]> git.ipfire.org Git - people/ms/network.git/blobdiff - src/hooks/ports/wireless-ap
projects / people / ms / network.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
wireless-ap: Check that secret has the correct length and no invalid characters
[people/ms/network.git] / src / hooks / ports / wireless-ap
diff --git a/src/hooks/ports/wireless-ap b/src/hooks/ports/wireless-ap
index 8de0aba398e818d74e9c673e0c0a4943271faf05..26e14d63f53ef32430da9af9e343dd3c4b949c95 100644 (file)
--- a/src/hooks/ports/wireless-ap
+++ b/src/hooks/ports/wireless-ap
@@ -21,64 +21,108 @@
 
 . /usr/lib/network/header-port
 
-HOOK_SETTINGS="HOOK ADDRESS BROADCAST_SSID CHANNEL MODE PHY SSID"
-HOOK_SETTINGS="${HOOK_SETTINGS} ENCRYPTION KEY"
-
-ADDRESS=$(mac_generate)
-BROADCAST_SSID=on
-CHANNEL=1
-ENCRYPTION=""
-KEY=""
-MODE="g"
-SSID=
-
-function hook_check() {
+HOOK_PORT_PATTERN="${PORT_PATTERN_ACCESSPOINT}"
+
+HOOK_SETTINGS=(
+       "ADDRESS"
+       "BROADCAST_SSID"
+       "CHANNEL"
+       "CHANNEL_BANDWIDTH"
+       "DFS"
+       "ENVIRONMENT"
+       "MFP"
+       "MODE"
+       "PHY"
+       "SECRET"
+       "SSID"
+       "WPA3_PERSONAL"
+       "WPA2_PERSONAL"
+)
+
+# Disable WPA3+2 by default
+DEFAULT_WPA3_PERSONAL="off"
+DEFAULT_WPA2_PERSONAL="off"
+
+# Broadcast SSID by default
+DEFAULT_BROADCAST_SSID="on"
+
+# Perform radar detection by default when possible
+DEFAULT_DFS="on"
+
+# 802.11w - Management Frame Protection
+DEFAULT_MFP="on"
+
+DEFAULT_ENVIRONMENT="${WIRELESS_DEFAULT_ENVIRONMENT}"
+
+hook_check_settings() {
        assert isset ADDRESS
        assert ismac ADDRESS
        assert isset BROADCAST_SSID
        assert isbool BROADCAST_SSID
        assert isset CHANNEL
+       assert isbool DFS
+       assert isbool MFP
        assert isset MODE
-       assert isoneof MODE a b g n
+       assert isoneof MODE ${HOSTAPD_SUPPORTED_MODES}
        assert isset PHY
        assert ismac PHY
        assert isset SSID
 
-       if isset ENCRYPTION; then
-               assert isoneof ENCRYPTION WPA WPA2 WPA/WPA2
-
-               assert isset KEY
-               assert [ ${#KEY} -ge 8 ]
-               assert [ ${#KEY} -le 63 ]
-       fi
+       assert wireless_environment_is_valid "${ENVIRONMENT}"
 }
 
-function hook_new() {
+hook_parse_cmdline() {
        while [ $# -gt 0 ]; do
                case "${1}" in
                        --broadcast-ssid=*)
-                               BROADCAST_SSID=$(cli_get_val ${1})
+                               BROADCAST_SSID=$(cli_get_val "${1}")
                                ;;
                        --channel=*)
-                               CHANNEL=$(cli_get_val ${1})
+                               CHANNEL=$(cli_get_val "${1}")
+                               ;;
+                       --channel-bandwidth=*)
+                               CHANNEL_BANDWIDTH="$(cli_get_val "${1}")"
                                ;;
-                       --encryption=*)
-                               ENCRYPTION=$(cli_get_val ${1})
+                       --dfs=*)
+                               DFS="$(cli_get_bool "${1}")"
                                ;;
-                       --key=*)
-                               KEY=$(cli_get_val ${1})
+                       --environment=*)
+                               ENVIRONMENT="$(cli_get_val "${1}")"
+
+                               if ! wireless_environment_is_valid "${ENVIRONMENT}"; then
+                                       error "Invalid wireless environment: ${ENVIRONMENT}"
+                                       return ${EXIT_ERROR}
+                               fi
                                ;;
                        --mac=*)
-                               ADDRESS=$(cli_get_val ${1})
+                               ADDRESS=$(cli_get_val "${1}")
+                               ;;
+                       --mfp=*)
+                               MFP="$(cli_get_bool "${1}")"
                                ;;
                        --mode=*)
-                               MODE=$(cli_get_val ${1})
+                               MODE=$(cli_get_val "${1}")
+
+                               if ! isoneof MODE ${HOSTAPD_SUPPORTED_MODES}; then
+                                       error "Unsupported mode: ${MODE}"
+                                       error "Mode must be one of ${HOSTAPD_SUPPORTED_MODES}"
+                                       return ${EXIT_ERROR}
+                               fi
                                ;;
                        --phy=*)
-                               PHY=$(cli_get_val ${1})
+                               PHY=$(cli_get_val "${1}")
+                               ;;
+                       --secret=*)
+                               SECRET="$(cli_get_val "${1}")"
                                ;;
                        --ssid=*)
-                               SSID=$(cli_get_val ${1})
+                               SSID=$(cli_get_val "${1}")
+                               ;;
+                       --wpa2-personal=*)
+                               WPA2_PERSONAL="$(cli_get_bool "${1}")"
+                               ;;
+                       --wpa3-personal=*)
+                               WPA3_PERSONAL="$(cli_get_bool "${1}")"
                                ;;
                        *)
                                warning "Ignoring unknown argument '${1}'"
@@ -87,65 +131,68 @@ function hook_new() {
                shift
        done
 
-       # Save address of phy do identify it again
-       PHY=$(phy_get ${PHY})
-       PHY=$(phy_get_address ${PHY})
+       # Generate a random MAC address if none is set
+       if ! isset ADDRESS; then
+               ADDRESS="$(mac_generate)"
+       fi
 
-       local port=$(port_find_free ${PORT_PATTERN_ACCESSPOINT})
-       assert isset port
+       # MODE must be set
+       if ! isset MODE; then
+               error "--mode is not set"
+               return ${EXIT_ERROR}
+       fi
 
-       port_settings_write "${port}" ${HOOK_SETTINGS}
+       # Automatically enable ACS if no channel is set and ACS is available
+       if ! isset CHANNEL && phy_supports_acs "${PHY}"; then
+               CHANNEL="0"
 
-       exit ${EXIT_OK}
-}
+               log INFO "Automatic Channel Selection (ACS) enabled"
+       fi
 
-function hook_edit() {
-       local port=${1}
-       shift
+       # Channel bandwidth must match the mode
+       if isset CHANNEL_BANDWIDTH && ! wireless_channel_bandwidth_is_valid "${MODE}" "${CHANNEL_BANDWIDTH}"; then
+               error "Channel Bandwidth '${CHANNEL_BANDWIDTH}' is not supported for ${MODE}"
+               return ${EXIT_ERROR}
+       fi
 
-       assert isset port
+       # Check if SECRET is set when WPA* is enabled
+       if enabled WPA3_PERSONAL || enabled WPA2_PERSONAL; then
+               if ! isset SECRET; then
+                       error "Secret is not set when PSK authentication is enabled"
+                       return ${EXIT_ERROR}
+               fi
+
+               # Check if SECRET is valid
+               if ! wireless_pre_shared_key_is_valid "${SECRET}"; then
+                       error "The secret is in an invalid format"
+                       return ${EXIT_ERROR}
+               fi
+       fi
 
-       port_settings_read "${port}" ${HOOK_SETTINGS}
+       # Save address of phy do identify it again
+       PHY=$(phy_get ${PHY})
+       PHY=$(phy_get_address ${PHY})
+}
 
-       while [ $# -gt 0 ]; do
-               case "${1}" in
-                       --broadcast-ssid=*)
-                               BROADCAST_SSID=$(cli_get_val ${1})
-                               ;;
-                       --channel=*)
-                               CHANNEL=$(cli_get_val ${1})
-                               ;;
-                       --encryption=*)
-                               ENCRYPTION=$(cli_get_val ${1})
-                               ;;
-                       --key=*)
-                               KEY=$(cli_get_val ${1})
-                               ;;
-                       --ssid=*)
-                               SSID=$(cli_get_val ${1})
-                               ;;
-                       --mode=*)
-                               MODE=$(cli_get_val ${1})
-                               ;;
-                       *)
-                               warning "Unknown argument '${1}'"
-                               ;;
-               esac
-               shift
-       done
+hook_edit() {
+       local port=${1}
+       assert isset port
 
-       port_settings_write "${port}" ${HOOK_SETTINGS}
+       if ! hook_default_edit "$@"; then
+               return ${EXIT_ERROR}
+       fi
 
-       exit ${EXIT_OK} 
+       # To apply all changes, we need to restart the port
+       port_restart "${port}"
 }
 
-function hook_create() {
+hook_create() {
        local port="${1}"
        assert isset port
 
        device_exists "${port}" && exit ${EXIT_OK}
 
-       port_settings_read "${port}" ${HOOK_SETTINGS}
+       port_settings_read "${port}"
 
        # Check if the PHY is present.
        local phy=$(phy_get ${PHY})
@@ -163,7 +210,7 @@ function hook_create() {
        exit ${EXIT_OK}
 }
 
-function hook_remove() {
+hook_remove() {
        local port="${1}"
        assert isset port
 
@@ -175,7 +222,7 @@ function hook_remove() {
        exit ${EXIT_OK}
 }
 
-function hook_up() {
+hook_up() {
        local port="${1}"
        assert isset port
 
@@ -187,14 +234,14 @@ function hook_up() {
        hostapd_start "${port}"
 }
 
-function hook_down() {
+hook_down() {
        local port="${1}"
        assert isset port
 
        hostapd_stop "${port}"
 }
 
-function hook_hotplug() {
+hook_hotplug() {
        local port="${1}"
        assert isset port
 
Networking code of IPFire 3.x.