X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=blobdiff_plain;f=package%2Fnetwork%2Fservices%2Fhostapd%2Ffiles%2Fhostapd.sh;h=393233b8b46c689f522664bf7a2e1be42c77d040;hp=94f75c1c956652eaec14de328f8f635daecc7d04;hb=047f9ef8eb31ef5992225f1c6e4eb22ae196d225;hpb=7c197d9f0e7418b53e184f0b1a2112bed525454f

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index 94f75c1c95..393233b8b4 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -1,9 +1,11 @@
+. /lib/functions/network.sh
+
 hostapd_set_bss_options() {
 	local var="$1"
 	local vif="$2"
-	local enc wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wps_possible
+	local enc wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wps_possible wpa_key_mgmt
 
-	config_get enc "$vif" encryption
+	config_get enc "$vif" encryption "none"
 	config_get wep_rekey        "$vif" wep_rekey        # 300
 	config_get wpa_group_rekey  "$vif" wpa_group_rekey  # 300
 	config_get wpa_pair_rekey   "$vif" wpa_pair_rekey   # 300
@@ -73,6 +75,14 @@ hostapd_set_bss_options() {
 
 	# use crypto/auth settings for building the hostapd config
 	case "$enc" in
+		none)
+			wps_possible=1
+			wpa=0
+			crypto=
+			# Here we make the assumption that if we're in open mode
+			# with WPS enabled, we got to be in unconfigured state.
+			wps_not_configured=1
+		;;
 		*psk*)
 			config_get psk "$vif" key
 			if [ ${#psk} -eq 64 ]; then
@@ -84,8 +94,9 @@ hostapd_set_bss_options() {
 			[ -n "$wpa_group_rekey"  ] && append "$var" "wpa_group_rekey=$wpa_group_rekey" "$N"
 			[ -n "$wpa_pair_rekey"   ] && append "$var" "wpa_ptk_rekey=$wpa_pair_rekey"    "$N"
 			[ -n "$wpa_master_rekey" ] && append "$var" "wpa_gmk_rekey=$wpa_master_rekey"  "$N"
+			append wpa_key_mgmt "WPA-PSK"
 		;;
-		*wpa*)
+		*wpa*|*8021x*)
 			# required fields? formats?
 			# hostapd is particular, maybe a default configuration for failures
 			config_get auth_server "$vif" auth_server
@@ -98,9 +109,13 @@ hostapd_set_bss_options() {
 			config_get auth_secret "$vif" auth_secret
 			[ -z "$auth_secret" ] && config_get auth_secret "$vif" key
 			append "$var" "auth_server_shared_secret=$auth_secret" "$N"
+			# You don't really want to enable this unless you are doing
+			# some corner case testing or are using OpenWrt as a work around
+			# for some systematic issues.
 			config_get_bool auth_cache "$vif" auth_cache 0
-			[ "$auth_cache" -gt 0 ] || append "$var" "disable_pmksa_caching=1" "$N"
-			[ "$auth_cache" -gt 0 ] || append "$var" "okc=0" "$N"
+			config_get rsn_preauth "$vif" rsn_preauth
+			[ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "disable_pmksa_caching=1" "$N"
+			[ "$auth_cache" -gt 0 ] || [[ "$rsn_preauth" = 1 ]] || append "$var" "okc=0" "$N"
 			config_get acct_server "$vif" acct_server
 			[ -n "$acct_server" ] && append "$var" "acct_server_addr=$acct_server" "$N"
 			config_get acct_port "$vif" acct_port
@@ -108,11 +123,20 @@ hostapd_set_bss_options() {
 			[ -n "$acct_port" ] && append "$var" "acct_server_port=$acct_port" "$N"
 			config_get acct_secret "$vif" acct_secret
 			[ -n "$acct_secret" ] && append "$var" "acct_server_shared_secret=$acct_secret" "$N"
-			config_get nasid "$vif" nasid
-			append "$var" "nas_identifier=$nasid" "$N"
+			config_get eap_reauth_period "$vif" eap_reauth_period
+			[ -n "$eap_reauth_period" ] && append "$var" "eap_reauth_period=$eap_reauth_period" "$N"
+			config_get dae_client "$vif" dae_client
+			config_get dae_secret "$vif" dae_secret
+			[ -n "$dae_client" -a -n "$dae_secret" ] && {
+				config_get dae_port  "$vif" dae_port
+				append "$var" "radius_das_port=${dae_port:-3799}" "$N"
+				append "$var" "radius_das_client=$dae_client $dae_secret" "$N"
+			}
+			config_get ownip "$vif" ownip
+			append "$var" "own_ip_addr=$ownip" "$N"
 			append "$var" "eapol_key_index_workaround=1" "$N"
 			append "$var" "ieee8021x=1" "$N"
-			append "$var" "wpa_key_mgmt=WPA-EAP" "$N"
+			append wpa_key_mgmt "WPA-EAP"
 			[ -n "$wpa_group_rekey"  ] && append "$var" "wpa_group_rekey=$wpa_group_rekey" "$N"
 			[ -n "$wpa_pair_rekey"   ] && append "$var" "wpa_ptk_rekey=$wpa_pair_rekey"    "$N"
 			[ -n "$wpa_master_rekey" ] && append "$var" "wpa_gmk_rekey=$wpa_master_rekey"  "$N"
@@ -173,10 +197,15 @@ hostapd_set_bss_options() {
 		config_get device_type "$vif" wps_device_type "6-0050F204-1"
 		config_get device_name "$vif" wps_device_name "OpenWrt AP"
 		config_get manufacturer "$vif" wps_manufacturer "openwrt.org"
+		config_get wps_pin "$vif" wps_pin
+
+		config_get_bool ext_registrar "$vif" ext_registrar 0
+		[ "$ext_registrar" -gt 0 -a -n "$bridge" ] && append "$var" "upnp_iface=$bridge" "$N"
 
 		append "$var" "eap_server=1" "$N"
-		append "$var" "wps_state=2" "$N"
-		append "$var" "ap_setup_locked=1" "$N"
+		[ -n "$wps_pin" ] && append "$var" "ap_pin=$wps_pin" "$N"
+		append "$var" "wps_state=${wps_not_configured:-2}" "$N"
+		append "$var" "ap_setup_locked=0" "$N"
 		append "$var" "device_type=$device_type" "$N"
 		append "$var" "device_name=$device_name" "$N"
 		append "$var" "manufacturer=$manufacturer" "$N"
@@ -186,16 +215,69 @@ hostapd_set_bss_options() {
 	append "$var" "ssid=$ssid" "$N"
 	[ -n "$bridge" ] && append "$var" "bridge=$bridge" "$N"
 	[ -n "$ieee80211d" ] && append "$var" "ieee80211d=$ieee80211d" "$N"
-	[ -n "$iapp_interface" ] && append "$var" iapp_interface=$(uci_get_state network "$iapp_interface" ifname "$iapp_interface") "$N"
+	[ -n "$iapp_interface" ] && {
+		local ifname
+		network_get_device ifname "$iapp_interface" || ifname = "$iapp_interface"
+		append bss_conf "iapp_interface=$ifname" "$N"
+	}
+
+	if [ "$wpa" -ge "1" ]
+	then
+		config_get nasid "$vif" nasid
+		[ -n "$nasid" ] && append "$var" "nas_identifier=$nasid" "$N"
+
+		config_get_bool ieee80211r "$vif" ieee80211r 0
+		if [ "$ieee80211r" -gt 0 ]
+		then
+			config_get mobility_domain "$vif" mobility_domain "4f57"
+			config_get r0_key_lifetime "$vif" r0_key_lifetime "10000"
+			config_get r1_key_holder "$vif" r1_key_holder "00004f577274"
+			config_get reassociation_deadline "$vif" reassociation_deadline "1000"
+			config_get r0kh "$vif" r0kh
+			config_get r1kh "$vif" r1kh
+			config_get_bool pmk_r1_push "$vif" pmk_r1_push 0
+
+			append "$var" "mobility_domain=$mobility_domain" "$N"
+			append "$var" "r0_key_lifetime=$r0_key_lifetime" "$N"
+			append "$var" "r1_key_holder=$r1_key_holder" "$N"
+			append "$var" "reassociation_deadline=$reassociation_deadline" "$N"
+			append "$var" "pmk_r1_push=$pmk_r1_push" "$N"
+
+			for kh in $r0kh; do
+				"$var" "r0kh=${kh//,/ }" "$N"
+			done
+			for kh in $r1kh; do
+				"$var" "r1kh=${kh//,/ }" "$N"
+			done
+
+			[ "$wpa_key_mgmt" != "${wpa_key_mgmt/EAP/}" ] && append wpa_key_mgmt "FT-EAP"
+			[ "$wpa_key_mgmt" != "${wpa_key_mgmt/PSK/}" ] && append wpa_key_mgmt "FT-PSK"
+		fi
+
+		[ -n "wpa_key_mgmt" ] && append "$var" "wpa_key_mgmt=$wpa_key_mgmt"
+	fi
 
 	if [ "$wpa" -ge "2" ]
 	then
-		# RSN -> allow preauthentication
-		config_get_bool rsn_preauth "$vif" rsn_preauth "$auth_cache"
+		# RSN -> allow preauthentication. You have two
+		# options, rsn_preauth for production or rsn_preauth_testing
+		# for validation / testing.
 		if [ -n "$bridge" -a "$rsn_preauth" = 1 ]
 		then
 			append "$var" "rsn_preauth=1" "$N"
 			append "$var" "rsn_preauth_interfaces=$bridge" "$N"
+			append "$var" "okc=1" "$N"
+		else
+			# RSN preauthentication testings hould disable
+			# Opportunistic Key Caching (okc) as otherwise the PMKSA
+			# entry for a test could come from the Opportunistic Key Caching
+			config_get rsn_preauth_testing "$vif" rsn_preauth_testing
+			if [ -n "$bridge" -a "$rsn_preauth_testing" = 1 ]
+			then
+				append "$var" "rsn_preauth=1" "$N"
+				append "$var" "rsn_preauth_interfaces=$bridge" "$N"
+				append "$var" "okc=0" "$N"
+			fi
 		fi
 
 		# RSN -> allow management frame protection
@@ -315,4 +397,3 @@ $hostapd_cfg
 EOF
 	hostapd -P /var/run/wifi-$ifname.pid -B /var/run/hostapd-$ifname.conf
 }
-