From d50526477ed510a011935747f18bd6b4ec3ec2f1 Mon Sep 17 00:00:00 2001
From: Christopher
Date: Mon, 10 Jun 2024 19:52:48 +0100
Subject: wireless: T6496: support for EAP-MSCHAPv2 client over wifi
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
fix: attempt to fix indentation on `wpa_supplicant.conf.j2`
fix: incorrect bssid mapping
fix: use the correct jinja templating (I think)
fix: “remote blank space
fix: attempt to fix the formatting in j2
fix: attempt to fix the formatting in j2
feat: rename enterprise username and password + add checks in conf mode.
fix: move around `bssid` config option on `wpa_supplicant.conf.j2` and fix the security config part
fix: fix indentation on `wpa_supplicant.conf.j2`

(cherry picked from commit fc4263021acb72d2d8afb165922d9cb7e11b2bf1)
---
 data/templates/wifi/wpa_supplicant.conf.j2 | 14 +++++++++++++-
 interface-definitions/interfaces_wireless.xml.in | 16 +++++++++++++---
 src/conf_mode/interfaces_wireless.py | 9 ++++++++-
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/data/templates/wifi/wpa_supplicant.conf.j2 b/data/templates/wifi/wpa_supplicant.conf.j2
index ac857a04a..8839663e1 100644
--- a/data/templates/wifi/wpa_supplicant.conf.j2
+++ b/data/templates/wifi/wpa_supplicant.conf.j2
@@ -61,6 +61,8 @@ network={
 # If not set, this defaults to: WPA-PSK WPA-EAP
 {% if security.wpa.mode is vyos_defined('wpa3') %}
     key_mgmt=SAE
+{% elif security.wpa.username is vyos_defined %}
+    key_mgmt=WPA-EAP WPA-EAP-SHA256
 {% else %}
     key_mgmt=WPA-PSK WPA-PSK-SHA256
 {% endif %}
@@ -76,8 +78,18 @@ network={
 # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
 # startup and reconfiguration time can be optimized by generating the PSK only
 # only when the passphrase or SSID has actually changed.
+{% if security.wpa.username is vyos_defined %}
+    identity="{{ security.wpa.username }}"
+    password="{{ security.wpa.passphrase }}"
+    phase2="auth=MSCHAPV2"
+    eap=PEAP
+{% elif security.wpa.username is not vyos_defined %}
     psk="{{ security.wpa.passphrase }}"
-{% else %}
+{% else %}
     key_mgmt=NONE
+{% endif %}
+{% endif %}
+{% if security.bssid is vyos_defined %}
+    bssid={{ security.bssid }}
 {% endif %}
 }
diff --git a/interface-definitions/interfaces_wireless.xml.in b/interface-definitions/interfaces_wireless.xml.in
index 4de90591b..c1a101ee8 100644
--- a/interface-definitions/interfaces_wireless.xml.in
+++ b/interface-definitions/interfaces_wireless.xml.in
@@ -759,6 +759,15 @@ Wireless security settings + + + Basic Service Set Identifier (BSSID) + + ([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2} + + Invalid BSSID + + Station MAC address based authentication
@@ -935,15 +944,16 @@ wpa+wpa2 + #include - WPA personal shared pass phrase. If you are using special characters in the WPA passphrase then single quotes are required. + WPA passphrase. If you are using special characters in the WPA passphrase then single quotes are required. txt - Passphrase of at least 8 but not more than 63 printable characters + Passphrase of at least 8 but not more than 63 printable characters for WPA-Personal and any passphrase for WPA-Enterprise - .{8,63} + .* Invalid WPA pass phrase, must be 8 to 63 printable characters!
diff --git a/src/conf_mode/interfaces_wireless.py b/src/conf_mode/interfaces_wireless.py
index aa65adc10..d24675ee6 100755
--- a/src/conf_mode/interfaces_wireless.py
+++ b/src/conf_mode/interfaces_wireless.py
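Review bot: The PEAP block emits `identity`, `password`, `phase2="auth=MSCHAPV2"` and `eap=PEAP` but no `ca_cert`, `domain_match` or `phase1` line, so the supplicant will complete PEAP against any AP that presents any server certificate, and the inner MSCHAPv2 challenge/response (which is cheap to crack offline) is handed to a rogue AP advertising the same SSID. Until the CLI exposes a CA-certificate option, the template should at least carry `# NOTE: no ca_cert configured - the RADIUS server certificate is NOT verified; PEAP/MSCHAPv2 credentials are exposed to evil-twin APs` above the `identity=` line, and verify() should warn. Separately, `{% elif security.wpa.username is not vyos_defined %}` is the exact negation of the `{% if %}` above it, so the `{% else %}` / `key_mgmt=NONE` branch can never be taken; if the `{% if %}` closed by the second added `{% endif %}` (it starts outside the hunk) is the original passphrase test, an open network now renders no `key_mgmt=NONE` at all and wpa_supplicant falls back to its `WPA-PSK WPA-EAP` default. Replacing the `elif` with a plain `{% else %}` and keeping the open-network branch under the outer `{% if %}`'s own `{% else %}` restores the previous behaviour.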
@@ -193,11 +193,18 @@ def verify(wifi):
             if not any(i in ['passphrase', 'radius'] for i in wpa):
                 raise ConfigError('Misssing WPA key or RADIUS server')
 
+            if 'username' in wpa:
+                if 'passphrase' not in wpa:
+                    raise ConfigError('WPA-Enterprise configured - missing passphrase!')
+            elif 'passphrase' in wpa:
+                # check if passphrase meets the regex .{8,63}
+                if len(wpa['passphrase']) < 8 or len(wpa['passphrase']) > 63:
+                    raise ConfigError('WPA passphrase must be between 8 and 63 characters long')
             if 'radius' in wpa:
                 if 'server' in wpa['radius']:
                     for server in wpa['radius']['server']:
                         if 'key' not in wpa['radius']['server'][server]:
-                            raise ConfigError(f'Misssing RADIUS shared secret key for server: {server}')
+                            raise ConfigError(f'Missing RADIUS shared secret key for server: {server}')
 
     if 'capabilities' in wifi:
         capabilities = wifi['capabilities']
-- 
cgit v1.2.3

From c8f116c251e5ab91b518533f595c6efd66b9c392 Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Fri, 5 Jul 2024 06:44:04 +0000
Subject: wireless: T6496: use ascii regex for WPA passphrase constraint

(cherry picked from commit 5a6ac65fe0684fc5298de3daa8582294ac387b46)
---
 interface-definitions/interfaces_wireless.xml.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/interface-definitions/interfaces_wireless.xml.in b/interface-definitions/interfaces_wireless.xml.in
index c1a101ee8..7016eaa24 100644
--- a/interface-definitions/interfaces_wireless.xml.in
+++ b/interface-definitions/interfaces_wireless.xml.in
@@ -953,7 +953,7 @@ Passphrase of at least 8 but not more than 63 printable characters for WPA-Personal and any passphrase for WPA-Enterprise - .* + [[:ascii:]]{1,256} Invalid WPA pass phrase, must be 8 to 63 printable characters!
-- 
cgit v1.2.3

From b76a5c94cfeb1a7bad8ac5c818ed3065a4d32210 Mon Sep 17 00:00:00 2001
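Review bot: verify() now requires a passphrase when `username` is set, but it still accepts `username` together with `mode wpa3`, and in the template the `wpa3` test runs before the `username` test, so that combination renders `key_mgmt=SAE` next to `eap=PEAP`/`identity`/`password`, which wpa_supplicant will not pair. A guard after the new `if 'username' in wpa:` block, e.g. `if 'username' in wpa and wpa.get('mode') == 'wpa3': raise ConfigError('WPA-Enterprise (username) can not be combined with mode wpa3')`, closes that gap (assuming the mode leaf is stored as `wpa['mode']`, as `security.wpa.mode` in the template suggests). The context line `raise ConfigError('Misssing WPA key or RADIUS server')` keeps the same `Misssing` typo that this commit fixes in the RADIUS message a few lines below. verify() continues outside the hunk on both sides.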
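Review bot: The constraint becomes `[[:ascii:]]{1,256}` but the `constraintErrorMessage` on the last line of the hunk still reads `Invalid WPA pass phrase, must be 8 to 63 printable characters!`, so a user entering a 300-character or non-ASCII value is told a rule that no longer applies; the help text on the same hunk ("any passphrase for WPA-Enterprise") is likewise out of step. Either update the message to match, e.g. `Invalid WPA pass phrase, must be 1 to 256 ASCII characters!`, or, if printable characters are what is intended, use `[[:print:]]{1,256}`, which also rejects the control characters `[[:ascii:]]` admits. The 8–63 bound for WPA-Personal is now enforced only in verify() from the first commit, which is fine as long as the CLI message stops promising it.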
From: Christian Breunig
Date: Fri, 5 Jul 2024 08:47:54 +0200
Subject: wireless: T6496: use mac-address validator on BSSID and move it up one CLI level

(cherry picked from commit 0c9499c5b3f7cc053c1f29ecf28d679c1a3156e2)
---
 data/templates/wifi/wpa_supplicant.conf.j2 | 4 ++--
 interface-definitions/interfaces_wireless.xml.in | 22 +++++++++++++---------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/data/templates/wifi/wpa_supplicant.conf.j2 b/data/templates/wifi/wpa_supplicant.conf.j2
index 8839663e1..04088e1ad 100644
--- a/data/templates/wifi/wpa_supplicant.conf.j2
+++ b/data/templates/wifi/wpa_supplicant.conf.j2
@@ -89,7 +89,7 @@ network={
     key_mgmt=NONE
 {% endif %}
 {% endif %}
-{% if security.bssid is vyos_defined %}
-    bssid={{ security.bssid }}
+{% if bssid is vyos_defined %}
+    bssid={{ bssid }}
 {% endif %}
 }
diff --git a/interface-definitions/interfaces_wireless.xml.in b/interface-definitions/interfaces_wireless.xml.in
index 7016eaa24..474953500 100644
--- a/interface-definitions/interfaces_wireless.xml.in
+++ b/interface-definitions/interfaces_wireless.xml.in
@@ -759,15 +759,6 @@ Wireless security settings - - - Basic Service Set Identifier (BSSID) - - ([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2} - - Invalid BSSID - - Station MAC address based authentication
@@ -986,6 +977,19 @@ Invalid SSID + + + Basic Service Set Identifier (BSSID) - currently station mode only + + macaddr + BSSID (MAC) address + + + + + Invalid BSSID + + Wireless device type for this interface
-- 
cgit v1.2.3
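Review bot: The new interface-level `bssid` leaf's help text says `currently station mode only`, but nothing in the hunk ties it to `type station`, so on an access-point interface the value is accepted and then presumably ignored without any feedback. A conf-mode check such as `if 'bssid' in wifi and wifi.get('type') != 'station': raise ConfigError('bssid is only supported in station mode')` would make the help text enforceable (assuming the type leaf is stored as `wifi['type']`). Since the PEAP client in this series does no server-certificate validation, pinning the BSSID is the only knob a station has against associating with a rogue AP using the same SSID, so the help text could say it is recommended for WPA-Enterprise station configurations.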