DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

HS 2.0R2: Do not use OSU cert validation for EST

Browse source 
There is no requirement for the EST server to use an OSU server
certificate, so do not require friendly name and icon hash matches for
EST cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2014-03-17 23:56:17 +02:00 committed by Jouni Malinen
parent 40bdceac88
commit 8f60293d3f
3 changed files with 16 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
hs20/client/est.c
View file

@ -1,6 +1,6 @@
/* /*
* Hotspot 2.0 OSU client - EST client * Hotspot 2.0 OSU client - EST client
* Copyright (c) 2012-2013, Qualcomm Atheros, Inc. * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
* *
* This software may be distributed under the terms of the BSD license. * This software may be distributed under the terms of the BSD license.
* See README for more details. * See README for more details.
@ -108,8 +108,10 @@ int est_load_cacerts(struct hs20_osu_client *ctx, const char *url)
os_snprintf(buf, buflen, "%s/cacerts", url); os_snprintf(buf, buflen, "%s/cacerts", url);
wpa_printf(MSG_INFO, "Download EST cacerts from %s", buf); wpa_printf(MSG_INFO, "Download EST cacerts from %s", buf);
write_summary(ctx, "Download EST cacerts from %s", buf); write_summary(ctx, "Download EST cacerts from %s", buf);
ctx->no_osu_cert_validation = 1;
res = http_download_file(ctx->http, buf, "Cert/est-cacerts.txt", res = http_download_file(ctx->http, buf, "Cert/est-cacerts.txt",
ctx->ca_fname); ctx->ca_fname);
ctx->no_osu_cert_validation = 0;
if (res < 0) { if (res < 0) {
wpa_printf(MSG_INFO, "Failed to download EST cacerts from %s", wpa_printf(MSG_INFO, "Failed to download EST cacerts from %s",
buf); buf);
@ -550,8 +552,10 @@ int est_build_csr(struct hs20_osu_client *ctx, const char *url)
os_snprintf(buf, buflen, "%s/csrattrs", url); os_snprintf(buf, buflen, "%s/csrattrs", url);
wpa_printf(MSG_INFO, "Download csrattrs from %s", buf); wpa_printf(MSG_INFO, "Download csrattrs from %s", buf);
write_summary(ctx, "Download EST csrattrs from %s", buf); write_summary(ctx, "Download EST csrattrs from %s", buf);
ctx->no_osu_cert_validation = 1;
res = http_download_file(ctx->http, buf, "Cert/est-csrattrs.txt", res = http_download_file(ctx->http, buf, "Cert/est-csrattrs.txt",
ctx->ca_fname); ctx->ca_fname);
ctx->no_osu_cert_validation = 0;
os_free(buf); os_free(buf);
if (res < 0) { if (res < 0) {
wpa_printf(MSG_INFO, "Failed to download EST csrattrs - assume no extra attributes are needed"); wpa_printf(MSG_INFO, "Failed to download EST csrattrs - assume no extra attributes are needed");
@ -647,10 +651,12 @@ int est_simple_enroll(struct hs20_osu_client *ctx, const char *url,
os_snprintf(buf, buflen, "%s/simpleenroll", url); os_snprintf(buf, buflen, "%s/simpleenroll", url);
wpa_printf(MSG_INFO, "EST simpleenroll URL: %s", buf); wpa_printf(MSG_INFO, "EST simpleenroll URL: %s", buf);
write_summary(ctx, "EST simpleenroll URL: %s", buf); write_summary(ctx, "EST simpleenroll URL: %s", buf);
ctx->no_osu_cert_validation = 1;
resp = http_post(ctx->http, buf, req, "application/pkcs10", resp = http_post(ctx->http, buf, req, "application/pkcs10",
"Content-Transfer-Encoding: base64", "Content-Transfer-Encoding: base64",
ctx->ca_fname, user, pw, client_cert, client_key, ctx->ca_fname, user, pw, client_cert, client_key,
&resp_len); &resp_len);
ctx->no_osu_cert_validation = 0;
os_free(buf); os_free(buf);
if (resp == NULL) { if (resp == NULL) {
wpa_printf(MSG_INFO, "EST certificate enrollment failed"); wpa_printf(MSG_INFO, "EST certificate enrollment failed");

12
hs20/client/osu_client.c
View file

@ -302,7 +302,9 @@ static int download_cert(struct hs20_osu_client *ctx, xml_node_t *params,
xml_node_get_text_free(ctx->xml, hash); xml_node_get_text_free(ctx->xml, hash);
write_summary(ctx, "Download certificate from %s", url); write_summary(ctx, "Download certificate from %s", url);
ctx->no_osu_cert_validation = 1;
res = http_download_file(ctx->http, url, TMP_CERT_DL_FILE, NULL); res = http_download_file(ctx->http, url, TMP_CERT_DL_FILE, NULL);
ctx->no_osu_cert_validation = 0;
xml_node_get_text_free(ctx->xml, url); xml_node_get_text_free(ctx->xml, url);
if (res < 0) if (res < 0)
return -1; return -1;
@ -2692,7 +2694,8 @@ static int osu_cert_cb(void *_ctx, struct http_cert *cert)
int found; int found;
char *host = NULL; char *host = NULL;
wpa_printf(MSG_INFO, "osu_cert_cb"); wpa_printf(MSG_INFO, "osu_cert_cb(osu_cert_validation=%d)",
!ctx->no_osu_cert_validation);
host = get_hostname(ctx->server_url); host = get_hostname(ctx->server_url);
@ -2736,7 +2739,8 @@ static int osu_cert_cb(void *_ctx, struct http_cert *cert)
} }
} }
for (j = 0; j < ctx->friendly_name_count; j++) { for (j = 0; !ctx->no_osu_cert_validation &&
j < ctx->friendly_name_count; j++) {
int found = 0; int found = 0;
for (i = 0; i < cert->num_othername; i++) { for (i = 0; i < cert->num_othername; i++) {
if (os_strcmp(cert->othername[i].oid, if (os_strcmp(cert->othername[i].oid,
@ -2775,7 +2779,7 @@ static int osu_cert_cb(void *_ctx, struct http_cert *cert)
logo->hash, logo->hash_len); logo->hash, logo->hash_len);
} }
for (j = 0; j < ctx->icon_count; j++) { for (j = 0; !ctx->no_osu_cert_validation && j < ctx->icon_count; j++) {
int found = 0; int found = 0;
char *name = ctx->icon_filename[j]; char *name = ctx->icon_filename[j];
size_t name_len = os_strlen(name); size_t name_len = os_strlen(name);
@ -2811,7 +2815,7 @@ static int osu_cert_cb(void *_ctx, struct http_cert *cert)
} }
} }
for (j = 0; j < ctx->icon_count; j++) { for (j = 0; !ctx->no_osu_cert_validation && j < ctx->icon_count; j++) {
int found = 0; int found = 0;
for (i = 0; i < cert->num_logo; i++) { for (i = 0; i < cert->num_logo; i++) {

1
hs20/client/osu_client.h
View file

@ -34,6 +34,7 @@ struct hs20_osu_client {
const char *summary_file; const char *summary_file;
const char *ifname; const char *ifname;
const char *ca_fname; const char *ca_fname;
int no_osu_cert_validation; /* for EST operations */
char *fqdn; char *fqdn;
char *server_url; char *server_url;
struct osu_lang_text friendly_name[MAX_OSU_VALS]; struct osu_lang_text friendly_name[MAX_OSU_VALS];