DPP2: Enterprise provisioning (Enrollee)
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS) configuration object. This commit is handling only the most basic case and a number of TODO items remains to handle more complete CSR generation and config object processing. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
		
							parent
							
								
									6568e5d203
								
							
						
					
					
						commit
						ace3723d98
					
				
					 5 changed files with 451 additions and 1 deletions
				
			
		
							
								
								
									
										121
									
								
								src/common/dpp.c
									
									
									
									
									
								
							
							
						
						
									
										121
									
								
								src/common/dpp.c
									
									
									
									
									
								
							|  | @ -829,6 +829,7 @@ struct wpabuf * dpp_build_conf_req_helper(struct dpp_authentication *auth, | ||||||
| 	const char *tech = "infra"; | 	const char *tech = "infra"; | ||||||
| 	const char *dpp_name; | 	const char *dpp_name; | ||||||
| 	struct wpabuf *buf, *json; | 	struct wpabuf *buf, *json; | ||||||
|  | 	char *csr = NULL; | ||||||
| 
 | 
 | ||||||
| #ifdef CONFIG_TESTING_OPTIONS | #ifdef CONFIG_TESTING_OPTIONS | ||||||
| 	if (dpp_test == DPP_TEST_INVALID_CONFIG_ATTR_OBJ_CONF_REQ) { | 	if (dpp_test == DPP_TEST_INVALID_CONFIG_ATTR_OBJ_CONF_REQ) { | ||||||
|  | @ -845,6 +846,17 @@ struct wpabuf * dpp_build_conf_req_helper(struct dpp_authentication *auth, | ||||||
| 	len = 100 + name_len * 6 + 1 + int_array_len(opclasses) * 4; | 	len = 100 + name_len * 6 + 1 + int_array_len(opclasses) * 4; | ||||||
| 	if (mud_url && mud_url[0]) | 	if (mud_url && mud_url[0]) | ||||||
| 		len += 10 + os_strlen(mud_url); | 		len += 10 + os_strlen(mud_url); | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | 	if (auth->csr) { | ||||||
|  | 		size_t csr_len; | ||||||
|  | 
 | ||||||
|  | 		csr = base64_encode_no_lf(wpabuf_head(auth->csr), | ||||||
|  | 					  wpabuf_len(auth->csr), &csr_len); | ||||||
|  | 		if (!csr) | ||||||
|  | 			return NULL; | ||||||
|  | 		len += 30 + csr_len; | ||||||
|  | 	} | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
| 	json = wpabuf_alloc(len); | 	json = wpabuf_alloc(len); | ||||||
| 	if (!json) | 	if (!json) | ||||||
| 		return NULL; | 		return NULL; | ||||||
|  | @ -871,10 +883,15 @@ struct wpabuf * dpp_build_conf_req_helper(struct dpp_authentication *auth, | ||||||
| 			wpabuf_printf(json, "%s%u", i ? "," : "", opclasses[i]); | 			wpabuf_printf(json, "%s%u", i ? "," : "", opclasses[i]); | ||||||
| 		json_end_array(json); | 		json_end_array(json); | ||||||
| 	} | 	} | ||||||
|  | 	if (csr) { | ||||||
|  | 		json_value_sep(json); | ||||||
|  | 		json_add_string(json, "pkcs10", csr); | ||||||
|  | 	} | ||||||
| 	json_end_object(json); | 	json_end_object(json); | ||||||
| 
 | 
 | ||||||
| 	buf = dpp_build_conf_req(auth, wpabuf_head(json)); | 	buf = dpp_build_conf_req(auth, wpabuf_head(json)); | ||||||
| 	wpabuf_free(json); | 	wpabuf_free(json); | ||||||
|  | 	os_free(csr); | ||||||
| 
 | 
 | ||||||
| 	return buf; | 	return buf; | ||||||
| } | } | ||||||
|  | @ -1263,9 +1280,19 @@ void dpp_auth_deinit(struct dpp_authentication *auth) | ||||||
| 
 | 
 | ||||||
| 		os_free(conf->connector); | 		os_free(conf->connector); | ||||||
| 		wpabuf_free(conf->c_sign_key); | 		wpabuf_free(conf->c_sign_key); | ||||||
|  | 		wpabuf_free(conf->certbag); | ||||||
|  | 		wpabuf_free(conf->certs); | ||||||
|  | 		wpabuf_free(conf->cacert); | ||||||
|  | 		os_free(conf->server_name); | ||||||
| 	} | 	} | ||||||
| #ifdef CONFIG_DPP2 | #ifdef CONFIG_DPP2 | ||||||
| 	dpp_free_asymmetric_key(auth->conf_key_pkg); | 	dpp_free_asymmetric_key(auth->conf_key_pkg); | ||||||
|  | 	os_free(auth->csrattrs); | ||||||
|  | 	wpabuf_free(auth->csr); | ||||||
|  | 	wpabuf_free(auth->priv_key); | ||||||
|  | 	wpabuf_free(auth->cacert); | ||||||
|  | 	wpabuf_free(auth->certbag); | ||||||
|  | 	os_free(auth->trusted_eap_server_name); | ||||||
| #endif /* CONFIG_DPP2 */ | #endif /* CONFIG_DPP2 */ | ||||||
| 	wpabuf_free(auth->net_access_key); | 	wpabuf_free(auth->net_access_key); | ||||||
| 	dpp_bootstrap_info_free(auth->tmp_own_bi); | 	dpp_bootstrap_info_free(auth->tmp_own_bi); | ||||||
|  | @ -2459,6 +2486,58 @@ fail: | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | static int dpp_parse_cred_dot1x(struct dpp_authentication *auth, | ||||||
|  | 				struct dpp_config_obj *conf, | ||||||
|  | 				struct json_token *cred) | ||||||
|  | { | ||||||
|  | 	struct json_token *ent, *name; | ||||||
|  | 
 | ||||||
|  | 	ent = json_get_member(cred, "entCreds"); | ||||||
|  | 	if (!ent || ent->type != JSON_OBJECT) { | ||||||
|  | 		dpp_auth_fail(auth, "No entCreds in JSON"); | ||||||
|  | 		return -1; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	conf->certbag = json_get_member_base64(ent, "certBag"); | ||||||
|  | 	if (!conf->certbag) { | ||||||
|  | 		dpp_auth_fail(auth, "No certBag in JSON"); | ||||||
|  | 		return -1; | ||||||
|  | 	} | ||||||
|  | 	wpa_hexdump_buf(MSG_MSGDUMP, "DPP: Received certBag", conf->certbag); | ||||||
|  | 	conf->certs = dpp_pkcs7_certs(conf->certbag); | ||||||
|  | 	if (!conf->certs) { | ||||||
|  | 		dpp_auth_fail(auth, "No certificates in certBag"); | ||||||
|  | 		return -1; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	conf->cacert = json_get_member_base64(ent, "caCert"); | ||||||
|  | 	if (conf->cacert) | ||||||
|  | 		wpa_hexdump_buf(MSG_MSGDUMP, "DPP: Received caCert", | ||||||
|  | 				conf->cacert); | ||||||
|  | 
 | ||||||
|  | 	name = json_get_member(ent, "trustedEapServerName"); | ||||||
|  | 	if (name && | ||||||
|  | 	    (name->type != JSON_STRING || | ||||||
|  | 	     has_ctrl_char((const u8 *) name->string, | ||||||
|  | 			   os_strlen(name->string)))) { | ||||||
|  | 		dpp_auth_fail(auth, | ||||||
|  | 			      "Invalid trustedEapServerName type in JSON"); | ||||||
|  | 		return -1; | ||||||
|  | 	} | ||||||
|  | 	if (name->string) { | ||||||
|  | 		wpa_printf(MSG_DEBUG, "DPP: Received trustedEapServerName: %s", | ||||||
|  | 			   name->string); | ||||||
|  | 		conf->server_name = os_strdup(name->string); | ||||||
|  | 		if (!conf->server_name) | ||||||
|  | 			return -1; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	return 0; | ||||||
|  | } | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| const char * dpp_akm_str(enum dpp_akm akm) | const char * dpp_akm_str(enum dpp_akm akm) | ||||||
| { | { | ||||||
| 	switch (akm) { | 	switch (akm) { | ||||||
|  | @ -2678,6 +2757,12 @@ static int dpp_parse_conf_obj(struct dpp_authentication *auth, | ||||||
| 		   (auth->peer_version >= 2 && dpp_akm_legacy(conf->akm))) { | 		   (auth->peer_version >= 2 && dpp_akm_legacy(conf->akm))) { | ||||||
| 		if (dpp_parse_cred_dpp(auth, conf, cred) < 0) | 		if (dpp_parse_cred_dpp(auth, conf, cred) < 0) | ||||||
| 			goto fail; | 			goto fail; | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | 	} else if (conf->akm == DPP_AKM_DOT1X) { | ||||||
|  | 		if (dpp_parse_cred_dot1x(auth, conf, cred) < 0 || | ||||||
|  | 		    dpp_parse_cred_dpp(auth, conf, cred) < 0) | ||||||
|  | 			goto fail; | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
| 	} else { | 	} else { | ||||||
| 		wpa_printf(MSG_DEBUG, "DPP: Unsupported akm: %s", | 		wpa_printf(MSG_DEBUG, "DPP: Unsupported akm: %s", | ||||||
| 			   token->string); | 			   token->string); | ||||||
|  | @ -2694,6 +2779,20 @@ fail: | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | static u8 * dpp_get_csr_attrs(const u8 *attrs, size_t attrs_len, size_t *len) | ||||||
|  | { | ||||||
|  | 	const u8 *b64; | ||||||
|  | 	u16 b64_len; | ||||||
|  | 
 | ||||||
|  | 	b64 = dpp_get_attr(attrs, attrs_len, DPP_ATTR_CSR_ATTR_REQ, &b64_len); | ||||||
|  | 	if (!b64) | ||||||
|  | 		return NULL; | ||||||
|  | 	return base64_decode((const char *) b64, b64_len, len); | ||||||
|  | } | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| int dpp_conf_resp_rx(struct dpp_authentication *auth, | int dpp_conf_resp_rx(struct dpp_authentication *auth, | ||||||
| 		     const struct wpabuf *resp) | 		     const struct wpabuf *resp) | ||||||
| { | { | ||||||
|  | @ -2771,6 +2870,28 @@ int dpp_conf_resp_rx(struct dpp_authentication *auth, | ||||||
| 	} | 	} | ||||||
| 	auth->conf_resp_status = status[0]; | 	auth->conf_resp_status = status[0]; | ||||||
| 	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]); | 	wpa_printf(MSG_DEBUG, "DPP: Status %u", status[0]); | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | 	if (status[0] == DPP_STATUS_CSR_NEEDED) { | ||||||
|  | 		u8 *csrattrs; | ||||||
|  | 		size_t csrattrs_len; | ||||||
|  | 
 | ||||||
|  | 		wpa_printf(MSG_DEBUG, "DPP: Configurator requested CSR"); | ||||||
|  | 
 | ||||||
|  | 		csrattrs = dpp_get_csr_attrs(unwrapped, unwrapped_len, | ||||||
|  | 					     &csrattrs_len); | ||||||
|  | 		if (!csrattrs) { | ||||||
|  | 			dpp_auth_fail(auth, | ||||||
|  | 				      "Missing or invalid CSR Attributes Request attribute"); | ||||||
|  | 			goto fail; | ||||||
|  | 		} | ||||||
|  | 		wpa_hexdump(MSG_DEBUG, "DPP: CsrAttrs", csrattrs, csrattrs_len); | ||||||
|  | 		os_free(auth->csrattrs); | ||||||
|  | 		auth->csrattrs = csrattrs; | ||||||
|  | 		auth->csrattrs_len = csrattrs_len; | ||||||
|  | 		ret = -2; | ||||||
|  | 		goto fail; | ||||||
|  | 	} | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
| 	if (status[0] != DPP_STATUS_OK) { | 	if (status[0] != DPP_STATUS_OK) { | ||||||
| 		dpp_auth_fail(auth, "Configurator rejected configuration"); | 		dpp_auth_fail(auth, "Configurator rejected configuration"); | ||||||
| 		goto fail; | 		goto fail; | ||||||
|  |  | ||||||
|  | @ -312,6 +312,10 @@ struct dpp_authentication { | ||||||
| 		int psk_set; | 		int psk_set; | ||||||
| 		enum dpp_akm akm; | 		enum dpp_akm akm; | ||||||
| 		struct wpabuf *c_sign_key; | 		struct wpabuf *c_sign_key; | ||||||
|  | 		struct wpabuf *certbag; | ||||||
|  | 		struct wpabuf *certs; | ||||||
|  | 		struct wpabuf *cacert; | ||||||
|  | 		char *server_name; | ||||||
| 	} conf_obj[DPP_MAX_CONF_OBJ]; | 	} conf_obj[DPP_MAX_CONF_OBJ]; | ||||||
| 	unsigned int num_conf_obj; | 	unsigned int num_conf_obj; | ||||||
| 	struct dpp_asymmetric_key *conf_key_pkg; | 	struct dpp_asymmetric_key *conf_key_pkg; | ||||||
|  | @ -322,7 +326,11 @@ struct dpp_authentication { | ||||||
| 	int akm_use_selector; | 	int akm_use_selector; | ||||||
| 	int configurator_set; | 	int configurator_set; | ||||||
| 	u8 transaction_id; | 	u8 transaction_id; | ||||||
|  | 	u8 *csrattrs; | ||||||
|  | 	size_t csrattrs_len; | ||||||
| 	bool waiting_csr; | 	bool waiting_csr; | ||||||
|  | 	struct wpabuf *csr; | ||||||
|  | 	struct wpabuf *priv_key; /* DER-encoded private key used for csr */ | ||||||
| 	bool waiting_cert; | 	bool waiting_cert; | ||||||
| 	char *trusted_eap_server_name; | 	char *trusted_eap_server_name; | ||||||
| 	struct wpabuf *cacert; | 	struct wpabuf *cacert; | ||||||
|  | @ -606,6 +614,9 @@ struct dpp_pfs * dpp_pfs_init(const u8 *net_access_key, | ||||||
| int dpp_pfs_process(struct dpp_pfs *pfs, const u8 *peer_ie, size_t peer_ie_len); | int dpp_pfs_process(struct dpp_pfs *pfs, const u8 *peer_ie, size_t peer_ie_len); | ||||||
| void dpp_pfs_free(struct dpp_pfs *pfs); | void dpp_pfs_free(struct dpp_pfs *pfs); | ||||||
| 
 | 
 | ||||||
|  | struct wpabuf * dpp_build_csr(struct dpp_authentication *auth); | ||||||
|  | struct wpabuf * dpp_pkcs7_certs(const struct wpabuf *pkcs7); | ||||||
|  | 
 | ||||||
| struct dpp_bootstrap_info * dpp_add_qr_code(struct dpp_global *dpp, | struct dpp_bootstrap_info * dpp_add_qr_code(struct dpp_global *dpp, | ||||||
| 					    const char *uri); | 					    const char *uri); | ||||||
| struct dpp_bootstrap_info * dpp_add_nfc_uri(struct dpp_global *dpp, | struct dpp_bootstrap_info * dpp_add_nfc_uri(struct dpp_global *dpp, | ||||||
|  |  | ||||||
|  | @ -12,6 +12,7 @@ | ||||||
| #include <openssl/err.h> | #include <openssl/err.h> | ||||||
| #include <openssl/asn1.h> | #include <openssl/asn1.h> | ||||||
| #include <openssl/asn1t.h> | #include <openssl/asn1t.h> | ||||||
|  | #include <openssl/pem.h> | ||||||
| 
 | 
 | ||||||
| #include "utils/common.h" | #include "utils/common.h" | ||||||
| #include "utils/base64.h" | #include "utils/base64.h" | ||||||
|  | @ -2664,6 +2665,161 @@ void dpp_pfs_free(struct dpp_pfs *pfs) | ||||||
| 	os_free(pfs); | 	os_free(pfs); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | 
 | ||||||
|  | struct wpabuf * dpp_build_csr(struct dpp_authentication *auth) | ||||||
|  | { | ||||||
|  | 	X509_REQ *req = NULL; | ||||||
|  | 	struct wpabuf *buf = NULL; | ||||||
|  | 	unsigned char *der; | ||||||
|  | 	int der_len; | ||||||
|  | 	EVP_PKEY *key; | ||||||
|  | 	const EVP_MD *sign_md; | ||||||
|  | 	unsigned int hash_len = auth->curve->hash_len; | ||||||
|  | 	EC_KEY *eckey; | ||||||
|  | 	BIO *out = NULL; | ||||||
|  | 
 | ||||||
|  | 	/* TODO: use auth->csrattrs */ | ||||||
|  | 
 | ||||||
|  | 	/* TODO: support generation of a new private key if csrAttrs requests
 | ||||||
|  | 	 * a specific group to be used */ | ||||||
|  | 	key = auth->own_protocol_key; | ||||||
|  | 
 | ||||||
|  | 	eckey = EVP_PKEY_get1_EC_KEY(key); | ||||||
|  | 	if (!eckey) | ||||||
|  | 		goto fail; | ||||||
|  | 	der = NULL; | ||||||
|  | 	der_len = i2d_ECPrivateKey(eckey, &der); | ||||||
|  | 	if (der_len <= 0) | ||||||
|  | 		goto fail; | ||||||
|  | 	wpabuf_free(auth->priv_key); | ||||||
|  | 	auth->priv_key = wpabuf_alloc_copy(der, der_len); | ||||||
|  | 	OPENSSL_free(der); | ||||||
|  | 	if (!auth->priv_key) | ||||||
|  | 		goto fail; | ||||||
|  | 
 | ||||||
|  | 	req = X509_REQ_new(); | ||||||
|  | 	if (!req || !X509_REQ_set_pubkey(req, key)) | ||||||
|  | 		goto fail; | ||||||
|  | 
 | ||||||
|  | 	/* TODO */ | ||||||
|  | 
 | ||||||
|  | 	/* TODO: hash func selection based on csrAttrs */ | ||||||
|  | 	if (hash_len == SHA256_MAC_LEN) { | ||||||
|  | 		sign_md = EVP_sha256(); | ||||||
|  | 	} else if (hash_len == SHA384_MAC_LEN) { | ||||||
|  | 		sign_md = EVP_sha384(); | ||||||
|  | 	} else if (hash_len == SHA512_MAC_LEN) { | ||||||
|  | 		sign_md = EVP_sha512(); | ||||||
|  | 	} else { | ||||||
|  | 		wpa_printf(MSG_DEBUG, "DPP: Unknown signature algorithm"); | ||||||
|  | 		goto fail; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if (!X509_REQ_sign(req, key, sign_md)) | ||||||
|  | 		goto fail; | ||||||
|  | 
 | ||||||
|  | 	der = NULL; | ||||||
|  | 	der_len = i2d_X509_REQ(req, &der); | ||||||
|  | 	if (der_len < 0) | ||||||
|  | 		goto fail; | ||||||
|  | 	buf = wpabuf_alloc_copy(der, der_len); | ||||||
|  | 	OPENSSL_free(der); | ||||||
|  | 
 | ||||||
|  | 	wpa_hexdump_buf(MSG_DEBUG, "DPP: CSR", buf); | ||||||
|  | 
 | ||||||
|  | fail: | ||||||
|  | 	BIO_free_all(out); | ||||||
|  | 	X509_REQ_free(req); | ||||||
|  | 	return buf; | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | struct wpabuf * dpp_pkcs7_certs(const struct wpabuf *pkcs7) | ||||||
|  | { | ||||||
|  | #ifdef OPENSSL_IS_BORINGSSL | ||||||
|  | 	CBS pkcs7_cbs; | ||||||
|  | #else /* OPENSSL_IS_BORINGSSL */ | ||||||
|  | 	PKCS7 *p7 = NULL; | ||||||
|  | 	const unsigned char *p = wpabuf_head(pkcs7); | ||||||
|  | #endif /* OPENSSL_IS_BORINGSSL */ | ||||||
|  | 	STACK_OF(X509) *certs; | ||||||
|  | 	int i, num; | ||||||
|  | 	BIO *out = NULL; | ||||||
|  | 	size_t rlen; | ||||||
|  | 	struct wpabuf *pem = NULL; | ||||||
|  | 	int res; | ||||||
|  | 
 | ||||||
|  | #ifdef OPENSSL_IS_BORINGSSL | ||||||
|  | 	certs = sk_X509_new_null(); | ||||||
|  | 	if (!certs) | ||||||
|  | 		goto fail; | ||||||
|  | 	CBS_init(&pkcs7_cbs, wpabuf_head(pkcs7), wpabuf_len(pkcs7)); | ||||||
|  | 	if (!PKCS7_get_certificates(certs, &pkcs7_cbs)) { | ||||||
|  | 		wpa_printf(MSG_INFO, "DPP: Could not parse PKCS#7 object: %s", | ||||||
|  | 			   ERR_error_string(ERR_get_error(), NULL)); | ||||||
|  | 		goto fail; | ||||||
|  | 	} | ||||||
|  | #else /* OPENSSL_IS_BORINGSSL */ | ||||||
|  | 	p7 = d2i_PKCS7(NULL, &p, wpabuf_len(pkcs7)); | ||||||
|  | 	if (!p7) { | ||||||
|  | 		wpa_printf(MSG_INFO, "DPP: Could not parse PKCS#7 object: %s", | ||||||
|  | 			   ERR_error_string(ERR_get_error(), NULL)); | ||||||
|  | 		goto fail; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	switch (OBJ_obj2nid(p7->type)) { | ||||||
|  | 	case NID_pkcs7_signed: | ||||||
|  | 		certs = p7->d.sign->cert; | ||||||
|  | 		break; | ||||||
|  | 	case NID_pkcs7_signedAndEnveloped: | ||||||
|  | 		certs = p7->d.signed_and_enveloped->cert; | ||||||
|  | 		break; | ||||||
|  | 	default: | ||||||
|  | 		certs = NULL; | ||||||
|  | 		break; | ||||||
|  | 	} | ||||||
|  | #endif /* OPENSSL_IS_BORINGSSL */ | ||||||
|  | 
 | ||||||
|  | 	if (!certs || ((num = sk_X509_num(certs)) == 0)) { | ||||||
|  | 		wpa_printf(MSG_INFO, | ||||||
|  | 			   "DPP: No certificates found in PKCS#7 object"); | ||||||
|  | 		goto fail; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	out = BIO_new(BIO_s_mem()); | ||||||
|  | 	if (!out) | ||||||
|  | 		goto fail; | ||||||
|  | 
 | ||||||
|  | 	for (i = 0; i < num; i++) { | ||||||
|  | 		X509 *cert = sk_X509_value(certs, i); | ||||||
|  | 
 | ||||||
|  | 		PEM_write_bio_X509(out, cert); | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	rlen = BIO_ctrl_pending(out); | ||||||
|  | 	pem = wpabuf_alloc(rlen); | ||||||
|  | 	if (!pem) | ||||||
|  | 		goto fail; | ||||||
|  | 	res = BIO_read(out, wpabuf_put(pem, 0), rlen); | ||||||
|  | 	if (res <= 0) { | ||||||
|  | 		wpabuf_free(pem); | ||||||
|  | 		goto fail; | ||||||
|  | 	} | ||||||
|  | 	wpabuf_put(pem, res); | ||||||
|  | 
 | ||||||
|  | fail: | ||||||
|  | #ifdef OPENSSL_IS_BORINGSSL | ||||||
|  | 	if (certs) | ||||||
|  | 		sk_X509_pop_free(certs, X509_free); | ||||||
|  | #else /* OPENSSL_IS_BORINGSSL */ | ||||||
|  | 	PKCS7_free(p7); | ||||||
|  | #endif /* OPENSSL_IS_BORINGSSL */ | ||||||
|  | 	if (out) | ||||||
|  | 		BIO_free_all(out); | ||||||
|  | 
 | ||||||
|  | 	return pem; | ||||||
|  | } | ||||||
|  | 
 | ||||||
| #endif /* CONFIG_DPP2 */ | #endif /* CONFIG_DPP2 */ | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -179,6 +179,9 @@ extern "C" { | ||||||
| #define DPP_EVENT_CONNECTOR "DPP-CONNECTOR " | #define DPP_EVENT_CONNECTOR "DPP-CONNECTOR " | ||||||
| #define DPP_EVENT_C_SIGN_KEY "DPP-C-SIGN-KEY " | #define DPP_EVENT_C_SIGN_KEY "DPP-C-SIGN-KEY " | ||||||
| #define DPP_EVENT_NET_ACCESS_KEY "DPP-NET-ACCESS-KEY " | #define DPP_EVENT_NET_ACCESS_KEY "DPP-NET-ACCESS-KEY " | ||||||
|  | #define DPP_EVENT_SERVER_NAME "DPP-SERVER-NAME " | ||||||
|  | #define DPP_EVENT_CERTBAG "DPP-CERTBAG " | ||||||
|  | #define DPP_EVENT_CACERT "DPP-CACERT " | ||||||
| #define DPP_EVENT_MISSING_CONNECTOR "DPP-MISSING-CONNECTOR " | #define DPP_EVENT_MISSING_CONNECTOR "DPP-MISSING-CONNECTOR " | ||||||
| #define DPP_EVENT_NETWORK_ID "DPP-NETWORK-ID " | #define DPP_EVENT_NETWORK_ID "DPP-NETWORK-ID " | ||||||
| #define DPP_EVENT_CONFIGURATOR_ID "DPP-CONFIGURATOR-ID " | #define DPP_EVENT_CONFIGURATOR_ID "DPP-CONFIGURATOR-ID " | ||||||
|  |  | ||||||
|  | @ -49,6 +49,7 @@ wpas_dpp_tx_pkex_status(struct wpa_supplicant *wpa_s, | ||||||
| #ifdef CONFIG_DPP2 | #ifdef CONFIG_DPP2 | ||||||
| static void wpas_dpp_reconfig_reply_wait_timeout(void *eloop_ctx, | static void wpas_dpp_reconfig_reply_wait_timeout(void *eloop_ctx, | ||||||
| 						 void *timeout_ctx); | 						 void *timeout_ctx); | ||||||
|  | static void wpas_dpp_start_gas_client(struct wpa_supplicant *wpa_s); | ||||||
| #endif /* CONFIG_DPP2 */ | #endif /* CONFIG_DPP2 */ | ||||||
| 
 | 
 | ||||||
| static const u8 broadcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; | static const u8 broadcast[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; | ||||||
|  | @ -1218,6 +1219,106 @@ static struct wpa_ssid * wpas_dpp_add_network(struct wpa_supplicant *wpa_s, | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | 	if (conf->akm == DPP_AKM_DOT1X) { | ||||||
|  | 		int i; | ||||||
|  | 		char name[100], blobname[128]; | ||||||
|  | 		struct wpa_config_blob *blob; | ||||||
|  | 
 | ||||||
|  | 		ssid->key_mgmt = WPA_KEY_MGMT_IEEE8021X | | ||||||
|  | 			WPA_KEY_MGMT_IEEE8021X_SHA256 | | ||||||
|  | 			WPA_KEY_MGMT_IEEE8021X_SHA256; | ||||||
|  | 		ssid->ieee80211w = MGMT_FRAME_PROTECTION_OPTIONAL; | ||||||
|  | 
 | ||||||
|  | 		if (conf->cacert) { | ||||||
|  | 			/* caCert is DER-encoded X.509v3 certificate for the
 | ||||||
|  | 			 * server certificate if that is different from the | ||||||
|  | 			 * trust root included in certBag. */ | ||||||
|  | 			/* TODO: ssid->eap.cert.ca_cert */ | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		if (conf->certs) { | ||||||
|  | 			wpa_hexdump_buf(MSG_INFO, "JKM:certs", | ||||||
|  | 					conf->certs); | ||||||
|  | 			for (i = 0; ; i++) { | ||||||
|  | 				os_snprintf(name, sizeof(name), "dpp-certs-%d", | ||||||
|  | 					    i); | ||||||
|  | 				if (!wpa_config_get_blob(wpa_s->conf, name)) | ||||||
|  | 					break; | ||||||
|  | 			} | ||||||
|  | 
 | ||||||
|  | 			blob = os_zalloc(sizeof(*blob)); | ||||||
|  | 			if (!blob) | ||||||
|  | 				goto fail; | ||||||
|  | 			blob->len = wpabuf_len(conf->certs); | ||||||
|  | 			blob->name = os_strdup(name); | ||||||
|  | 			blob->data = os_malloc(blob->len); | ||||||
|  | 			if (!blob->name || !blob->data) { | ||||||
|  | 				wpa_config_free_blob(blob); | ||||||
|  | 				goto fail; | ||||||
|  | 			} | ||||||
|  | 			os_memcpy(blob->data, wpabuf_head(conf->certs), | ||||||
|  | 				  blob->len); | ||||||
|  | 			os_snprintf(blobname, sizeof(blobname), "blob://%s", | ||||||
|  | 				    name); | ||||||
|  | 			wpa_config_set_blob(wpa_s->conf, blob); | ||||||
|  | 			wpa_printf(MSG_DEBUG, "DPP: Added certificate blob %s", | ||||||
|  | 				   name); | ||||||
|  | 			ssid->eap.cert.client_cert = os_strdup(blobname); | ||||||
|  | 			if (!ssid->eap.cert.client_cert) | ||||||
|  | 				goto fail; | ||||||
|  | 
 | ||||||
|  | 			/* TODO: ssid->eap.identity from own certificate */ | ||||||
|  | 			if (wpa_config_set(ssid, "identity", "\"dpp-ent\"", | ||||||
|  | 					   0) < 0) | ||||||
|  | 				goto fail; | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		if (auth->priv_key) { | ||||||
|  | 			for (i = 0; ; i++) { | ||||||
|  | 				os_snprintf(name, sizeof(name), "dpp-key-%d", | ||||||
|  | 					    i); | ||||||
|  | 				if (!wpa_config_get_blob(wpa_s->conf, name)) | ||||||
|  | 					break; | ||||||
|  | 			} | ||||||
|  | 
 | ||||||
|  | 			wpa_hexdump_buf(MSG_INFO, "JKM:privkey", | ||||||
|  | 					auth->priv_key); | ||||||
|  | 			blob = os_zalloc(sizeof(*blob)); | ||||||
|  | 			if (!blob) | ||||||
|  | 				goto fail; | ||||||
|  | 			blob->len = wpabuf_len(auth->priv_key); | ||||||
|  | 			blob->name = os_strdup(name); | ||||||
|  | 			blob->data = os_malloc(blob->len); | ||||||
|  | 			if (!blob->name || !blob->data) { | ||||||
|  | 				wpa_config_free_blob(blob); | ||||||
|  | 				goto fail; | ||||||
|  | 			} | ||||||
|  | 			os_memcpy(blob->data, wpabuf_head(auth->priv_key), | ||||||
|  | 				  blob->len); | ||||||
|  | 			os_snprintf(blobname, sizeof(blobname), "blob://%s", | ||||||
|  | 				    name); | ||||||
|  | 			wpa_config_set_blob(wpa_s->conf, blob); | ||||||
|  | 			wpa_printf(MSG_DEBUG, "DPP: Added private key blob %s", | ||||||
|  | 				   name); | ||||||
|  | 			ssid->eap.cert.private_key = os_strdup(blobname); | ||||||
|  | 			if (!ssid->eap.cert.private_key) | ||||||
|  | 				goto fail; | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		if (conf->server_name) { | ||||||
|  | 			ssid->eap.cert.domain_suffix_match = | ||||||
|  | 				os_strdup(conf->server_name); | ||||||
|  | 			if (!ssid->eap.cert.domain_suffix_match) | ||||||
|  | 				goto fail; | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		/* TODO: Use entCreds::eapMethods */ | ||||||
|  | 		if (wpa_config_set(ssid, "eap", "TLS", 0) < 0) | ||||||
|  | 			goto fail; | ||||||
|  | 	} | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
|  | 
 | ||||||
| 	os_memcpy(wpa_s->dpp_last_ssid, conf->ssid, conf->ssid_len); | 	os_memcpy(wpa_s->dpp_last_ssid, conf->ssid, conf->ssid_len); | ||||||
| 	wpa_s->dpp_last_ssid_len = conf->ssid_len; | 	wpa_s->dpp_last_ssid_len = conf->ssid_len; | ||||||
| 
 | 
 | ||||||
|  | @ -1346,6 +1447,32 @@ static int wpas_dpp_handle_config_obj(struct wpa_supplicant *wpa_s, | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | 	if (conf->certbag) { | ||||||
|  | 		char *b64; | ||||||
|  | 
 | ||||||
|  | 		b64 = base64_encode_no_lf(wpabuf_head(conf->certbag), | ||||||
|  | 					  wpabuf_len(conf->certbag), NULL); | ||||||
|  | 		if (b64) | ||||||
|  | 			wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_CERTBAG "%s", b64); | ||||||
|  | 		os_free(b64); | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if (conf->cacert) { | ||||||
|  | 		char *b64; | ||||||
|  | 
 | ||||||
|  | 		b64 = base64_encode_no_lf(wpabuf_head(conf->cacert), | ||||||
|  | 					  wpabuf_len(conf->cacert), NULL); | ||||||
|  | 		if (b64) | ||||||
|  | 			wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_CACERT "%s", b64); | ||||||
|  | 		os_free(b64); | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if (conf->server_name) | ||||||
|  | 		wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_SERVER_NAME "%s", | ||||||
|  | 			conf->server_name); | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
|  | 
 | ||||||
| 	return wpas_dpp_process_config(wpa_s, auth, conf); | 	return wpas_dpp_process_config(wpa_s, auth, conf); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | @ -1376,6 +1503,29 @@ static int wpas_dpp_handle_key_pkg(struct wpa_supplicant *wpa_s, | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | static void wpas_dpp_build_csr(void *eloop_ctx, void *timeout_ctx) | ||||||
|  | { | ||||||
|  | 	struct wpa_supplicant *wpa_s = eloop_ctx; | ||||||
|  | 	struct dpp_authentication *auth = wpa_s->dpp_auth; | ||||||
|  | 
 | ||||||
|  | 	if (!auth || !auth->csrattrs) | ||||||
|  | 		return; | ||||||
|  | 
 | ||||||
|  | 	wpa_printf(MSG_DEBUG, "DPP: Build CSR"); | ||||||
|  | 	wpabuf_free(auth->csr); | ||||||
|  | 	/* TODO: Additional information needed for CSR based on csrAttrs */ | ||||||
|  | 	auth->csr = dpp_build_csr(auth); | ||||||
|  | 	if (!auth->csr) { | ||||||
|  | 		dpp_auth_deinit(wpa_s->dpp_auth); | ||||||
|  | 		wpa_s->dpp_auth = NULL; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	wpas_dpp_start_gas_client(wpa_s); | ||||||
|  | } | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
| static void wpas_dpp_gas_resp_cb(void *ctx, const u8 *addr, u8 dialog_token, | static void wpas_dpp_gas_resp_cb(void *ctx, const u8 *addr, u8 dialog_token, | ||||||
| 				 enum gas_query_result result, | 				 enum gas_query_result result, | ||||||
| 				 const struct wpabuf *adv_proto, | 				 const struct wpabuf *adv_proto, | ||||||
|  | @ -1420,7 +1570,15 @@ static void wpas_dpp_gas_resp_cb(void *ctx, const u8 *addr, u8 dialog_token, | ||||||
| 		goto fail; | 		goto fail; | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	if (dpp_conf_resp_rx(auth, resp) < 0) { | 	res = dpp_conf_resp_rx(auth, resp); | ||||||
|  | #ifdef CONFIG_DPP2 | ||||||
|  | 	if (res == -2) { | ||||||
|  | 		wpa_printf(MSG_DEBUG, "DPP: CSR needed"); | ||||||
|  | 		eloop_register_timeout(0, 0, wpas_dpp_build_csr, wpa_s, NULL); | ||||||
|  | 		return; | ||||||
|  | 	} | ||||||
|  | #endif /* CONFIG_DPP2 */ | ||||||
|  | 	if (res < 0) { | ||||||
| 		wpa_printf(MSG_DEBUG, "DPP: Configuration attempt failed"); | 		wpa_printf(MSG_DEBUG, "DPP: Configuration attempt failed"); | ||||||
| 		goto fail; | 		goto fail; | ||||||
| 	} | 	} | ||||||
|  | @ -3115,6 +3273,7 @@ void wpas_dpp_deinit(struct wpa_supplicant *wpa_s) | ||||||
| 	eloop_cancel_timeout(wpas_dpp_conn_status_result_timeout, wpa_s, NULL); | 	eloop_cancel_timeout(wpas_dpp_conn_status_result_timeout, wpa_s, NULL); | ||||||
| 	eloop_cancel_timeout(wpas_dpp_reconfig_reply_wait_timeout, | 	eloop_cancel_timeout(wpas_dpp_reconfig_reply_wait_timeout, | ||||||
| 			     wpa_s, NULL); | 			     wpa_s, NULL); | ||||||
|  | 	eloop_cancel_timeout(wpas_dpp_build_csr, wpa_s, NULL); | ||||||
| 	dpp_pfs_free(wpa_s->dpp_pfs); | 	dpp_pfs_free(wpa_s->dpp_pfs); | ||||||
| 	wpa_s->dpp_pfs = NULL; | 	wpa_s->dpp_pfs = NULL; | ||||||
| 	wpas_dpp_chirp_stop(wpa_s); | 	wpas_dpp_chirp_stop(wpa_s); | ||||||
|  |  | ||||||
		Loading…
	
		Reference in a new issue
	
	 Jouni Malinen
						Jouni Malinen