ASR_BASE

Change-Id: Icf3719cc0afe3eeb3edc7fa80a2eb5199ca9dda1
diff --git a/external/subpack/net/hs20/files/hostapd.config b/external/subpack/net/hs20/files/hostapd.config
new file mode 100644
index 0000000..c93431d
--- /dev/null
+++ b/external/subpack/net/hs20/files/hostapd.config
@@ -0,0 +1,15 @@
+CONFIG_DRIVER_NONE=y
+CONFIG_PKCS12=y
+CONFIG_RADIUS_SERVER=y
+CONFIG_EAP=y
+CONFIG_EAP_TLS=y
+CONFIG_EAP_MSCHAPV2=y
+CONFIG_EAP_PEAP=y
+CONFIG_EAP_GTC=y
+CONFIG_EAP_TTLS=y
+CONFIG_EAP_SIM=y
+CONFIG_EAP_AKA=y
+CONFIG_EAP_AKA_PRIME=y
+CONFIG_SQLITE=y
+CONFIG_HS20=y
+CONFIG_WPS=y
diff --git a/external/subpack/net/hs20/files/hs20-server.defaults b/external/subpack/net/hs20/files/hs20-server.defaults
new file mode 100644
index 0000000..7ec5332
--- /dev/null
+++ b/external/subpack/net/hs20/files/hs20-server.defaults
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q get uhttpd.main.interpreter | grep -q "^\.php" || uci -q batch <<-EOF >/dev/null
+add_list uhttpd.main.interpreter='.php=/usr/bin/php-cgi'
+commit uhttpd
+EOF
+
+mkdir -p /etc/hs20/AS/DB
+[ -e /etc/hs20/AS/DB/eap_user.db ] || sqlite3 /etc/hs20/AS/DB/eap_user.db < /usr/share/hs20/sql.txt
+
+exit 0
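Review bot: The `grep -q "^\.php"` guard only matches when `.php` is the first entry in `uhttpd.main.interpreter`. As far as I know `uci get` prints list values on a single line, so a box that already has another interpreter listed first would get a duplicate `.php` entry on every run; matching `grep -q '\.php='` without the anchor avoids that. The `sqlite3` call creates `eap_user.db` under the default umask, and this file is the EAP user store, so a `chmod 600 /etc/hs20/AS/DB/eap_user.db` after creation (and `chmod 700` on the directory) would be prudent, assuming the RADIUS server runs as root. Registering php-cgi on `uhttpd.main` also puts the PHP handlers on the same listener as whatever else that instance serves, so a dedicated uhttpd instance for the OSU pages would keep the two apart.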
diff --git a/external/subpack/net/hs20/files/hs20.config b/external/subpack/net/hs20/files/hs20.config
new file mode 100644
index 0000000..3fa2981
--- /dev/null
+++ b/external/subpack/net/hs20/files/hs20.config
@@ -0,0 +1,36 @@
+config server server
+	option enabled '0'
+	option spp_http_auth_url 'https://subscription-server.osu.example.com/hs20/spp.php?realm=example.com'
+	option trust_root_cert_url 'https://osu-server.osu.example.com/hs20/files/spp-root-ca.der'
+	option trust_root_cert_fingerprint '5b393a9246865569485c2605c3304e48212b449367858299beba9384c4cf4647'
+	option aaa_trust_root_cert_url 'https://osu-server.osu.example.com/hs20/files/aaa-root-ca.der'
+	option aaa_trust_root_cert_fingerprint '5b393a9246865569485c2605c3304e48212b449367858299beba9384c4cf4647'
+	option free_account 'free'
+	option policy_url 'https://subscription-server.osu.example.com/hs20/spp.php?realm=example.com'
+	option remediation_url 'https://subscription-server.osu.example.com/hs20/remediation.php?session_id='
+	option free_remediation_url 'https://subscription-server.osu.example.com/hs20/free-remediation.php?session_id='
+	option signup_url 'https://subscription-server.osu.example.com/hs20/signup.php?session_id='
+	option osu_nai 'osen@w1.fi'
+	option radius_passphrase 'radius-s3CReT'
+	option as_passphrase 'as-s3CReT'
+
+config ca ca
+	option company 'OpenWrt.org'
+	option friendly_name 'Example Operator'
+	option rootsubject 'Hotspot 2.0 Testing Root CA - 99'
+	option logo_sha1 '5e1d5085676eede6b02da14d31c523ec20ffba0b'
+	option logo_sha256 '4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d'
+	option logo_url 'http://osu.w1.fi/w1fi_logo.png'
+	option domain 'w1.fi'
+	option osu_client_subject 'osu-client.w1.fi'
+	option ocsp_server_subject 'ocsp.w1.fi'
+	option key_passphrase 'whatever'
+	option osu_server_name 'osu.w1.fi'
+	option ocsp_uri 'http://ocsp.w1.fi:8888/'
+	option revoked_subject 'osu-revoked.w1.fi'
+
+config policy policy
+	option update_interval '30'
+	option update_method 'ClientInitiated'
+	option restriction 'Unrestricted'
+	option uri 'https://policy-server.osu.example.com/hs20/spp.php'
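Review bot: The shipped values for `radius_passphrase`, `as_passphrase` and `key_passphrase` are fixed strings. hs20.init in this commit writes the first two into RADIUS client files that accept `0.0.0.0/0`, so every install that sets `enabled '1'` without editing them shares the same known secret. I would ship these three options empty and either generate random values on first boot in the defaults script or have `start_service` refuse to run while they are unset. The two trust-root fingerprints are identical and look like placeholders; a comment such as `# placeholder - replace with the SHA-256 of your own root CA` above them would make that explicit.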
diff --git a/external/subpack/net/hs20/files/hs20.init b/external/subpack/net/hs20/files/hs20.init
new file mode 100644
index 0000000..c23fcf8
--- /dev/null
+++ b/external/subpack/net/hs20/files/hs20.init
@@ -0,0 +1,203 @@
+#!/bin/sh /etc/rc.common
+
+START=49
+
+USE_PROCD=1
+
+setup_ca() {
+	[ -e /etc/hs20/AS/Key/server.pem ] && return 0
+
+	local company friendly_name rootsubject logo_sha1 logo_sha256 logo_url domain osu_client_subject ocsp_server_subject key_passphrase osu_server_name ocsp_uri revoked_subject
+	config_load hs20
+	config_get company ca company
+	config_get friendly_name ca friendly_name
+	config_get rootsubject ca rootsubject
+	config_get logo_sha1 ca logo_sha1
+	config_get logo_sha256 ca logo_sha256
+	config_get logo_url ca logo_url
+	config_get domain ca domain
+	config_get osu_client_subject ca osu_client_subject
+	config_get ocsp_server_subject ca ocsp_server_subject
+	config_get key_passphrase ca key_passphrase
+	config_get osu_server_name ca osu_server_name
+	config_get ocsp_uri ca ocsp_uri
+
+	mkdir -p /etc/hs20/ca
+	(
+	  cd /etc/hs20/ca
+	  /bin/busybox sh /usr/share/hs20/ca/setup.sh -c "$company" -C "$friendly_name" -g "$logo_sha1" -G "$logo_sha256" -l "$logo_url" -m "$domain" -o "$osu_client_subject" -O "$ocsp_server_subject" -p "$key_passphrase" -S "$osu_server_name" -u "$ocsp_uri" -V "$revoked_subject"
+	)
+
+	mkdir -p /etc/hs20/AS/Key
+	cp /etc/hs20/ca/server.* /etc/hs20/ca/ca.pem /etc/hs20/AS/Key
+
+	uci batch <<EOF
+set uhttpd.main.cert='/etc/hs20/ca/server.pem'
+set uhttpd.main.key='/etc/hs20/ca/server.key'
+commit uhttpd
+EOF
+
+	return 0
+}
+
+sql_set() {
+	echo "DELETE FROM osu_config WHERE realm='$1' AND field='$2';"
+	echo "INSERT INTO osu_config(realm,field,value) VALUES('$1','$2','$3');"
+}
+
+setup_dbconf() {
+	local domain spp_http_auth_url trust_root_cert_url
+	config_load hs20
+	config_get realm ca domain
+	config_get spp_http_auth_url server spp_http_auth_url
+	config_get trust_root_cert_url server trust_root_cert_url
+	config_get trust_root_cert_fingerprint server trust_root_cert_fingerprint
+	config_get aaa_trust_root_cert_url server aaa_trust_root_cert_url
+	config_get aaa_trust_root_cert_fingerprint server aaa_trust_root_cert_fingerprint
+	config_get free_account server free_account
+	config_get policy_url server policy_url
+	config_get remediation_url server remediation_url
+	config_get free_remediation_url server free_remediation_url
+	config_get signup_url server signup_url
+	(
+		sql_set $realm spp_http_auth_url "$spp_http_auth_url"
+		sql_set $realm trust_root_cert_url "$trust_root_cert_url"
+		sql_set $realm trust_root_cert_fingerprint "$trust_root_cert_fingerprint"
+		sql_set $realm aaa_trust_root_cert_url "$aaa_trust_root_cert_url"
+		sql_set $realm aaa_trust_root_cert_fingerprint "$aaa_trust_root_cert_fingerprint"
+		sql_set $realm free_account "$free_account"
+		sql_set $realm policy_url "$policy_url"
+		sql_set $realm remediation_url "$remediation_url"
+		sql_set $realm free_remediation_url "$free_remediation_url"
+		sql_set $realm signup_url "$signup_url"
+		echo "DELETE FROM wildcards WHERE identity='';"
+		echo "INSERT INTO wildcards(identity,methods) VALUES('','TTLS,TLS');"
+	) | sqlite3 /etc/hs20/AS/DB/eap_user.db
+
+	return 0
+}
+
+setup_policy() {
+	local update_interval update_method restriction uri
+	config_load hs20
+	config_get update_interval policy update_interval
+	config_get update_method policy update_method
+	config_get restriction policy restriction
+	config_get uri policy uri
+
+	if [ ! -e "/etc/hs20/spp/policy/default.xml" ]; then
+		mkdir -p /etc/hs20/spp/policy
+		ln -s /tmp/run/spp-default-policy.xml /etc/hs20/spp/policy/default.xml
+	fi
+
+	cat > /tmp/run/spp-default-policy.xml <<EOF
+<Policy>
+	<PolicyUpdate>
+		<UpdateInterval>$update_interval</UpdateInterval>
+		<UpdateMethod>$update_method</UpdateMethod>
+		<Restriction>$restriction</Restriction>
+		<URI>$uri</URI>
+	</PolicyUpdate>
+</Policy>
+
+EOF
+	return 0
+}
+
+prepare_config() {
+	local key_passphrase subscr_remediation_url osu_nai as_passphrase radius_passphrase
+	config_load hs20
+	config_get key_passphrase ca key_passphrase
+	config_get subscr_remediation_url policy uri
+	config_get osu_nai server osu_nai
+	config_get as_passphrase server as_passphrase
+	config_get radius_passphrase server radius_passphrase
+
+	cat > /tmp/run/as-sql.conf <<EOF
+driver=none
+radius_server_clients=/etc/hs20/AS/as.radius_clients
+eap_server=1
+eap_user_file=sqlite:/etc/hs20/AS/DB/eap_user.db
+ca_cert=/etc/hs20/AS/Key/ca.pem
+server_cert=/etc/hs20/AS/Key/server.pem
+private_key=/etc/hs20/AS/Key/server.key
+private_key_passwd=$key_passphrase
+eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/etc/hs20/AS/DB/eap_sim.db
+subscr_remediation_url=$subscr_remediation_url
+EOF
+
+	mkdir -p /var/run/hostapd/hs20-radius
+	cat > /tmp/run/radius-sql.conf <<EOF
+# hostapd-radius config for the radius used by the OSEN AP
+interface=lo
+driver=none
+logger_syslog=-1
+logger_syslog_level=2
+logger_stdout=-1
+logger_stdout_level=2
+ctrl_interface=/var/run/hostapd/hs20-radius
+ctrl_interface_group=0
+eap_server=1
+eap_user_file=/etc/hs20/AS/hostapd-osen.eap_user
+server_id=ben-ota-2-osen
+radius_server_auth_port=1811
+radius_server_clients=/etc/hs20/AS/hostap.radius_clients
+
+ca_cert=/etc/hs20/ca/ca.pem
+server_cert=/etc/hs20/ca/server.pem
+private_key=/etc/hs20/ca/server.key
+private_key_passwd=$key_passphrase
+
+ocsp_stapling_response=/etc/hs20/ca/ocsp-server-cache.der
+EOF
+
+	cat > /etc/hs20/AS/hostapd-osen.eap_user <<EOF
+# For OSEN authentication (Hotspot 2.0 Release 2)
+"$osu_nai"      WFA-UNAUTH-TLS
+EOF
+
+	cat > /etc/hs20/AS/hostap.radius_clients <<EOF
+0.0.0.0/0       $radius_passphrase
+EOF
+
+	cat > /etc/hs20/AS/as.radius_clients <<EOF
+0.0.0.0/0       $as_passphrase
+EOF
+
+	return 0
+}
+
+start_service() {
+	local enabled
+	config_load hs20
+	config_get enabled server enabled
+
+	[ "$enabled" != "1" ] && [ "$enabled" != "true" ] && exit 0
+	echo "starting"
+
+	setup_ca
+	setup_policy
+	setup_dbconf
+	prepare_config
+
+	procd_open_instance ocsp-responder
+	procd_set_param command /usr/bin/openssl ocsp -index /etc/hs20/ca/demoCA/index.txt -port 8888 -nmin 5 -rsigner /etc/hs20/ca/ocsp.pem -rkey /etc/hs20/ca/ocsp.key -CA /etc/hs20/ca/demoCA/cacert.pem -text -ignore_err
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param respawn
+	procd_close_instance
+
+	procd_open_instance hs20-ac
+	procd_set_param command /usr/sbin/hostapd-hs20-radius-server /tmp/run/as-sql.conf
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param respawn
+	procd_close_instance
+
+	procd_open_instance hs20-radius
+	procd_set_param command /usr/sbin/hostapd-hs20-radius-server /tmp/run/radius-sql.conf
+	procd_set_param stdout 1
+	procd_set_param stderr 1
+	procd_set_param respawn
+	procd_close_instance
+}
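Review bot: `sql_set` pastes its three arguments straight into SQL text, so a single quote in any UCI value (a URL, the realm) ends the literal and the remainder is executed by `sqlite3` against `eap_user.db`, the credential store. Doubling single quotes before interpolation, as sketched below, closes that, and the callers in `setup_dbconf` should pass `"$realm"` quoted (it is also missing from the `local` list there). In `setup_ca`, `revoked_subject` is declared but never read with `config_get`, so `-V` always receives an empty string, and `rootsubject` is read but never passed on. `prepare_config` writes `private_key_passwd` and both RADIUS shared secrets under the default umask and accepts clients from `0.0.0.0/0`; a `umask 077` before the heredocs and a configurable client range would limit who can read or use them. In `start_service`, `exit 0` on the disabled path should probably be `return 0`, since the function runs inside rc.common.

```shell
# Double embedded single quotes so the value stays inside its SQL literal.
sql_quote() {
	printf '%s' "$1" | sed "s/'/''/g"
}

sql_set() {
	local realm field value
	realm="$(sql_quote "$1")"
	field="$(sql_quote "$2")"
	value="$(sql_quote "$3")"
	printf "DELETE FROM osu_config WHERE realm='%s' AND field='%s';\n" "$realm" "$field"
	printf "INSERT INTO osu_config(realm,field,value) VALUES('%s','%s','%s');\n" "$realm" "$field" "$value"
}
```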