Some things are used by most of the binaries, pull them
into a common rule fragment that we can use properly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This avoids a theoretical integer overflow with 16-bit unsigned int
should a certificate be encoded with more that 65535 friendly names or
icons.
Signed-off-by: Jouni Malinen <j@w1.fi>
This changes "hs20-osu-client browser <URL>" behavior to validate the
HTTPS server certificate against the system trust roots. The new command
line argument -T can be used to disable this validation.
This does not change behavior for SPP/OMA-DM triggered OSU operation,
i.e., they continue to not mandate server certificate validation for now
to avoid breaking existing test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
hs20_web_browser() was previously hardcoded to not perform strict TLS
server validation. Add an argument to this function to allow that
behavior to be configured. The hs20-osu-client users are still using the
old behavior, i.e., not validating server certificates, to be usable for
testing purposes.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This updates SP/<FQDN> directory with following permissions on Android
to allow moving certificate at runtime from Cert/ to SP/<FQDN> folder:
- user:read/write/exec
- group:read/write/exec
(i.e., add group write permission)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no need to allow symlink dereferencing in these cases where a
file (including directories and sockets) are created by the same
process, so use the safer lchown() variant to avoid leaving potential
windows for something external to replace the file before the chown()
call. The particular locations used here should not have write
permissions enabled for processes with less privileges, so this may not
be needed, but anyway, it is better to make these more restrictive
should there be cases where directory permissions are not as expected
for a good deployment.
Signed-off-by: Jouni Malinen <j@w1.fi>
SKM_sk_value() is not available anymore, so use DEFINE_STACK_OF() to get
the appropriate accessor functions.
Signed-off-by: Ben Greear <greearb@candelatech.com>
hs20-osu-client refused to do anything if it could not find devinfo.xml
from the current working directory. This is a bit excessive since that
file was used in init_ctx() only to fill in ctx->devid which is used
when constructing OMA DM messages.
Move the check for ctx->devid into OMA DM specific code so that other
hs20-osu-client functionality can be used without the devinfo.xml file.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, this was done only for the subscription remediation/update
trust root. The other downloaded files were also verified, but the OSU
server was not notified if the files were found to be invalid.
Modify hs20-osu-client behavior to explicitly notify the OSU server if
any of the three trust root types cannot be successfully downloaded.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The Single SSID case can only use OSEN, so reject the case where OSU_NAI
is not set and open OSU connection would be used since that connection
cannot succeed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend hs20-osu-client to support the new osu_nai2 value for OSU
connection with the shared BSS (Single SSID) case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was used during initial EST development time testing, but the same
information is available in the debug log and since this separate file
is deleted automatically, just remove its generation completely to
simplify implementation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows hs20-osu-client to be requested to select a specific OSU
SSID with the new command line argument (-o<OSU_SSID>). This is useful
for testing single SSID transition mode cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When the AP is detected to have single BSS shared for RSN and OSEN, use
that BSS for OSU by default instead of the one based on the OSU_SSID in
the OSU Providers list.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This node was mapped to a SET_CRED roaming_consortium command with
quotation marks even though this is a hexdump of the OI. Remove the
quotation marks to allow this to be set correctly in the wpa_supplicant
credential.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When OSEN is used in the BSS that is shared both for production data and
OSU uses, the group cipher might be either GTK_NOT_USED (like in Rel 2
OSEN) or CCMP. Modify hs20-osu-client to allow both these group ciphers
to be used when requesting OSEN connection.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows hs20-osu-client to configure wpa_supplicant credential with
a specific EAP method so that roaming consortium OI -based matching can
be used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds mapping of the PPS MO HomeSP/RoamingConsortiumOI leaf node
value into the wpa_supplicant cred block parameter roaming_consortiums.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit adds additional permission to 'SP' and 'Cert' folders
which is needed to copy certificates from Cert to SP. Additionally,
this associates AID_WIFI group id with these folders.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This patch hides a compiler warning:
osu_client.c: In function ‘cmd_osu_select’:
osu_client.c:2200:2: warning: ‘osu_count’ may be used uninitialized in this function [-Wmaybe-uninitialized]
for (i = 0; i < osu_count; i++) {
^
osu_count is actually initialized in parse_osu_providers() if non-NULL
value is returned.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This command was documented as having the Server URL parameter as
optional, but the implementation did not match that. Allow this
parameter to be left out.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The error print could not have been reached since the exact same
condition was verified above and exit(0) is called if the command line
is invalid.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The libcrypto and libssl modules (and their respective static and host
versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module
is sufficient.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This commit allows any process running with group id of AID_WIFI to
read/write files to osu-info directory. Also, it allows other users to
read and search the osu-info directory.
This fixes issues with hs20-osu-client creating a directory for
wpa_supplicant use without wpa_supplicant actually having privileges to
write there on Android where the wpa_supplicant process does not run as
root.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is an array, so the pointer is never NULL; need to check that the
first character is not '\0' instead.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These were restored into BoringSSL in June 2015, but not all Android
branches include those changes. To fix the build, comment these call out
on Android for now if hs20-osu-client is built against BoringSSL. These
are used only for debugging purposes, so this is fine for Hotspot 2.0
functionality.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds one more step in completing hs20-osu-client support when using
BoringSSL instead of OpenSSL. EST client can now parse the cacerts file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds experimental support for using OCSP with libcurl that is built
against BoringSSL. This needs small modifications to libcurl to allow
CURLOPT_SSL_VERIFYSTATUS to be used to call
SSL_enable_ocsp_stapling(connssl->handle) in ossl_connect_step1().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL has dropped OpenSSL functionality that was used in the EST
implementation. For now, disable EST with BoringSSL to allow
hs20-osu-client to be built.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
fqdn was not freed before return in case the server uses an unsupported
location for the PPS MO in the addMO command.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
Allow user to specify the path to the spp.xsd file for hs20-osu-client
instead of requiring this to be spp.xsd in the current working
directory.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The command line option 'i' is not handled, so I assume it should
not be in the short-options list.
Fix missing word in error message as well.
Signed-off-by: Ben Greear <greearb@candelatech.com>
In case someone is compiling their own libcurl and wants to link it
statically, for instance, the new CUST_CURL_LINKAGE parameter can be
used to override the default -lcurl argument.
Signed-off-by: Ben Greear <greearb@candelatech.com>
In some error cases, pointers were dereferenced before NULL check is
done. Fix this by adding checks before the dereference.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These hs20-osu-client parameters were never applicable for Android
builds and were just copied from the non-Android Makefile as a reminder,
but not removed once rest of the Android build was fixed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These need to be done in the libxml2 build, not in hs20-osu-client. This
workaround was previously used to allow parts of the build to go
through, but that was not a complete fix and resulted in warnings now
that external/libxml2 in Android 5.0 is defining the same parameters.
Remove these from hs20-osu-client Android.mk to avoid that warning.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Numbers of hs20-osu-client functions do not use all of the parameters
currently. This makes the compiler output difficult to read due to
undesired warning messages. Get rid of those specific warnings for now.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The LOCAL_EXPORT_C_INCLUDE_DIRS from ICU did not seem to fully resolve
the build (e.g., "mm -B" failed to build, but following that with "mm"
allowed the build to complete). For now, add the include directory
manually here for Android 5.0.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>