path: root/hs20
Commit log (title; author, date, files changed, lines removed/added; message):
* HS 2.0: Fix EST compilation with OpenSSL 1.1.0 and newer
  Author: Ben Greear, 2019-01-01, 1 file, -0/+13 lines
  SKM_sk_value() is not available anymore, so use DEFINE_STACK_OF() to get the appropriate accessor functions.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* HS 2.0 server: Allow policy to be set for SIM provisioning
  Author: Jouni Malinen, 2018-12-16, 1 file, -24/+69 lines
  A new osu_config field "sim_policy" can now be used to specify the policy template for SIM provisioning.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: SIM provisioning exchange
  Author: Jouni Malinen, 2018-12-15, 5 files, -6/+264 lines
  Support SIM provisioning exchange with SPP. This uses the hotspot2dot0-mobile-identifier-hash value from the AAA server to allow subscription registration through subscription remediation exchange.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: RADIUS server support for SIM provisioning
  Author: Jouni Malinen, 2018-12-15, 1 file, -0/+8 lines
  This adds support for hostapd-as-RADIUS-authentication-server to request subscription remediation for SIM-based credentials. The new hostapd.conf parameter hs20_sim_provisioning_url is used to set the URL prefix for the remediation server for SIM provisioning. The random hotspot2dot0-mobile-identifier-hash value will be added to the end of this URL prefix and the same value is stored in a new SQLite database table sim_provisioning for the subscription server implementation to use.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Fix a couple of memory leaks
  Author: Jouni Malinen, 2018-12-04, 1 file, -1/+7 lines
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Client certificate reenrollment
  Author: Jouni Malinen, 2018-12-04, 3 files, -16/+197 lines
  This adds support for the SPP server to request certificate reenrollment and for the EST server to support the simplereenroll version.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Document client certificate related Apache configuration
  Author: Jouni Malinen, 2018-12-03, 1 file, -0/+5 lines
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Clear remediation requirement for certificate credentials
  Author: Jouni Malinen, 2018-12-03, 1 file, -2/+48 lines
  Previous implementation updated user database only for username/password credentials. While client certificates do not need the updated password to be written, they do need the remediation requirement to be cleared, so fix that.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Do not set phase2=1 for certificate-based users
  Author: Jouni Malinen, 2018-12-03, 1 file, -10/+7 lines
  These are not really using Phase 2, so use more appropriate configuration when going through online signup for client certificates.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Include phase2=0 users for TLS in the user list
  Author: Jouni Malinen, 2018-12-03, 1 file, -1/+1 lines
  EAP-TLS users are not really using phase2, so do not require the database to be set in a way that claims that inaccurately.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Do not require devinfo.xml for all hs20-osu-client operations
  Author: Jouni Malinen, 2018-10-30, 2 files, -17/+16 lines
  hs20-osu-client refused to do anything if it could not find devinfo.xml from the current working directory. This is a bit excessive since that file was used in init_ctx() only to fill in ctx->devid which is used when constructing OMA DM messages. Move the check for ctx->devid into OMA DM specific code so that other hs20-osu-client functionality can be used without the devinfo.xml file.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Record policy update into users table
  Author: Jouni Malinen, 2018-10-19, 2 files, -1/+5 lines
  This makes it easier to track whether a policy update has been successfully completed.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Rename PPS/Credential1 node to Cred01
  Author: Jouni Malinen, 2018-10-19, 1 file, -5/+5 lines
  This makes it a bit easier to use existing hardcoded PPS MO files for testing purposes when the subscription remediation and policy update operations target the same path.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Fix SubscriptionUpdate UpdateMethod value in OSU server
  Author: Jouni Malinen, 2018-10-19, 1 file, -1/+1 lines
  This node was modified a long time ago to include the "SPP-" prefix. Fix the OSU server implementation to use the correct value.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: OSU server test functionality for incorrect behavior (policy)
  Author: Jouni Malinen, 2018-10-19, 1 file, -1/+18 lines
  Extend test=<value> special incorrect behavior testing capabilities in the OSU server to include the fingerprint of the policy update trust root: test=corrupt_polupd_hash.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: OSU server test functionality for incorrect behavior
  Author: Jouni Malinen, 2018-10-17, 6 files, -12/+74 lines
  Add a mechanism to allow special incorrect behavior to be requested from OSU server by adding an optional parameter test=<value> to the initial signup URL. This is for protocol testing purposes for the OSU client. This commit adds two special behavior cases: corrupt_aaa_hash and corrupt_subrem_hash. These can be used to generate PPS MO with invalid CertSHA256Fingerprint values for AAAServerTrustRoot and SubscriptionUpdate nodes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Reject PPS MO if polupd or AAA trust root is invalid
  Author: Jouni Malinen, 2018-10-17, 1 file, -5/+9 lines
  Previously, this was done only for the subscription remediation/update trust root. The other downloaded files were also verified, but the OSU server was not notified if the files were found to be invalid. Modify hs20-osu-client behavior to explicitly notify the OSU server if any of the three trust root types cannot be successfully downloaded.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Subscription remediation with user selected new password
  Author: Jouni Malinen, 2018-10-11, 3 files, -12/+107 lines
  Add support for user remediation to request a new password from the user for username/password credentials that have been configured not to use machine managed password.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Show whether credential is machine managed
  Author: Jouni Malinen, 2018-10-11, 1 file, -0/+3 lines
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Make user list more readable
  Author: Jouni Malinen, 2018-10-11, 1 file, -8/+8 lines
  Order the rows based on identity and use a bit smaller font for some of the fields to make the table fit on the screen more easily.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Clarify signup page options
  Author: Jouni Malinen, 2018-10-11, 1 file, -0/+8 lines
  Make it clearer that there are three different types of credentials that can be provisioned.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Do not perform subrem if not requested to
  Author: Jouni Malinen, 2018-10-11, 1 file, -1/+3 lines
  Instead of defaulting to machine remediation, reject a request to do subscription remediation if that has not been configured to be required.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Add last_msk into users table setup
  Author: Jouni Malinen, 2018-10-07, 1 file, -1/+2 lines
  This field is used for debugging purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Reject OSU connection for Single SSID case without OSU_NAI
  Author: Jouni Malinen, 2018-10-05, 1 file, -0/+4 lines
  The Single SSID case can only use OSEN, so reject the case where OSU_NAI is not set and open OSU connection would be used since that connection cannot succeed.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Use alternative OSU_NAI information in hs20-osu-client
  Author: Jouni Malinen, 2018-10-05, 1 file, -2/+14 lines
  Extend hs20-osu-client to support the new osu_nai2 value for OSU connection with the shared BSS (Single SSID) case.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Remove hs20-osu-client debug file Cert/est-resp.raw
  Author: Jouni Malinen, 2018-09-26, 2 files, -7/+0 lines
  This was used during initial EST development time testing, but the same information is available in the debug log and since this separate file is deleted automatically, just remove its generation completely to simplify implementation.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Store device MAC address into database
  Author: Jouni Malinen, 2018-09-15, 3 files, -21/+93 lines
  This is needed for tracking status of certificate enrollment cases.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Fix T&C server database check
  Author: Jouni Malinen, 2018-09-12, 1 file, -2/+4 lines
  It was possible for the wait loop to exit early due to the $row[0] == 1 check returning false if the database value was not yet set. Fix this by updating the $waiting default value only if the database actually has a value for this field.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allow OSU SSID selection to be enforced for testing purposes
  Author: Jouni Malinen, 2018-09-12, 2 files, -1/+21 lines
  This allows hs20-osu-client to be requested to select a specific OSU SSID with the new command line argument (-o<OSU_SSID>). This is useful for testing single SSID transition mode cases.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Use shared SSID (if available) for OSU by default
  Author: Jouni Malinen, 2018-09-12, 1 file, -2/+21 lines
  When the AP is detected to have single BSS shared for RSN and OSEN, use that BSS for OSU by default instead of the one based on the OSU_SSID in the OSU Providers list.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Replace deprecated PHP function split()
  Author: Jouni Malinen, 2018-09-10, 1 file, -1/+1 lines
  Use explode() instead of split() because split() has been removed from PHP 7.0.0 and there is no need for using full regular expression here.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Fix hs20-osu-client handling of HomeSP/HomeOIList/<X+>/HomeOI
  Author: Jouni Malinen, 2018-08-02, 1 file, -2/+1 lines
  This node was mapped to a SET_CRED roaming_consortium command with quotation marks even though this is a hexdump of the OI. Remove the quotation marks to allow this to be set correctly in the wpa_supplicant credential.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allow CCMP as group cipher for OSEN single SSID case
  Author: Jouni Malinen, 2018-07-30, 1 file, -1/+1 lines
  When OSEN is used in the BSS that is shared both for production data and OSU uses, the group cipher might be either GTK_NOT_USED (like in Rel 2 OSEN) or CCMP. Modify hs20-osu-client to allow both these group ciphers to be used when requesting OSEN connection.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: CoA-Request from Terms and Conditions server
  Author: Jouni Malinen, 2018-06-22, 3 files, -0/+41 lines
  This extends the terms.php implementation of Hotspot 2.0 Terms and Conditions server to allow it to interact with hostapd(AS) to clear the filtering rules from the AP. After requesting hostapd to send out the CoA-Request, terms.php waits for up to 10 seconds to see whether the current_sessions table gets an update to indicate that filtering has been successfully disabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Process Credential/UsernamePassword/EAPMethod nodes in PPS MO
  Author: Jouni Malinen, 2018-06-21, 1 file, -1/+83 lines
  This allows hs20-osu-client to configure wpa_supplicant credential with a specific EAP method so that roaming consortium OI -based matching can be used.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Terms and Conditions server and management
  Author: Jouni Malinen, 2018-04-30, 4 files, -1/+70 lines
  Add minimal Terms and Conditions server for testing purposes. This can be used to test user interaction for Terms and Conditions acceptance.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Update server SQL DB initialization to cover new fields
  Author: Jouni Malinen, 2018-04-30, 1 file, -1/+15 lines
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Update server instructions for Ubuntu 16.04
  Author: Jouni Malinen, 2018-04-30, 1 file, -10/+4 lines
  Some of the Ubuntu package names have changed for PHP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: OSU client to send HomeSP/RoamingConsortiumOI to wpa_supplicant
  Author: Jouni Malinen, 2018-04-17, 1 file, -1/+3 lines
  This adds mapping of the PPS MO HomeSP/RoamingConsortiumOI leaf node value into the wpa_supplicant cred block parameter roaming_consortiums.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Set appropriate permission(s) for cert file/folders on Android
  Author: Purushottam Kushwaha, 2018-01-12, 1 file, -23/+34 lines
  This commit adds additional permission to 'SP' and 'Cert' folders which is needed to copy certificates from Cert to SP. Additionally, this associates AID_WIFI group id with these folders.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OSU server: Remove invalid options from documentation
  Author: Masashi Honma, 2017-02-11, 1 file, -2/+2 lines
  Remove -d and -I options which cause an "Illegal option" error.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* hs20-osu-client: Hide a trivial compiler warning
  Author: Masashi Honma, 2017-02-06, 1 file, -1/+1 lines
  This patch hides a compiler warning:
    osu_client.c: In function ‘cmd_osu_select’:
    osu_client.c:2200:2: warning: ‘osu_count’ may be used uninitialized in this function [-Wmaybe-uninitialized]
      for (i = 0; i < osu_count; i++) {
      ^
  osu_count is actually initialized in parse_osu_providers() if non-NULL value is returned.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* HS 2.0 server: Remove redundant NULL check
  Author: Maneesh Jain, 2016-10-28, 1 file, -4/+2 lines
  Both devinfo and devdetail are non-NULL here due to the earlier check within the same function.
  Signed-off-by: Maneesh Jain <maneesh.jain@samsung.com>
* HS 2.0R2: No longer use HTTP_RAW_POST_DATA
  Author: Cedric Izoard, 2016-06-19, 1 file, -1/+2 lines
  As HTTP_RAW_POST_DATA is deprecated, use php://input instead.
  Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
* hs20-osu-client: Fix pol_upd command line parsing
  Author: Jouni Malinen, 2016-03-16, 1 file, -6/+3 lines
  This command was documented as having the Server URL parameter as optional, but the implementation did not match that. Allow this parameter to be left out.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hs20-osu-client: Remove dead code from sub_rem command line parsing
  Author: Jouni Malinen, 2016-03-16, 1 file, -8/+3 lines
  The error print could not have been reached since the exact same condition was verified above and exit(0) is called if the command line is invalid.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Android: Remove superfluous OpenSSL include paths
  Author: Adam Langley, 2016-03-03, 1 file, -1/+0 lines
  The libcrypto and libssl modules (and their respective static and host versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module is sufficient.
  Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* Android: Allow wpa_supplicant to write files to osu-info dir
  Author: Kanchanapally, Vidyullatha, 2016-03-03, 1 file, -1/+12 lines
  This commit allows any process running with group id of AID_WIFI to read/write files to osu-info directory. Also, it allows other users to read and search the osu-info directory. This fixes issues with hs20-osu-client creating a directory for wpa_supplicant use without wpa_supplicant actually having privileges to write there on Android where the wpa_supplicant process does not run as root.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hs20-osu-client: Fix check for osu_nai being available
  Author: Jouni Malinen, 2016-01-15, 1 file, -1/+1 lines
  This is an array, so the pointer is never NULL; need to check that the first character is not '\0' instead.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EST: Comment out X509_REQ_print calls on Android with BoringSSL
  Author: Jouni Malinen, 2015-12-04, 1 file, -0/+4 lines
  These were restored into BoringSSL in June 2015, but not all Android branches include those changes. To fix the build, comment these calls out on Android for now if hs20-osu-client is built against BoringSSL. These are used only for debugging purposes, so this is fine for Hotspot 2.0 functionality.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>