#!/bin/sh
#
# description:  Start/stop wpa_supplicant. This is a daemon which manages 802.1X authentication 
#               in wired mode or WPA for WIFI
#
# NOTE: it is started by the network or if_setup.sh scripts if needed
#
# processname: wpa_supplicant
# pidfile: /var/run/wpa_supplicant.pid
# lockfile: /var/run/wpa_supplicant.pid
# crms213384 : 2010/03/16 - dechriste - update config even when 8021X mode is set to off
# crms213621 : 2010/03/22 - dechriste - 802.1x:Can't active both EAP-MD5 and EAP-TLS on VHE
# crms218564 : 2010/04/12 - dechriste - ICtouch will not answer the "EAP-TLS" request
# dev R200   : 2010/04/27 - dechriste - add TLS server authentication + custom certificate
# crms228765 : 2010/05/20 - dechriste - forward EAP packets to/from PC port
# crms234815 : 2010/05/31 - dechriste - automatic activation of server authent
# crms236500 : 2010/06/14 - dechriste - 802.1x eap frames forwarding problem
# crms251870 : 2010/08/13 - dechriste - dot1x command displayed info is not the same as configured in local MMI.
# crms252137 : 2010/08/13 - dechriste - remove md5 password from wpa8021xcfg file
# crms00252357 : 2010/08/12 - dechriste - MAC2LOGIN/LOGIN enhancement
# crms00266492 :2010/10/14 - dechriste - remove automatic management of WPA8021XCFG_SERVER_AUTHENT
# crms00277189 :2010/12/07 - jasonaz   - dot1x service works on error interface

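. /etc/init.d/rc.config

# Sanity checks.
[ -x /usr/sbin/wpa_supplicant ] || exit 0

servicename=wpa_supplicant
processname=/usr/sbin/$servicename
pidfile=/var/run/$servicename.pid
lockfile=/var/lock/subsys/$servicename
# Generated wpa_supplicant configuration (carries the 802.1X identity and
# password, see updateWPAconfigFile).
configfile=/etc/wpa_wired.conf
settingsfile=wpa8021x.cfg
#crms252137
tmpsettingsfile=tmpwpa8021x.cfg
# 802.1X password store; created empty by start() on first run.
secfile=/config/local/secdat

# Settings layering: defaults, then local overrides, then DM overrides.
# NV*_ROOT are presumably exported by rc.config above — confirm.
# Plain [ ] rather than [[ ]]: this script runs under #!/bin/sh.
. "$NVDEFAULT_ROOT/$settingsfile"
[ -f "$NVLOCAL_ROOT/$settingsfile" ] && . "$NVLOCAL_ROOT/$settingsfile"
[ -f "$NVDM_ROOT/$settingsfile" ] && . "$NVDM_ROOT/$settingsfile"

RETVAL=0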

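#######################################
# Regenerate $configfile for wpa_supplicant from the WPA8021XCFG_* settings.
# Globals:   configfile, secfile, WPA8021XCFG_MODE, WPA8021XCFG_LOGIN (read)
# Outputs:   rewrites $configfile (mode 0600); error text on stderr
# Returns:   0 on success; exits the script with 1 when the client cert or
#            private key file reported by getICTinfo does not exist
#######################################
updateWPAconfigFile()
{
    # EAP method selection
    case "$WPA8021XCFG_MODE" in
        MD5)     eap="MD5" ;;
        # crms213621
        MD5_TLS) eap="TLS MD5" ;;
        *)       eap="TLS" ;;
    esac

#crms00252357+ (history; identity is now written with the rest of the file below)
#    if [ "$WPA8021XCFG_MAC2LOGIN" == "true" ] 
#    then 
#        mac=`CLISettings get CURRENT ENETCFG_MACADDR 2>/dev/null`
#        mac=`echo "$mac" | sed 's/://g'`
#        echo "        identity=\"$WPA8021XCFG_LOGIN$mac\"" >> ${configfile}
#    else
#    fi
#crms00252357-
    identity=$WPA8021XCFG_LOGIN

    # crms252137+
    passwd=$(cat "$secfile")
    # crms252137-

    # Validate the PKI material before touching the config file, so a failed
    # check never leaves a half-written file behind.  The quotes matter: with
    # an empty path the unquoted form "[ ! -f $cert ]" collapses to
    # "[ ! -f ]", which is true, and a missing cert went undetected.
    cert=$(getICTinfo PKI CERT DOT1X)
    pkey=$(getICTinfo PKI CERT_PKEY DOT1X)
    if [ ! -f "$cert" ]
    then
        echo "wpa error: no cert found" >&2
        exit 1
    fi
    if [ ! -f "$pkey" ]
    then
        echo "wpa error: no pkey found" >&2
        exit 1
    fi

    # Optional server (CA) verification; only emitted when the CA file exists.
    ca_serveur=
    server_authent=$(CLISettings get LOCAL WPA8021XCFG_SERVER_AUTHENT 2>/dev/null)
    if [ "$server_authent" = "true" ]
    then
        ca_serveur=$(getICTinfo PKI CA DOT1X)
        [ -f "$ca_serveur" ] || ca_serveur=
    fi

    # The file carries the 802.1X password: remove any existing file (do not
    # write through a stale link) and create it fresh under umask 077 instead
    # of appending with the default umask.  wpa_supplicant is assumed to run
    # as root, as this script does — confirm.
    rm -f -- "$configfile"
    (
        umask 077
        {
            printf '%s\n' "ctrl_interface=/var/run/wpa_supplicant"
            printf '%s\n' "ap_scan=0"
            printf '%s\n' "network={"
            printf '%s\n' "        key_mgmt=IEEE8021X"
            printf '%s\n' "        eap=$eap"
            printf '%s\n' "        identity=\"$identity\""
            printf '%s\n' "        password=\"$passwd\""
            printf '%s\n' "        eapol_flags=0"
            printf '%s\n' "        client_cert=\"$cert\""
            printf '%s\n' "        private_key=\"$pkey\""
            if [ -n "$ca_serveur" ]
            then
                printf '%s\n' "        ca_cert=\"$ca_serveur\""
            fi
            printf '%s\n' "}"
        } > "$configfile"
    )
}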

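#######################################
# Start wpa_supplicant for wired 802.1X, unless the mode is OFF or a live
# daemon is already recorded in the pidfile.
# Globals:   secfile, settingsfile, tmpsettingsfile, pidfile, lockfile,
#            configfile, processname, NVLOCAL_ROOT, WPA8021XCFG_MODE (read);
#            RETVAL (written)
# Outputs:   the daemon pid on stdout when the pidfile exists
# Returns:   wpa_supplicant's exit status (0 when the start is skipped)
#######################################
start() {
    # crms252137
    if [ ! -f "$secfile" ]
    then
        # empty pwd at first init: create it closed, then apply the historical
        # 620 mode (kept as-is; confirm whether 600 was meant)
        (umask 077; touch "$secfile")
        chmod 620 "$secfile"
        # remove PASSWD line in wpa8021x.cfg file
        # NOTE(review): the original read "$settingsfile" relative to the cwd
        # while deleting/replacing it under $NVLOCAL_ROOT; the full path is used
        # for every step here, and the file is only replaced when sed
        # succeeded, so a failed read can no longer empty the local settings.
        if [ -f "$NVLOCAL_ROOT/$settingsfile" ]
        then
            if sed -e '/^WPA8021XCFG_MD5_PASSWD/d' "$NVLOCAL_ROOT/$settingsfile" \
                   > "$NVLOCAL_ROOT/$tmpsettingsfile"
            then
                mv -f "$NVLOCAL_ROOT/$tmpsettingsfile" "$NVLOCAL_ROOT/$settingsfile"
            else
                rm -f "$NVLOCAL_ROOT/$tmpsettingsfile"
            fi
        fi
    fi

    # crms213384
    # update current info
    # no need to call readconfig here
    updateCurrentConfig "$settingsfile"

    [ "$WPA8021XCFG_MODE" = "OFF" ] && return

    # crms266492+
    # crms234815
    # server authentication setting must be activated when in secured state
    # ctl or customer cert + ca chain
    #secure_mode=$(getICTinfo PKI STATUS DM 2>/dev/null)

    ## crms251870
    #if [[ "$secure_mode" == "SECURED" ]]; then
    #    CLISettings set LOCAL WPA8021XCFG_SERVER_AUTHENT true
    #else
    #    CLISettings set LOCAL WPA8021XCFG_SERVER_AUTHENT false
    #fi
    # crms266492-

    # Already running?  Read the pid first: with an empty pidfile the old
    # unquoted test became "[ -e /proc/ ]", which always holds, so the daemon
    # was silently never (re)started.
    if [ -f "$pidfile" ]
    then
        pid=$(cat "$pidfile" 2>/dev/null)
        [ -n "$pid" ] && [ -e "/proc/$pid" ] && return
    fi

    # crms236500: eap frames forwarding is now done on network side (hw)
    # crms228765
    #echo "sending eth mport command to fwd EAP packets to PC port"
    #eth mport cfg 1 01-80-c2-00-00-03 0x103

    #Update wpa config file with values of env variables
    updateWPAconfigFile
    interf=$(CLISettings get CURRENT ENETCFG_INTERFACE 2>/dev/null)
#crms00277189 jasonaz+
    # ${interf%.*} drops everything from the last dot (presumably a VLAN
    # suffix such as "eth0.100" -> "eth0") — confirm against CLISettings output
    "$processname" -B -w -D wired -i "${interf%.*}" -P "$pidfile" -c "$configfile"
#crms00277189 jasonaz-
    RETVAL=$?
    if [ -f "$pidfile" ] ; then
        echo "wpa_supplicant pid = $(cat "$pidfile")"
    fi
    if [ "$RETVAL" -eq 0 ]; then
        touch "$lockfile"
    fi

    return "$RETVAL"
}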

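#######################################
# Stop wpa_supplicant and clear its pid and lock files.
# Globals:   WPA8021XCFG_MODE, servicename, pidfile, lockfile (read);
#            RETVAL (written, killall's exit status)
# Returns:   0 (the outcome is reported through RETVAL)
#######################################
stop() {
    # crms213384
    # NOTE(review): a daemon started before the mode was switched to OFF is
    # left running by this early return — confirm that is intended.
    [ "$WPA8021XCFG_MODE" = "OFF" ] && return

    # killall matches by process name, so every wpa_supplicant instance is
    # signalled, not only the pid recorded in $pidfile.
    killall "$servicename"
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        rm -f "$pidfile"
        rm -f "$lockfile"
    fi
}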

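# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        # only bounce the daemon if a previous start left its lock file
        if [ -f "$lockfile" ]; then
            stop
            start
        fi
        ;;
    *)
        # usage goes to stderr and reports failure (2: invalid argument)
        # instead of the success status an unknown action used to return;
        # printf replaces bash-only $"..." under #!/bin/sh
        printf 'Usage: %s {start|stop|restart|condrestart}\n' "$0" >&2
        RETVAL=2
        ;;
esac
exit "$RETVAL"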

