path: root/net/hs20/files/hs20.init
blob: c23fcf807200d69ef4bb10d2eff4590a44aace48 (plain)
#!/bin/sh /etc/rc.common
# procd init script for the Hotspot 2.0 (hs20) OSU / AAA helper services.
# Configuration is read from /etc/config/hs20 (sections used below:
# 'ca', 'server' and 'policy') through the rc.common config_* helpers.

# Boot order priority of this service.
START=49

# Use procd for process supervision (start_service() below).
USE_PROCD=1

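#######################################
# Create the local Hotspot 2.0 CA and server key material on first start.
# Globals:   reads the 'ca' section of /etc/config/hs20 via config_get;
#            sets uhttpd.main.cert / uhttpd.main.key through uci.
# Arguments: none
# Returns:   0 if the key already exists or was created; 1 if the CA
#            directory cannot be entered, setup.sh fails, or the copy fails.
#######################################
setup_ca() {
	# Idempotent: an existing server key means the CA was already generated.
	[ -e /etc/hs20/AS/Key/server.pem ] && return 0

	local company friendly_name rootsubject logo_sha1 logo_sha256 logo_url domain
	local osu_client_subject ocsp_server_subject key_passphrase osu_server_name
	local ocsp_uri revoked_subject
	config_load hs20
	config_get company ca company
	config_get friendly_name ca friendly_name
	# rootsubject is read but not passed to setup.sh below (no option for
	# it is visible here) -- confirm whether setup.sh expects it.
	config_get rootsubject ca rootsubject
	config_get logo_sha1 ca logo_sha1
	config_get logo_sha256 ca logo_sha256
	config_get logo_url ca logo_url
	config_get domain ca domain
	config_get osu_client_subject ca osu_client_subject
	config_get ocsp_server_subject ca ocsp_server_subject
	config_get key_passphrase ca key_passphrase
	config_get osu_server_name ca osu_server_name
	config_get ocsp_uri ca ocsp_uri
	# Previously never read, so -V always received an empty value.
	config_get revoked_subject ca revoked_subject

	mkdir -p /etc/hs20/ca || return 1
	# setup.sh works in the current directory, so run it in a subshell and
	# abort if the directory cannot be entered (otherwise the CA would be
	# written wherever the shell happened to be).
	# NOTE: the key passphrase is passed on argv and is visible in process
	# listings while setup.sh runs; setup.sh's interface would have to
	# accept it via stdin or the environment to avoid that.
	(
		cd /etc/hs20/ca || exit 1
		/bin/busybox sh /usr/share/hs20/ca/setup.sh \
			-c "$company" -C "$friendly_name" \
			-g "$logo_sha1" -G "$logo_sha256" -l "$logo_url" \
			-m "$domain" -o "$osu_client_subject" -O "$ocsp_server_subject" \
			-p "$key_passphrase" -S "$osu_server_name" -u "$ocsp_uri" \
			-V "$revoked_subject"
	) || return 1

	mkdir -p /etc/hs20/AS/Key || return 1
	cp /etc/hs20/ca/server.* /etc/hs20/ca/ca.pem /etc/hs20/AS/Key || return 1

	# Point the web server at the freshly generated certificate.
	uci batch <<EOF
set uhttpd.main.cert='/etc/hs20/ca/server.pem'
set uhttpd.main.key='/etc/hs20/ca/server.key'
commit uhttpd
EOF

	return 0
}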

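#######################################
# Escape a value for embedding inside a single-quoted SQL string literal.
# Arguments: $1 - raw value
# Outputs:   the value with every ' doubled, on stdout (no trailing newline)
#######################################
sql_quote() {
	printf '%s' "$1" | sed "s/'/''/g"
}

#######################################
# Emit SQL that replaces one osu_config row.
# The original interpolated the arguments verbatim, so a value containing
# a single quote broke the statement; values are now escaped first.
# Arguments: $1 - realm, $2 - field, $3 - value
# Outputs:   a DELETE followed by an INSERT statement on stdout
#######################################
sql_set() {
	local realm field value
	realm=$(sql_quote "$1")
	field=$(sql_quote "$2")
	value=$(sql_quote "$3")
	# printf rather than echo: the values are data and must not be subject
	# to echo's option/backslash handling.
	printf "DELETE FROM osu_config WHERE realm='%s' AND field='%s';\n" "$realm" "$field"
	printf "INSERT INTO osu_config(realm,field,value) VALUES('%s','%s','%s');\n" "$realm" "$field" "$value"
}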

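#######################################
# Populate the osu_config and wildcards tables of the EAP user database.
# Globals:   reads 'ca.domain' and the 'server' section of /etc/config/hs20.
# Arguments: none
# Outputs:   feeds SQL statements to sqlite3 on /etc/hs20/AS/DB/eap_user.db
# Returns:   0 always (sqlite3's status is not propagated)
#######################################
setup_dbconf() {
	# Every config value was previously assigned without 'local' except
	# three of them, leaking the rest into the global shell scope.
	local realm spp_http_auth_url trust_root_cert_url trust_root_cert_fingerprint
	local aaa_trust_root_cert_url aaa_trust_root_cert_fingerprint free_account
	local policy_url remediation_url free_remediation_url signup_url
	config_load hs20
	config_get realm ca domain
	config_get spp_http_auth_url server spp_http_auth_url
	config_get trust_root_cert_url server trust_root_cert_url
	config_get trust_root_cert_fingerprint server trust_root_cert_fingerprint
	config_get aaa_trust_root_cert_url server aaa_trust_root_cert_url
	config_get aaa_trust_root_cert_fingerprint server aaa_trust_root_cert_fingerprint
	config_get free_account server free_account
	config_get policy_url server policy_url
	config_get remediation_url server remediation_url
	config_get free_remediation_url server free_remediation_url
	config_get signup_url server signup_url
	# "$realm" is quoted so an empty or whitespace-containing domain cannot
	# shift the positional arguments of sql_set.  sql_set interpolates these
	# values into SQL text; they come from the device's own config file.
	(
		sql_set "$realm" spp_http_auth_url "$spp_http_auth_url"
		sql_set "$realm" trust_root_cert_url "$trust_root_cert_url"
		sql_set "$realm" trust_root_cert_fingerprint "$trust_root_cert_fingerprint"
		sql_set "$realm" aaa_trust_root_cert_url "$aaa_trust_root_cert_url"
		sql_set "$realm" aaa_trust_root_cert_fingerprint "$aaa_trust_root_cert_fingerprint"
		sql_set "$realm" free_account "$free_account"
		sql_set "$realm" policy_url "$policy_url"
		sql_set "$realm" remediation_url "$remediation_url"
		sql_set "$realm" free_remediation_url "$free_remediation_url"
		sql_set "$realm" signup_url "$signup_url"
		# Wildcard entry: empty identity accepts TTLS and TLS methods.
		echo "DELETE FROM wildcards WHERE identity='';"
		echo "INSERT INTO wildcards(identity,methods) VALUES('','TTLS,TLS');"
	) | sqlite3 /etc/hs20/AS/DB/eap_user.db

	return 0
}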

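#######################################
# Escape a string for use as XML element text.
# Arguments: $1 - raw string
# Outputs:   the string with &, < and > replaced by entities (no trailing newline)
#######################################
hs20_xml_escape() {
	printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

#######################################
# Write the default subscription policy XML and link it into the spp tree.
# Globals:   reads the 'policy' section of /etc/config/hs20.
# Arguments: none
# Outputs:   /tmp/run/spp-default-policy.xml; creates the symlink
#            /etc/hs20/spp/policy/default.xml -> that file when absent
# Returns:   0 always
#######################################
setup_policy() {
	local update_interval update_method restriction uri
	config_load hs20
	config_get update_interval policy update_interval
	config_get update_method policy update_method
	config_get restriction policy restriction
	config_get uri policy uri

	# Values were previously pasted into the XML verbatim, so a URI with a
	# query string ('&') produced a malformed document.
	update_interval=$(hs20_xml_escape "$update_interval")
	update_method=$(hs20_xml_escape "$update_method")
	restriction=$(hs20_xml_escape "$restriction")
	uri=$(hs20_xml_escape "$uri")

	# -e is false for a dangling symlink (the target lives in /tmp and is
	# gone after reboot), which made 'ln -s' fail with "File exists"; also
	# test -L so an existing link is left alone.  A regular file placed
	# there by the administrator is never overwritten.
	if [ ! -e /etc/hs20/spp/policy/default.xml ] && [ ! -L /etc/hs20/spp/policy/default.xml ]; then
		mkdir -p /etc/hs20/spp/policy
		ln -s /tmp/run/spp-default-policy.xml /etc/hs20/spp/policy/default.xml
	fi

	cat > /tmp/run/spp-default-policy.xml <<EOF
<Policy>
	<PolicyUpdate>
		<UpdateInterval>$update_interval</UpdateInterval>
		<UpdateMethod>$update_method</UpdateMethod>
		<Restriction>$restriction</Restriction>
		<URI>$uri</URI>
	</PolicyUpdate>
</Policy>

EOF
	return 0
}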

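#######################################
# Write stdin to a file that holds secrets, readable by the owner only.
# Runs in a subshell so the umask change does not leak into the caller.
# Arguments: $1 - destination path
# Returns:   status of cat/chmod
#######################################
hs20_write_secret() (
	umask 077
	# chmod as well: umask only applies when the file is created, and an
	# existing world-readable file would otherwise keep its mode.
	cat > "$1" && chmod 600 "$1"
)

#######################################
# Generate the hostapd RADIUS/EAP server configuration files.
# Globals:   reads 'ca.key_passphrase', 'policy.uri' and the 'server'
#            section of /etc/config/hs20.
# Arguments: none
# Outputs:   /tmp/run/as-sql.conf, /tmp/run/radius-sql.conf,
#            /etc/hs20/AS/hostapd-osen.eap_user,
#            /etc/hs20/AS/hostap.radius_clients, /etc/hs20/AS/as.radius_clients
# Returns:   0 always
#######################################
prepare_config() {
	local key_passphrase subscr_remediation_url osu_nai as_passphrase radius_passphrase
	config_load hs20
	config_get key_passphrase ca key_passphrase
	config_get subscr_remediation_url policy uri
	config_get osu_nai server osu_nai
	config_get as_passphrase server as_passphrase
	config_get radius_passphrase server radius_passphrase

	# The files below embed the private key passphrase and the RADIUS shared
	# secrets; they were previously created with the default umask and thus
	# typically world-readable.  hostapd is started as root by procd below,
	# so mode 0600 is sufficient -- confirm if the instances are ever given
	# a dedicated user.
	hs20_write_secret /tmp/run/as-sql.conf <<EOF
driver=none
radius_server_clients=/etc/hs20/AS/as.radius_clients
eap_server=1
eap_user_file=sqlite:/etc/hs20/AS/DB/eap_user.db
ca_cert=/etc/hs20/AS/Key/ca.pem
server_cert=/etc/hs20/AS/Key/server.pem
private_key=/etc/hs20/AS/Key/server.key
private_key_passwd=$key_passphrase
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/etc/hs20/AS/DB/eap_sim.db
subscr_remediation_url=$subscr_remediation_url
EOF

	mkdir -p /var/run/hostapd/hs20-radius
	# server_id is hard-coded; it looks like a sample identifier rather than
	# a per-device value -- verify against the deployment.
	hs20_write_secret /tmp/run/radius-sql.conf <<EOF
# hostapd-radius config for the radius used by the OSEN AP
interface=lo
driver=none
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd/hs20-radius
ctrl_interface_group=0
eap_server=1
eap_user_file=/etc/hs20/AS/hostapd-osen.eap_user
server_id=ben-ota-2-osen
radius_server_auth_port=1811
radius_server_clients=/etc/hs20/AS/hostap.radius_clients

ca_cert=/etc/hs20/ca/ca.pem
server_cert=/etc/hs20/ca/server.pem
private_key=/etc/hs20/ca/server.key
private_key_passwd=$key_passphrase

ocsp_stapling_response=/etc/hs20/ca/ocsp-server-cache.der
EOF

	# No secret here: the OSU NAI and the unauthenticated TLS method only.
	cat > /etc/hs20/AS/hostapd-osen.eap_user <<EOF
# For OSEN authentication (Hotspot 2.0 Release 2)
"$osu_nai"      WFA-UNAUTH-TLS
EOF

	# 0.0.0.0/0 accepts any RADIUS client that knows the shared secret; the
	# secret is therefore the only access control on these servers.
	hs20_write_secret /etc/hs20/AS/hostap.radius_clients <<EOF
0.0.0.0/0       $radius_passphrase
EOF

	hs20_write_secret /etc/hs20/AS/as.radius_clients <<EOF
0.0.0.0/0       $as_passphrase
EOF

	return 0
}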

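#######################################
# Register one procd instance with stdout/stderr logging and respawn.
# Arguments: $1 - instance name; $2... - command and its arguments
#######################################
hs20_add_instance() {
	local name=$1
	shift
	procd_open_instance "$name"
	procd_set_param command "$@"
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_set_param respawn
	procd_close_instance
}

#######################################
# procd entry point: prepare CA, policy, database and configs, then start
# the OCSP responder and the two hostapd RADIUS servers.
# Globals:   reads 'server.enabled' from /etc/config/hs20.
# Arguments: none
# Returns:   exits 0 when the service is disabled; 1 if a setup step fails
#######################################
start_service() {
	local enabled
	config_load hs20
	config_get enabled server enabled

	# Disabled unless server.enabled is '1' or 'true'.
	[ "$enabled" != "1" ] && [ "$enabled" != "true" ] && exit 0
	echo "starting"

	# Do not launch the servers if any preparation step reports failure;
	# the RADIUS servers are useless (and noisy under respawn) without key
	# material and configuration files.
	setup_ca || return 1
	setup_policy || return 1
	setup_dbconf || return 1
	prepare_config || return 1

	# No -host option: openssl ocsp listens on TCP 8888 on all interfaces,
	# and -ignore_err keeps it running after malformed requests.  Reachability
	# of that port should be limited by the firewall -- confirm the rules.
	hs20_add_instance ocsp-responder /usr/bin/openssl ocsp \
		-index /etc/hs20/ca/demoCA/index.txt -port 8888 -nmin 5 \
		-rsigner /etc/hs20/ca/ocsp.pem -rkey /etc/hs20/ca/ocsp.key \
		-CA /etc/hs20/ca/demoCA/cacert.pem -text -ignore_err

	# AAA server backed by the sqlite EAP user database.
	hs20_add_instance hs20-ac /usr/sbin/hostapd-hs20-radius-server /tmp/run/as-sql.conf

	# RADIUS server for the OSEN AP (loopback only, per radius-sql.conf).
	hs20_add_instance hs20-radius /usr/sbin/hostapd-hs20-radius-server /tmp/run/radius-sql.conf
}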