|
|
|
done
|
|
|
|
|
|
|
|
[ -z "$fils_dhcp" -a -n "$network_bridge" -a -n "$network_ifname" ] && \
|
|
|
|
fils_dhcp="$(udhcpc -B -n -q -s /lib/netifd/dhcp-get-server.sh -t 1 -i "$network_ifname" 2>/dev/null)"
|
|
|
|
}
|
|
|
|
[ -n "$fils_dhcp" ] && append bss_conf "dhcp_server=$fils_dhcp" "$N"
|
2021-12-07 13:47:40 +00:00
|
|
|
}
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
set_default auth_port 1812
|
|
|
|
set_default dae_port 3799
|
2021-05-18 15:53:45 +00:00
|
|
|
set_default request_cui 0
|
2014-07-29 09:48:02 +00:00
|
|
|
|
2021-04-06 12:59:41 +00:00
|
|
|
[ "$eap_server" -eq 0 ] && {
|
|
|
|
append bss_conf "auth_server_addr=$auth_server" "$N"
|
|
|
|
append bss_conf "auth_server_port=$auth_port" "$N"
|
|
|
|
append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
|
|
|
|
}
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2021-05-18 15:53:45 +00:00
|
|
|
[ "$request_cui" -gt 0 ] && append bss_conf "radius_request_cui=$request_cui" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
|
|
|
|
|
|
|
|
[ -n "$dae_client" -a -n "$dae_secret" ] && {
|
|
|
|
append bss_conf "radius_das_port=$dae_port" "$N"
|
|
|
|
append bss_conf "radius_das_client=$dae_client $dae_secret" "$N"
|
|
|
|
}
|
2021-05-18 15:53:45 +00:00
|
|
|
json_for_each_item append_radius_auth_req_attr radius_auth_req_attr
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2014-08-11 08:44:48 +00:00
|
|
|
[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
|
2018-01-19 13:03:46 +00:00
|
|
|
[ -n "$radius_client_addr" ] && append bss_conf "radius_client_addr=$radius_client_addr" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "eapol_key_index_workaround=1" "$N"
|
|
|
|
append bss_conf "ieee8021x=1" "$N"
|
2014-07-29 09:48:02 +00:00
|
|
|
|
2015-09-11 16:33:54 +00:00
|
|
|
[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
;;
|
|
|
|
wep)
|
|
|
|
local wep_keyidx=0
|
2013-12-28 11:07:37 +00:00
|
|
|
json_get_vars key
|
2013-12-23 12:11:28 +00:00
|
|
|
hostapd_append_wep_key bss_conf
|
|
|
|
append bss_conf "wep_default_key=$wep_keyidx" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$wep_rekey" ] && append bss_conf "wep_rekey_period=$wep_rekey" "$N"
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
local auth_algs=$((($auth_mode_shared << 1) | $auth_mode_open))
|
|
|
|
append bss_conf "auth_algs=${auth_algs:-1}" "$N"
|
|
|
|
append bss_conf "wpa=$wpa" "$N"
|
|
|
|
[ -n "$wpa_pairwise" ] && append bss_conf "wpa_pairwise=$wpa_pairwise" "$N"
|
|
|
|
|
|
|
|
set_default wps_pushbutton 0
|
|
|
|
set_default wps_label 0
|
2014-04-12 14:28:34 +00:00
|
|
|
set_default wps_pbc_in_m1 0
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
config_methods=
|
|
|
|
[ "$wps_pushbutton" -gt 0 ] && append config_methods push_button
|
|
|
|
[ "$wps_label" -gt 0 ] && append config_methods label
|
|
|
|
|
2018-12-10 16:02:27 +00:00
|
|
|
# WPS not possible on Multi-AP backhaul-only SSID
|
|
|
|
[ "$multi_ap" = 1 ] && wps_possible=
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$wps_possible" -a -n "$config_methods" ] && {
|
|
|
|
set_default ext_registrar 0
|
|
|
|
set_default wps_device_type "6-0050F204-1"
|
2017-11-07 08:45:53 +00:00
|
|
|
set_default wps_device_name "OpenWrt AP"
|
|
|
|
set_default wps_manufacturer "www.openwrt.org"
|
2017-01-14 11:22:24 +00:00
|
|
|
set_default wps_independent 1
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
wps_state=2
|
2021-01-12 09:30:08 +00:00
|
|
|
[ -n "$wps_not_configured" ] && wps_state=1
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2014-06-04 11:51:59 +00:00
|
|
|
[ "$ext_registrar" -gt 0 -a -n "$network_bridge" ] && append bss_conf "upnp_iface=$network_bridge" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
append bss_conf "eap_server=1" "$N"
|
2014-09-15 16:09:23 +00:00
|
|
|
[ -n "$wps_pin" ] && append bss_conf "ap_pin=$wps_pin" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "wps_state=$wps_state" "$N"
|
|
|
|
append bss_conf "device_type=$wps_device_type" "$N"
|
|
|
|
append bss_conf "device_name=$wps_device_name" "$N"
|
|
|
|
append bss_conf "manufacturer=$wps_manufacturer" "$N"
|
|
|
|
append bss_conf "config_methods=$config_methods" "$N"
|
2017-01-14 11:22:24 +00:00
|
|
|
append bss_conf "wps_independent=$wps_independent" "$N"
|
2016-12-27 05:16:23 +00:00
|
|
|
[ -n "$wps_ap_setup_locked" ] && append bss_conf "ap_setup_locked=$wps_ap_setup_locked" "$N"
|
2014-03-21 15:55:03 +00:00
|
|
|
[ "$wps_pbc_in_m1" -gt 0 ] && append bss_conf "pbc_in_m1=$wps_pbc_in_m1" "$N"
|
2018-12-10 16:02:27 +00:00
|
|
|
[ "$multi_ap" -gt 0 ] && [ -n "$multi_ap_backhaul_ssid" ] && {
|
|
|
|
append bss_conf "multi_ap_backhaul_ssid=\"$multi_ap_backhaul_ssid\"" "$N"
|
|
|
|
if [ -z "$multi_ap_backhaul_key" ]; then
|
|
|
|
:
|
|
|
|
elif [ ${#multi_ap_backhaul_key} -lt 8 ]; then
|
|
|
|
wireless_setup_vif_failed INVALID_WPA_PSK
|
|
|
|
return 1
|
|
|
|
elif [ ${#multi_ap_backhaul_key} -eq 64 ]; then
|
|
|
|
append bss_conf "multi_ap_backhaul_wpa_psk=$multi_ap_backhaul_key" "$N"
|
|
|
|
else
|
|
|
|
append bss_conf "multi_ap_backhaul_wpa_passphrase=$multi_ap_backhaul_key" "$N"
|
|
|
|
fi
|
|
|
|
}
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
append bss_conf "ssid=$ssid" "$N"
|
2021-10-20 19:13:10 +00:00
|
|
|
[ -n "$network_bridge" ] && append bss_conf "bridge=$network_bridge${N}wds_bridge=" "$N"
|
2021-07-27 18:28:58 +00:00
|
|
|
[ -n "$network_ifname" ] && append bss_conf "snoop_iface=$network_ifname" "$N"
|
2014-08-11 08:44:48 +00:00
|
|
|
[ -n "$iapp_interface" ] && {
|
2015-11-11 08:34:59 +00:00
|
|
|
local ifname
|
2017-09-09 14:40:57 +00:00
|
|
|
network_get_device ifname "$iapp_interface" || ifname="$iapp_interface"
|
2015-11-11 08:34:59 +00:00
|
|
|
append bss_conf "iapp_interface=$ifname" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
2021-06-15 21:09:41 +00:00
|
|
|
json_get_vars time_advertisement time_zone wnm_sleep_mode wnm_sleep_mode_no_keys bss_transition
|
2020-11-26 00:04:02 +00:00
|
|
|
set_default bss_transition 0
|
|
|
|
set_default wnm_sleep_mode 0
|
2021-06-15 21:09:41 +00:00
|
|
|
set_default wnm_sleep_mode_no_keys 0
|
2017-09-30 11:01:11 +00:00
|
|
|
|
2020-10-18 23:21:23 +00:00
|
|
|
[ -n "$time_advertisement" ] && append bss_conf "time_advertisement=$time_advertisement" "$N"
|
|
|
|
[ -n "$time_zone" ] && append bss_conf "time_zone=$time_zone" "$N"
|
2021-06-15 21:09:41 +00:00
|
|
|
if [ "$wnm_sleep_mode" -eq "1" ]; then
|
|
|
|
append bss_conf "wnm_sleep_mode=1" "$N"
|
|
|
|
[ "$wnm_sleep_mode_no_keys" -eq "1" ] && append bss_conf "wnm_sleep_mode_no_keys=1" "$N"
|
|
|
|
fi
|
2020-10-18 23:21:23 +00:00
|
|
|
[ "$bss_transition" -eq "1" ] && append bss_conf "bss_transition=1" "$N"
|
2017-09-30 11:01:11 +00:00
|
|
|
|
2020-10-18 20:35:31 +00:00
|
|
|
json_get_vars ieee80211k rrm_neighbor_report rrm_beacon_report
|
2019-10-31 20:03:39 +00:00
|
|
|
set_default ieee80211k 0
|
|
|
|
if [ "$ieee80211k" -eq "1" ]; then
|
|
|
|
set_default rrm_neighbor_report 1
|
|
|
|
set_default rrm_beacon_report 1
|
2020-11-26 00:04:02 +00:00
|
|
|
else
|
|
|
|
set_default rrm_neighbor_report 0
|
|
|
|
set_default rrm_beacon_report 0
|
2019-10-31 20:03:39 +00:00
|
|
|
fi
|
|
|
|
|
2020-10-18 20:35:31 +00:00
|
|
|
[ "$rrm_neighbor_report" -eq "1" ] && append bss_conf "rrm_neighbor_report=1" "$N"
|
|
|
|
[ "$rrm_beacon_report" -eq "1" ] && append bss_conf "rrm_beacon_report=1" "$N"
|
|
|
|
|
2020-10-18 21:09:09 +00:00
|
|
|
json_get_vars ftm_responder stationary_ap lci civic
|
2020-11-26 00:04:02 +00:00
|
|
|
set_default ftm_responder 0
|
2020-10-18 21:09:09 +00:00
|
|
|
if [ "$ftm_responder" -eq "1" ]; then
|
2020-11-26 00:04:02 +00:00
|
|
|
set_default stationary_ap 0
|
2020-10-18 21:09:09 +00:00
|
|
|
iw phy "$phy" info | grep -q "ENABLE_FTM_RESPONDER" && {
|
|
|
|
append bss_conf "ftm_responder=1" "$N"
|
|
|
|
[ "$stationary_ap" -eq "1" ] && append bss_conf "stationary_ap=1" "$N"
|
|
|
|
[ -n "$lci" ] && append bss_conf "lci=$lci" "$N"
|
2021-04-06 11:24:43 +00:00
|
|
|
[ -n "$civic" ] && append bss_conf "civic=$civic" "$N"
|
2020-10-18 21:09:09 +00:00
|
|
|
}
|
|
|
|
fi
|
|
|
|
|
2015-03-26 23:34:10 +00:00
|
|
|
if [ "$wpa" -ge "1" ]; then
|
2017-06-27 08:43:54 +00:00
|
|
|
json_get_vars ieee80211r
|
2015-04-11 10:52:01 +00:00
|
|
|
set_default ieee80211r 0
|
2015-03-26 23:34:33 +00:00
|
|
|
|
|
|
|
if [ "$ieee80211r" -gt "0" ]; then
|
2018-05-18 08:39:33 +00:00
|
|
|
json_get_vars mobility_domain ft_psk_generate_local ft_over_ds reassociation_deadline
|
2021-01-12 09:32:06 +00:00
|
|
|
|
2018-05-18 08:39:33 +00:00
|
|
|
set_default mobility_domain "$(echo "$ssid" | md5sum | head -c 4)"
|
2022-08-30 08:57:26 +00:00
|
|
|
set_default ft_over_ds 0
|
2018-05-18 08:39:33 +00:00
|
|
|
set_default reassociation_deadline 1000
|
2015-03-26 23:34:33 +00:00
|
|
|
|
2020-01-05 23:13:58 +00:00
|
|
|
case "$auth_type" in
|
|
|
|
psk|sae|psk-sae)
|
|
|
|
set_default ft_psk_generate_local 1
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
set_default ft_psk_generate_local 0
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
2021-06-04 07:12:07 +00:00
|
|
|
[ -n "$network_ifname" ] && append bss_conf "ft_iface=$network_ifname" "$N"
|
2015-03-26 23:34:33 +00:00
|
|
|
append bss_conf "mobility_domain=$mobility_domain" "$N"
|
2017-09-16 09:07:24 +00:00
|
|
|
append bss_conf "ft_psk_generate_local=$ft_psk_generate_local" "$N"
|
2017-09-16 09:14:27 +00:00
|
|
|
append bss_conf "ft_over_ds=$ft_over_ds" "$N"
|
2018-05-18 08:39:33 +00:00
|
|
|
append bss_conf "reassociation_deadline=$reassociation_deadline" "$N"
|
|
|
|
[ -n "$nasid" ] || append bss_conf "nas_identifier=${macaddr//\:}" "$N"
|
|
|
|
|
|
|
|
if [ "$ft_psk_generate_local" -eq "0" ]; then
|
|
|
|
json_get_vars r0_key_lifetime r1_key_holder pmk_r1_push
|
|
|
|
json_get_values r0kh r0kh
|
|
|
|
json_get_values r1kh r1kh
|
|
|
|
|
|
|
|
set_default r0_key_lifetime 10000
|
|
|
|
set_default pmk_r1_push 0
|
|
|
|
|
2021-05-27 11:15:40 +00:00
|
|
|
[ -n "$r0kh" -a -n "$r1kh" ] || {
|
2022-01-07 20:19:36 +00:00
|
|
|
ft_key=`echo -n "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'`
|
2021-05-27 11:15:40 +00:00
|
|
|
|
2022-01-07 20:19:36 +00:00
|
|
|
set_default r0kh "ff:ff:ff:ff:ff:ff,*,$ft_key"
|
|
|
|
set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key"
|
2021-05-27 11:15:40 +00:00
|
|
|
}
|
|
|
|
|
2018-05-18 08:39:33 +00:00
|
|
|
[ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N"
|
|
|
|
append bss_conf "r0_key_lifetime=$r0_key_lifetime" "$N"
|
|
|
|
append bss_conf "pmk_r1_push=$pmk_r1_push" "$N"
|
|
|
|
|
|
|
|
for kh in $r0kh; do
|
|
|
|
append bss_conf "r0kh=${kh//,/ }" "$N"
|
|
|
|
done
|
|
|
|
for kh in $r1kh; do
|
|
|
|
append bss_conf "r1kh=${kh//,/ }" "$N"
|
|
|
|
done
|
|
|
|
fi
|
2015-03-26 23:34:33 +00:00
|
|
|
fi
|
2021-12-07 13:47:40 +00:00
|
|
|
if [ "$fils" -gt 0 ]; then
|
|
|
|
json_get_vars fils_realm
|
|
|
|
set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
|
|
|
|
fi
|
2015-03-26 23:34:33 +00:00
|
|
|
|
2017-10-17 13:35:03 +00:00
|
|
|
append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
|
|
|
|
|
2016-12-28 04:22:00 +00:00
|
|
|
hostapd_append_wpa_key_mgmt
|
2015-03-26 23:34:24 +00:00
|
|
|
[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
|
2015-03-26 23:34:10 +00:00
|
|
|
fi
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
if [ "$wpa" -ge "2" ]; then
|
2014-06-04 11:51:59 +00:00
|
|
|
if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
|
2013-12-02 16:41:03 +00:00
|
|
|
set_default auth_cache 1
|
|
|
|
append bss_conf "rsn_preauth=1" "$N"
|
2014-06-04 11:51:59 +00:00
|
|
|
append bss_conf "rsn_preauth_interfaces=$network_bridge" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
else
|
2019-10-28 18:10:14 +00:00
|
|
|
case "$auth_type" in
|
|
|
|
sae|psk-sae|owe)
|
|
|
|
set_default auth_cache 1
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
set_default auth_cache 0
|
|
|
|
;;
|
|
|
|
esac
|
2013-12-02 16:41:03 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
append bss_conf "okc=$auth_cache" "$N"
|
2021-12-07 13:47:40 +00:00
|
|
|
[ "$auth_cache" = 0 -a "$fils" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
# RSN -> allow management frame protection
|
|
|
|
case "$ieee80211w" in
|
|
|
|
[012])
|
2018-01-05 12:15:01 +00:00
|
|
|
json_get_vars ieee80211w_mgmt_cipher ieee80211w_max_timeout ieee80211w_retry_timeout
|
2013-12-02 16:41:03 +00:00
|
|
|
append bss_conf "ieee80211w=$ieee80211w" "$N"
|
|
|
|
[ "$ieee80211w" -gt "0" ] && {
|
2022-06-26 15:18:39 +00:00
|
|
|
if [ "$auth_type" = "eap192" ]; then
|
|
|
|
append bss_conf "group_mgmt_cipher=BIP-GMAC-256" "$N"
|
|
|
|
else
|
|
|
|
append bss_conf "group_mgmt_cipher=${ieee80211w_mgmt_cipher:-AES-128-CMAC}" "$N"
|
|
|
|
fi
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$ieee80211w_max_timeout" ] && \
|
|
|
|
append bss_conf "assoc_sa_query_max_timeout=$ieee80211w_max_timeout" "$N"
|
|
|
|
[ -n "$ieee80211w_retry_timeout" ] && \
|
|
|
|
append bss_conf "assoc_sa_query_retry_timeout=$ieee80211w_retry_timeout" "$N"
|
|
|
|
}
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
fi
|
|
|
|
|
2013-12-03 09:02:58 +00:00
|
|
|
_macfile="/var/run/hostapd-$ifname.maclist"
|
2013-12-02 16:41:03 +00:00
|
|
|
case "$macfilter" in
|
|
|
|
allow)
|
|
|
|
append bss_conf "macaddr_acl=1" "$N"
|
|
|
|
append bss_conf "accept_mac_file=$_macfile" "$N"
|
2016-10-28 16:29:15 +00:00
|
|
|
# accept_mac_file can be used to set MAC to VLAN ID mapping
|
|
|
|
vlan_possible=1
|
2013-12-02 16:41:03 +00:00
|
|
|
;;
|
|
|
|
deny)
|
|
|
|
append bss_conf "macaddr_acl=0" "$N"
|
|
|
|
append bss_conf "deny_mac_file=$_macfile" "$N"
|
|
|
|
;;
|
|
|
|
*)
|
|
|
|
_macfile=""
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
[ -n "$_macfile" ] && {
|
2013-12-03 09:02:58 +00:00
|
|
|
json_get_vars macfile
|
|
|
|
json_get_values maclist maclist
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
rm -f "$_macfile"
|
|
|
|
(
|
|
|
|
for mac in $maclist; do
|
|
|
|
echo "$mac"
|
|
|
|
done
|
|
|
|
[ -n "$macfile" -a -f "$macfile" ] && cat "$macfile"
|
|
|
|
) > "$_macfile"
|
|
|
|
}
|
|
|
|
|
2016-10-28 16:29:15 +00:00
|
|
|
[ -n "$vlan_possible" -a -n "$dynamic_vlan" ] && {
|
2021-05-18 10:50:17 +00:00
|
|
|
json_get_vars vlan_naming vlan_tagged_interface vlan_bridge vlan_file vlan_no_bridge
|
2016-10-28 16:29:15 +00:00
|
|
|
set_default vlan_naming 1
|
2020-05-25 09:39:40 +00:00
|
|
|
[ -z "$vlan_file" ] && set_default vlan_file /var/run/hostapd-$ifname.vlan
|
2016-10-28 16:29:15 +00:00
|
|
|
append bss_conf "dynamic_vlan=$dynamic_vlan" "$N"
|
|
|
|
append bss_conf "vlan_naming=$vlan_naming" "$N"
|
2021-05-18 10:50:17 +00:00
|
|
|
if [ -n "$vlan_bridge" ]; then
|
2016-10-28 16:29:15 +00:00
|
|
|
append bss_conf "vlan_bridge=$vlan_bridge" "$N"
|
2021-05-18 10:50:17 +00:00
|
|
|
else
|
|
|
|
set_default vlan_no_bridge 1
|
|
|
|
fi
|
|
|
|
append bss_conf "vlan_no_bridge=$vlan_no_bridge" "$N"
|
2016-10-28 16:29:15 +00:00
|
|
|
[ -n "$vlan_tagged_interface" ] && \
|
|
|
|
append bss_conf "vlan_tagged_interface=$vlan_tagged_interface" "$N"
|
|
|
|
[ -n "$vlan_file" ] && {
|
|
|
|
[ -e "$vlan_file" ] || touch "$vlan_file"
|
|
|
|
append bss_conf "vlan_file=$vlan_file" "$N"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-19 00:29:47 +00:00
|
|
|
json_get_vars iw_enabled iw_internet iw_asra iw_esr iw_uesa iw_access_network_type
|
|
|
|
json_get_vars iw_hessid iw_venue_group iw_venue_type iw_network_auth_type
|
|
|
|
json_get_vars iw_roaming_consortium iw_domain_name iw_anqp_3gpp_cell_net iw_nai_realm
|
|
|
|
json_get_vars iw_anqp_elem iw_qos_map_set iw_ipaddr_type_availability iw_gas_address3
|
2021-05-18 15:06:48 +00:00
|
|
|
json_get_vars iw_venue_name iw_venue_url
|
2020-10-19 00:29:47 +00:00
|
|
|
|
|
|
|
set_default iw_enabled 0
|
|
|
|
if [ "$iw_enabled" = "1" ]; then
|
|
|
|
append bss_conf "interworking=1" "$N"
|
|
|
|
set_default iw_internet 1
|
|
|
|
set_default iw_asra 0
|
|
|
|
set_default iw_esr 0
|
|
|
|
set_default iw_uesa 0
|
|
|
|
|
|
|
|
append bss_conf "internet=$iw_internet" "$N"
|
|
|
|
append bss_conf "asra=$iw_asra" "$N"
|
|
|
|
append bss_conf "esr=$iw_esr" "$N"
|
|
|
|
append bss_conf "uesa=$iw_uesa" "$N"
|
|
|
|
|
|
|
|
[ -n "$iw_access_network_type" ] && \
|
|
|
|
append bss_conf "access_network_type=$iw_access_network_type" "$N"
|
|
|
|
[ -n "$iw_hessid" ] && append bss_conf "hessid=$iw_hessid" "$N"
|
|
|
|
[ -n "$iw_venue_group" ] && \
|
|
|
|
append bss_conf "venue_group=$iw_venue_group" "$N"
|
|
|
|
[ -n "$iw_venue_type" ] && append bss_conf "venue_type=$iw_venue_type" "$N"
|
|
|
|
[ -n "$iw_network_auth_type" ] && \
|
|
|
|
append bss_conf "network_auth_type=$iw_network_auth_type" "$N"
|
|
|
|
[ -n "$iw_gas_address3" ] && append bss_conf "gas_address3=$iw_gas_address3" "$N"
|
|
|
|
|
|
|
|
json_for_each_item append_iw_roaming_consortium iw_roaming_consortium
|
|
|
|
json_for_each_item append_iw_anqp_elem iw_anqp_elem
|
|
|
|
json_for_each_item append_iw_nai_realm iw_nai_realm
|
2021-05-18 15:06:48 +00:00
|
|
|
json_for_each_item append_iw_venue_name iw_venue_name
|
|
|
|
json_for_each_item append_iw_venue_url iw_venue_url
|
2020-10-19 00:29:47 +00:00
|
|
|
|
2020-10-28 19:42:17 +00:00
|
|
|
iw_domain_name_conf=
|
2020-10-19 00:29:47 +00:00
|
|
|
json_for_each_item append_iw_domain_name iw_domain_name
|
|
|
|
[ -n "$iw_domain_name_conf" ] && \
|
|
|
|
append bss_conf "domain_name=$iw_domain_name_conf" "$N"
|
|
|
|
|
2020-10-28 19:42:17 +00:00
|
|
|
iw_anqp_3gpp_cell_net_conf=
|
2020-10-19 00:29:47 +00:00
|
|
|
json_for_each_item append_iw_anqp_3gpp_cell_net iw_anqp_3gpp_cell_net
|
|
|
|
[ -n "$iw_anqp_3gpp_cell_net_conf" ] && \
|
|
|
|
append bss_conf "anqp_3gpp_cell_net=$iw_anqp_3gpp_cell_net_conf" "$N"
|
|
|
|
fi
|
|
|
|
|
2021-11-03 21:40:53 +00:00
|
|
|
set_default iw_qos_map_set 0,0,2,16,1,1,255,255,18,22,24,38,40,40,44,46,48,56
|
|
|
|
case "$iw_qos_map_set" in
|
|
|
|
*,*);;
|
|
|
|
*) iw_qos_map_set="";;
|
|
|
|
esac
|
|
|
|
[ -n "$iw_qos_map_set" ] && append bss_conf "qos_map_set=$iw_qos_map_set" "$N"
|
2020-10-19 00:29:47 +00:00
|
|
|
|
2020-09-08 19:00:05 +00:00
|
|
|
local hs20 disable_dgaf osen anqp_domain_id hs20_deauth_req_timeout \
|
2021-05-18 15:06:48 +00:00
|
|
|
osu_ssid hs20_wan_metrics hs20_operating_class hs20_t_c_filename hs20_t_c_timestamp \
|
|
|
|
hs20_t_c_server_url
|
2020-09-08 19:00:05 +00:00
|
|
|
json_get_vars hs20 disable_dgaf osen anqp_domain_id hs20_deauth_req_timeout \
|
2021-05-18 15:06:48 +00:00
|
|
|
osu_ssid hs20_wan_metrics hs20_operating_class hs20_t_c_filename hs20_t_c_timestamp \
|
|
|
|
hs20_t_c_server_url
|
2020-09-08 19:00:05 +00:00
|
|
|
|
|
|
|
set_default hs20 0
|
|
|
|
set_default disable_dgaf $hs20
|
|
|
|
set_default osen 0
|
|
|
|
set_default anqp_domain_id 0
|
|
|
|
set_default hs20_deauth_req_timeout 60
|
|
|
|
if [ "$hs20" = "1" ]; then
|
|
|
|
append bss_conf "hs20=1" "$N"
|
|
|
|
append_hs20_icons
|
|
|
|
append bss_conf "disable_dgaf=$disable_dgaf" "$N"
|
|
|
|
append bss_conf "osen=$osen" "$N"
|
|
|
|
append bss_conf "anqp_domain_id=$anqp_domain_id" "$N"
|
|
|
|
append bss_conf "hs20_deauth_req_timeout=$hs20_deauth_req_timeout" "$N"
|
|
|
|
[ -n "$osu_ssid" ] && append bss_conf "osu_ssid=$osu_ssid" "$N"
|
|
|
|
[ -n "$hs20_wan_metrics" ] && append bss_conf "hs20_wan_metrics=$hs20_wan_metrics" "$N"
|
|
|
|
[ -n "$hs20_operating_class" ] && append bss_conf "hs20_operating_class=$hs20_operating_class" "$N"
|
|
|
|
[ -n "$hs20_t_c_filename" ] && append bss_conf "hs20_t_c_filename=$hs20_t_c_filename" "$N"
|
|
|
|
[ -n "$hs20_t_c_timestamp" ] && append bss_conf "hs20_t_c_timestamp=$hs20_t_c_timestamp" "$N"
|
2021-05-18 15:06:48 +00:00
|
|
|
[ -n "$hs20_t_c_server_url" ] && append bss_conf "hs20_t_c_server_url=$hs20_t_c_server_url" "$N"
|
2020-09-08 19:00:05 +00:00
|
|
|
json_for_each_item append_hs20_oper_friendly_name hs20_oper_friendly_name
|
2021-05-18 15:06:48 +00:00
|
|
|
json_for_each_item append_hs20_conn_capab hs20_conn_capab
|
2020-09-08 19:00:05 +00:00
|
|
|
json_for_each_item append_osu_provider osu_provider
|
|
|
|
json_for_each_item append_operator_icon operator_icon
|
|
|
|
fi
|
|
|
|
|
2021-04-06 12:59:41 +00:00
|
|
|
if [ "$eap_server" = "1" ]; then
|
|
|
|
append bss_conf "eap_server=1" "$N"
|
2021-12-07 13:47:40 +00:00
|
|
|
append bss_conf "eap_server_erp=1" "$N"
|
2021-04-06 12:59:41 +00:00
|
|
|
[ -n "$eap_user_file" ] && append bss_conf "eap_user_file=$eap_user_file" "$N"
|
|
|
|
[ -n "$ca_cert" ] && append bss_conf "ca_cert=$ca_cert" "$N"
|
|
|
|
[ -n "$server_cert" ] && append bss_conf "server_cert=$server_cert" "$N"
|
|
|
|
[ -n "$private_key" ] && append bss_conf "private_key=$private_key" "$N"
|
|
|
|
[ -n "$private_key_passwd" ] && append bss_conf "private_key_passwd=$private_key_passwd" "$N"
|
|
|
|
[ -n "$server_id" ] && append bss_conf "server_id=$server_id" "$N"
|
|
|
|
fi
|
|
|
|
|
2022-09-06 10:12:12 +00:00
|
|
|
set_default multicast_to_unicast_all 0
|
|
|
|
if [ "$multicast_to_unicast_all" -gt 0 ]; then
|
|
|
|
append bss_conf "multicast_to_unicast=$multicast_to_unicast_all" "$N"
|
2021-01-13 08:52:02 +00:00
|
|
|
fi
|
2021-05-26 11:50:43 +00:00
|
|
|
set_default proxy_arp 0
|
|
|
|
if [ "$proxy_arp" -gt 0 ]; then
|
|
|
|
append bss_conf "proxy_arp=$proxy_arp" "$N"
|
|
|
|
fi
|
2021-01-13 08:52:02 +00:00
|
|
|
|
|
|
|
set_default per_sta_vif 0
|
|
|
|
if [ "$per_sta_vif" -gt 0 ]; then
|
|
|
|
append bss_conf "per_sta_vif=$per_sta_vif" "$N"
|
|
|
|
fi
|
|
|
|
|
2020-11-07 14:44:05 +00:00
|
|
|
json_get_values opts hostapd_bss_options
|
|
|
|
for val in $opts; do
|
|
|
|
append bss_conf "$val" "$N"
|
|
|
|
done
|
|
|
|
|
2019-10-30 15:57:22 +00:00
|
|
|
bss_md5sum=$(echo $bss_conf | md5sum | cut -d" " -f1)
|
|
|
|
append bss_conf "config_id=$bss_md5sum" "$N"
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
append "$var" "$bss_conf" "$N"
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_set_log_options() {
|
|
|
|
local var="$1"
|
|
|
|
|
|
|
|
local log_level log_80211 log_8021x log_radius log_wpa log_driver log_iapp log_mlme
|
|
|
|
json_get_vars log_level log_80211 log_8021x log_radius log_wpa log_driver log_iapp log_mlme
|
|
|
|
|
|
|
|
set_default log_level 2
|
|
|
|
set_default log_80211 1
|
|
|
|
set_default log_8021x 1
|
|
|
|
set_default log_radius 1
|
|
|
|
set_default log_wpa 1
|
|
|
|
set_default log_driver 1
|
|
|
|
set_default log_iapp 1
|
|
|
|
set_default log_mlme 1
|
|
|
|
|
2014-08-11 08:44:48 +00:00
|
|
|
local log_mask=$(( \
|
2013-12-02 16:41:03 +00:00
|
|
|
($log_80211 << 0) | \
|
|
|
|
($log_8021x << 1) | \
|
|
|
|
($log_radius << 2) | \
|
|
|
|
($log_wpa << 3) | \
|
|
|
|
($log_driver << 4) | \
|
|
|
|
($log_iapp << 5) | \
|
|
|
|
($log_mlme << 6) \
|
|
|
|
))
|
|
|
|
|
|
|
|
append "$var" "logger_syslog=$log_mask" "$N"
|
|
|
|
append "$var" "logger_syslog_level=$log_level" "$N"
|
|
|
|
append "$var" "logger_stdout=$log_mask" "$N"
|
|
|
|
append "$var" "logger_stdout_level=$log_level" "$N"
|
|
|
|
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
_wpa_supplicant_common() {
|
|
|
|
local ifname="$1"
|
|
|
|
|
|
|
|
_rpath="/var/run/wpa_supplicant"
|
|
|
|
_config="${_rpath}-$ifname.conf"
|
|
|
|
}
|
|
|
|
|
|
|
|
wpa_supplicant_teardown_interface() {
|
|
|
|
_wpa_supplicant_common "$1"
|
2014-09-17 07:41:31 +00:00
|
|
|
rm -rf "$_rpath/$1" "$_config"
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
wpa_supplicant_prepare_interface() {
|
|
|
|
local ifname="$1"
|
|
|
|
_w_driver="$2"
|
|
|
|
|
|
|
|
_wpa_supplicant_common "$1"
|
|
|
|
|
2018-12-10 16:02:27 +00:00
|
|
|
json_get_vars mode wds multi_ap
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
[ -n "$network_bridge" ] && {
|
|
|
|
fail=
|
|
|
|
case "$mode" in
|
|
|
|
adhoc)
|
|
|
|
fail=1
|
|
|
|
;;
|
|
|
|
sta)
|
2018-12-10 16:02:27 +00:00
|
|
|
[ "$wds" = 1 -o "$multi_ap" = 1 ] || fail=1
|
2013-12-02 16:41:03 +00:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
|
|
|
[ -n "$fail" ] && {
|
|
|
|
wireless_setup_vif_failed BRIDGE_NOT_ALLOWED
|
|
|
|
return 1
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
local ap_scan=
|
|
|
|
|
|
|
|
_w_mode="$mode"
|
|
|
|
|
2019-12-25 17:46:14 +00:00
|
|
|
[ "$mode" = adhoc ] && {
|
2013-12-02 16:41:03 +00:00
|
|
|
ap_scan="ap_scan=2"
|
|
|
|
}
|
|
|
|
|
2016-01-03 20:56:57 +00:00
|
|
|
local country_str=
|
|
|
|
[ -n "$country" ] && {
|
|
|
|
country_str="country=$country"
|
|
|
|
}
|
|
|
|
|
2018-12-10 16:02:27 +00:00
|
|
|
multiap_flag_file="${_config}.is_multiap"
|
|
|
|
if [ "$multi_ap" = "1" ]; then
|
|
|
|
touch "$multiap_flag_file"
|
|
|
|
else
|
|
|
|
[ -e "$multiap_flag_file" ] && rm "$multiap_flag_file"
|
|
|
|
fi
|
2013-12-02 16:41:03 +00:00
|
|
|
wpa_supplicant_teardown_interface "$ifname"
|
|
|
|
cat > "$_config" <<EOF
|
2020-09-28 13:12:56 +00:00
|
|
|
${scan_list:+freq_list=$scan_list}
|
2013-12-02 16:41:03 +00:00
|
|
|
$ap_scan
|
2016-01-03 20:56:57 +00:00
|
|
|
$country_str
|
2013-12-02 16:41:03 +00:00
|
|
|
EOF
|
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
2017-11-14 11:38:08 +00:00
|
|
|
wpa_supplicant_set_fixed_freq() {
|
|
|
|
local freq="$1"
|
|
|
|
local htmode="$2"
|
|
|
|
|
|
|
|
append network_data "fixed_freq=1" "$N$T"
|
|
|
|
append network_data "frequency=$freq" "$N$T"
|
|
|
|
case "$htmode" in
|
|
|
|
NOHT) append network_data "disable_ht=1" "$N$T";;
|
2021-07-20 10:13:49 +00:00
|
|
|
HE20|HT20|VHT20) append network_data "disable_ht40=1" "$N$T";;
|
2021-08-16 08:07:55 +00:00
|
|
|
HT40*|VHT40|VHT80|VHT160|HE40|HE80|HE160) append network_data "ht40=1" "$N$T";;
|
2017-11-14 11:38:08 +00:00
|
|
|
esac
|
|
|
|
case "$htmode" in
|
|
|
|
VHT*) append network_data "vht=1" "$N$T";;
|
|
|
|
esac
|
|
|
|
case "$htmode" in
|
2021-05-18 17:08:28 +00:00
|
|
|
HE80|VHT80) append network_data "max_oper_chwidth=1" "$N$T";;
|
|
|
|
HE160|VHT160) append network_data "max_oper_chwidth=2" "$N$T";;
|
|
|
|
HE20|HE40|VHT20|VHT40) append network_data "max_oper_chwidth=0" "$N$T";;
|
2020-05-12 17:37:28 +00:00
|
|
|
*) append network_data "disable_vht=1" "$N$T";;
|
2017-11-14 11:38:08 +00:00
|
|
|
esac
|
|
|
|
}
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
wpa_supplicant_add_network() {
|
|
|
|
local ifname="$1"
|
2017-11-14 11:38:08 +00:00
|
|
|
local freq="$2"
|
|
|
|
local htmode="$3"
|
2018-04-20 05:41:03 +00:00
|
|
|
local noscan="$4"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
_wpa_supplicant_common "$1"
|
|
|
|
wireless_vif_parse_encryption
|
|
|
|
|
|
|
|
json_get_vars \
|
|
|
|
ssid bssid key \
|
|
|
|
basic_rate mcast_rate \
|
2021-12-07 13:47:40 +00:00
|
|
|
ieee80211w ieee80211r fils \
|
2020-10-07 08:08:14 +00:00
|
|
|
multi_ap \
|
|
|
|
default_disabled
|
2015-07-15 08:16:22 +00:00
|
|
|
|
2019-09-20 11:20:21 +00:00
|
|
|
case "$auth_type" in
|
|
|
|
sae|owe|eap192|eap-eap192)
|
|
|
|
set_default ieee80211w 2
|
|
|
|
;;
|
|
|
|
psk-sae)
|
|
|
|
set_default ieee80211w 1
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
2015-07-15 08:16:22 +00:00
|
|
|
set_default ieee80211r 0
|
2018-12-10 16:02:27 +00:00
|
|
|
set_default multi_ap 0
|
2020-10-07 08:08:14 +00:00
|
|
|
set_default default_disabled 0
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
local key_mgmt='NONE'
|
|
|
|
local network_data=
|
|
|
|
local T=" "
|
|
|
|
|
2015-04-20 15:00:07 +00:00
|
|
|
local scan_ssid="scan_ssid=1"
|
2016-12-11 14:54:06 +00:00
|
|
|
local freq wpa_key_mgmt
|
2015-07-15 08:16:22 +00:00
|
|
|
|
2019-12-25 17:46:14 +00:00
|
|
|
[ "$_w_mode" = "adhoc" ] && {
|
2013-12-02 16:41:03 +00:00
|
|
|
append network_data "mode=1" "$N$T"
|
2018-05-12 19:08:18 +00:00
|
|
|
[ -n "$freq" ] && wpa_supplicant_set_fixed_freq "$freq" "$htmode"
|
2020-01-16 08:13:51 +00:00
|
|
|
[ "$noscan" = "1" ] && append network_data "noscan=1" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2015-04-20 15:00:07 +00:00
|
|
|
scan_ssid="scan_ssid=0"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2016-12-11 14:54:06 +00:00
|
|
|
[ "$_w_driver" = "nl80211" ] || append wpa_key_mgmt "WPA-NONE"
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
2019-12-25 17:46:14 +00:00
|
|
|
[ "$_w_mode" = "mesh" ] && {
|
2018-04-28 19:12:19 +00:00
|
|
|
json_get_vars mesh_id mesh_fwding mesh_rssi_threshold
|
2018-05-12 19:08:18 +00:00
|
|
|
[ -n "$mesh_id" ] && ssid="${mesh_id}"
|
2015-11-24 18:28:44 +00:00
|
|
|
|
2015-04-20 15:00:07 +00:00
|
|
|
append network_data "mode=5" "$N$T"
|
2018-04-18 20:08:21 +00:00
|
|
|
[ -n "$mesh_fwding" ] && append network_data "mesh_fwding=${mesh_fwding}" "$N$T"
|
2018-04-28 19:12:19 +00:00
|
|
|
[ -n "$mesh_rssi_threshold" ] && append network_data "mesh_rssi_threshold=${mesh_rssi_threshold}" "$N$T"
|
2018-05-12 19:08:18 +00:00
|
|
|
[ -n "$freq" ] && wpa_supplicant_set_fixed_freq "$freq" "$htmode"
|
2018-04-20 05:41:03 +00:00
|
|
|
[ "$noscan" = "1" ] && append network_data "noscan=1" "$N$T"
|
2016-12-11 14:54:06 +00:00
|
|
|
append wpa_key_mgmt "SAE"
|
2015-04-20 15:00:07 +00:00
|
|
|
scan_ssid=""
|
|
|
|
}
|
|
|
|
|
2020-10-07 08:08:14 +00:00
|
|
|
[ "$_w_mode" = "sta" ] && {
|
|
|
|
[ "$multi_ap" = 1 ] && append network_data "multi_ap_backhaul_sta=1" "$N$T"
|
|
|
|
[ "$default_disabled" = 1 ] && append network_data "disabled=1" "$N$T"
|
|
|
|
}
|
2018-12-10 16:02:27 +00:00
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
case "$auth_type" in
|
|
|
|
none) ;;
|
2018-10-04 20:45:06 +00:00
|
|
|
owe)
|
|
|
|
hostapd_append_wpa_key_mgmt
|
2019-09-20 09:40:52 +00:00
|
|
|
key_mgmt="$wpa_key_mgmt"
|
2018-10-04 20:45:06 +00:00
|
|
|
;;
|
2013-12-02 16:41:03 +00:00
|
|
|
wep)
|
|
|
|
local wep_keyidx=0
|
|
|
|
hostapd_append_wep_key network_data
|
|
|
|
append network_data "wep_tx_keyidx=$wep_keyidx" "$N$T"
|
|
|
|
;;
|
2018-11-22 19:53:09 +00:00
|
|
|
wps)
|
|
|
|
key_mgmt='WPS'
|
|
|
|
;;
|
2018-10-03 21:33:51 +00:00
|
|
|
psk|sae|psk-sae)
|
2013-12-02 16:41:03 +00:00
|
|
|
local passphrase
|
|
|
|
|
2017-01-11 02:09:22 +00:00
|
|
|
if [ "$_w_mode" != "mesh" ]; then
|
|
|
|
hostapd_append_wpa_key_mgmt
|
|
|
|
fi
|
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
key_mgmt="$wpa_key_mgmt"
|
2016-12-11 14:54:06 +00:00
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
if [ ${#key} -eq 64 ]; then
|
|
|
|
passphrase="psk=${key}"
|
|
|
|
else
|
2018-03-27 17:24:27 +00:00
|
|
|
if [ "$_w_mode" = "mesh" ]; then
|
|
|
|
passphrase="sae_password=\"${key}\""
|
|
|
|
else
|
|
|
|
passphrase="psk=\"${key}\""
|
|
|
|
fi
|
2013-12-02 16:41:03 +00:00
|
|
|
fi
|
|
|
|
append network_data "$passphrase" "$N$T"
|
|
|
|
;;
|
2018-10-09 20:50:50 +00:00
|
|
|
eap|eap192|eap-eap192)
|
2016-12-28 04:22:00 +00:00
|
|
|
hostapd_append_wpa_key_mgmt
|
2016-12-11 14:54:06 +00:00
|
|
|
key_mgmt="$wpa_key_mgmt"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2020-01-16 08:01:35 +00:00
|
|
|
json_get_vars eap_type identity anonymous_identity ca_cert ca_cert_usesystem
|
|
|
|
|
2021-12-07 13:47:40 +00:00
|
|
|
[ "$fils" -gt 0 ] && append network_data "erp=1" "$N$T"
|
2020-01-16 08:01:35 +00:00
|
|
|
if [ "$ca_cert_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then
|
|
|
|
append network_data "ca_cert=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T"
|
|
|
|
else
|
|
|
|
[ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
|
|
|
|
fi
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$identity" ] && append network_data "identity=\"$identity\"" "$N$T"
|
2016-04-17 12:50:55 +00:00
|
|
|
[ -n "$anonymous_identity" ] && append network_data "anonymous_identity=\"$anonymous_identity\"" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
case "$eap_type" in
|
|
|
|
tls)
|
|
|
|
json_get_vars client_cert priv_key priv_key_pwd
|
|
|
|
append network_data "client_cert=\"$client_cert\"" "$N$T"
|
|
|
|
append network_data "private_key=\"$priv_key\"" "$N$T"
|
|
|
|
append network_data "private_key_passwd=\"$priv_key_pwd\"" "$N$T"
|
hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.
From the documentation:
subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com
subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.
altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI
altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.
domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.
domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 08:27:28 +00:00
|
|
|
|
|
|
|
json_get_vars subject_match
|
|
|
|
[ -n "$subject_match" ] && append network_data "subject_match=\"$subject_match\"" "$N$T"
|
|
|
|
|
|
|
|
json_get_values altsubject_match altsubject_match
|
|
|
|
if [ -n "$altsubject_match" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $altsubject_match; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "altsubject_match=\"$list\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
|
|
|
json_get_values domain_match domain_match
|
|
|
|
if [ -n "$domain_match" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $domain_match; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "domain_match=\"$list\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
|
|
|
json_get_values domain_suffix_match domain_suffix_match
|
|
|
|
if [ -n "$domain_suffix_match" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $domain_suffix_match; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "domain_suffix_match=\"$list\"" "$N$T"
|
|
|
|
fi
|
2013-12-02 16:41:03 +00:00
|
|
|
;;
|
wpa_supplicant: improve generating phase2 config line for WPA-EAP
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
2016-01-18 11:40:44 +00:00
|
|
|
fast|peap|ttls)
|
2020-01-16 08:01:35 +00:00
|
|
|
json_get_vars auth password ca_cert2 ca_cert2_usesystem client_cert2 priv_key2 priv_key2_pwd
|
2013-12-02 16:41:03 +00:00
|
|
|
set_default auth MSCHAPV2
|
2016-01-19 10:06:29 +00:00
|
|
|
|
|
|
|
if [ "$auth" = "EAP-TLS" ]; then
|
2020-01-16 08:01:35 +00:00
|
|
|
if [ "$ca_cert2_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then
|
|
|
|
append network_data "ca_cert2=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T"
|
|
|
|
else
|
|
|
|
[ -n "$ca_cert2" ] && append network_data "ca_cert2=\"$ca_cert2\"" "$N$T"
|
|
|
|
fi
|
2016-01-19 10:06:29 +00:00
|
|
|
append network_data "client_cert2=\"$client_cert2\"" "$N$T"
|
|
|
|
append network_data "private_key2=\"$priv_key2\"" "$N$T"
|
|
|
|
append network_data "private_key2_passwd=\"$priv_key2_pwd\"" "$N$T"
|
|
|
|
else
|
|
|
|
append network_data "password=\"$password\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.
From the documentation:
subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com
subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.
altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI
altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.
domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.
domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 08:27:28 +00:00
|
|
|
json_get_vars subject_match
|
|
|
|
[ -n "$subject_match" ] && append network_data "subject_match=\"$subject_match\"" "$N$T"
|
|
|
|
|
|
|
|
json_get_values altsubject_match altsubject_match
|
|
|
|
if [ -n "$altsubject_match" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $altsubject_match; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "altsubject_match=\"$list\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
|
|
|
json_get_values domain_match domain_match
|
|
|
|
if [ -n "$domain_match" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $domain_match; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "domain_match=\"$list\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
|
|
|
json_get_values domain_suffix_match domain_suffix_match
|
|
|
|
if [ -n "$domain_suffix_match" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $domain_suffix_match; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "domain_suffix_match=\"$list\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
wpa_supplicant: improve generating phase2 config line for WPA-EAP
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
2016-01-18 11:40:44 +00:00
|
|
|
phase2proto="auth="
|
|
|
|
case "$auth" in
|
|
|
|
"auth"*)
|
|
|
|
phase2proto=""
|
|
|
|
;;
|
|
|
|
"EAP-"*)
|
|
|
|
auth="$(echo $auth | cut -b 5- )"
|
|
|
|
[ "$eap_type" = "ttls" ] &&
|
|
|
|
phase2proto="autheap="
|
hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.
From the documentation:
subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com
subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.
altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI
altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.
domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.
domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 08:27:28 +00:00
|
|
|
json_get_vars subject_match2
|
|
|
|
[ -n "$subject_match2" ] && append network_data "subject_match2=\"$subject_match2\"" "$N$T"
|
|
|
|
|
|
|
|
json_get_values altsubject_match2 altsubject_match2
|
|
|
|
if [ -n "$altsubject_match2" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $altsubject_match2; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "altsubject_match2=\"$list\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
|
|
|
json_get_values domain_match2 domain_match2
|
|
|
|
if [ -n "$domain_match2" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $domain_match2; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "domain_match2=\"$list\"" "$N$T"
|
|
|
|
fi
|
|
|
|
|
|
|
|
json_get_values domain_suffix_match2 domain_suffix_match2
|
|
|
|
if [ -n "$domain_suffix_match2" ]; then
|
|
|
|
local list=
|
|
|
|
for x in $domain_suffix_match2; do
|
|
|
|
append list "$x" ";"
|
|
|
|
done
|
|
|
|
append network_data "domain_suffix_match2=\"$list\"" "$N$T"
|
|
|
|
fi
|
wpa_supplicant: improve generating phase2 config line for WPA-EAP
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
2016-01-18 11:40:44 +00:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
append network_data "phase2=\"$phase2proto$auth\"" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
;;
|
|
|
|
esac
|
|
|
|
append network_data "eap=$(echo $eap_type | tr 'a-z' 'A-Z')" "$N$T"
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
|
2019-03-17 20:01:17 +00:00
|
|
|
[ "$wpa_cipher" = GCMP ] && {
|
|
|
|
append network_data "pairwise=GCMP" "$N$T"
|
|
|
|
append network_data "group=GCMP" "$N$T"
|
|
|
|
}
|
|
|
|
|
2015-04-20 15:00:07 +00:00
|
|
|
[ "$mode" = mesh ] || {
|
|
|
|
case "$wpa" in
|
|
|
|
1)
|
|
|
|
append network_data "proto=WPA" "$N$T"
|
|
|
|
;;
|
|
|
|
2)
|
|
|
|
append network_data "proto=RSN" "$N$T"
|
|
|
|
;;
|
|
|
|
esac
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2015-04-20 15:00:07 +00:00
|
|
|
case "$ieee80211w" in
|
|
|
|
[012])
|
|
|
|
[ "$wpa" -ge 2 ] && append network_data "ieee80211w=$ieee80211w" "$N$T"
|
|
|
|
;;
|
|
|
|
esac
|
|
|
|
}
|
2013-12-02 16:41:03 +00:00
|
|
|
[ -n "$bssid" ] && append network_data "bssid=$bssid" "$N$T"
|
2017-11-07 10:48:40 +00:00
|
|
|
[ -n "$beacon_int" ] && append network_data "beacon_int=$beacon_int" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2015-02-13 10:53:54 +00:00
|
|
|
local bssid_blacklist bssid_whitelist
|
|
|
|
json_get_values bssid_blacklist bssid_blacklist
|
|
|
|
json_get_values bssid_whitelist bssid_whitelist
|
|
|
|
|
|
|
|
[ -n "$bssid_blacklist" ] && append network_data "bssid_blacklist=$bssid_blacklist" "$N$T"
|
|
|
|
[ -n "$bssid_whitelist" ] && append network_data "bssid_whitelist=$bssid_whitelist" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
[ -n "$basic_rate" ] && {
|
|
|
|
local br rate_list=
|
|
|
|
for br in $basic_rate; do
|
2014-12-27 12:59:47 +00:00
|
|
|
wpa_supplicant_add_rate rate_list "$br"
|
2013-12-02 16:41:03 +00:00
|
|
|
done
|
|
|
|
[ -n "$rate_list" ] && append network_data "rates=$rate_list" "$N$T"
|
|
|
|
}
|
|
|
|
|
|
|
|
[ -n "$mcast_rate" ] && {
|
|
|
|
local mc_rate=
|
2014-12-27 12:59:47 +00:00
|
|
|
wpa_supplicant_add_rate mc_rate "$mcast_rate"
|
2014-01-14 19:35:55 +00:00
|
|
|
append network_data "mcast_rate=$mc_rate" "$N$T"
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|
|
|
|
|
2021-01-12 08:38:02 +00:00
|
|
|
if [ "$key_mgmt" = "WPS" ]; then
|
2018-11-22 19:53:09 +00:00
|
|
|
echo "wps_cred_processing=1" >> "$_config"
|
|
|
|
else
|
|
|
|
cat >> "$_config" <<EOF
|
2013-12-02 16:41:03 +00:00
|
|
|
network={
|
2015-04-20 15:00:07 +00:00
|
|
|
$scan_ssid
|
2013-12-02 16:41:03 +00:00
|
|
|
ssid="$ssid"
|
|
|
|
key_mgmt=$key_mgmt
|
|
|
|
$network_data
|
|
|
|
}
|
|
|
|
EOF
|
2018-11-22 19:53:09 +00:00
|
|
|
fi
|
2013-12-02 16:41:03 +00:00
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
|
|
|
wpa_supplicant_run() {
|
2019-10-30 15:57:22 +00:00
|
|
|
local ifname="$1"
|
|
|
|
local hostapd_ctrl="$2"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
_wpa_supplicant_common "$ifname"
|
|
|
|
|
2020-04-06 22:58:40 +00:00
|
|
|
ubus wait_for wpa_supplicant
|
2021-01-12 00:28:17 +00:00
|
|
|
local supplicant_res="$(ubus call wpa_supplicant config_add "{ \
|
2019-10-30 15:57:22 +00:00
|
|
|
\"driver\": \"${_w_driver:-wext}\", \"ctrl\": \"$_rpath\", \
|
|
|
|
\"iface\": \"$ifname\", \"config\": \"$_config\" \
|
|
|
|
${network_bridge:+, \"bridge\": \"$network_bridge\"} \
|
|
|
|
${hostapd_ctrl:+, \"hostapd_ctrl\": \"$hostapd_ctrl\"} \
|
2021-01-12 00:28:17 +00:00
|
|
|
}")"
|
2013-12-02 16:41:03 +00:00
|
|
|
|
|
|
|
ret="$?"
|
|
|
|
|
2021-01-12 00:28:17 +00:00
|
|
|
[ "$ret" != 0 -o -z "$supplicant_res" ] && wireless_setup_vif_failed WPA_SUPPLICANT_FAILED
|
2013-12-02 16:41:03 +00:00
|
|
|
|
2021-01-12 00:28:17 +00:00
|
|
|
wireless_add_process "$(jsonfilter -s "$supplicant_res" -l 1 -e @.pid)" "/usr/sbin/wpa_supplicant" 1 1
|
2019-12-05 17:35:36 +00:00
|
|
|
|
2013-12-02 16:41:03 +00:00
|
|
|
return $ret
|
|
|
|
}
|
|
|
|
|
|
|
|
hostapd_common_cleanup() {
|
2019-10-30 15:57:22 +00:00
|
|
|
killall meshd-nl80211
|
2013-12-02 16:41:03 +00:00
|
|
|
}
|