From 0a4c5abab952ae0d864505f037f46cd0a27d6701 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 30 Mar 2019 16:12:53 +0100
Subject: [PATCH] wireless-ap: Add support for WPA3 and rewrite WPA2

Signed-off-by: Michael Tremer
---
 src/functions/functions.hostapd | 90 +++++++++++++++++++++----------
 src/helpers/hostapd-config-helper | 5 +-
 src/hooks/ports/wireless-ap | 38 +++++++------
 3 files changed, 86 insertions(+), 47 deletions(-)

diff --git a/src/functions/functions.hostapd b/src/functions/functions.hostapd
index d3eaa744..6c2fbd92 100644
--- a/src/functions/functions.hostapd
+++ b/src/functions/functions.hostapd
@@ -61,13 +61,14 @@ hostapd_config_write() {
 local channel_bandwidth
 local country_code="$(wireless_get_reg_domain)"
 local dfs="on"
- local encryption
 local environment="${WIRELESS_DEFAULT_ENVIRONMENT}"
- local key
 local mfp="off"
 local mode
+ local secret
 local ssid
 local wmm="1"
+ local wpa2_personal="off"
+ local wpa3_personal="off"
 
 while [ $# -gt 0 ]; do
 case "${1}" in
@@ -89,9 +90,6 @@ hostapd_config_write() {
 --environment=*)
 environment="$(cli_get_val "${1}")"
 ;;
- --key=*)
- key=$(cli_get_val "${1}")
- ;;
 --mfp=*)
 mfp="$(cli_get_val "${1}")"
 ;;
@@ -103,6 +101,9 @@ hostapd_config_write() {
 return ${EXIT_ERROR}
 fi
 ;;
+ --secret=*)
+ secret="$(cli_get_val "${1}")"
+ ;;
 --ssid=*)
 ssid=$(cli_get_val "${1}")
 ;;
@@ -114,6 +115,12 @@ hostapd_config_write() {
 wmm="0"
 fi
 ;;
+ --wpa2-personal=*)
+ wpa2_personal="$(cli_get_bool "${1}")"
+ ;;
+ --wpa3-personal=*)
+ wpa3_personal="$(cli_get_bool "${1}")"
+ ;;
 *)
 warning_log "Ignoring unknown argument '${1}'."
 ;;
@@ -136,12 +143,6 @@ hostapd_config_write() {
 assert isset mode
 assert isset ssid
 
- # Check if key is set when encryption is used.
- if isset encryption; then
- assert isoneof encryption WPA2
- assert isset key
- fi
-
 # Check wireless environment
 if ! wireless_environment_is_valid "${environment}"; then
 error "Invalid wireless environment: ${environment}"
@@ -166,6 +167,12 @@ hostapd_config_write() { return ${EXIT_ERROR} fi + # Check if secret is set for personal authentication + if ! isset secret && (enabled WPA3_PERSONAL || enabled WPA2_PERSONAL); then + error "Secret not set but personal authentication enabled" + return ${EXIT_ERROR} + fi + # 802.11ac/n flags local ieee80211ac local ieee80211n @@ -394,27 +401,52 @@ hostapd_config_write() { print ) >> ${file} - # Encryption settings - if isset encryption; then - local encryption_mode=0 - case "${encryption}" in - WPA2) - encryption_mode=2 - ;; - esac + # Authentication Settings + local wpa + local wpa_key_mgmt + local wpa_passphrase + local sae_password + local wpa_strict_rekey + + # WPA3 Personal + if enabled WPA3_PERSONAL; then + # Enable RSN + wpa="2" + + # Add WPA key management + list_append wpa_key_mgmt "SAE" + sae_password="${secret}" + fi + + # WPA2 Personal + if enabled WPA2_PERSONAL; then + # Enable RSN + wpa="2" + + # Add WPA key management + list_append wpa_key_mgmt "WPA-PSK-SHA256" "WPA-PSK" + wpa_passphrase="${secret}" - ( - print "# Encryption settings" - print "wpa=${encryption_mode}" - print "wpa_passphrase=${key}" - print "wpa_key_mgmt=WPA-PSK-SHA256 WPA-PSK" - print "wpa_pairwise=${pairwise_ciphers[*]}" - print "rsn_pairwise=${pairwise_ciphers[*]}" - print "group_cipher=${group_ciphers[*]}" - print - ) >> ${file} + # Enable WPA strict rekey + wpa_strict_rekey="1" fi + # Enable RSN ciphers when RSN is enabled + local rsn_pairwise + local group_cipher + if [ "${wpa}" = "2" ]; then + rsn_pairwise="${pairwise_ciphers[*]}" + group_cipher="${group_ciphers[*]}" + fi + + local var + for var in wpa wpa_key_mgmt wpa_passphrase sae_password \ + rsn_pairwise group_cipher wpa_strict_rekey; do + if [ -n "${!var}" ]; then + print "${var}=${!var}" + fi + done >> "${file}" + # Log configuration file file_to_log DEBUG "${file}" diff --git a/src/helpers/hostapd-config-helper b/src/helpers/hostapd-config-helper index 7af723d2..6d9f685c 100644 
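Review bot: The new guard in hostapd_config_write tests `enabled WPA3_PERSONAL` and `enabled WPA2_PERSONAL`, but the values parsed from `--wpa3-personal=`/`--wpa2-personal=` earlier in this function land in the locals `wpa3_personal` and `wpa2_personal`; if `enabled` dereferences the variable named by its argument, as its use elsewhere in these hooks suggests, the check reads the hook's uppercase globals and only works when the function happens to run in a shell where those are already set. The same mismatch is in the following hunk's `if enabled WPA3_PERSONAL; then` and `if enabled WPA2_PERSONAL; then`, so a caller passing only command-line options would silently get an open network. Change the three tests to `if ! isset secret && (enabled wpa3_personal || enabled wpa2_personal); then`, `if enabled wpa3_personal; then` and `if enabled wpa2_personal; then`. hostapd_config_write starts and ends outside this hunk.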
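Review bot: Selecting `SAE` in `wpa_key_mgmt` does not adjust management-frame protection, which is handled by `mfp` outside this hunk and defaults to off; WPA3-Personal requires PMF, and hostapd rejects or degrades an SAE BSS without it. The WPA3 branch should either fail validation when `mfp` is off or force PMF on: `ieee80211w=2` for a WPA3-only AP, and `ieee80211w=1` with `sae_require_mfp=1` when WPA2 and WPA3 are both enabled (transition mode). The passphrase is also now emitted via `print "${var}=${!var}"` for `wpa_passphrase` and `sae_password` and the whole file is then passed to `file_to_log DEBUG "${file}"`, so the secret ends up in the debug log; consider masking those two keys in the logged copy. The enclosing function continues outside this hunk.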
--- a/src/helpers/hostapd-config-helper +++ b/src/helpers/hostapd-config-helper @@ -42,12 +42,13 @@ case "${action}" in --channel="${CHANNEL}" \ --channel-bandwidth="${CHANNEL_BANDWIDTH}" \ --dfs="${DFS}" \ - --encryption="${ENCRYPTION}" \ --environment="${ENVIRONMENT}" \ - --key="${KEY}" \ + --secret="${SECRET}" \ --mfp="${MFP}" \ --mode="${MODE}" \ --ssid="${SSID}" \ + --wpa3-personal="${WPA3_PERSONAL}" \ + --wpa2-personal="${WPA2_PERSONAL}" \ || exit $? ;; diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap index a964fac8..7176ee58 100644 --- a/src/hooks/ports/wireless-ap +++ b/src/hooks/ports/wireless-ap @@ -29,15 +29,20 @@ HOOK_SETTINGS=( "CHANNEL" "CHANNEL_BANDWIDTH" "DFS" - "ENCRYPTION" "ENVIRONMENT" - "KEY" "MFP" "MODE" "PHY" + "SECRET" "SSID" + "WPA3_PERSONAL" + "WPA2_PERSONAL" ) +# Disable WPA3+2 by default +DEFAULT_WPA3_PERSONAL="off" +DEFAULT_WPA2_PERSONAL="off" + # Broadcast SSID by default DEFAULT_BROADCAST_SSID="on" @@ -64,14 +69,6 @@ hook_check_settings() { assert ismac PHY assert isset SSID - if isset ENCRYPTION; then - assert isoneof ENCRYPTION WPA2 - - assert isset KEY - assert [ ${#KEY} -ge 8 ] - assert [ ${#KEY} -le 63 ] - fi - assert wireless_environment_is_valid "${ENVIRONMENT}" } @@ -99,9 +96,6 @@ hook_parse_cmdline() { return ${EXIT_ERROR} fi ;; - --encryption=*) - ENCRYPTION=$(cli_get_val "${1}") - ;; --environment=*) ENVIRONMENT="$(cli_get_val "${1}")" @@ -110,9 +104,6 @@ hook_parse_cmdline() { return ${EXIT_ERROR} fi ;; - --key=*) - KEY=$(cli_get_val "${1}") - ;; --mac=*) ADDRESS=$(cli_get_val "${1}") ;; @@ -140,9 +131,18 @@ hook_parse_cmdline() { --phy=*) PHY=$(cli_get_val "${1}") ;; + --secret=*) + SECRET="$(cli_get_val "${1}")" + ;; --ssid=*) SSID=$(cli_get_val "${1}") ;; + --wpa2-personal=*) + WPA2_PERSONAL="$(cli_get_bool "${1}")" + ;; + --wpa3-personal=*) + WPA3_PERSONAL="$(cli_get_bool "${1}")" + ;; *) warning "Ignoring unknown argument '${1}'" ;; 
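Review bot: hook_check_settings in wireless-ap drops the `${#KEY} -ge 8` / `-le 63` bounds without adding an equivalent for `SECRET`, and no longer asserts that a secret is present at all; the only remaining check is the one added later in hook_parse_cmdline, which runs only when settings come from the command line. A WPA2-PSK passphrase outside 8–63 characters makes hostapd refuse the generated configuration, so the saved settings should still be validated here: `if enabled WPA2_PERSONAL || enabled WPA3_PERSONAL; then assert isset SECRET; fi` followed by `if enabled WPA2_PERSONAL; then assert [ ${#SECRET} -ge 8 ]; assert [ ${#SECRET} -le 63 ]; fi`. hook_check_settings starts before this hunk.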
@@ -174,6 +174,12 @@ hook_parse_cmdline() {
 return ${EXIT_ERROR}
 fi
 
+ # Check if SECRET is set when WPA* is enabled
+ if ! isset SECRET && (enabled WPA3_PERSONAL || enabled WPA2_PERSONAL); then
+ error "Secret is not set when PSK authentication is enabled"
+ return ${EXIT_ERROR}
+ fi
+
 # Save address of phy do identify it again
 PHY=$(phy_get ${PHY})
 PHY=$(phy_get_address ${PHY})
-- 
2.47.2
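Review bot: The new check only covers a missing `SECRET`; the opposite case, `--secret=` given while both `WPA2_PERSONAL` and `WPA3_PERSONAL` stay at their `off` defaults, passes silently and brings the port up as an open network with the secret ignored, which is the more dangerous misconfiguration. Add the converse guard right after it: `if isset SECRET && ! (enabled WPA3_PERSONAL || enabled WPA2_PERSONAL); then error "Secret is set but no personal authentication is enabled"; return ${EXIT_ERROR}; fi`. The error text `"... when PSK authentication is enabled"` is also slightly off for the SAE case; `personal authentication`, as used in functions.hostapd, would be consistent. hook_parse_cmdline starts before this hunk and continues after it.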