HOSTAPD_SUPPORTED_MODES="802.11a 802.11a/n 802.11ac 802.11g 802.11g/n"
+HOSTAPD_SUPPORTED_PAIRWISE_CIPHERS=(
+ "GCMP-256" # Galois/counter mode protocol with 256 bit key
+ "CCMP-256" # AES in Counter mode with CBC-MAC with 256 bit key
+ "GCMP-128" # Galois/counter mode protocol with 128 bit key
+ "CCMP-128" # AES in Counter mode with CBC-MAC with 128 bit key
+)
+
+# This must be supported by all stations on the network and therefore
+# can effectively only be CCMP
+HOSTAPD_SUPPORTED_GROUP_CIPHERS=(
+ "CCMP-128"
+)
+
hostapd_config_write() {
local device=${1}
assert isset device
# Shift the device and file argument.
shift 2
+ # Device must exist
+ if ! device_exists "${device}"; then
+ error "Cannot write hostapd configuration for non-existant device: ${device}"
+ return ${EXIT_ERROR}
+ fi
+
+ # Get the phy for device
+ local phy="$(device_get_phy "${device}")"
+ assert isset phy
+
local broadcast_ssid
local channel
local channel_bandwidth
local encryption
local environment="${WIRELESS_DEFAULT_ENVIRONMENT}"
local key
+ local mfp="off"
local mode
local ssid
local wmm="1"
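Review bot: The user-facing error string on the new device check misspells its key word, `non-existant`; make it `error "Cannot write hostapd configuration for non-existent device: ${device}"`. Separately, `local phy="$(device_get_phy "${device}")"` hides the helper's exit status behind `local`, although the `assert isset phy` that follows does catch an empty result, so this is a style point rather than a bug. The enclosing function starts and ends outside this hunk.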
--key=*)
key=$(cli_get_val "${1}")
;;
+ --mfp=*)
+ mfp="$(cli_get_val "${1}")"
+ ;;
--mode=*)
mode=$(cli_get_val "${1}")
# Check if key is set when encryption is used.
if isset encryption; then
- assert isoneof encryption WPA WPA2 WPA/WPA2
+ assert isoneof encryption WPA2
assert isset key
fi
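Review bot: Narrowing `assert isoneof encryption WPA2` means any existing setup that still passes `WPA` or `WPA/WPA2` now aborts the script through `assert` instead of failing cleanly, whereas the new `--mfp` validation added elsewhere in this function reports with `error` and `return ${EXIT_ERROR}`. Dropping WPA/TKIP is the right call, but report it the same way: `isoneof encryption WPA2 || { error "Only WPA2 is supported, got: ${encryption}"; return ${EXIT_ERROR}; }`. The enclosing function starts and ends outside this hunk.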
return ${EXIT_ERROR}
fi
+ # Management Frame Proection
+ if ! isbool mfp; then
+ error "Invalid value for --mfp: ${mfp}"
+ return ${EXIT_ERROR}
+ fi
+
# 802.11ac/n flags
local ieee80211ac
local ieee80211n
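Review bot: The comment above the new validation block misspells the feature, `# Management Frame Proection`; use `# 802.11w - Management Frame Protection (MFP): --mfp must be a boolean` so it matches the wording used where `ieee80211w` is later written out. The check itself is fine, and it is the only place the option's value is validated before use. The enclosing function continues outside this hunk.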
;;
esac
+ # Cryptography
+ local cipher
+
+ # Get all supported pairwise ciphers
+ local pairwise_ciphers=()
+ for cipher in ${HOSTAPD_SUPPORTED_PAIRWISE_CIPHERS[*]}; do
+ if phy_supports_cipher "${phy}" "${cipher}"; then
+ pairwise_ciphers+=( "$(hostapd_cipher_name "${cipher}")" )
+ fi
+ done
+
+ # Get all supported group ciphers
+ local group_ciphers=()
+ for cipher in ${HOSTAPD_SUPPORTED_GROUP_CIPHERS[*]}; do
+ if phy_supports_cipher "${phy}" "${cipher}"; then
+ group_ciphers+=( "$(hostapd_cipher_name "${cipher}")" )
+ fi
+ done
+
# Create configuration directory.
local config_dir=$(dirname ${file})
mkdir -p ${HOSTAPD_CONTROL_INTERFACE_DIR} ${config_dir} 2>/dev/null
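Review bot: If `phy_supports_cipher` rejects every entry, `pairwise_ciphers` and `group_ciphers` stay empty and the function still goes on to emit `rsn_pairwise=` and `group_cipher=` with no value, leaving hostapd to reject the file at start-up instead of this code reporting the cause. Fail early after the two loops: `if [ "${#pairwise_ciphers[@]}" = 0 ] || [ "${#group_ciphers[@]}" = 0 ]; then`, `error "No supported cipher found for ${phy}"; return ${EXIT_ERROR}`, `fi`. The loops also iterate over unquoted `${ARRAY[*]}`, which works only because the names contain no whitespace; `"${ARRAY[@]}"` is the robust form. The enclosing function starts and ends outside this hunk.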
print "channel=${channel}"
print "ignore_broadcast_ssid=${ignore_broadcast_ssid}"
- if contains_spaces "${ssid}"; then
- print "ssid=\"${ssid}\""
- else
- print "ssid=${ssid}"
- fi
+ print "ssid2=\"${ssid}\""
+ print "utf8_ssid=1"
# Kick stations that are too far away
print "disassoc_low_ack=1"
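Review bot: The new `ssid2="${ssid}"` line embeds the SSID inside hostapd's double-quoted string syntax without escaping, so an SSID containing `"` or `\` yields a malformed or misparsed configuration line (hostapd processes backslash escapes inside `ssid2` quotes), which the old `contains_spaces` branch did not have to worry about. Unless the SSID is validated before it reaches this function (not visible here), escape it first: `local ssid_escaped="${ssid//\\/\\\\}"`, `ssid_escaped="${ssid_escaped//\"/\\\"}"`, `print "ssid2=\"${ssid_escaped}\""`. The enclosing subshell block starts and ends outside this hunk.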
print "vht_oper_chwidth=${vht_oper_chwidth}"
print
+
+ # 802.11w - Management Frame Protection (MFP)
+ if enabled mfp; then
+ print "ieee80211w=2" # required
+ else
+ print "ieee80211w=0"
+ fi
) >> ${file}
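Review bot: The `--mfp` switch maps only to `ieee80211w=2` or `ieee80211w=0`, so an operator must choose between required PMF, which excludes clients lacking 802.11w support, and no protection at all; hostapd's `ieee80211w=1` (optional) protects capable clients against deauthentication/disassociation spoofing without locking out legacy ones. Consider accepting a third value for optional mode, or making `1` the fallback instead of `0` — the `mfp="off"` default is set earlier in the function, outside this hunk. The subshell that writes these lines begins outside the hunk.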
# Control interface.
if isset encryption; then
local encryption_mode=0
case "${encryption}" in
- WPA)
- encryption_mode=1
- ;;
WPA2)
encryption_mode=2
;;
- WPA/WPA2)
- encryption_mode=3
- ;;
esac
(
print "# Encryption settings"
print "wpa=${encryption_mode}"
print "wpa_passphrase=${key}"
- print "wpa_key_mgmt=WPA-PSK"
- print "wpa_pairwise=TKIP"
- print "rsn_pairwise=CCMP"
+ print "wpa_key_mgmt=WPA-PSK-SHA256 WPA-PSK"
+ print "wpa_pairwise=${pairwise_ciphers[*]}"
+ print "rsn_pairwise=${pairwise_ciphers[*]}"
+ print "group_cipher=${group_ciphers[*]}"
print
) >> ${file}
fi
+ # Log configuration file
+ file_to_log DEBUG "${file}"
+
return ${EXIT_OK}
}
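Review bot: `file_to_log DEBUG "${file}"` dumps the complete generated file to the log, and that file carries `wpa_passphrase=${key}` in clear text whenever encryption is enabled, so the PSK lands in the debug log and anywhere logs are forwarded. Either skip the dump when `encryption` is set, or log a redacted copy, e.g. pass the output of `sed 's/^wpa_passphrase=.*/wpa_passphrase=<redacted>/' "${file}"` to whichever logging helper the project accepts for text. Also, with `wpa=1` no longer reachable (only `WPA2` is accepted), the `wpa_pairwise=` line is dead configuration; hostapd applies `rsn_pairwise` for `wpa=2`. The function's opening lines are outside this hunk.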
service_stop "hostapd@${device}.service"
}
+
+hostapd_cipher_name() {
+ local cipher="${1}"
+
+ case "${cipher}" in
+ CCMP-128)
+ print "CCMP"
+ ;;
+
+ GCMP-128)
+ print "GCMP"
+ ;;
+
+ *)
+ print "${cipher}"
+ ;;
+ esac
+}
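Review bot: `hostapd_cipher_name` has no header comment saying that it maps the internal identifiers `CCMP-128` and `GCMP-128` to the keywords hostapd expects, `CCMP` and `GCMP`, and passes any other name — including the 256-bit variants — through unchanged. Add one above the function, e.g. `# Translate an internal cipher name into the keyword hostapd uses in wpa_pairwise/rsn_pairwise/group_cipher; names without a hostapd alias are returned as-is`. Because the default arm echoes its input verbatim, a typo in the supported-cipher arrays would reach the configuration file silently, which is worth stating in that comment.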