

  1. #!/bin/sh /etc/rc.common
  2. START=49
  3. USE_PROCD=1
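#######################################
# Generate the CA, server and OCSP key material once and point uhttpd at it.
# Globals:   reads the 'ca' section of the hs20 UCI config; writes uhttpd config
# Outputs:   /etc/hs20/ca/* (via setup.sh), copies of server.* and ca.pem into
#            /etc/hs20/AS/Key
# Returns:   0 when the material exists or was created, 1 if generation or the
#            copy failed
#######################################
setup_ca() {
	# Idempotent: the AS key material is only generated once.
	[ -e /etc/hs20/AS/Key/server.pem ] && return 0

	local company friendly_name rootsubject logo_sha1 logo_sha256 logo_url
	local domain osu_client_subject ocsp_server_subject key_passphrase
	local osu_server_name ocsp_uri revoked_subject
	config_load hs20
	config_get company ca company
	config_get friendly_name ca friendly_name
	config_get rootsubject ca rootsubject
	config_get logo_sha1 ca logo_sha1
	config_get logo_sha256 ca logo_sha256
	config_get logo_url ca logo_url
	config_get domain ca domain
	config_get osu_client_subject ca osu_client_subject
	config_get ocsp_server_subject ca ocsp_server_subject
	config_get key_passphrase ca key_passphrase
	config_get osu_server_name ca osu_server_name
	config_get ocsp_uri ca ocsp_uri
	# NOTE(review): revoked_subject is never read from the config, so setup.sh
	# always receives an empty -V argument, and rootsubject is read but never
	# passed on — confirm both are intended.

	mkdir -p /etc/hs20/ca
	# Run the CA setup inside /etc/hs20/ca. Abort the subshell if the cd fails
	# so setup.sh never drops key material into the caller's cwd, and skip the
	# copy/uci steps if generation failed (the next start retries).
	# The key passphrase is handed over on argv and is therefore visible in the
	# process list while setup.sh runs.
	(
		cd /etc/hs20/ca || exit 1
		/bin/busybox sh /usr/share/hs20/ca/setup.sh \
			-c "$company" -C "$friendly_name" \
			-g "$logo_sha1" -G "$logo_sha256" -l "$logo_url" \
			-m "$domain" -o "$osu_client_subject" -O "$ocsp_server_subject" \
			-p "$key_passphrase" -S "$osu_server_name" -u "$ocsp_uri" \
			-V "$revoked_subject"
	) || return 1
	mkdir -p /etc/hs20/AS/Key
	cp /etc/hs20/ca/server.* /etc/hs20/ca/ca.pem /etc/hs20/AS/Key || return 1
	# uhttpd serves with the CA-generated server certificate/key (the copy
	# under /etc/hs20/AS/Key is for the RADIUS server).
	uci batch <<EOF
set uhttpd.main.cert='/etc/hs20/ca/server.pem'
set uhttpd.main.key='/etc/hs20/ca/server.key'
commit uhttpd
EOF
	return 0
}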
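# Escape a value for use inside a single-quoted SQL literal by doubling every
# single quote (standard SQL). The statements are fed to the sqlite3 CLI as
# text, so this is the only thing keeping a value containing ' inside its
# literal.
_sql_quote() {
	printf '%s' "$1" | sed "s/'/''/g"
}

#######################################
# Emit SQL that replaces one osu_config row.
# Arguments: $1 - realm, $2 - field name, $3 - value
# Outputs:   a DELETE followed by an INSERT statement on stdout
#######################################
sql_set() {
	local realm field value
	realm=$(_sql_quote "$1")
	field=$(_sql_quote "$2")
	value=$(_sql_quote "$3")
	echo "DELETE FROM osu_config WHERE realm='$realm' AND field='$field';"
	echo "INSERT INTO osu_config(realm,field,value) VALUES('$realm','$field','$value');"
}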
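#######################################
# Load the OSU server settings from UCI into the EAP user database.
# Globals:   reads the 'ca' and 'server' sections of the hs20 UCI config
# Outputs:   updates osu_config and wildcards in /etc/hs20/AS/DB/eap_user.db
# Returns:   0 on success, 1 if sqlite3 failed
#######################################
setup_dbconf() {
	# Every config value is local: the original leaked most of them as globals
	# and declared 'domain' while actually using 'realm'.
	local realm spp_http_auth_url trust_root_cert_url trust_root_cert_fingerprint
	local aaa_trust_root_cert_url aaa_trust_root_cert_fingerprint free_account
	local policy_url remediation_url free_remediation_url signup_url
	config_load hs20
	# The OSU realm is the CA domain.
	config_get realm ca domain
	config_get spp_http_auth_url server spp_http_auth_url
	config_get trust_root_cert_url server trust_root_cert_url
	config_get trust_root_cert_fingerprint server trust_root_cert_fingerprint
	config_get aaa_trust_root_cert_url server aaa_trust_root_cert_url
	config_get aaa_trust_root_cert_fingerprint server aaa_trust_root_cert_fingerprint
	config_get free_account server free_account
	config_get policy_url server policy_url
	config_get remediation_url server remediation_url
	config_get free_remediation_url server free_remediation_url
	config_get signup_url server signup_url
	# The database and its osu_config/wildcards tables must already exist:
	# sqlite3 only executes the statements below, it does not create a schema.
	(
		sql_set "$realm" spp_http_auth_url "$spp_http_auth_url"
		sql_set "$realm" trust_root_cert_url "$trust_root_cert_url"
		sql_set "$realm" trust_root_cert_fingerprint "$trust_root_cert_fingerprint"
		sql_set "$realm" aaa_trust_root_cert_url "$aaa_trust_root_cert_url"
		sql_set "$realm" aaa_trust_root_cert_fingerprint "$aaa_trust_root_cert_fingerprint"
		sql_set "$realm" free_account "$free_account"
		sql_set "$realm" policy_url "$policy_url"
		sql_set "$realm" remediation_url "$remediation_url"
		sql_set "$realm" free_remediation_url "$free_remediation_url"
		sql_set "$realm" signup_url "$signup_url"
		# Catch-all identity: allow TTLS and TLS for any user not listed.
		echo "DELETE FROM wildcards WHERE identity='';"
		echo "INSERT INTO wildcards(identity,methods) VALUES('','TTLS,TLS');"
	) | sqlite3 /etc/hs20/AS/DB/eap_user.db || return 1
	return 0
}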
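# Escape the characters that are special in XML text content so a config value
# (e.g. a URI containing '&') cannot break the generated document.
_xml_escape() {
	printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

#######################################
# Write the SPP default policy XML from the 'policy' UCI section.
# Globals:   reads the 'policy' section of the hs20 UCI config
# Outputs:   /tmp/run/spp-default-policy.xml, linked from
#            /etc/hs20/spp/policy/default.xml
# Returns:   0
#######################################
setup_policy() {
	local update_interval update_method restriction uri policy_link
	config_load hs20
	config_get update_interval policy update_interval
	config_get update_method policy update_method
	config_get restriction policy restriction
	config_get uri policy uri
	policy_link=/etc/hs20/spp/policy/default.xml
	# The persistent path is a symlink into /tmp (tmpfs on OpenWrt), so after a
	# reboot it dangles and '-e' is false; also test '-L', otherwise 'ln -s'
	# fails with "File exists" on every boot after the first. A regular file
	# already present at the path is left untouched.
	if [ ! -e "$policy_link" ] && [ ! -L "$policy_link" ]; then
		mkdir -p /etc/hs20/spp/policy
		ln -s /tmp/run/spp-default-policy.xml "$policy_link"
	fi
	cat > /tmp/run/spp-default-policy.xml <<EOF
<Policy>
<PolicyUpdate>
<UpdateInterval>$(_xml_escape "$update_interval")</UpdateInterval>
<UpdateMethod>$(_xml_escape "$update_method")</UpdateMethod>
<Restriction>$(_xml_escape "$restriction")</Restriction>
<URI>$(_xml_escape "$uri")</URI>
</PolicyUpdate>
</Policy>
EOF
	return 0
}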
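#######################################
# Write the hostapd RADIUS server configs and client/secret files from UCI.
# Globals:   reads the 'ca', 'policy' and 'server' sections of the hs20 config
# Outputs:   /tmp/run/as-sql.conf, /tmp/run/radius-sql.conf,
#            /etc/hs20/AS/hostapd-osen.eap_user,
#            /etc/hs20/AS/hostap.radius_clients, /etc/hs20/AS/as.radius_clients
# Returns:   0
#######################################
prepare_config() {
	local key_passphrase subscr_remediation_url osu_nai as_passphrase radius_passphrase
	config_load hs20
	config_get key_passphrase ca key_passphrase
	# The subscription remediation URL is the policy URI.
	config_get subscr_remediation_url policy uri
	config_get osu_nai server osu_nai
	config_get as_passphrase server as_passphrase
	config_get radius_passphrase server radius_passphrase
	mkdir -p /var/run/hostapd/hs20-radius
	# Every file written below holds a secret (private key passphrase or a
	# RADIUS shared secret), so create them owner-only: umask is changed in a
	# subshell so the caller's umask is untouched, and chmod also tightens files
	# left behind by earlier runs. start_service sets no procd user, so the
	# daemons presumably run as root and 0600 is enough for them.
	(
		umask 077
		# AAA server: SQLite-backed EAP users, key material from /etc/hs20/AS/Key.
		cat > /tmp/run/as-sql.conf <<EOF
driver=none
radius_server_clients=/etc/hs20/AS/as.radius_clients
eap_server=1
eap_user_file=sqlite:/etc/hs20/AS/DB/eap_user.db
ca_cert=/etc/hs20/AS/Key/ca.pem
server_cert=/etc/hs20/AS/Key/server.pem
private_key=/etc/hs20/AS/Key/server.key
private_key_passwd=$key_passphrase
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/etc/hs20/AS/DB/eap_sim.db
subscr_remediation_url=$subscr_remediation_url
EOF
		# OSEN RADIUS server: bound to lo, port 1811, stapled OCSP response.
		cat > /tmp/run/radius-sql.conf <<EOF
# hostapd-radius config for the radius used by the OSEN AP
interface=lo
driver=none
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd/hs20-radius
ctrl_interface_group=0
eap_server=1
eap_user_file=/etc/hs20/AS/hostapd-osen.eap_user
server_id=ben-ota-2-osen
radius_server_auth_port=1811
radius_server_clients=/etc/hs20/AS/hostap.radius_clients
ca_cert=/etc/hs20/ca/ca.pem
server_cert=/etc/hs20/ca/server.pem
private_key=/etc/hs20/ca/server.key
private_key_passwd=$key_passphrase
ocsp_stapling_response=/etc/hs20/ca/ocsp-server-cache.der
EOF
		cat > /etc/hs20/AS/hostapd-osen.eap_user <<EOF
# For OSEN authentication (Hotspot 2.0 Release 2)
"$osu_nai" WFA-UNAUTH-TLS
EOF
		# 0.0.0.0/0: any client address is accepted given the shared secret;
		# the OSEN server is confined to lo above, the AAA server's reachability
		# depends on the firewall.
		cat > /etc/hs20/AS/hostap.radius_clients <<EOF
0.0.0.0/0 $radius_passphrase
EOF
		cat > /etc/hs20/AS/as.radius_clients <<EOF
0.0.0.0/0 $as_passphrase
EOF
		chmod 600 /tmp/run/as-sql.conf /tmp/run/radius-sql.conf \
			/etc/hs20/AS/hostap.radius_clients /etc/hs20/AS/as.radius_clients
	)
	return 0
}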
#######################################
# Register one procd instance.
# Arguments: $1 - instance name; remaining args - command line to run
# Outputs:   stdout/stderr of the instance go to the procd log; the process is
#            respawned when it exits
#######################################
_hs20_instance() {
	local name="$1"
	shift
	procd_open_instance "$name"
	procd_set_param command "$@"
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_set_param respawn
	procd_close_instance
}

#######################################
# procd entry point: prepare all state, then start the three daemons.
# Globals:   reads server.enabled from the hs20 UCI config
#######################################
start_service() {
	local enabled
	config_load hs20
	config_get enabled server enabled
	# Only "1" or "true" enable the service. 'exit' (not 'return') ends the
	# whole init-script invocation when disabled.
	case "$enabled" in
		1|true) ;;
		*) exit 0 ;;
	esac
	echo "starting"
	setup_ca
	setup_policy
	setup_dbconf
	prepare_config
	# OCSP responder for the local demoCA on TCP 8888; responses are valid
	# for 5 minutes (-nmin 5) and malformed requests do not stop it
	# (-ignore_err). No bind address is given, so it presumably listens on
	# all interfaces — keep the port firewalled to the intended clients.
	_hs20_instance ocsp-responder /usr/bin/openssl ocsp \
		-index /etc/hs20/ca/demoCA/index.txt -port 8888 -nmin 5 \
		-rsigner /etc/hs20/ca/ocsp.pem -rkey /etc/hs20/ca/ocsp.key \
		-CA /etc/hs20/ca/demoCA/cacert.pem -text -ignore_err
	# AAA server (SQLite EAP users) and OSEN RADIUS server, configs written by
	# prepare_config.
	_hs20_instance hs20-ac /usr/sbin/hostapd-hs20-radius-server /tmp/run/as-sql.conf
	_hs20_instance hs20-radius /usr/sbin/hostapd-hs20-radius-server /tmp/run/radius-sql.conf
}
  173. }