Commit graph

65 commits

Author SHA1 Message Date
Jouni Malinen
2fd8984b05 HS 2.0: Reject OSU connection for Single SSID case without OSU_NAI
The Single SSID case can only use OSEN, so reject the case where OSU_NAI
is not set and open OSU connection would be used since that connection
cannot succeed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 21:03:46 +03:00
Jouni Malinen
2f158bc194 HS 2.0: Use alternative OSU_NAI information in hs20-osu-client
Extend hs20-osu-client to support the new osu_nai2 value for OSU
connection with the shared BSS (Single SSID) case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:53:31 +03:00
Jouni Malinen
4d1f7b6856 HS 2.0: Remove hs20-osu-client debug file Cert/est-resp.raw
This was used during initial EST development time testing, but the same
information is available in the debug log and since this separate file
is deleted automatically, just remove its generation completely to
simplify implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-26 12:59:41 +03:00
Jouni Malinen
cc6263ef60 HS 2.0 server: Store device MAC address into database
This is needed for tracking status of certificate enrollment cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-15 05:17:54 +03:00
Jouni Malinen
1d73531fdb HS 2.0: Fix T&C server database check
It was possible for the wait loop to exit early due to the $row[0] == 1
check returning false if the database value was not yet set. Fix this by
updated the $waiting default value only if the database actually has a
value for this field.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-13 01:04:40 +03:00
Jouni Malinen
25f3c270d9 HS 2.0: Allow OSU SSID selection to be enforced for testing purposes
This allows hs20-osu-client to be requested to select a specific OSU
SSID with the new command line argument (-o<OSU_SSID>). This is useful
for testing single SSID transition mode cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-13 00:17:51 +03:00
Jouni Malinen
b275c3ae51 HS 2.0: Use shared SSID (if available) for OSU by default
When the AP is detected to have single BSS shared for RSN and OSEN, use
that BSS for OSU by default instead of the one based on the OSU_SSID in
the OSU Providers list.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-13 00:17:15 +03:00
Jouni Malinen
ad5c385db9 HS 2.0 server: Replace deprecated PHP function split()
Use explode() instead of split() because split() has been removed from
PHP 7.0.0 and there is no need for using full regular expression here.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-10 23:41:35 +03:00
Jouni Malinen
c06cd3e0ac HS 2.0: Fix hs20-osu-client handling of HomeSP/HomeOIList/<X+>/HomeOI
This node was mapped to a SET_CRED roaming_consortium command with
quotation marks even though this is a hexdump of the OI. Remove the
quotation marks to allow this to be set correctly in the wpa_supplicant
credential.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-02 16:15:14 +03:00
Jouni Malinen
c1721f05a0 HS 2.0: Allow CCMP as group cipher for OSEN single SSID case
When OSEN is used in the BSS that is shared both for production data and
OSU uses, the group cipher might be either GTK_NOT_USED (like in Rel 2
OSEN) or CCMP. Modify hs20-osu-client to allow both these group ciphers
to be used when requesting OSEN connection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-31 00:32:53 +03:00
Jouni Malinen
73d3f88418 HS 2.0: CoA-Request from Terms and Conditions server
This extends the terms.php implementation of Hotspot 2.0 Terms and
Conditions server to allow it to interact with hostapd(AS) to clear the
filtering rules from the AP. After requesting hostapd to send out the
CoA-Request, terms.php waits for up to 10 seconds to see whether the
current_sessions table gets an update to indicate that filtering has
been successfully disabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-22 20:22:40 +03:00
Jouni Malinen
de3885fcc7 HS 2.0: Process Credential/UsernamePassword/EAPMethod nodes in PPS MO
This allows hs20-osu-client to configure wpa_supplicant credential with
a specific EAP method so that roaming consortium OI -based matching can
be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-21 19:16:26 +03:00
Jouni Malinen
c456e6e3f7 HS 2.0: Terms and Conditions server and management
Add minimal Terms and Conditions server for testing purposes. This can
be used to test user interaction for Terms and Conditions acceptance.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-30 21:04:11 +03:00
Jouni Malinen
42f4169166 HS 2.0: Update server SQL DB initialization to cover new fields
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-30 20:19:32 +03:00
Jouni Malinen
5bd5eb54d1 HS 2.0: Update server instructions for Ubuntu 16.04
Some of the Ubuntu package names have changed for PHP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-30 20:19:32 +03:00
Jouni Malinen
2e88032f1b HS 2.0: OSU client to send HomeSP/RoamingConsortiumOI to wpa_supplicant
This adds mapping of the PPS MO HomeSP/RoamingConsortiumOI leaf node
value into the wpa_supplicant cred block parameter roaming_consortiums.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Purushottam Kushwaha
727e9aacbf HS 2.0: Set appropriate permission(s) for cert file/folders on Android
This commit adds additional permission to 'SP' and 'Cert' folders
which is needed to copy certificates from Cert to SP. Additionally,
this associates AID_WIFI group id with these folders.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-12 02:12:43 +02:00
Masashi Honma
e37c0aa5d1 OSU server: Remove invalid options from documentation
Remove -d and -I options which causes "Illegal option" error.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-11 12:55:19 +02:00
Masashi Honma
00e0f0b010 hs20-osu-client: Hide a trivial compiler warning
This patch hides a compiler warning:

osu_client.c: In function ‘cmd_osu_select’:
osu_client.c:2200:2: warning: ‘osu_count’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  for (i = 0; i < osu_count; i++) {
  ^

osu_count is actually initialized in parse_osu_providers() if non-NULL
value is returned.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-06 19:28:34 +02:00
Maneesh Jain
ea06a08f85 HS 2.0 server: Remove redundant NULL check
Both devinfo and devdetail are non-NULL here due to the earlier check
within the same function.

Signed-off-by: Maneesh Jain <maneesh.jain@samsung.com>
2016-10-28 19:08:32 +03:00
Cedric Izoard
a9c52e8066 HS 2.0R2: No longer use HTTP_RAW_POST_DATA
As HTTP_RAW_POST_DATA is deprecated, use php://input instead.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2016-06-19 22:27:36 +03:00
Jouni Malinen
42a95533a8 hs20-osu-client: Fix pol_upd command line parsing
This command was documented as having the Server URL parameter as
optional, but the implementation did not match that. Allow this
parameter to be left out.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:25:11 +02:00
Jouni Malinen
ec1eae849e hs20-osu-client: Remove dead code from sub_rem command line parsing
The error print could not have been reached since the exact same
condition was verified above and exit(0) is called if the command line
is invalid.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:19:19 +02:00
Adam Langley
8f38eed628 Android: Remove superfluous OpenSSL include paths
The libcrypto and libssl modules (and their respective static and host
versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module
is sufficient.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-03-03 16:27:10 +02:00
Kanchanapally, Vidyullatha
61697c7ecc Android: Allow wpa_supplicant to write files to osu-info dir
This commit allows any process running with group id of AID_WIFI to
read/write files to osu-info directory. Also, it allows other users to
read and search the osu-info directory.

This fixes issues with hs20-osu-client creating a directory for
wpa_supplicant use without wpa_supplicant actually having privileges to
write there on Android where the wpa_supplicant process does not run as
root.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-03 14:50:29 +02:00
Jouni Malinen
2e3a41a53f hs20-osu-client: Fix check for osu_nai being available
This is an array, so the pointer is never NULL; need to check that the
first character is not '\0' instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:39:03 +02:00
Jouni Malinen
e007d538cd EST: Comment out X509_REQ_print calls on Android with BoringSSL
These were restored into BoringSSL in June 2015, but not all Android
branches include those changes. To fix the build, comment these call out
on Android for now if hs20-osu-client is built against BoringSSL. These
are used only for debugging purposes, so this is fine for Hotspot 2.0
functionality.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 20:08:31 +02:00
Jouni Malinen
e6f4832737 EST: Add CSR generation support with BoringSSL
This completes EST support with hs20-osu-client when built with
BoringSSL instead of OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 20:08:31 +02:00
Jouni Malinen
ed2566ac9b EST: Implement pkcs7_to_cert() with BoringSSL
This adds one more step in completing hs20-osu-client support when using
BoringSSL instead of OpenSSL. EST client can now parse the cacerts file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 20:08:31 +02:00
Jouni Malinen
8d27efa814 HTTP (curl): OCSP with BoringSSL
This adds experimental support for using OCSP with libcurl that is built
against BoringSSL. This needs small modifications to libcurl to allow
CURLOPT_SSL_VERIFYSTATUS to be used to call
SSL_enable_ocsp_stapling(connssl->handle) in ossl_connect_step1().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 20:08:31 +02:00
Jouni Malinen
63d9bf81ab hs20-osu-client: Disable EST with BoringSSL to fix build
BoringSSL has dropped OpenSSL functionality that was used in the EST
implementation. For now, disable EST with BoringSSL to allow
hs20-osu-client to be built.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-10 00:07:32 +03:00
Nishant Chaprana
59bae7463a HS 2.0R2: Fix memory leak on error path in hs20-osu-client
fqdn was not freed before return in case the server uses an unsupported
location for the PPS MO in the addMO command.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2015-06-23 18:51:41 +03:00
Ben Greear
1b748e67ae HS 2.0: hs20-client: Fix hostname extraction from URL
It was not properly handling cases like this:

https://foo.local:443

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-05-27 12:01:23 +03:00
Ben Greear
dba68f2be2 HS 2.0: Fix hs20_spp_server compile error
Need to add a new -I path to get it to compile.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-05-27 11:56:11 +03:00
Ben Greear
e4a43a9fa3 HS 2.0: spp-client: Warn user if xml file cannot be found
Otherwise, all you get is a cryptic XML validation error out
of the SPP server.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-05-27 11:55:43 +03:00
Ben Greear
0bb20efcd0 HS 2.0R2: Allow user to specify spp.xsd file location
Allow user to specify the path to the spp.xsd file for hs20-osu-client
instead of requiring this to be spp.xsd in the current working
directory.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-04-01 20:33:28 +03:00
Ben Greear
97c9991c5b HS 2.0R2: Add more debugging messages to hs20-osu-client
Helps to figure out why some errors happen.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-04-01 20:33:25 +03:00
Ben Greear
93c2e60b36 HS 2.0R2 CA: Improve setup.sh and .conf for more flexibility
This gives more flexibility when generating keys so that users do not
have to edit files to generate their own specific keys.

Update HS 2.0 OSU server notes as well.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-04-01 20:33:23 +03:00
Ben Greear
270427ea3f HS 2.0R2: Add more logging for hs20-osu-client icon matching
Add some more verbose logging, and make sure logging
messages are unique for easier debugging.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 13:07:37 +02:00
Ben Greear
8e31cd2cf6 OSU server: Improve logging for SPP schema validation failures
Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 11:25:32 +02:00
Ben Greear
e7d285ca5c OSU server: Print out signup ID if there is some problem with it
Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 11:15:47 +02:00
Ben Greear
1b4500670f HS 2.0R2: Remove unused argument identifier from hs20-osu-client
The command line option 'i' is not handled, so I assume it should
not be in the short-options list.

Fix missing word in error message as well.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 11:13:47 +02:00
Ben Greear
2e7a228878 HS 2.0R2: Allow custom libcurl linkage for hs20-osu-client
In case someone is compiling their own libcurl and wants to link it
statically, for instance, the new CUST_CURL_LINKAGE parameter can be
used to override the default -lcurl argument.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 11:11:33 +02:00
Rajiv Ranjan
088a210d60 HS 2.0: Add NULL check before dereferencing in hs20-osu-client
xml_node_get_text() may return NULL, so need to check the return value
before using it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-06 13:37:16 +02:00
Subhani Shaik
715d5c45f1 hs20-osu-client: Ensure NULL checks are done before dereferencing
In some error cases, pointers were dereferenced before NULL check is
done. Fix this by adding checks before the dereference.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:39:15 +02:00
Jouni Malinen
946572ca0e Android: Remove commented out non-Android build parameters
These hs20-osu-client parameters were never applicable for Android
builds and were just copied from the non-Android Makefile as a reminder,
but not removed once rest of the Android build was fixed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 12:55:19 +02:00
Jouni Malinen
15ada7f020 Android: Remove libxml2 config defines
These need to be done in the libxml2 build, not in hs20-osu-client. This
workaround was previously used to allow parts of the build to go
through, but that was not a complete fix and resulted in warnings now
that external/libxml2 in Android 5.0 is defining the same parameters.
Remove these from hs20-osu-client Android.mk to avoid that warning.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 12:53:03 +02:00
Jouni Malinen
ebe8d3f254 Android: Silence unused function parameter warnings
Numbers of hs20-osu-client functions do not use all of the parameters
currently. This makes the compiler output difficult to read due to
undesired warning messages. Get rid of those specific warnings for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 12:48:51 +02:00
Jouni Malinen
dbd10da810 Android: Fix hs20-osu-client build on Android 5.0
The LOCAL_EXPORT_C_INCLUDE_DIRS from ICU did not seem to fully resolve
the build (e.g., "mm -B" failed to build, but following that with "mm"
allowed the build to complete). For now, add the include directory
manually here for Android 5.0.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 12:48:00 +02:00
Neelansh Mittal
a926295a55 HS 2.0R2: Fix permissions for SP/<fqdn> directory on Android
As part of OSU, the AAA TrustRoot cert is downloaded into SP/<fqdn>
directory. On Android, wpa_supplicant runs with Wifi uid privileges, and
hence might not have read access to the AAA TrustRoot present SP/<fqdn>
directory. Hence, make AID_WIFI as the group owner of SP/<fqdn>
directory and allow the members of AID_WIFI group to read files present
in this directory.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 12:11:36 +02:00