Commit graph

42 commits

Author SHA1 Message Date
Jouni Malinen
3f45b8daeb hs20-osu-client: Use size_t for certificate components
This avoids a theoretical integer overflow with 16-bit unsigned int
should a certificate be encoded with more that 65535 friendly names or
icons.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Ben Greear
440dac7558 hs20-osu-client: Use more specific debug message on OSU connection
Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-03-13 16:52:29 +02:00
Jouni Malinen
e33a0eecec hs20-osu-client: Validate HTTPS server certificate by default (browser)
This changes "hs20-osu-client browser <URL>" behavior to validate the
HTTPS server certificate against the system trust roots. The new command
line argument -T can be used to disable this validation.

This does not change behavior for SPP/OMA-DM triggered OSU operation,
i.e., they continue to not mandate server certificate validation for now
to avoid breaking existing test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 17:40:52 +02:00
Jouni Malinen
61bf9819c1 hs20_web_browser() to allow TLS server validation to be enabled
hs20_web_browser() was previously hardcoded to not perform strict TLS
server validation. Add an argument to this function to allow that
behavior to be configured. The hs20-osu-client users are still using the
old behavior, i.e., not validating server certificates, to be usable for
testing purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 17:40:52 +02:00
Jouni Malinen
8e5e36a184 Clean up base64_{encode,decode} pointer types
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Masashi Honma
18f4fc43f2 hs20-osu-client: Check snprintf result to avoid compiler warnings
Fix false positive warnings by gcc 8.3.0.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2019-05-25 21:58:29 +03:00
Purushottam Kushwaha
7ad7aa0e12 HS 2.0: Make hs20-osu-client SP and <FQDN> directories group writable
This updates SP/<FQDN> directory with following permissions on Android
to allow moving certificate at runtime from Cert/ to SP/<FQDN> folder:
 - user:read/write/exec
 - group:read/write/exec
(i.e., add group write permission)

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-18 19:54:36 +02:00
Jouni Malinen
02f52ab6f5 Use lchown() instead of chown() for self-created files
There is no need to allow symlink dereferencing in these cases where a
file (including directories and sockets) are created by the same
process, so use the safer lchown() variant to avoid leaving potential
windows for something external to replace the file before the chown()
call. The particular locations used here should not have write
permissions enabled for processes with less privileges, so this may not
be needed, but anyway, it is better to make these more restrictive
should there be cases where directory permissions are not as expected
for a good deployment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-06 20:28:04 +02:00
Jouni Malinen
1695b4dc37 HS 2.0: Do not require devinfo.xml for all hs20-osu-client operations
hs20-osu-client refused to do anything if it could not find devinfo.xml
from the current working directory. This is a bit excessive since that
file was used in init_ctx() only to fill in ctx->devid which is used
when constructing OMA DM messages.

Move the check for ctx->devid into OMA DM specific code so that other
hs20-osu-client functionality can be used without the devinfo.xml file.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-30 15:29:12 +02:00
Jouni Malinen
de7bcb9bc9 HS 2.0: Reject PPS MO if polupd or AAA trust root is invalid
Previously, this was done only for the subscription remediation/update
trust root. The other downloaded files were also verified, but the OSU
server was not notified if the files were found to be invalid.

Modify hs20-osu-client behavior to explicitly notify the OSU server if
any of the three trust root types cannot be successfully downloaded.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-17 19:07:27 +03:00
Jouni Malinen
2fd8984b05 HS 2.0: Reject OSU connection for Single SSID case without OSU_NAI
The Single SSID case can only use OSEN, so reject the case where OSU_NAI
is not set and open OSU connection would be used since that connection
cannot succeed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 21:03:46 +03:00
Jouni Malinen
2f158bc194 HS 2.0: Use alternative OSU_NAI information in hs20-osu-client
Extend hs20-osu-client to support the new osu_nai2 value for OSU
connection with the shared BSS (Single SSID) case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:53:31 +03:00
Jouni Malinen
4d1f7b6856 HS 2.0: Remove hs20-osu-client debug file Cert/est-resp.raw
This was used during initial EST development time testing, but the same
information is available in the debug log and since this separate file
is deleted automatically, just remove its generation completely to
simplify implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-26 12:59:41 +03:00
Jouni Malinen
25f3c270d9 HS 2.0: Allow OSU SSID selection to be enforced for testing purposes
This allows hs20-osu-client to be requested to select a specific OSU
SSID with the new command line argument (-o<OSU_SSID>). This is useful
for testing single SSID transition mode cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-13 00:17:51 +03:00
Jouni Malinen
b275c3ae51 HS 2.0: Use shared SSID (if available) for OSU by default
When the AP is detected to have single BSS shared for RSN and OSEN, use
that BSS for OSU by default instead of the one based on the OSU_SSID in
the OSU Providers list.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-09-13 00:17:15 +03:00
Jouni Malinen
c06cd3e0ac HS 2.0: Fix hs20-osu-client handling of HomeSP/HomeOIList/<X+>/HomeOI
This node was mapped to a SET_CRED roaming_consortium command with
quotation marks even though this is a hexdump of the OI. Remove the
quotation marks to allow this to be set correctly in the wpa_supplicant
credential.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-08-02 16:15:14 +03:00
Jouni Malinen
c1721f05a0 HS 2.0: Allow CCMP as group cipher for OSEN single SSID case
When OSEN is used in the BSS that is shared both for production data and
OSU uses, the group cipher might be either GTK_NOT_USED (like in Rel 2
OSEN) or CCMP. Modify hs20-osu-client to allow both these group ciphers
to be used when requesting OSEN connection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-07-31 00:32:53 +03:00
Jouni Malinen
de3885fcc7 HS 2.0: Process Credential/UsernamePassword/EAPMethod nodes in PPS MO
This allows hs20-osu-client to configure wpa_supplicant credential with
a specific EAP method so that roaming consortium OI -based matching can
be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-21 19:16:26 +03:00
Jouni Malinen
2e88032f1b HS 2.0: OSU client to send HomeSP/RoamingConsortiumOI to wpa_supplicant
This adds mapping of the PPS MO HomeSP/RoamingConsortiumOI leaf node
value into the wpa_supplicant cred block parameter roaming_consortiums.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Purushottam Kushwaha
727e9aacbf HS 2.0: Set appropriate permission(s) for cert file/folders on Android
This commit adds additional permission to 'SP' and 'Cert' folders
which is needed to copy certificates from Cert to SP. Additionally,
this associates AID_WIFI group id with these folders.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-12 02:12:43 +02:00
Masashi Honma
00e0f0b010 hs20-osu-client: Hide a trivial compiler warning
This patch hides a compiler warning:

osu_client.c: In function ‘cmd_osu_select’:
osu_client.c:2200:2: warning: ‘osu_count’ may be used uninitialized in this function [-Wmaybe-uninitialized]
  for (i = 0; i < osu_count; i++) {
  ^

osu_count is actually initialized in parse_osu_providers() if non-NULL
value is returned.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-06 19:28:34 +02:00
Jouni Malinen
42a95533a8 hs20-osu-client: Fix pol_upd command line parsing
This command was documented as having the Server URL parameter as
optional, but the implementation did not match that. Allow this
parameter to be left out.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:25:11 +02:00
Jouni Malinen
ec1eae849e hs20-osu-client: Remove dead code from sub_rem command line parsing
The error print could not have been reached since the exact same
condition was verified above and exit(0) is called if the command line
is invalid.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-16 21:19:19 +02:00
Kanchanapally, Vidyullatha
61697c7ecc Android: Allow wpa_supplicant to write files to osu-info dir
This commit allows any process running with group id of AID_WIFI to
read/write files to osu-info directory. Also, it allows other users to
read and search the osu-info directory.

This fixes issues with hs20-osu-client creating a directory for
wpa_supplicant use without wpa_supplicant actually having privileges to
write there on Android where the wpa_supplicant process does not run as
root.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-03 14:50:29 +02:00
Jouni Malinen
2e3a41a53f hs20-osu-client: Fix check for osu_nai being available
This is an array, so the pointer is never NULL; need to check that the
first character is not '\0' instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 18:39:03 +02:00
Nishant Chaprana
59bae7463a HS 2.0R2: Fix memory leak on error path in hs20-osu-client
fqdn was not freed before return in case the server uses an unsupported
location for the PPS MO in the addMO command.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2015-06-23 18:51:41 +03:00
Ben Greear
1b748e67ae HS 2.0: hs20-client: Fix hostname extraction from URL
It was not properly handling cases like this:

https://foo.local:443

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-05-27 12:01:23 +03:00
Ben Greear
0bb20efcd0 HS 2.0R2: Allow user to specify spp.xsd file location
Allow user to specify the path to the spp.xsd file for hs20-osu-client
instead of requiring this to be spp.xsd in the current working
directory.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-04-01 20:33:28 +03:00
Ben Greear
97c9991c5b HS 2.0R2: Add more debugging messages to hs20-osu-client
Helps to figure out why some errors happen.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-04-01 20:33:25 +03:00
Ben Greear
270427ea3f HS 2.0R2: Add more logging for hs20-osu-client icon matching
Add some more verbose logging, and make sure logging
messages are unique for easier debugging.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 13:07:37 +02:00
Ben Greear
1b4500670f HS 2.0R2: Remove unused argument identifier from hs20-osu-client
The command line option 'i' is not handled, so I assume it should
not be in the short-options list.

Fix missing word in error message as well.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 11:13:47 +02:00
Subhani Shaik
715d5c45f1 hs20-osu-client: Ensure NULL checks are done before dereferencing
In some error cases, pointers were dereferenced before NULL check is
done. Fix this by adding checks before the dereference.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:39:15 +02:00
Neelansh Mittal
a926295a55 HS 2.0R2: Fix permissions for SP/<fqdn> directory on Android
As part of OSU, the AAA TrustRoot cert is downloaded into SP/<fqdn>
directory. On Android, wpa_supplicant runs with Wifi uid privileges, and
hence might not have read access to the AAA TrustRoot present SP/<fqdn>
directory. Hence, make AID_WIFI as the group owner of SP/<fqdn>
directory and allow the members of AID_WIFI group to read files present
in this directory.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 12:11:36 +02:00
ASHUTOSH NARAYAN
73f1ee0243 HS20: Fix TrustRoot path for PolicyUpdate node in PPS MO
Incorrect TrustRoot path "PolicyUpdate/TrustRoot" was used. The
TrustRoot path is required to be "Policy/PolicyUpdate/TrustRoot" as
defined in Section 9.1 of Hotspot 2.0 (Release 2) specification. Fix the
path to "Policy/PolicyUpdate/TrustRoot".

Signed-off-by: ASHUTOSH NARAYAN <ashutoshx.narayan@intel.com>
2015-01-20 02:25:41 +02:00
ASHUTOSH NARAYAN
54a0ac0ccf HS20: Return result of cmd_sub_rem in hs20-osu-client
Previously, both failure and success cases used same return value 0.
Indicate failures differently to make hs20-osu-client return value more
useful for subscription remediation cases.

Signed-off-by: ASHUTOSH NARAYAN <ashutoshx.narayan@intel.com>
2015-01-20 02:17:13 +02:00
Jouni Malinen
d1ecca6c15 HS 2.0 R2: Clear hs20-osu-client configuration keys explicitly
Use an explicit memset call to clear any hs20-osu-client configuration
parameter that contains private information like keys or identity. This
brings in an additional layer of protection by reducing the length of
time this type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
bb2382619a HS 2.0R2: Clean up debug log during exit path
deinit_ctx() may print debug information, so do not call
wpa_debug_close_file() before deinit_ctx().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:40:04 +02:00
Jouni Malinen
48408fce2f HS 2.0R2: Do not mandate OCSP response for EST operations
OCSP validation is required only for the OSU operations and since the
EST server may use a different server certificate, it may not
necessarily support OCSP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:58 +02:00
Jouni Malinen
8f60293d3f HS 2.0R2: Do not use OSU cert validation for EST
There is no requirement for the EST server to use an OSU server
certificate, so do not require friendly name and icon hash matches for
EST cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:49 +02:00
Jouni Malinen
40bdceac88 HS 2.0R2: Configure OSU client trust root more consistently
Some of the code paths could have ended up ignoring CA file name from
command line due to overly complex way of setting ctx->ca_fname.
Configure this more consistently in osu_client.c as soon as the CA file
name has been determined.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:39 +02:00
Jouni Malinen
39b420f7b1 HS 2.0R2: Add parse_cert command for debugging purposes
This hs20-osu-client client command can be used to parse a DER encoded
X.509v3 certificate with the logotype extensions and
id-wfa-hotspot-friendlyName values shown in detail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-12 01:09:22 +02:00
Jouni Malinen
c0d701a347 HS 2.0R2: Add OSU client implementation
This adds a reference implementation of Hotspot 2.0 Release 2 OSU
client. While this implements all of the required functionality, it is
likely that a significant extensions would be used to integrate this
with user interfaces and operating system configuration components.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-12 01:09:22 +02:00