author | Christian Poessinger <christian@poessinger.com> | 2020-04-18 08:15:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-18 08:15:19 +0200 |
commit | cf1ad0c6e182dc82a8792d8a3af98de1f1b834e9 (patch) | |
tree | aaff64fccfe5b3f2eb874c5d2bf3edfd27aa3a80 | |
parent | 3b3b33e4ffe46747014342238807bfdacbe74db4 (diff) | |
parent | 26010aee52bc95ca0b09a149c2b4add404dd1bef (diff) | |
Merge pull request #353 from alainlamar/T2306
feature: T2306: Add new cipher suites to the WiFi configuration
-rw-r--r-- | data/templates/wifi/hostapd.conf.tmpl | 10 | ||||
-rw-r--r-- | interface-definitions/interfaces-wireless.xml.in | 55 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-wireless.py | 4 |
3 files changed, 64 insertions, 5 deletions
diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.tmpl
index e2fb9ca8f..d6068e4db 100644
--- a/data/templates/wifi/hostapd.conf.tmpl
+++ b/data/templates/wifi/hostapd.conf.tmpl
@@ -572,6 +572,16 @@ wpa_pairwise={{ sec_wpa_cipher | join(" ") }}
 {%- endif -%}
 {% endif %}
+{% if sec_wpa_group_cipher -%}
+# Optional override for automatic group cipher selection
+# This can be used to select a specific group cipher regardless of which
+# pairwise ciphers were enabled for WPA and RSN. It should be noted that
+# overriding the group cipher with an unexpected value can result in
+# interoperability issues and in general, this parameter is mainly used for
+# testing purposes.
+group_cipher={{ sec_wpa_group_cipher | join(" ") }}
+{% endif %}
+
 {% if sec_wpa_passphrase -%}
 # IEEE 802.11 specifies two authentication algorithms. hostapd can be
 # configured to allow both of these or only one. Open system authentication
diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in
index a5c6315fa..3edcbb8ff 100644
--- a/interface-definitions/interfaces-wireless.xml.in
+++ b/interface-definitions/interfaces-wireless.xml.in
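Review bot: The new `group_cipher=` line renders a list with `join(" ")`, yet the comment directly above it speaks of selecting "a specific group cipher", and hostapd, as far as I know, accepts exactly one suite for this option and refuses to load a configuration that names several. Because the `group-cipher` leaf in interfaces-wireless.xml.in is declared `<multi/>` and interfaces-wireless.py reads it with `conf.return_values`, a user can commit two values and be left with an access point that does not start. I would make the node single-valued: drop `<multi/>` from `group-cipher`, read it with `conf.return_value('security wpa group-cipher')`, and render `group_cipher={{ sec_wpa_group_cipher }}`.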
@@ -605,22 +605,67 @@
 <children>
 <leafNode name="cipher">
 <properties>
- <help>Cipher suite for WPA</help>
+ <help>Cipher suite for WPA unicast packets</help>
 <completionHelp>
- <list>TKIP CCMP</list>
+ <list>GCMP-256 GCMP CCMP-256 CCMP TKIP</list>
 </completionHelp>
 <valueHelp>
+ <format>GCMP-256</format>
+ <description>AES in Galois/counter mode with 256-bit key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>GCMP</format>
+ <description>AES in Galois/counter mode with 128-bit key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CCMP-256</format>
+ <description>AES in Counter mode with CBC-MAC with 256-bit key</description>
+ </valueHelp>
+ <valueHelp>
 <format>CCMP</format>
- <description>AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]</description>
+ <description>AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] (supported on all WPA2 APs)</description>
 </valueHelp>
 <valueHelp>
 <format>TKIP</format>
 <description>Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]</description>
 </valueHelp>
 <constraint>
- <regex>(CCMP|TKIP)</regex>
+ <regex>(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)</regex>
 </constraint>
- <constraintErrorMessage>Invalid WEP key</constraintErrorMessage>
+ <constraintErrorMessage>Invalid cipher selection</constraintErrorMessage>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="group-cipher">
+ <properties>
+ <help>Cipher suite for WPA multicast and broadcast packets</help>
+ <completionHelp>
+ <list>GCMP-256 GCMP CCMP-256 CCMP TKIP</list>
+ </completionHelp>
+ <valueHelp>
+ <format>GCMP-256</format>
+ <description>AES in Galois/counter mode with 256-bit key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>GCMP</format>
+ <description>AES in Galois/counter mode with 128-bit key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CCMP-256</format>
+ <description>AES in Counter mode with CBC-MAC with 256-bit key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>CCMP</format>
+ <description>AES in Counter
mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] (supported on all WPA2 APs)</description>
+ </valueHelp>
+ <valueHelp>
+ <format>TKIP</format>
+ <description>Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]</description>
+ </valueHelp>
+ <constraint>
+ <regex>(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid group cipher selection</constraintErrorMessage>
 <multi/>
 </properties>
 </leafNode>
diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py
index 498c24df0..1964af6e1 100755
--- a/src/conf_mode/interfaces-wireless.py
+++ b/src/conf_mode/interfaces-wireless.py
@@ -442,6 +442,10 @@ def get_config():
 wifi['sec_wpa_cipher'].append('CCMP')
 wifi['sec_wpa_cipher'].append('TKIP')
+ # WPA Group Cipher suite
+ if conf.exists('security wpa group-cipher'):
+ wifi['sec_wpa_group_cipher'] = conf.return_values('security wpa group-cipher')
+
 # WPA personal shared pass phrase
 if conf.exists('security wpa passphrase'):
 wifi['sec_wpa_passphrase'] = conf.return_value('security wpa passphrase') |
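Review bot: The constraint `<regex>(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)</regex>` on both `cipher` and `group-cipher` carries no anchors, so unless the CLI validator anchors patterns itself (not visible on this page) a value that merely contains one of these names would pass and be written into hostapd.conf by the template. Anchoring makes the allow-list explicit: `<regex>^(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)$</regex>`. The TKIP `<description>` could also state that TKIP is deprecated and kept only for legacy clients, since the completion list now offers it next to GCMP-256 with no indication of relative strength.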
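Review bot: In the `get_config()` hunk the group cipher is copied into `wifi['sec_wpa_group_cipher']` with no check against `wifi['sec_wpa_cipher']` or the WPA mode, so a combination such as TKIP for the group cipher alongside CCMP or GCMP for unicast reaches hostapd.conf silently, and broadcast and multicast frames then get only TKIP protection. get_config() begins and ends outside the hunk and the script's validation step is not shown, so this may be handled elsewhere; if it is not, that step is where a mismatch should be rejected or at least warned about. The new block would also benefit from a comment such as `# Overrides hostapd's automatic group cipher selection; not checked against sec_wpa_cipher`.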