1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-27 08:00:11 +00:00

Revert "wpa: Import wpa 2.10."

This reverts commit 5eb81a4b40, reversing
changes made to c6806434e7 and
this reverts commit 679ff61123.

What happend is git rebase --rebase-merges doesn't do what is expected.
This commit is contained in:
Cy Schubert 2022-01-18 08:08:03 -08:00
parent 679ff61123
commit 64e33c5cb1
79 changed files with 8828 additions and 377 deletions

View File

@ -0,0 +1 @@
YACC: e - line 17 of "./err_syntax22.y", $2 (recur) is untyped

View File

@ -0,0 +1 @@
YACC: e - line 17 of "./err_syntax22.y", $2 (recur) is untyped

File diff suppressed because it is too large Load Diff

View File

@ -143,7 +143,7 @@ The license terms used for hostap.git files
Modified BSD license (no advertisement clause):
Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors
Copyright (c) 2002-2021, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
Redistribution and use in source and binary forms, with or without

View File

@ -1,7 +1,7 @@
wpa_supplicant and hostapd
--------------------------
Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors
Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.

View File

@ -1,7 +1,7 @@
wpa_supplicant and hostapd
--------------------------
Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors
Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
These programs are licensed under the BSD license (the one with

View File

@ -1,48 +1,5 @@
ChangeLog for hostapd
2022-01-16 - v2.10
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added option send SAE Confirm immediately (sae_config_immediate=1)
after SAE Commit
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2)
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed WPS UPnP SUBSCRIBE handling of invalid operations
[https://w1.fi/security/2020-1/]
* fixed PMF disconnection protection bypass
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* fixed various issues in experimental support for EAP-TEAP server
* added configuration (max_auth_rounds, max_auth_rounds_short) to
increase the maximum number of EAP message exchanges (mainly to
support cases with very large certificates) for the EAP server
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* extended HE (IEEE 802.11ax) support, including 6 GHz support
* removed obsolete IAPP functionality
* fixed EAP-FAST server with TLS GCM/CCM ciphers
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible; owe_ptk_workaround=1 can be used to enabled a
a workaround for the group 20/21 backwards compatibility
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* added support for PASN
* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
* a large number of other fixes, cleanup, and extensions
2019-08-07 - v2.9
* SAE changes
- disable use of groups using Brainpool curves

View File

@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP
Authenticator and RADIUS authentication server
================================================================
Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors
Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
This program is licensed under the BSD license (the one with

View File

@ -1,6 +1,6 @@
/*
* hostapd - command line interface for hostapd daemon
* Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@ -21,7 +21,7 @@
static const char *const hostapd_cli_version =
"hostapd_cli v" VERSION_STR "\n"
"Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi> and contributors";
"Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors";
static struct wpa_ctrl *ctrl_conn;
static int hostapd_cli_quit = 0;

View File

@ -1,6 +1,6 @@
/*
* hostapd / main()
* Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi>
* Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@ -454,7 +454,7 @@ static void show_version(void)
"hostapd v%s\n"
"User space daemon for IEEE 802.11 AP management,\n"
"IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator\n"
"Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> "
"Copyright (c) 2002-2019, Jouni Malinen <j@w1.fi> "
"and contributors\n",
VERSION_STR);
}

View File

@ -0,0 +1,42 @@
ALL=hs20_spp_server
include ../../src/build.rules
CFLAGS += -I../../src
CFLAGS += -I../../src/utils
CFLAGS += -I../../src/crypto
LIBS += -lsqlite3
# Using glibc < 2.17 requires -lrt for clock_gettime()
LIBS += -lrt
ifndef CONFIG_NO_GITVER
# Add VERSION_STR postfix for builds from a git repository
ifeq ($(wildcard ../../.git),../../.git)
GITVER := $(shell git describe --dirty=+)
ifneq ($(GITVER),)
CFLAGS += -DGIT_VERSION_STR_POSTFIX=\"-$(GITVER)\"
endif
endif
endif
OBJS=spp_server.o
OBJS += hs20_spp_server.o
OBJS += ../../src/utils/xml-utils.o
OBJS += ../../src/utils/base64.o
OBJS += ../../src/utils/common.o
OBJS += ../../src/utils/os_unix.o
OBJS += ../../src/utils/wpa_debug.o
OBJS += ../../src/crypto/md5-internal.o
CFLAGS += $(shell xml2-config --cflags)
LIBS += $(shell xml2-config --libs)
OBJS += ../../src/utils/xml_libxml2.o
_OBJS_VAR := OBJS
include ../../src/objs.mk
hs20_spp_server: $(OBJS)
$(LDO) $(LDFLAGS) -o hs20_spp_server $(OBJS) $(LIBS)
clean: common-clean
rm -f core *~

View File

@ -0,0 +1,13 @@
#!/bin/sh
for i in server-client server server-revoked user ocsp; do
rm -f $i.csr $i.key $i.pem
done
rm -f openssl.cnf.tmp
if [ -d demoCA ]; then
rm -r demoCA
fi
rm -f ca.pem logo.asn1 logo.der server.der ocsp-server-cache.der
rm -f my-openssl.cnf my-openssl-root.cnf
#rm -r rootCA

View File

@ -0,0 +1,17 @@
asn1 = SEQUENCE:attrs
[attrs]
#oid1 = OID:challengePassword
attr1 = SEQUENCE:extreq
oid2 = OID:sha256WithRSAEncryption
[extreq]
oid = OID:extensionRequest
vals = SET:extreqvals
[extreqvals]
oid1 = OID:macAddress
#oid2 = OID:imei
#oid3 = OID:meid
#oid4 = OID:DevId

View File

@ -0,0 +1,4 @@
#!/bin/sh
openssl asn1parse -genconf est-csrattrs.cnf -out est-csrattrs.der -oid hs20.oid
base64 est-csrattrs.der > est-attrs.b64

View File

@ -0,0 +1,7 @@
1.3.6.1.1.1.1.22 macAddress
1.2.840.113549.1.9.14 extensionRequest
1.3.6.1.4.1.40808.1.1.1 id-wfa-hotspot-friendlyName
1.3.6.1.4.1.40808.1.1.2 id-kp-HS2.0Auth
1.3.6.1.4.1.40808.1.1.3 imei
1.3.6.1.4.1.40808.1.1.4 meid
1.3.6.1.4.1.40808.1.1.5 DevId

View File

@ -0,0 +1,11 @@
#!/bin/sh
for i in *.pem; do
echo "===[ $i ]==================="
openssl ocsp -text -CAfile ca.pem -verify_other demoCA/cacert.pem -trust_other -issuer demoCA/cacert.pem -cert $i -url http://localhost:8888/
# openssl ocsp -text -CAfile rootCA/cacert.pem -issuer demoCA/cacert.pem -cert $i -url http://localhost:8888/
# openssl ocsp -text -CAfile rootCA/cacert.pem -verify_other demoCA/cacert.pem -trust_other -issuer demoCA/cacert.pem -cert $i -url http://localhost:8888/
# openssl ocsp -text -CAfile rootCA/cacert.pem -VAfile ca.pem -trust_other -issuer demoCA/cacert.pem -cert $i -url http://localhost:8888/
done

View File

@ -0,0 +1,3 @@
#!/bin/sh
openssl ocsp -index demoCA/index.txt -port 8888 -nmin 5 -rsigner demoCA/cacert.pem -rkey demoCA/private/cakey-plain.pem -CA demoCA/cacert.pem -resp_no_certs -text

View File

@ -0,0 +1,3 @@
#!/bin/sh
openssl ocsp -index demoCA/index.txt -port 8888 -nmin 5 -rsigner ocsp.pem -rkey ocsp.key -CA demoCA/cacert.pem -text -ignore_err

View File

@ -0,0 +1,11 @@
#!/bin/sh
# NOTE: You may need to replace 'localhost' with your OCSP server hostname.
openssl ocsp \
-no_nonce \
-CAfile ca.pem \
-verify_other demoCA/cacert.pem \
-issuer demoCA/cacert.pem \
-cert server.pem \
-url http://localhost:8888/ \
-respout ocsp-server-cache.der

View File

@ -0,0 +1,125 @@
# OpenSSL configuration file for Hotspot 2.0 PKI (Root CA)
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
#logotypeoid=1.3.6.1.5.5.7.1.12
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./rootCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
input_password = @PASSWORD@
output_password = @PASSWORD@
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = Tuusula
0.organizationName = Organization Name (eg, company)
0.organizationName_default = WFA Hotspot 2.0
##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@
commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName=DNS:example.com,DNS:another.example.com
[ v3_ca ]
# Hotspot 2.0 PKI requirements
subjectKeyIdentifier=hash
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
[ crl_ext ]
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

View File

@ -0,0 +1,200 @@
# OpenSSL configuration file for Hotspot 2.0 PKI (Intermediate CA)
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
#logotypeoid=1.3.6.1.5.5.7.1.12
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = ext_client # The extentions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
copy_extensions = copy
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = supplied
stateOrProvinceName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_osu_server ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
input_password = @PASSWORD@
output_password = @PASSWORD@
string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FI
countryName_min = 2
countryName_max = 2
localityName = Locality Name (eg, city)
localityName_default = Tuusula
0.organizationName = Organization Name (eg, company)
0.organizationName_default = @DOMAIN@
##organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
#@OU@
commonName = Common Name (e.g. server FQDN or YOUR name)
#@CN@
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
[ v3_ca ]
# Hotspot 2.0 PKI requirements
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, cRLSign, keyCertSign
authorityInfoAccess = OCSP;URI:@OCSP_URI@
# For SP intermediate CA
#subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
#nameConstraints=permitted;DNS:.@DOMAIN@
#1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
[ v3_osu_server ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyEncipherment
#@ALTNAME@
#logotypeoid=ASN1:SEQUENCE:LogotypeExtn
1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
[LogotypeExtn]
communityLogos=EXP:0,SEQUENCE:LogotypeInfo
[LogotypeInfo]
# note: implicit tag converted to explicit for CHOICE
direct=EXP:0,SEQUENCE:LogotypeData
[LogotypeData]
image=SEQUENCE:LogotypeImage
[LogotypeImage]
imageDetails=SEQUENCE:LogotypeDetails
imageInfo=SEQUENCE:LogotypeImageInfo
[LogotypeDetails]
mediaType=IA5STRING:image/png
logotypeHash=SEQUENCE:HashAlgAndValues
logotypeURI=SEQUENCE:URI
[HashAlgAndValues]
value1=SEQUENCE:HashAlgAndValueSHA256
#value2=SEQUENCE:HashAlgAndValueSHA1
[HashAlgAndValueSHA256]
hashAlg=SEQUENCE:sha256_alg
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@
[HashAlgAndValueSHA1]
hashAlg=SEQUENCE:sha1_alg
hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@
[sha256_alg]
algorithm=OID:sha256
[sha1_alg]
algorithm=OID:sha1
[URI]
uri=IA5STRING:@LOGO_URI@
[LogotypeImageInfo]
# default value color(1), component optional
#type=IMP:0,INTEGER:1
fileSize=INTEGER:7549
xSize=INTEGER:128
ySize=INTEGER:80
language=IMP:4,IA5STRING:zxx
[ crl_ext ]
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
[ ext_client ]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = clientAuth
[ ext_server ]
# Hotspot 2.0 PKI requirements
basicConstraints=critical, CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
authorityInfoAccess = OCSP;URI:@OCSP_URI@
#@ALTNAME@
extendedKeyUsage = critical, serverAuth
keyUsage = critical, keyEncipherment

View File

@ -0,0 +1,209 @@
#!/bin/sh
if [ -z "$OPENSSL" ]; then
OPENSSL=openssl
fi
export OPENSSL_CONF=$PWD/openssl.cnf
PASS=whatever
if [ -z "$DOMAIN" ]; then
DOMAIN=w1.fi
fi
COMPANY=w1.fi
OPER_ENG="engw1.fi TESTING USE"
OPER_FI="finw1.fi TESTIKÄYTTÖ"
CNR="Hotspot 2.0 Trust Root CA - 99"
CNO="ocsp.$DOMAIN"
CNV="osu-revoked.$DOMAIN"
CNOC="osu-client.$DOMAIN"
OSU_SERVER_HOSTNAME="osu.$DOMAIN"
DEBUG=0
OCSP_URI="http://$CNO:8888/"
LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d"
LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b"
# Command line overrides
USAGE=$( cat <<EOF
Usage:\n
# -c: Company name, used to generate Subject name CN for Intermediate CA\n
# -C: Subject name CN of the Root CA ($CNR)\n
# -D: Enable debugging (set -x, etc)\n
# -g: Logo sha1 hash ($LOGO_HASH1)\n
# -G: Logo sha256 hash ($LOGO_HASH256)\n
# -h: Show this help message\n
# -l: Logo URI ($LOGO_URI)\n
# -m: Domain ($DOMAIN)\n
# -o: Subject name CN for OSU-Client Server ($CNOC)\n
# -O: Subject name CN for OCSP Server ($CNO)\n
# -p: passphrase for private keys ($PASS)\n
# -r: Operator-english ($OPER_ENG)\n
# -R: Operator-finish ($OPER_FI)\n
# -S: OSU Server name ($OSU_SERVER_HOSTNAME)\n
# -u: OCSP-URI ($OCSP_URI)\n
# -V: Subject name CN for OSU-Revoked Server ($CNV)\n
EOF
)
while getopts "c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h" flag
do
case $flag in
c) COMPANY=$OPTARG;;
C) CNR=$OPTARG;;
D) DEBUG=1;;
g) LOGO_HASH1=$OPTARG;;
G) LOGO_HASH256=$OPTARG;;
h) echo -e $USAGE; exit 0;;
l) LOGO_URI=$OPTARG;;
m) DOMAIN=$OPTARG;;
o) CNOC=$OPTARG;;
O) CNO=$OPTARG;;
p) PASS=$OPTARG;;
r) OPER_ENG=$OPTARG;;
R) OPER_FI=$OPTARG;;
S) OSU_SERVER_HOSTNAME=$OPTARG;;
u) OCSP_URI=$OPTARG;;
V) CNV=$OPTARG;;
*) echo "Unknown flag: $flag"; echo -e $USAGE; exit 1;;
esac
done
fail()
{
echo "$*"
exit 1
}
echo
echo "---[ Root CA ]----------------------------------------------------------"
echo
if [ $DEBUG = 1 ]
then
set -x
fi
# Set the passphrase and some other common config accordingly.
cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \
> my-openssl-root.cnf
cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" |
sed "s,@OCSP_URI@,$OCSP_URI," |
sed "s,@LOGO_URI@,$LOGO_URI," |
sed "s,@LOGO_HASH1@,$LOGO_HASH1," |
sed "s,@LOGO_HASH256@,$LOGO_HASH256," |
sed "s/@DOMAIN@/$DOMAIN/" \
> my-openssl.cnf
cat my-openssl-root.cnf | sed "s/#@CN@/commonName_default = $CNR/" > openssl.cnf.tmp
mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
touch rootCA/index.txt
if [ -e rootCA/private/cakey.pem ]; then
echo " * Use existing Root CA"
else
echo " * Generate Root CA private key"
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key"
echo " * Sign Root CA certificate"
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin pass:$PASS -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate"
$OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER || fail "Failed to create rootCA DER"
sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint || fail "Failed to create rootCA fingerprint"
fi
if [ ! -e rootCA/crlnumber ]; then
echo 00 > rootCA/crlnumber
fi
echo
echo "---[ Intermediate CA ]--------------------------------------------------"
echo
cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $COMPANY Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp
mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
touch demoCA/index.txt
if [ -e demoCA/private/cakey.pem ]; then
echo " * Use existing Intermediate CA"
else
echo " * Generate Intermediate CA private key"
$OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/careq.pem || fail "Failed to generate Intermediate CA private key"
echo " * Sign Intermediate CA certificate"
$OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin pass:$PASS -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate"
# horrible from security view point, but for testing purposes since OCSP responder does not seem to support -passin
openssl rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin pass:$PASS
$OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER || fail "Failed to create demoCA DER."
sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint || fail "Failed to create demoCA fingerprint"
fi
if [ ! -e demoCA/crlnumber ]; then
echo 00 > demoCA/crlnumber
fi
echo
echo "OCSP responder"
echo
cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNO/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"
echo
echo "---[ Server - to be revoked ] ------------------------------------------"
echo
cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNV/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -key $PASS -days 730 -extensions ext_server
$OPENSSL ca -revoke server-revoked.pem -key $PASS
echo
echo "---[ Server - with client ext key use ] ---------------------------------"
echo "---[ Only used for negative-testing for OSU-client implementation ] -----"
echo
cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNOC/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key || fail "Could not create server-client.key"
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create server-client.pem"
echo
echo "---[ User ]-------------------------------------------------------------"
echo
cat my-openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key || fail "Could not create user.key"
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create user.pem"
echo
echo "---[ Server ]-----------------------------------------------------------"
echo
ALT="DNS:$OSU_SERVER_HOSTNAME"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
cat my-openssl.cnf |
sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" |
sed "s/^##organizationalUnitName/organizationalUnitName/" |
sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
> openssl.cnf.tmp
echo $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server
$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -sha256 -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -reqexts v3_osu_server || fail "Failed to generate server request"
$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server.csr -out server.pem -key $PASS -days 730 -extensions ext_server -policy policy_osu_server || fail "Failed to sign server certificate"
#dump logotype details for debugging
$OPENSSL x509 -in server.pem -out server.der -outform DER
openssl asn1parse -in server.der -inform DER | grep HEX | tail -1 | sed 's/.*://' | xxd -r -p > logo.der
openssl asn1parse -in logo.der -inform DER > logo.asn1
echo
echo "---[ CRL ]---------------------------------------------------------------"
echo
$OPENSSL ca -config $PWD/my-openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS
echo
echo "---[ Verify ]------------------------------------------------------------"
echo
$OPENSSL verify -CAfile rootCA/cacert.pem demoCA/cacert.pem
$OPENSSL verify -CAfile rootCA/cacert.pem -untrusted demoCA/cacert.pem *.pem
cat rootCA/cacert.pem demoCA/cacert.pem > ca.pem

Binary file not shown.

After

Width:  |  Height:  |  Size: 7.4 KiB

View File

@ -0,0 +1,262 @@
Hotspot 2.0 OSU server
======================
The information in this document is based on the assumption that Ubuntu
16.04 server (64-bit) distribution is used and the web server is
Apache2. Neither of these are requirements for the installation, but if
other combinations are used, the package names and configuration
parameters may need to be adjusted.
NOTE: This implementation and the example configuration here is meant
only for testing purposes in a lab environment. This design is not
secure to be installed in a publicly available Internet server without
considerable amount of modification and review for security issues.
Build dependencies
------------------
Ubuntu 16.04 server
- default installation
- upgraded to latest package versions
sudo apt-get update
sudo apt-get upgrade
Packages needed for running the service:
sudo apt-get install sqlite3
sudo apt-get install apache2
sudo apt-get install php-sqlite3 php-xml libapache2-mod-php
Additional packages needed for building the components:
sudo apt-get install build-essential
sudo apt-get install libsqlite3-dev
sudo apt-get install libssl-dev
sudo apt-get install libxml2-dev
Installation location
---------------------
Select a location for the installation root directory. The example here
assumes /home/user/hs20-server to be used, but this can be changed by
editing couple of files as indicated below.
sudo mkdir -p /home/user/hs20-server
sudo chown $USER /home/user/hs20-server
mkdir -p /home/user/hs20-server/spp
mkdir -p /home/user/hs20-server/AS
Build
-----
# hostapd as RADIUS server
cd hostapd
#example build configuration
cat > .config <<EOF
CONFIG_DRIVER_NONE=y
CONFIG_PKCS12=y
CONFIG_RADIUS_SERVER=y
CONFIG_EAP=y
CONFIG_EAP_TLS=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_GTC=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
CONFIG_SQLITE=y
CONFIG_HS20=y
EOF
make hostapd hlr_auc_gw
cp hostapd hlr_auc_gw /home/user/hs20-server/AS
# build hs20_spp_server
cd ../hs20/server
make clean
make
cp hs20_spp_server /home/user/hs20-server/spp
# prepare database (web server user/group needs to have write access)
mkdir -p /home/user/hs20-server/AS/DB
sudo chgrp www-data /home/user/hs20-server/AS/DB
sudo chmod g+w /home/user/hs20-server/AS/DB
sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql.txt
sudo chgrp www-data /home/user/hs20-server/AS/DB/eap_user.db
sudo chmod g+w /home/user/hs20-server/AS/DB/eap_user.db
# add example configuration (note: need to update URLs to match the system)
sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt
# copy PHP scripts
# Modify config.php if different installation directory is used.
# Modify PHP scripts to get the desired behavior for user interaction (or use
# the examples as-is for initial testing).
cp -r www /home/user/hs20-server
# Create /home/user/hs20-server/terms-and-conditions file (HTML segment to be
# inserted within the BODY section of the page).
cat > /home/user/hs20-server/terms-and-conditions <<EOF
<P>Terms and conditions..</P>
EOF
# Build local keys and certs
cd ca
# Display help options.
./setup.sh -h
# Remove old keys, fill in appropriate values, and generate your keys.
# For instance:
./clean.sh
rm -fr rootCA"
old_hostname=myserver.local
./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" \
-o $old_hostname-osu-client \
-O $old_hostname-oscp -p lanforge -S $old_hostname \
-V $old_hostname-osu-revoked \
-m local -u http://$old_hostname:8888/
# Configure subscription policies
mkdir -p /home/user/hs20-server/spp/policy
cat > /home/user/hs20-server/spp/policy/default.xml <<EOF
<Policy>
<PolicyUpdate>
<UpdateInterval>30</UpdateInterval>
<UpdateMethod>ClientInitiated</UpdateMethod>
<Restriction>Unrestricted</Restriction>
<URI>https://policy-server.osu.example.com/hs20/spp.php</URI>
</PolicyUpdate>
</Policy>
EOF
# Install Hotspot 2.0 SPP and OMA DM XML schema/DTD files
# XML schema for SPP
# Copy the latest XML schema into /home/user/hs20-server/spp/spp.xsd
# OMA DM Device Description Framework DTD
# Copy into /home/user/hs20-server/spp/dm_ddf-v1_2.dtd
# http://www.openmobilealliance.org/tech/DTD/dm_ddf-v1_2.dtd
# Configure RADIUS authentication service
# Note: Change the URL to match the setup
# Note: Install AAA server key/certificate and root CA in Key directory
cat > /home/user/hs20-server/AS/as-sql.conf <<EOF
driver=none
radius_server_clients=as.radius_clients
eap_server=1
eap_user_file=sqlite:DB/eap_user.db
ca_cert=Key/ca.pem
server_cert=Key/server.pem
private_key=Key/server.key
private_key_passwd=passphrase
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=eap_sim.db
subscr_remediation_url=https://subscription-server.osu.example.com/hs20/spp.php
EOF
# Set RADIUS passphrase for the APs
# Note: Modify to match the setup
cat > /home/user/hs20-server/AS/as.radius_clients <<EOF
0.0.0.0/0 radius
EOF
Start RADIUS authentication server
----------------------------------
cd /home/user/hs20-server/AS
./hostapd -B as-sql.conf
OSEN RADIUS server configuration notes
The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
configuration in it. For example:
# hostapd-radius config for the radius used by the OSEN AP
interface=eth0#0
driver=none
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
eap_server=1
eap_user_file=/home/user/hs20-server/AS/hostapd-osen.eap_user
server_id=ben-ota-2-osen
radius_server_auth_port=1811
radius_server_clients=/home/user/hs20-server/AS/hostap.radius_clients
ca_cert=/home/user/hs20-server/ca/ca.pem
server_cert=/home/user/hs20-server/ca/server.pem
private_key=/home/user/hs20-server/ca/server.key
private_key_passwd=whatever
ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-server-cache.der
The /home/user/hs20-server/AS/hostapd-osen.eap_user file should look
similar to this, and should coorelate with the osu_nai entry in
the non-OSEN VAP config file. For instance:
# cat hostapd-osen.eap_user
# For OSEN authentication (Hotspot 2.0 Release 2)
"osen@w1.fi" WFA-UNAUTH-TLS
# Run OCSP server:
cd /home/user/hs20-server/ca
./ocsp-responder.sh&
# Update cache (This should be run periodically)
./ocsp-update-cache.sh
Configure web server
--------------------
Edit /etc/apache2/sites-available/default-ssl
Add following block just before "SSL Engine Switch" line":
Alias /hs20/ "/home/user/hs20-server/www/"
<Directory "/home/user/hs20-server/www/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Require all granted
SSLOptions +StdEnvVars
</Directory>
Update SSL configuration to use the OSU server certificate/key.
They keys and certs are called 'server.key' and 'server.pem' from
ca/setup.sh.
To support subscription remediation using client certificates, set
"SSLVerifyClient optional" and configure the trust root CA(s) for the
client certificates with SSLCACertificateFile.
Enable default-ssl site and restart Apache2:
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo service apache2 restart
Management UI
-------------
The sample PHP scripts include a management UI for testing
purposes. That is available at https://<server>/hs20/users.php
AP configuration
----------------
APs can now be configured to use the OSU server as the RADIUS
authentication server. In addition, the OSU Provider List ANQP element
should be configured to use the SPP (SOAP+XML) option and with the
following Server URL:
https://<server>/hs20/spp.php/signup?realm=example.com

View File

@ -0,0 +1,207 @@
/*
* Hotspot 2.0 SPP server - standalone version
* Copyright (c) 2012-2013, Qualcomm Atheros, Inc.
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include <time.h>
#include <sqlite3.h>
#include "common.h"
#include "common/version.h"
#include "xml-utils.h"
#include "spp_server.h"
static void write_timestamp(FILE *f)
{
time_t t;
struct tm *tm;
time(&t);
tm = localtime(&t);
fprintf(f, "%04u-%02u-%02u %02u:%02u:%02u ",
tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
tm->tm_hour, tm->tm_min, tm->tm_sec);
}
void debug_print(struct hs20_svc *ctx, int print, const char *fmt, ...)
{
va_list ap;
if (ctx->debug_log == NULL)
return;
write_timestamp(ctx->debug_log);
va_start(ap, fmt);
vfprintf(ctx->debug_log, fmt, ap);
va_end(ap);
fprintf(ctx->debug_log, "\n");
}
void debug_dump_node(struct hs20_svc *ctx, const char *title, xml_node_t *node)
{
char *str;
if (ctx->debug_log == NULL)
return;
str = xml_node_to_str(ctx->xml, node);
if (str == NULL)
return;
write_timestamp(ctx->debug_log);
fprintf(ctx->debug_log, "%s: '%s'\n", title, str);
os_free(str);
}
static int process(struct hs20_svc *ctx)
{
int dmacc = 0;
xml_node_t *soap, *spp, *resp;
char *user, *realm, *post, *str;
ctx->addr = getenv("HS20ADDR");
if (ctx->addr)
debug_print(ctx, 1, "Connection from %s", ctx->addr);
ctx->test = getenv("HS20TEST");
if (ctx->test)
debug_print(ctx, 1, "Requested test functionality: %s",
ctx->test);
user = getenv("HS20USER");
if (user && strlen(user) == 0)
user = NULL;
realm = getenv("HS20REALM");
if (realm == NULL) {
debug_print(ctx, 1, "HS20REALM not set");
return -1;
}
post = getenv("HS20POST");
if (post == NULL) {
debug_print(ctx, 1, "HS20POST not set");
return -1;
}
ctx->imsi = getenv("HS20IMSI");
if (ctx->imsi)
debug_print(ctx, 1, "IMSI %s", ctx->imsi);
ctx->eap_method = getenv("HS20EAPMETHOD");
if (ctx->eap_method)
debug_print(ctx, 1, "EAP method %s", ctx->eap_method);
ctx->id_hash = getenv("HS20IDHASH");
if (ctx->id_hash)
debug_print(ctx, 1, "ID-HASH %s", ctx->id_hash);
soap = xml_node_from_buf(ctx->xml, post);
if (soap == NULL) {
debug_print(ctx, 1, "Could not parse SOAP data");
return -1;
}
debug_dump_node(ctx, "Received SOAP message", soap);
spp = soap_get_body(ctx->xml, soap);
if (spp == NULL) {
debug_print(ctx, 1, "Could not get SPP message");
xml_node_free(ctx->xml, soap);
return -1;
}
debug_dump_node(ctx, "Received SPP message", spp);
resp = hs20_spp_server_process(ctx, spp, user, realm, dmacc);
xml_node_free(ctx->xml, soap);
if (resp == NULL && user == NULL) {
debug_print(ctx, 1, "Request HTTP authentication");
return 2; /* Request authentication */
}
if (resp == NULL) {
debug_print(ctx, 1, "No response");
return -1;
}
soap = soap_build_envelope(ctx->xml, resp);
if (soap == NULL) {
debug_print(ctx, 1, "SOAP envelope building failed");
return -1;
}
str = xml_node_to_str(ctx->xml, soap);
xml_node_free(ctx->xml, soap);
if (str == NULL) {
debug_print(ctx, 1, "Could not get node string");
return -1;
}
printf("%s", str);
free(str);
return 0;
}
static void usage(void)
{
printf("usage:\n"
"hs20_spp_server -r<root directory> [-f<debug log>]\n");
}
int main(int argc, char *argv[])
{
struct hs20_svc ctx;
int ret;
os_memset(&ctx, 0, sizeof(ctx));
for (;;) {
int c = getopt(argc, argv, "f:r:v");
if (c < 0)
break;
switch (c) {
case 'f':
if (ctx.debug_log)
break;
ctx.debug_log = fopen(optarg, "a");
if (ctx.debug_log == NULL) {
printf("Could not write to %s\n", optarg);
return -1;
}
break;
case 'r':
ctx.root_dir = optarg;
break;
case 'v':
printf("hs20_spp_server v%s\n", VERSION_STR);
return 0;
default:
usage();
return -1;
}
}
if (ctx.root_dir == NULL) {
usage();
return -1;
}
ctx.xml = xml_node_init_ctx(&ctx, NULL);
if (ctx.xml == NULL)
return -1;
if (hs20_spp_server_init(&ctx) < 0) {
xml_node_deinit_ctx(ctx.xml);
return -1;
}
ret = process(&ctx);
debug_print(&ctx, 1, "process() --> %d", ret);
xml_node_deinit_ctx(ctx.xml);
hs20_spp_server_deinit(&ctx);
if (ctx.debug_log)
fclose(ctx.debug_log);
return ret;
}

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,36 @@
/*
* Hotspot 2.0 SPP server
* Copyright (c) 2012-2013, Qualcomm Atheros, Inc.
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#ifndef SPP_SERVER_H
#define SPP_SERVER_H
struct hs20_svc {
const void *ctx;
struct xml_node_ctx *xml;
char *root_dir;
FILE *debug_log;
sqlite3 *db;
const char *addr;
const char *test;
const char *imsi;
const char *eap_method;
const char *id_hash;
};
void debug_print(struct hs20_svc *ctx, int print, const char *fmt, ...)
__attribute__ ((format (printf, 3, 4)));
void debug_dump_node(struct hs20_svc *ctx, const char *title, xml_node_t *node);
xml_node_t * hs20_spp_server_process(struct hs20_svc *ctx, xml_node_t *node,
const char *auth_user,
const char *auth_realm, int dmacc);
int hs20_spp_server_init(struct hs20_svc *ctx);
void hs20_spp_server_deinit(struct hs20_svc *ctx);
#endif /* SPP_SERVER_H */

View File

@ -0,0 +1,17 @@
INSERT INTO osu_config(realm,field,value) VALUES('example.com','fqdn','example.com');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','friendly_name','Example Operator');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','spp_http_auth_url','https://subscription-server.osu.example.com/hs20/spp.php?realm=example.com');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','trust_root_cert_url','https://osu-server.osu.example.com/hs20/files/spp-root-ca.der');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','trust_root_cert_fingerprint','5b393a9246865569485c2605c3304e48212b449367858299beba9384c4cf4647');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','aaa_trust_root_cert_url','https://osu-server.osu.example.com/hs20/files/aaa-root-ca.der');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','aaa_trust_root_cert_fingerprint','5b393a9246865569485c2605c3304e48212b449367858299beba9384c4cf4647');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','free_account','free');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','policy_url','https://subscription-server.osu.example.com/hs20/spp.php?realm=example.com');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','remediation_url','https://subscription-server.osu.example.com/hs20/remediation.php?session_id=');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','free_remediation_url','https://subscription-server.osu.example.com/hs20/free-remediation.php?session_id=');
INSERT INTO osu_config(realm,field,value) VALUES('example.com','signup_url','https://subscription-server.osu.example.com/hs20/signup.php?session_id=');
INSERT INTO users(identity,realm,methods,password,phase2,shared) VALUES('free','example.com','TTLS-MSCHAPV2','free',1,1);
INSERT INTO wildcards(identity,methods) VALUES('','TTLS,TLS');

View File

@ -0,0 +1,108 @@
CREATE TABLE eventlog(
user TEXT,
realm TEXT,
sessionid TEXT COLLATE NOCASE,
timestamp TEXT,
notes TEXT,
dump TEXT,
addr TEXT
);
CREATE TABLE sessions(
timestamp TEXT,
id TEXT COLLATE NOCASE,
user TEXT,
realm TEXT,
password TEXT,
machine_managed BOOLEAN,
operation INTEGER,
type TEXT,
pps TEXT,
redirect_uri TEXT,
devinfo TEXT,
devdetail TEXT,
cert TEXT,
cert_pem TEXT,
mac_addr TEXT,
osu_user TEXT,
osu_password TEXT,
eap_method TEXT,
mobile_identifier_hash TEXT,
test TEXT
);
CREATE index sessions_id_index ON sessions(id);
CREATE TABLE osu_config(
realm TEXT,
field TEXT,
value TEXT
);
CREATE TABLE users(
identity TEXT PRIMARY KEY,
methods TEXT,
password TEXT,
machine_managed BOOLEAN,
remediation TEXT,
phase2 INTEGER,
realm TEXT,
policy TEXT,
devinfo TEXT,
devdetail TEXT,
pps TEXT,
fetch_pps INTEGER,
osu_user TEXT,
osu_password TEXT,
shared INTEGER,
cert TEXT,
cert_pem TEXT,
t_c_timestamp INTEGER,
mac_addr TEXT,
last_msk TEXT,
polupd_done TEXT,
subrem TEXT
);
CREATE TABLE wildcards(
identity TEXT PRIMARY KEY,
methods TEXT
);
CREATE TABLE authlog(
timestamp TEXT,
session TEXT,
nas_ip TEXT,
username TEXT,
note TEXT
);
CREATE TABLE pending_tc(
mac_addr TEXT PRIMARY KEY,
identity TEXT
);
CREATE TABLE current_sessions(
mac_addr TEXT PRIMARY KEY,
identity TEXT,
start_time TEXT,
nas TEXT,
hs20_t_c_filtering BOOLEAN,
waiting_coa_ack BOOLEAN,
coa_ack_received BOOLEAN
);
CREATE TABLE cert_enroll(
mac_addr TEXT PRIMARY KEY,
user TEXT,
realm TEXT,
serialnum TEXT
);
CREATE TABLE sim_provisioning(
mobile_identifier_hash TEXT PRIMARY KEY,
imsi TEXT,
mac_addr TEXT,
eap_method TEXT,
timestamp TEXT
);

View File

@ -0,0 +1,50 @@
<?php
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (isset($_POST["id"]))
$id = preg_replace("/[^a-fA-F0-9]/", "", $_POST["id"]);
else
die("Missing session id");
if (strlen($id) < 32)
die("Invalid session id");
$row = $db->query("SELECT rowid,* FROM sessions WHERE id='$id'")->fetch();
if ($row == false) {
die("Session not found");
}
$uri = $row['redirect_uri'];
$rowid = $row['rowid'];
$realm = $row['realm'];
$row = $db->query("SELECT value FROM osu_config WHERE realm='$realm' AND field='free_account'")->fetch();
if (!$row || strlen($row['value']) == 0) {
die("Free account disabled");
}
$user = $row['value'];
$row = $db->query("SELECT password FROM users WHERE identity='$user' AND realm='$realm'")->fetch();
if (!$row)
die("Free account not found");
$pw = $row['password'];
if (!$db->exec("UPDATE sessions SET user='$user', password='$pw', realm='$realm', machine_managed='1' WHERE rowid=$rowid")) {
die("Failed to update session database");
}
$db->exec("INSERT INTO eventlog(user,realm,sessionid,timestamp,notes) " .
"VALUES ('$user', '$realm', '$id', " .
"strftime('%Y-%m-%d %H:%M:%f','now'), " .
"'completed user input response for a new PPS MO')");
header("Location: $uri", true, 302);
?>

View File

@ -0,0 +1,56 @@
<?php
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (isset($_POST["id"]))
$id = preg_replace("/[^a-fA-F0-9]/", "", $_POST["id"]);
else
die("Missing session id");
$user = $_POST["user"];
$pw = $_POST["password"];
if (strlen($id) < 32 || !isset($user) || !isset($pw)) {
die("Invalid POST data");
}
if (strlen($user) < 1 || strncasecmp($user, "cert-", 5) == 0) {
echo "<html><body><p><red>Invalid username</red></p>\n";
echo "<a href=\"signup.php?session_id=$id\">Try again</a>\n";
echo "</body></html>\n";
exit;
}
$row = $db->query("SELECT rowid,* FROM sessions WHERE id='$id'")->fetch();
if ($row == false) {
die("Session not found");
}
$realm = $row['realm'];
$userrow = $db->query("SELECT identity FROM users WHERE identity='$user' AND realm='$realm'")->fetch();
if ($userrow) {
echo "<html><body><p><red>Selected username is not available</red></p>\n";
echo "<a href=\"signup.php?session_id=$id\">Try again</a>\n";
echo "</body></html>\n";
exit;
}
$uri = $row['redirect_uri'];
$rowid = $row['rowid'];
if (!$db->exec("UPDATE sessions SET user='$user', password='$pw', realm='$realm', type='password' WHERE rowid=$rowid")) {
die("Failed to update session database");
}
$db->exec("INSERT INTO eventlog(user,realm,sessionid,timestamp,notes) " .
"VALUES ('$user', '$realm', '$id', " .
"strftime('%Y-%m-%d %H:%M:%f','now'), " .
"'completed user input response for a new PPS MO')");
header("Location: $uri", true, 302);
?>

View File

@ -0,0 +1,39 @@
<?php
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (isset($_GET["id"]))
$id = preg_replace("/[^a-fA-F0-9]/", "", $_GET["id"]);
else
die("Missing session id");
if (strlen($id) < 32)
die("Invalid session id");
$row = $db->query("SELECT rowid,* FROM sessions WHERE id='$id'")->fetch();
if ($row == false) {
die("Session not found");
}
$uri = $row['redirect_uri'];
$rowid = $row['rowid'];
$realm = $row['realm'];
$user = sha1(mt_rand());
if (!$db->exec("UPDATE sessions SET user='$user', type='cert' WHERE rowid=$rowid")) {
die("Failed to update session database");
}
$db->exec("INSERT INTO eventlog(user,realm,sessionid,timestamp,notes) " .
"VALUES ('', '$realm', '$id', " .
"strftime('%Y-%m-%d %H:%M:%f','now'), " .
"'completed user input response for client certificate enrollment')");
header("Location: $uri", true, 302);
?>

View File

@ -0,0 +1,7 @@
<?php
$osu_root = "/home/user/hs20-server";
$osu_db = "sqlite:$osu_root/AS/DB/eap_user.db";
$t_c_file = "$osu_root/terms-and-conditions";
$t_c_timestamp = 123456789;
$hostapd_ctrl = "udg:///home/user/hs20-server/AS/ctrl/as"
?>

View File

@ -0,0 +1,232 @@
<?php
require('config.php');
$params = explode("/", $_SERVER["PATH_INFO"], 3);
$realm = $params[1];
$cmd = $params[2];
$method = $_SERVER["REQUEST_METHOD"];
unset($user);
unset($rowid);
$db = new PDO($osu_db);
if (!$db) {
error_log("EST: Could not access database");
die("Could not access database");
}
if (!empty($_SERVER['PHP_AUTH_DIGEST'])) {
$needed = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1,
'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
$_SERVER['PHP_AUTH_DIGEST'], $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed[$m[1]]);
}
if ($needed) {
error_log("EST: Missing auth parameter");
die('Authentication failed');
}
$user = $data['username'];
if (strlen($user) < 1) {
error_log("EST: Empty username");
die('Authentication failed');
}
$sql = "SELECT rowid,password,operation FROM sessions " .
"WHERE user='$user' AND realm='$realm'";
$q = $db->query($sql);
if (!$q) {
error_log("EST: Session not found for user=$user realm=$realm");
die("Session not found");
}
$row = $q->fetch();
if (!$row) {
error_log("EST: Session fetch failed for user=$user realm=$realm");
die('Session not found');
}
$rowid = $row['rowid'];
$oper = $row['operation'];
if ($oper != '5') {
error_log("EST: Unexpected operation $oper for user=$user realm=$realm");
die("Session not found");
}
$pw = $row['password'];
if (strlen($pw) < 1) {
error_log("EST: Empty password for user=$user realm=$realm");
die('Authentication failed');
}
$A1 = md5($user . ':' . $realm . ':' . $pw);
$A2 = md5($method . ':' . $data['uri']);
$resp = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .
$data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
if ($data['response'] != $resp) {
error_log("EST: Incorrect authentication response for user=$user realm=$realm");
die('Authentication failed');
}
} else if (isset($_SERVER["SSL_CLIENT_VERIFY"]) &&
$_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" &&
isset($_SERVER["SSL_CLIENT_M_SERIAL"])) {
$user = "cert-" . $_SERVER["SSL_CLIENT_M_SERIAL"];
$sql = "SELECT rowid,password,operation FROM sessions " .
"WHERE user='$user' AND realm='$realm'";
$q = $db->query($sql);
if (!$q) {
error_log("EST: Session not found for user=$user realm=$realm");
die("Session not found");
}
$row = $q->fetch();
if (!$row) {
error_log("EST: Session fetch failed for user=$user realm=$realm");
die('Session not found');
}
$rowid = $row['rowid'];
$oper = $row['operation'];
if ($oper != '10') {
error_log("EST: Unexpected operation $oper for user=$user realm=$realm");
die("Session not found");
}
}
if ($method == "GET" && $cmd == "cacerts") {
$fname = "$osu_root/est/$realm-cacerts.pkcs7";
if (!file_exists($fname)) {
error_log("EST: cacerts - unknown realm $realm");
die("Unknown realm");
}
header("Content-Transfer-Encoding: base64");
header("Content-Type: application/pkcs7-mime");
$data = file_get_contents($fname);
echo wordwrap(base64_encode($data), 72, "\n", true);
echo "\n";
error_log("EST: cacerts");
} else if ($method == "GET" && $cmd == "csrattrs") {
header("Content-Transfer-Encoding: base64");
header("Content-Type: application/csrattrs");
readfile("$osu_root/est/est-attrs.b64");
error_log("EST: csrattrs");
} else if ($method == "POST" &&
($cmd == "simpleenroll" || $cmd == "simplereenroll")) {
$reenroll = $cmd == "simplereenroll";
if (!$reenroll && (!isset($user) || strlen($user) == 0)) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
error_log("EST: simpleenroll - require authentication");
die('Authentication required');
}
if ($reenroll &&
(!isset($user) ||
!isset($_SERVER["SSL_CLIENT_VERIFY"]) ||
$_SERVER["SSL_CLIENT_VERIFY"] != "SUCCESS")) {
header('HTTP/1.1 403 Forbidden');
error_log("EST: simplereenroll - require certificate authentication");
die('Authentication required');
}
if (!isset($_SERVER["CONTENT_TYPE"])) {
error_log("EST: simpleenroll without Content-Type");
die("Missing Content-Type");
}
if (!stristr($_SERVER["CONTENT_TYPE"], "application/pkcs10")) {
error_log("EST: simpleenroll - unexpected Content-Type: " .
$_SERVER["CONTENT_TYPE"]);
die("Unexpected Content-Type");
}
$data = file_get_contents("php://input");
error_log("EST: simpleenroll - POST data from php://input: " . $data);
$req = base64_decode($data);
if ($req == FALSE) {
error_log("EST: simpleenroll - Invalid base64-encoded PKCS#10 data");
die("Invalid base64-encoded PKCS#10 data");
}
$cadir = "$osu_root/est";
$reqfile = "$cadir/tmp/cert-req.pkcs10";
$f = fopen($reqfile, "wb");
fwrite($f, $req);
fclose($f);
$req_pem = "$reqfile.pem";
if (file_exists($req_pem))
unlink($req_pem);
exec("openssl req -in $reqfile -inform DER -out $req_pem -outform PEM");
if (!file_exists($req_pem)) {
error_log("EST: simpleenroll - Failed to parse certificate request");
die("Failed to parse certificate request");
}
/* FIX: validate request and add HS 2.0 extensions to cert */
$cert_pem = "$cadir/tmp/req-signed.pem";
if (file_exists($cert_pem))
unlink($cert_pem);
exec("openssl x509 -req -in $req_pem -CAkey $cadir/cakey.pem -out $cert_pem -CA $cadir/cacert.pem -CAserial $cadir/serial -days 365 -text");
if (!file_exists($cert_pem)) {
error_log("EST: simpleenroll - Failed to sign certificate");
die("Failed to sign certificate");
}
$cert = file_get_contents($cert_pem);
$handle = popen("openssl x509 -in $cert_pem -serial -noout", "r");
$serial = fread($handle, 200);
pclose($handle);
$pattern = "/serial=(?P<snhex>[0-9a-fA-F:]*)/m";
preg_match($pattern, $serial, $matches);
if (!isset($matches['snhex']) || strlen($matches['snhex']) < 1) {
error_log("EST: simpleenroll - Could not get serial number");
die("Could not get serial number");
}
$sn = str_replace(":", "", strtoupper($matches['snhex']));
$user = "cert-$sn";
error_log("EST: user = $user");
$cert_der = "$cadir/tmp/req-signed.der";
if (file_exists($cert_der))
unlink($cert_der);
exec("openssl x509 -in $cert_pem -inform PEM -out $cert_der -outform DER");
if (!file_exists($cert_der)) {
error_log("EST: simpleenroll - Failed to convert certificate");
die("Failed to convert certificate");
}
$der = file_get_contents($cert_der);
$fingerprint = hash("sha256", $der);
error_log("EST: sha256(DER cert): $fingerprint");
$pkcs7 = "$cadir/tmp/est-client.pkcs7";
if (file_exists($pkcs7))
unlink($pkcs7);
exec("openssl crl2pkcs7 -nocrl -certfile $cert_pem -out $pkcs7 -outform DER");
if (!file_exists($pkcs7)) {
error_log("EST: simpleenroll - Failed to prepare PKCS#7 file");
die("Failed to prepare PKCS#7 file");
}
if (!$db->exec("UPDATE sessions SET user='$user', cert='$fingerprint', cert_pem='$cert' WHERE rowid=$rowid")) {
error_log("EST: simpleenroll - Failed to update session database");
die("Failed to update session database");
}
header("Content-Transfer-Encoding: base64");
header("Content-Type: application/pkcs7-mime");
$data = file_get_contents($pkcs7);
$resp = wordwrap(base64_encode($data), 72, "\n", true);
echo $resp . "\n";
error_log("EST: simpleenroll - PKCS#7 response: " . $resp);
} else {
header("HTTP/1.0 404 Not Found");
error_log("EST: Unexpected method or path");
die("Unexpected method or path");
}
?>

View File

@ -0,0 +1,19 @@
<html>
<head>
<title>Hotspot 2.0 - public and free hotspot - remediation</title>
</head>
<body>
<h3>Hotspot 2.0 - public and free hotspot</h3>
<p>Terms and conditions have changed. You need to accept the new terms
to continue using this network.</p>
<p>Terms and conditions..</p>
<?php
echo "<a href=\"redirect.php?id=" . $_GET["session_id"] . "\">Accept</a><br>\n";
?>
</body>
</html>

View File

@ -0,0 +1,23 @@
<html>
<head>
<title>Hotspot 2.0 - public and free hotspot</title>
</head>
<body>
<?php
$id = $_GET["session_id"];
echo "<h3>Hotspot 2.0 - public and free hotspot</h3>\n";
echo "<form action=\"add-free.php\" method=\"POST\">\n";
echo "<input type=\"hidden\" name=\"id\" value=\"$id\">\n";
?>
<p>Terms and conditions..</p>
<input type="submit" value="Accept">
</form>
</body>
</html>

View File

@ -0,0 +1,32 @@
<?php
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (isset($_GET["id"]))
$id = preg_replace("/[^a-fA-F0-9]/", "", $_GET["id"]);
else
$id = 0;
$row = $db->query("SELECT rowid,* FROM sessions WHERE id='$id'")->fetch();
if ($row == false) {
die("Session not found");
}
$uri = $row['redirect_uri'];
header("Location: $uri", true, 302);
$user = $row['user'];
$realm = $row['realm'];
$db->exec("INSERT INTO eventlog(user,realm,sessionid,timestamp,notes) " .
"VALUES ('$user', '$realm', '$id', " .
"strftime('%Y-%m-%d %H:%M:%f','now'), " .
"'redirected after user input')");
?>

View File

@ -0,0 +1,41 @@
<?php
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (isset($_POST["id"]))
$id = preg_replace("/[^a-fA-F0-9]/", "", $_POST["id"]);
else
die("Missing session id");
$pw = $_POST["password"];
if (strlen($id) < 32 || !isset($pw)) {
die("Invalid POST data");
}
$row = $db->query("SELECT rowid,* FROM sessions WHERE id='$id'")->fetch();
if ($row == false) {
die("Session not found");
}
$user = $row['user'];
$realm = $row['realm'];
$uri = $row['redirect_uri'];
$rowid = $row['rowid'];
if (!$db->exec("UPDATE sessions SET password='$pw' WHERE rowid=$rowid")) {
die("Failed to update session database");
}
$db->exec("INSERT INTO eventlog(user,realm,sessionid,timestamp,notes) " .
"VALUES ('$user', '$realm', '$id', " .
"strftime('%Y-%m-%d %H:%M:%f','now'), " .
"'completed user input response for subscription remediation')");
header("Location: $uri", true, 302);
?>

View File

@ -0,0 +1,55 @@
<html>
<head>
<title>Hotspot 2.0 subscription remediation</title>
</head>
<body>
<?php
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (isset($_GET["session_id"]))
$id = preg_replace("/[^a-fA-F0-9]/", "", $_GET["session_id"]);
else
$id = 0;
echo "SessionID: " . $id . "<br>\n";
$row = $db->query("SELECT * FROM sessions WHERE id='$id'")->fetch();
if ($row == false) {
die("Session not found");
}
$username = $row['user'];
echo "User: " . $username . "@" . $row['realm'] . "<br>\n";
$user = $db->query("SELECT machine_managed,methods FROM users WHERE identity='$username'")->fetch();
if ($user == false) {
die("User not found");
}
echo "<hr><br>\n";
$cert = $user['methods'] == "TLS" || strncmp($username, "cert-", 5) == 0;
if ($cert) {
echo "<a href=\"redirect.php?id=" . $_GET["session_id"] . "\">Complete user subscription remediation</a><br>\n";
} else if ($user['machine_managed'] == "1") {
echo "<a href=\"redirect.php?id=" . $_GET["session_id"] . "\">Complete user subscription remediation</a><br>\n";
echo "This will provide a new machine-generated password.<br>\n";
} else {
echo "<form action=\"remediation-pw.php\" method=\"POST\">\n";
echo "<input type=\"hidden\" name=\"id\" value=\"$id\">\n";
echo "New password: <input type=\"password\" name=\"password\"><br>\n";
echo "<input type=\"submit\" value=\"Change password\">\n";
echo "</form>\n";
}
?>
</body>
</html>

View File

@ -0,0 +1,59 @@
<html>
<head>
<title>Hotspot 2.0 signup</title>
</head>
<body>
<?php
$id = $_GET["session_id"];
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
$row = $db->query("SELECT realm,test FROM sessions WHERE id='$id'")->fetch();
if ($row == false) {
die("Session not found for id: $id");
}
$realm = $row['realm'];
$test = $row['test'];
if (strlen($test) > 0) {
echo "<p style=\"color:#FF0000\">Special test functionality: $test</red></big></p>\n";
}
echo "<h3>Sign up for a subscription - $realm</h3>\n";
echo "<p>This page can be used to select between three different types of subscriptions for testing purposes.</p>\n";
echo "<h4>Option 1 - shared free access credential</h4>\n";
$row = $db->query("SELECT value FROM osu_config WHERE realm='$realm' AND field='free_account'")->fetch();
if ($row && strlen($row['value']) > 0) {
echo "<p><a href=\"free.php?session_id=$id\">Sign up for free access</a></p>\n";
}
echo "<h4>Option 2 - username/password credential</h4>\n";
echo "<form action=\"add-mo.php\" method=\"POST\">\n";
echo "<input type=\"hidden\" name=\"id\" value=\"$id\">\n";
?>
Select a username and password. Leave password empty to get automatically
generated and machine managed password.<br>
Username: <input type="text" name="user"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Complete subscription registration">
</form>
<?php
echo "<h4>Option 3 - client certificate credential</h4>\n";
echo "<p><a href=\"cert-enroll.php?id=$id\">Enroll a client certificate</a></p>\n"
?>
</body>
</html>

View File

@ -0,0 +1,168 @@
<?php
require('config.php');
if (!stristr($_SERVER["CONTENT_TYPE"], "application/soap+xml")) {
error_log("spp.php - Unexpected Content-Type " . $_SERVER["CONTENT_TYPE"]);
die("Unexpected Content-Type");
}
if ($_SERVER["REQUEST_METHOD"] != "POST") {
error_log("spp.php - Unexpected method " . $_SERVER["REQUEST_METHOD"]);
die("Unexpected method");
}
if (isset($_GET["realm"])) {
$realm = $_GET["realm"];
$realm = PREG_REPLACE("/[^0-9a-zA-Z\.\-]/i", '', $realm);
} else {
error_log("spp.php - Realm not specified");
die("Realm not specified");
}
if (isset($_GET["test"]))
$test = PREG_REPLACE("/[^0-9a-zA-Z\_\-]/i", '', $_GET["test"]);
else
$test = "";
unset($user);
putenv("HS20CERT");
if (!empty($_SERVER['PHP_AUTH_DIGEST'])) {
$needed = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1,
'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@',
$_SERVER['PHP_AUTH_DIGEST'], $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed[$m[1]]);
}
if ($needed) {
error_log("spp.php - Authentication failed - missing: " . print_r($needed));
die('Authentication failed');
}
$user = $data['username'];
if (strlen($user) < 1) {
error_log("spp.php - Authentication failed - empty username");
die('Authentication failed');
}
$db = new PDO($osu_db);
if (!$db) {
error_log("spp.php - Could not access database");
die("Could not access database");
}
$row = $db->query("SELECT password FROM users " .
"WHERE identity='$user' AND realm='$realm'")->fetch();
if (!$row) {
$row = $db->query("SELECT osu_password FROM users " .
"WHERE osu_user='$user' AND realm='$realm'")->fetch();
$pw = $row['osu_password'];
} else
$pw = $row['password'];
if (!$row) {
error_log("spp.php - Authentication failed - user '$user' not found");
die('Authentication failed');
}
if (strlen($pw) < 1) {
error_log("spp.php - Authentication failed - empty password");
die('Authentication failed');
}
$A1 = md5($user . ':' . $realm . ':' . $pw);
$A2 = md5($_SERVER['REQUEST_METHOD'] . ':' . $data['uri']);
$resp = md5($A1 . ':' . $data['nonce'] . ':' . $data['nc'] . ':' .
$data['cnonce'] . ':' . $data['qop'] . ':' . $A2);
if ($data['response'] != $resp) {
error_log("Authentication failure - response mismatch");
die('Authentication failed');
}
} else if (isset($_SERVER["SSL_CLIENT_VERIFY"]) &&
$_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" &&
isset($_SERVER["SSL_CLIENT_M_SERIAL"])) {
$user = "cert-" . $_SERVER["SSL_CLIENT_M_SERIAL"];
putenv("HS20CERT=yes");
} else if (isset($_GET["hotspot2dot0-mobile-identifier-hash"])) {
$id_hash = $_GET["hotspot2dot0-mobile-identifier-hash"];
$id_hash = PREG_REPLACE("/[^0-9a-h]/i", '', $id_hash);
$db = new PDO($osu_db);
if (!$db) {
error_log("spp.php - Could not access database");
die("Could not access database");
}
$row = $db->query("SELECT * FROM sim_provisioning " .
"WHERE mobile_identifier_hash='$id_hash'")->fetch();
if (!$row) {
error_log("spp.php - SIM provisioning failed - mobile_identifier_hash not found");
die('SIM provisioning failed - mobile_identifier_hash not found');
}
$imsi = $row['imsi'];
$mac_addr = $row['mac_addr'];
$eap_method = $row['eap_method'];
$row = $db->query("SELECT COUNT(*) FROM osu_config " .
"WHERE realm='$realm'")->fetch();
if (!$row || intval($row[0]) < 1) {
error_log("spp.php - SIM provisioning failed - realm $realm not found");
die('SIM provisioning failed');
}
error_log("spp.php - SIM provisioning for IMSI $imsi");
putenv("HS20SIMPROV=yes");
putenv("HS20IMSI=$imsi");
putenv("HS20MACADDR=$mac_addr");
putenv("HS20EAPMETHOD=$eap_method");
putenv("HS20IDHASH=$id_hash");
} else if (!isset($_SERVER["PATH_INFO"]) ||
$_SERVER["PATH_INFO"] != "/signup") {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
error_log("spp.php - Authentication required (not signup)");
die('Authentication required (not signup)');
}
if (isset($user) && strlen($user) > 0)
putenv("HS20USER=$user");
else
putenv("HS20USER");
putenv("HS20REALM=$realm");
$postdata = file_get_contents("php://input");
putenv("HS20POST=$postdata");
$addr = $_SERVER["REMOTE_ADDR"];
putenv("HS20ADDR=$addr");
putenv("HS20TEST=$test");
$last = exec("$osu_root/spp/hs20_spp_server -r$osu_root -f/tmp/hs20_spp_server.log", $output, $ret);
if ($ret == 2) {
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$realm.
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"');
error_log("spp.php - Authentication required (ret 2)");
die('Authentication required');
} else {
error_log("spp.php - Unexpected authentication error");
die("Unexpected authentication error");
}
}
if ($ret != 0) {
error_log("spp.php - Failed to process SPP request");
die("Failed to process SPP request");
}
//error_log("spp.php: Response: " . implode($output));
header("Content-Type: application/soap+xml");
echo implode($output);
?>

View File

@ -0,0 +1,87 @@
<?php
require('config.php');
function print_header()
{
echo "<html>\n";
echo "<head><title>HS 2.0 Terms and Conditions</title></head>\n";
echo "<body>\n";
}
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (!isset($_GET["addr"])) {
die("Missing addr parameter");
}
$addr = $_GET["addr"];
$accept = isset($_GET["accept"]) && $_GET["accept"] == "yes";
$res = $db->prepare("SELECT identity FROM pending_tc WHERE mac_addr=?");
$res->execute(array($addr));
$row = $res->fetch();
if (!$row) {
die("No pending session for the specified MAC address");
}
$identity = $row[0];
if (!$accept) {
print_header();
echo "<p>Accept the following terms and conditions by clicking here: <a href=\"terms.php?addr=$addr&accept=yes\">Accept</a></p>\n<hr>\n";
readfile($t_c_file);
} else {
$res = $db->prepare("UPDATE users SET t_c_timestamp=? WHERE identity=?");
if (!$res->execute(array($t_c_timestamp, $identity))) {
die("Failed to update user account.");
}
$res = $db->prepare("DELETE FROM pending_tc WHERE mac_addr=?");
$res->execute(array($addr));
$fp = fsockopen($hostapd_ctrl);
if (!$fp) {
die("Could not connect to hostapd(AS)");
}
fwrite($fp, "DAC_REQUEST coa $addr t_c_clear");
fclose($fp);
$waiting = true;
$ack = false;
for ($i = 1; $i <= 10; $i++) {
$res = $db->prepare("SELECT waiting_coa_ack,coa_ack_received FROM current_sessions WHERE mac_addr=?");
$res->execute(array($addr));
$row = $res->fetch();
if (!$row) {
die("No current session for the specified MAC address");
}
if (strlen($row[0]) > 0)
$waiting = $row[0] == 1;
if (strlen($row[1]) > 0)
$ack = $row[1] == 1;
$res->closeCursor();
if (!$waiting)
break;
sleep(1);
}
if ($ack) {
header('X-WFA-Hotspot20-Filtering: removed');
print_header();
echo "<p>Terms and conditions were accepted.</p>\n";
echo "<P>Filtering disabled.</P>\n";
} else {
print_header();
echo "<P>Failed to disable filtering.</P>\n";
}
}
?>
</body>
</html>

View File

@ -0,0 +1,377 @@
<?php
require('config.php');
$db = new PDO($osu_db);
if (!$db) {
die($sqliteerror);
}
if (isset($_GET["id"])) {
$id = $_GET["id"];
if (!is_numeric($id))
$id = 0;
} else
$id = 0;
if (isset($_GET["cmd"]))
$cmd = $_GET["cmd"];
else
$cmd = '';
if ($cmd == 'eventlog' && $id > 0) {
$row = $db->query("SELECT dump FROM eventlog WHERE rowid=$id")->fetch();
$dump = $row['dump'];
if ($dump[0] == '<') {
header("Content-type: text/xml");
echo "<?xml version=\"1.0\"?>\n";
echo $dump;
} else {
header("Content-type: text/plain");
echo $dump;
}
exit;
}
if ($cmd == 'mo' && $id > 0) {
$mo = $_GET["mo"];
if (!isset($mo))
exit;
if ($mo != "devinfo" && $mo != "devdetail" && $mo != "pps")
exit;
$row = $db->query("SELECT $mo FROM users WHERE rowid=$id")->fetch();
header("Content-type: text/xml");
echo "<?xml version=\"1.0\"?>\n";
echo $row[$mo];
exit;
}
if ($cmd == 'cert' && $id > 0) {
$row = $db->query("SELECT cert_pem FROM users WHERE rowid=$id")->fetch();
header("Content-type: text/plain");
echo $row['cert_pem'];
exit;
}
?>
<html>
<head><title>HS 2.0 users</title></head>
<body>
<?php
if ($cmd == 'subrem-clear' && $id > 0) {
$db->exec("UPDATE users SET remediation='' WHERE rowid=$id");
}
if ($cmd == 'subrem-add-user' && $id > 0) {
$db->exec("UPDATE users SET remediation='user' WHERE rowid=$id");
}
if ($cmd == 'subrem-add-machine' && $id > 0) {
$db->exec("UPDATE users SET remediation='machine' WHERE rowid=$id");
}
if ($cmd == 'subrem-add-reenroll' && $id > 0) {
$db->exec("UPDATE users SET remediation='reenroll' WHERE rowid=$id");
}
if ($cmd == 'subrem-add-policy' && $id > 0) {
$db->exec("UPDATE users SET remediation='policy' WHERE rowid=$id");
}
if ($cmd == 'subrem-add-free' && $id > 0) {
$db->exec("UPDATE users SET remediation='free' WHERE rowid=$id");
}
if ($cmd == 'fetch-pps-on' && $id > 0) {
$db->exec("UPDATE users SET fetch_pps=1 WHERE rowid=$id");
}
if ($cmd == 'fetch-pps-off' && $id > 0) {
$db->exec("UPDATE users SET fetch_pps=0 WHERE rowid=$id");
}
if ($cmd == 'reset-pw' && $id > 0) {
$db->exec("UPDATE users SET password='ChangeMe' WHERE rowid=$id");
}
if ($cmd == "policy" && $id > 0 && isset($_GET["policy"])) {
$policy = $_GET["policy"];
if ($policy == "no-policy" ||
is_readable("$osu_root/spp/policy/$policy.xml")) {
$db->exec("UPDATE users SET policy='$policy' WHERE rowid=$id");
}
}
if ($cmd == "account-type" && $id > 0 && isset($_GET["type"])) {
$type = $_GET["type"];
if ($type == "shared")
$db->exec("UPDATE users SET shared=1 WHERE rowid=$id");
if ($type == "default")
$db->exec("UPDATE users SET shared=0 WHERE rowid=$id");
}
if ($cmd == "set-osu-cred" && $id > 0) {
$osu_user = $_POST["osu_user"];
$osu_password = $_POST["osu_password"];
if (strlen($osu_user) == 0)
$osu_password = "";
$db->exec("UPDATE users SET osu_user='$osu_user', osu_password='$osu_password' WHERE rowid=$id");
}
if ($cmd == 'clear-t-c' && $id > 0) {
$db->exec("UPDATE users SET t_c_timestamp=NULL WHERE rowid=$id");
}
$dump = 0;
if ($id > 0) {
if (isset($_GET["dump"])) {
$dump = $_GET["dump"];
if (!is_numeric($dump))
$dump = 0;
} else
$dump = 0;
echo "[<a href=\"users.php\">All users</a>] ";
if ($dump == 0)
echo "[<a href=\"users.php?id=$id&dump=1\">Include debug dump</a>] ";
else
echo "[<a href=\"users.php?id=$id\">Without debug dump</a>] ";
echo "<br>\n";
$row = $db->query("SELECT rowid,* FROM users WHERE rowid=$id")->fetch();
echo "<H3>" . $row['identity'] . "@" . $row['realm'] . "</H3>\n";
echo "MO: ";
if (strlen($row['devinfo']) > 0) {
echo "[<a href=\"users.php?cmd=mo&id=$id&mo=devinfo\">DevInfo</a>]\n";
}
if (strlen($row['devdetail']) > 0) {
echo "[<a href=\"users.php?cmd=mo&id=$id&mo=devdetail\">DevDetail</a>]\n";
}
if (strlen($row['pps']) > 0) {
echo "[<a href=\"users.php?cmd=mo&id=$id&mo=pps\">PPS</a>]\n";
}
if (strlen($row['cert_pem']) > 0) {
echo "[<a href=\"users.php?cmd=cert&id=$id\">Certificate</a>]\n";
}
echo "<BR>\n";
echo "Fetch PPS MO: ";
if ($row['fetch_pps'] == "1") {
echo "On next connection " .
"[<a href=\"users.php?cmd=fetch-pps-off&id=$id\">" .
"do not fetch</a>]<br>\n";
} else {
echo "Do not fetch " .
"[<a href=\"users.php?cmd=fetch-pps-on&id=$id\">" .
"request fetch</a>]<br>\n";
}
$cert = $row['cert'];
if (strlen($cert) > 0) {
echo "Certificate fingerprint: $cert<br>\n";
}
echo "Remediation: ";
$rem = $row['remediation'];
if ($rem == "") {
echo "Not required";
echo " [<a href=\"users.php?cmd=subrem-add-user&id=" .
$row['rowid'] . "\">add:user</a>]";
echo " [<a href=\"users.php?cmd=subrem-add-machine&id=" .
$row['rowid'] . "\">add:machine</a>]";
if ($row['methods'] == 'TLS') {
echo " [<a href=\"users.php?cmd=subrem-add-reenroll&id=" .
$row['rowid'] . "\">add:reenroll</a>]";
}
echo " [<a href=\"users.php?cmd=subrem-add-policy&id=" .
$row['rowid'] . "\">add:policy</a>]";
echo " [<a href=\"users.php?cmd=subrem-add-free&id=" .
$row['rowid'] . "\">add:free</a>]";
} else if ($rem == "user") {
echo "User [<a href=\"users.php?cmd=subrem-clear&id=" .
$row['rowid'] . "\">clear</a>]";
} else if ($rem == "policy") {
echo "Policy [<a href=\"users.php?cmd=subrem-clear&id=" .
$row['rowid'] . "\">clear</a>]";
} else if ($rem == "free") {
echo "Free [<a href=\"users.php?cmd=subrem-clear&id=" .
$row['rowid'] . "\">clear</a>]";
} else if ($rem == "reenroll") {
echo "Reenroll [<a href=\"users.php?cmd=subrem-clear&id=" .
$row['rowid'] . "\">clear</a>]";
} else {
echo "Machine [<a href=\"users.php?cmd=subrem-clear&id=" .
$row['rowid'] . "\">clear</a>]";
}
echo "<br>\n";
if (strncmp($row['identity'], "cert-", 5) != 0)
echo "Machine managed: " . ($row['machine_managed'] == "1" ? "TRUE" : "FALSE") . "<br>\n";
echo "<form>Policy: <select name=\"policy\" " .
"onChange=\"window.location='users.php?cmd=policy&id=" .
$row['rowid'] . "&policy=' + this.value;\">\n";
echo "<option value=\"" . $row['policy'] . "\" selected>" . $row['policy'] .
"</option>\n";
$files = scandir("$osu_root/spp/policy");
foreach ($files as $file) {
if (!preg_match("/.xml$/", $file))
continue;
if ($file == $row['policy'] . ".xml")
continue;
$p = substr($file, 0, -4);
echo "<option value=\"$p\">$p</option>\n";
}
echo "<option value=\"no-policy\">no policy</option>\n";
echo "</select></form>\n";
echo "<form>Account type: <select name=\"type\" " .
"onChange=\"window.location='users.php?cmd=account-type&id=" .
$row['rowid'] . "&type=' + this.value;\">\n";
if ($row['shared'] > 0) {
$default_sel = "";
$shared_sel = " selected";
} else {
$default_sel = " selected";
$shared_sel = "";
}
echo "<option value=\"default\"$default_sel>default</option>\n";
echo "<option value=\"shared\"$shared_sel>shared</option>\n";
echo "</select></form>\n";
echo "Phase 2 method(s): " . $row['methods'] . "<br>\n";
echo "<br>\n";
echo "<a href=\"users.php?cmd=reset-pw&id=" .
$row['rowid'] . "\">Reset AAA password</a><br>\n";
echo "<br>\n";
echo "<form action=\"users.php?cmd=set-osu-cred&id=" . $row['rowid'] .
"\" method=\"POST\">\n";
echo "OSU credentials (if username empty, AAA credentials are used):<br>\n";
echo "username: <input type=\"text\" name=\"osu_user\" value=\"" .
$row['osu_user'] . "\">\n";
echo "password: <input type=\"password\" name=\"osu_password\">\n";
echo "<input type=\"submit\" value=\"Set OSU credentials\">\n";
echo "</form>\n";
if (strlen($row['t_c_timestamp']) > 0) {
echo "<br>\n";
echo "<a href=\"users.php?cmd=clear-t-c&id=" .
$row['rowid'] .
"\">Clear Terms and Conditions acceptance</a><br>\n";
}
echo "<hr>\n";
$user = $row['identity'];
$osu_user = $row['osu_user'];
$realm = $row['realm'];
}
if ($id > 0 || ($id == 0 && $cmd == 'eventlog')) {
if ($id == 0) {
echo "[<a href=\"users.php\">All users</a>] ";
echo "<br>\n";
}
echo "<table border=1>\n";
echo "<tr>";
if ($id == 0) {
echo "<th>user<th>realm";
}
echo "<th>time<th>address<th>sessionID<th>notes";
if ($dump > 0)
echo "<th>dump";
echo "\n";
if (isset($_GET["limit"])) {
$limit = $_GET["limit"];
if (!is_numeric($limit))
$limit = 20;
} else
$limit = 20;
if ($id == 0)
$res = $db->query("SELECT rowid,* FROM eventlog ORDER BY timestamp DESC LIMIT $limit");
else if (strlen($osu_user) > 0)
$res = $db->query("SELECT rowid,* FROM eventlog WHERE (user='$user' OR user='$osu_user') AND realm='$realm' ORDER BY timestamp DESC LIMIT $limit");
else
$res = $db->query("SELECT rowid,* FROM eventlog WHERE user='$user' AND realm='$realm' ORDER BY timestamp DESC LIMIT $limit");
foreach ($res as $row) {
echo "<tr>";
if ($id == 0) {
echo "<td>" . $row['user'] . "\n";
echo "<td>" . $row['realm'] . "\n";
}
echo "<td>" . $row['timestamp'] . "\n";
echo "<td>" . $row['addr'] . "\n";
echo "<td>" . $row['sessionid'] . "\n";
echo "<td>" . $row['notes'] . "\n";
$d = $row['dump'];
if (strlen($d) > 0) {
echo "[<a href=\"users.php?cmd=eventlog&id=" . $row['rowid'] .
"\">";
if ($d[0] == '<')
echo "XML";
else
echo "txt";
echo "</a>]\n";
if ($dump > 0)
echo "<td>" . htmlspecialchars($d) . "\n";
}
}
echo "</table>\n";
}
if ($id == 0 && $cmd != 'eventlog') {
echo "[<a href=\"users.php?cmd=eventlog&limit=50\">Eventlog</a>] ";
echo "<br>\n";
echo "<table border=1 cellspacing=0 cellpadding=0>\n";
echo "<tr><th>User<th>Realm<th><small>Remediation</small><th>Policy<th><small>Account type</small><th><small>Phase 2 method(s)</small><th>DevId<th>MAC Address<th>T&C\n";
$res = $db->query('SELECT rowid,* FROM users WHERE (phase2=1 OR methods=\'TLS\') ORDER BY identity');
foreach ($res as $row) {
echo "<tr><td><a href=\"users.php?id=" . $row['rowid'] . "\"> " .
$row['identity'] . " </a>";
echo "<td>" . $row['realm'];
$rem = $row['remediation'];
echo "<td>";
if ($rem == "") {
echo "-";
} else if ($rem == "user") {
echo "User";
} else if ($rem == "policy") {
echo "Policy";
} else if ($rem == "free") {
echo "Free";
} else if ($rem == "reenroll") {
echo "Reenroll";
} else {
echo "Machine";
}
echo "<td>" . $row['policy'];
if ($row['shared'] > 0)
echo "<td>shared";
else
echo "<td>default";
echo "<td><small>" . $row['methods'] . "</small>";
echo "<td>";
$xml = xml_parser_create();
xml_parse_into_struct($xml, $row['devinfo'], $devinfo);
foreach($devinfo as $k) {
if ($k['tag'] == 'DEVID') {
echo "<small>" . $k['value'] . "</small>";
break;
}
}
echo "<td><small>" . $row['mac_addr'] . "</small>";
echo "<td><small>" . $row['t_c_timestamp'] . "</small>";
echo "\n";
}
echo "</table>\n";
}
?>
</html>

View File

@ -213,37 +213,3 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
"dragonfly: Unable to get randomness for own scalar");
return -1;
}
/* res = sqrt(val) */
int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
struct crypto_bignum *res)
{
const struct crypto_bignum *prime;
struct crypto_bignum *tmp, *one;
int ret = 0;
u8 prime_bin[DRAGONFLY_MAX_ECC_PRIME_LEN];
size_t prime_len;
/* For prime p such that p = 3 mod 4, sqrt(w) = w^((p+1)/4) mod p */
prime = crypto_ec_get_prime(ec);
prime_len = crypto_ec_prime_len(ec);
tmp = crypto_bignum_init();
one = crypto_bignum_init_uint(1);
if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
prime_len) < 0 ||
(prime_bin[prime_len - 1] & 0x03) != 3 ||
!tmp || !one ||
/* tmp = (p+1)/4 */
crypto_bignum_add(prime, one, tmp) < 0 ||
crypto_bignum_rshift(tmp, 2, tmp) < 0 ||
/* res = sqrt(val) */
crypto_bignum_exptmod(val, tmp, prime, res) < 0)
ret = -1;
crypto_bignum_deinit(tmp, 0);
crypto_bignum_deinit(one, 0);
return ret;
}

View File

@ -27,7 +27,5 @@ int dragonfly_generate_scalar(const struct crypto_bignum *order,
struct crypto_bignum *_rand,
struct crypto_bignum *_mask,
struct crypto_bignum *scalar);
int dragonfly_sqrt(struct crypto_ec *ec, const struct crypto_bignum *val,
struct crypto_bignum *res);
#endif /* DRAGONFLY_H */

View File

@ -1462,11 +1462,6 @@ enum qca_wlan_vendor_attr_p2p_listen_offload {
* Used with event to notify the puncture pattern selected in ACS operation.
* Encoding for this attribute will follow the convention used in the Disabled
* Subchannel Bitmap field of the EHT Operation IE.
*
* @QCA_WLAN_VENDOR_ATTR_ACS_EHT_ENABLED: Flag attribute.
* Used with command to configure ACS operation for EHT mode.
* Disable (flag attribute not present) - EHT disabled and
* Enable (flag attribute present) - EHT enabled.
*/
enum qca_wlan_vendor_attr_acs_offload {
QCA_WLAN_VENDOR_ATTR_ACS_CHANNEL_INVALID = 0,
@ -1488,7 +1483,6 @@ enum qca_wlan_vendor_attr_acs_offload {
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_ENABLED = 16,
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_CHANNEL = 17,
QCA_WLAN_VENDOR_ATTR_ACS_PUNCTURE_BITMAP = 18,
QCA_WLAN_VENDOR_ATTR_ACS_EHT_ENABLED = 19,
/* keep last */
QCA_WLAN_VENDOR_ATTR_ACS_AFTER_LAST,
@ -1794,53 +1788,36 @@ enum qca_access_policy {
};
/**
* enum qca_vendor_attr_tsf_cmd: Vendor attributes for TSF capture
* @QCA_WLAN_VENDOR_ATTR_TSF_CMD: Required (u32)
* Specify the TSF command. Possible values are defined in
* &enum qca_tsf_cmd.
* @QCA_WLAN_VENDOR_ATTR_TSF_TIMER_VALUE: Optional (u64)
* This attribute contains TSF timer value. This attribute is only available
* in %QCA_TSF_GET or %QCA_TSF_SYNC_GET response.
* @QCA_WLAN_VENDOR_ATTR_TSF_SOC_TIMER_VALUE: Optional (u64)
* This attribute contains SOC timer value at TSF capture. This attribute is
* only available in %QCA_TSF_GET or %QCA_TSF_SYNC_GET response.
* @QCA_WLAN_VENDOR_ATTR_TSF_SYNC_INTERVAL: Optional (u32)
* This attribute is used to provide TSF sync interval and only applicable when
* TSF command is %QCA_TSF_SYNC_START. If this attribute is not provided, the
* driver will use the default value. Time unit is in milliseconds.
* enum qca_vendor_attr_get_tsf: Vendor attributes for TSF capture
* @QCA_WLAN_VENDOR_ATTR_TSF_CMD: enum qca_tsf_operation (u32)
* @QCA_WLAN_VENDOR_ATTR_TSF_TIMER_VALUE: Unsigned 64 bit TSF timer value
* @QCA_WLAN_VENDOR_ATTR_TSF_SOC_TIMER_VALUE: Unsigned 64 bit Synchronized
* SOC timer value at TSF capture
*/
enum qca_vendor_attr_tsf_cmd {
QCA_WLAN_VENDOR_ATTR_TSF_INVALID = 0,
QCA_WLAN_VENDOR_ATTR_TSF_CMD,
QCA_WLAN_VENDOR_ATTR_TSF_TIMER_VALUE,
QCA_WLAN_VENDOR_ATTR_TSF_SOC_TIMER_VALUE,
QCA_WLAN_VENDOR_ATTR_TSF_SYNC_INTERVAL,
QCA_WLAN_VENDOR_ATTR_TSF_AFTER_LAST,
QCA_WLAN_VENDOR_ATTR_TSF_MAX =
QCA_WLAN_VENDOR_ATTR_TSF_AFTER_LAST - 1
};
/**
* enum qca_tsf_cmd: TSF driver commands
* enum qca_tsf_operation: TSF driver commands
* @QCA_TSF_CAPTURE: Initiate TSF Capture
* @QCA_TSF_GET: Get TSF capture value
* @QCA_TSF_SYNC_GET: Initiate TSF capture and return with captured value
* @QCA_TSF_AUTO_REPORT_ENABLE: Used in STA mode only. Once set, the target
* will automatically send TSF report to the host. To query
* %QCA_WLAN_VENDOR_ATTR_GET_STA_INFO_UPLINK_DELAY, this operation needs to be
* QCA_WLAN_VENDOR_ATTR_GET_STA_INFO_UPLINK_DELAY, this operation needs to be
* initiated first.
* @QCA_TSF_AUTO_REPORT_DISABLE: Used in STA mode only. Once set, the target
* will not automatically send TSF report to the host. If
* %QCA_TSF_AUTO_REPORT_ENABLE is initiated and
* %QCA_WLAN_VENDOR_ATTR_GET_STA_INFO_UPLINK_DELAY is not queried anymore, this
* QCA_TSF_AUTO_REPORT_ENABLE is initiated and
* QCA_WLAN_VENDOR_ATTR_GET_STA_INFO_UPLINK_DELAY is not queried anymore, this
* operation needs to be initiated.
* @QCA_TSF_SYNC_START: Start periodic TSF sync feature. The driver periodically
* fetches TSF and host time mapping from the firmware with interval configured
* through the %QCA_WLAN_VENDOR_ATTR_TSF_SYNC_INTERVAL attribute. If the
* interval value is not provided the driver will use the default value. The
* userspace can query the TSF and host time mapping via the %QCA_TSF_GET
* command.
* @QCA_TSF_SYNC_STOP: Stop periodic TSF sync feature.
*/
enum qca_tsf_cmd {
QCA_TSF_CAPTURE,
@ -1848,8 +1825,6 @@ enum qca_tsf_cmd {
QCA_TSF_SYNC_GET,
QCA_TSF_AUTO_REPORT_ENABLE,
QCA_TSF_AUTO_REPORT_DISABLE,
QCA_TSF_SYNC_START,
QCA_TSF_SYNC_STOP,
};
/**

View File

@ -290,16 +290,14 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
int pwd_seed_odd = 0;
u8 prime[SAE_MAX_ECC_PRIME_LEN];
size_t prime_len;
struct crypto_bignum *x = NULL, *y = NULL, *qr = NULL, *qnr = NULL;
struct crypto_bignum *x = NULL, *qr = NULL, *qnr = NULL;
u8 x_bin[SAE_MAX_ECC_PRIME_LEN];
u8 x_cand_bin[SAE_MAX_ECC_PRIME_LEN];
u8 qr_bin[SAE_MAX_ECC_PRIME_LEN];
u8 qnr_bin[SAE_MAX_ECC_PRIME_LEN];
u8 x_y[2 * SAE_MAX_ECC_PRIME_LEN];
int res = -1;
u8 found = 0; /* 0 (false) or 0xff (true) to be used as const_time_*
* mask */
unsigned int is_eq;
os_memset(x_bin, 0, sizeof(x_bin));
@ -398,42 +396,25 @@ static int sae_derive_pwe_ecc(struct sae_data *sae, const u8 *addr1,
goto fail;
}
/* y = sqrt(x^3 + ax + b) mod p
* if LSB(save) == LSB(y): PWE = (x, y)
* else: PWE = (x, p - y)
*
* Calculate y and the two possible values for PWE and after that,
* use constant time selection to copy the correct alternative.
*/
y = crypto_ec_point_compute_y_sqr(sae->tmp->ec, x);
if (!y ||
dragonfly_sqrt(sae->tmp->ec, y, y) < 0 ||
crypto_bignum_to_bin(y, x_y, SAE_MAX_ECC_PRIME_LEN,
prime_len) < 0 ||
crypto_bignum_sub(sae->tmp->prime, y, y) < 0 ||
crypto_bignum_to_bin(y, x_y + SAE_MAX_ECC_PRIME_LEN,
SAE_MAX_ECC_PRIME_LEN, prime_len) < 0) {
wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
goto fail;
}
is_eq = const_time_eq(pwd_seed_odd, x_y[prime_len - 1] & 0x01);
const_time_select_bin(is_eq, x_y, x_y + SAE_MAX_ECC_PRIME_LEN,
prime_len, x_y + prime_len);
os_memcpy(x_y, x_bin, prime_len);
wpa_hexdump_key(MSG_DEBUG, "SAE: PWE", x_y, 2 * prime_len);
crypto_ec_point_deinit(sae->tmp->pwe_ecc, 1);
sae->tmp->pwe_ecc = crypto_ec_point_from_bin(sae->tmp->ec, x_y);
if (!sae->tmp->pwe_ecc) {
wpa_printf(MSG_DEBUG, "SAE: Could not generate PWE");
if (!sae->tmp->pwe_ecc)
sae->tmp->pwe_ecc = crypto_ec_point_init(sae->tmp->ec);
if (!sae->tmp->pwe_ecc)
res = -1;
else
res = crypto_ec_point_solve_y_coord(sae->tmp->ec,
sae->tmp->pwe_ecc, x,
pwd_seed_odd);
if (res < 0) {
/*
* This should not happen since we already checked that there
* is a result.
*/
wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
}
fail:
forced_memzero(x_y, sizeof(x_y));
crypto_bignum_deinit(qr, 0);
crypto_bignum_deinit(qnr, 0);
crypto_bignum_deinit(y, 1);
os_free(stub_password);
bin_clear_free(tmp_password, password_len);
crypto_bignum_deinit(x, 1);
@ -766,9 +747,19 @@ static struct crypto_ec_point * sswu(struct crypto_ec *ec, int group,
const_time_select_bin(is_qr, bin1, bin2, prime_len, x_y);
wpa_hexdump_key(MSG_DEBUG, "SSWU: x = CSEL(l, x1, x2)", x_y, prime_len);
/* y = sqrt(v) */
/* y = sqrt(v)
* For prime p such that p = 3 mod 4 --> v^((p+1)/4) */
if (crypto_bignum_to_bin(prime, bin1, sizeof(bin1), prime_len) < 0)
goto fail;
if ((bin1[prime_len - 1] & 0x03) != 3) {
wpa_printf(MSG_DEBUG, "SSWU: prime does not have p = 3 mod 4");
goto fail;
}
y = crypto_bignum_init();
if (!y || dragonfly_sqrt(ec, v, y) < 0)
if (!y ||
crypto_bignum_add(prime, one, t1) < 0 ||
crypto_bignum_rshift(t1, 2, t1) < 0 ||
crypto_bignum_exptmod(v, t1, prime, y) < 0)
goto fail;
debug_print_bignum("SSWU: y = sqrt(v)", y, prime_len);

View File

@ -9,6 +9,6 @@
#define GIT_VERSION_STR_POSTFIX ""
#endif /* GIT_VERSION_STR_POSTFIX */
#define VERSION_STR "2.10" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX
#define VERSION_STR "2.10-devel" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX
#endif /* VERSION_H */

View File

@ -882,6 +882,18 @@ int crypto_ec_point_mul(struct crypto_ec *e, const struct crypto_ec_point *p,
*/
int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p);
/**
* crypto_ec_point_solve_y_coord - Solve y coordinate for an x coordinate
* @e: EC context from crypto_ec_init()
* @p: EC point to use for the returning the result
* @x: x coordinate
* @y_bit: y-bit (0 or 1) for selecting the y value to use
* Returns: 0 on success, -1 on failure
*/
int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
struct crypto_ec_point *p,
const struct crypto_bignum *x, int y_bit);
/**
* crypto_ec_point_compute_y_sqr - Compute y^2 = x^3 + ax + b
* @e: EC context from crypto_ec_init()

View File

@ -24,9 +24,6 @@
#include <openssl/x509.h>
#include <openssl/pem.h>
#endif /* CONFIG_ECC */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/provider.h>
#endif /* OpenSSL version >= 3.0 */
#include "common.h"
#include "utils/const_time.h"
@ -120,26 +117,6 @@ static const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x)
}
#endif /* OpenSSL version < 1.1.0 */
void openssl_load_legacy_provider(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
static bool loaded = false;
OSSL_PROVIDER *legacy;
if (loaded)
return;
legacy = OSSL_PROVIDER_load(NULL, "legacy");
if (legacy) {
OSSL_PROVIDER_load(NULL, "default");
loaded = true;
}
#endif /* OpenSSL version >= 3.0 */
}
static BIGNUM * get_group5_prime(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
@ -246,7 +223,6 @@ static int openssl_digest_vector(const EVP_MD *type, size_t num_elem,
#ifndef CONFIG_FIPS
int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
openssl_load_legacy_provider();
return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac);
}
#endif /* CONFIG_FIPS */
@ -258,8 +234,6 @@ int des_encrypt(const u8 *clear, const u8 *key, u8 *cypher)
int i, plen, ret = -1;
EVP_CIPHER_CTX *ctx;
openssl_load_legacy_provider();
/* Add parity bits to the key */
next = 0;
for (i = 0; i < 7; i++) {
@ -297,8 +271,6 @@ int rc4_skip(const u8 *key, size_t keylen, size_t skip,
int res = -1;
unsigned char skip_buf[16];
openssl_load_legacy_provider();
ctx = EVP_CIPHER_CTX_new();
if (!ctx ||
!EVP_CipherInit_ex(ctx, EVP_rc4(), NULL, NULL, NULL, 1) ||
@ -1951,27 +1923,48 @@ int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
}
int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
struct crypto_ec_point *p,
const struct crypto_bignum *x, int y_bit)
{
if (TEST_FAIL())
return -1;
if (!EC_POINT_set_compressed_coordinates_GFp(e->group, (EC_POINT *) p,
(const BIGNUM *) x, y_bit,
e->bnctx) ||
!EC_POINT_is_on_curve(e->group, (EC_POINT *) p, e->bnctx))
return -1;
return 0;
}
struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
const struct crypto_bignum *x)
{
BIGNUM *tmp;
BIGNUM *tmp, *tmp2, *y_sqr = NULL;
if (TEST_FAIL())
return NULL;
tmp = BN_new();
tmp2 = BN_new();
/* y^2 = x^3 + ax + b = (x^2 + a)x + b */
if (tmp &&
/* y^2 = x^3 + ax + b */
if (tmp && tmp2 &&
BN_mod_sqr(tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
BN_mod_add_quick(tmp, e->a, tmp, e->prime) &&
BN_mod_mul(tmp, tmp, (const BIGNUM *) x, e->prime, e->bnctx) &&
BN_mod_add_quick(tmp, tmp, e->b, e->prime))
return (struct crypto_bignum *) tmp;
BN_mod_mul(tmp2, e->a, (const BIGNUM *) x, e->prime, e->bnctx) &&
BN_mod_add_quick(tmp2, tmp2, tmp, e->prime) &&
BN_mod_add_quick(tmp2, tmp2, e->b, e->prime)) {
y_sqr = tmp2;
tmp2 = NULL;
}
BN_clear_free(tmp);
return NULL;
BN_clear_free(tmp2);
return (struct crypto_bignum *) y_sqr;
}
@ -2487,13 +2480,12 @@ struct crypto_ec_key * crypto_ec_key_gen(int group)
goto fail;
}
eckey = EVP_PKEY_get1_EC_KEY(key);
eckey = EVP_PKEY_get0_EC_KEY(key);
if (!eckey) {
key = NULL;
goto fail;
}
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
EC_KEY_free(eckey);
fail:
EC_KEY_free(ec_params);
@ -2603,34 +2595,12 @@ struct wpabuf * crypto_ec_key_get_subject_public_key(struct crypto_ec_key *key)
unsigned char *der = NULL;
int der_len;
struct wpabuf *buf;
EC_KEY *eckey;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY *tmp;
#endif /* OpenSSL version >= 3.0 */
eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
if (!eckey)
return NULL;
/* For now, all users expect COMPRESSED form */
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_COMPRESSED);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
tmp = EVP_PKEY_new();
if (!tmp)
return NULL;
if (EVP_PKEY_set1_EC_KEY(tmp, eckey) != 1) {
EVP_PKEY_free(tmp);
return NULL;
}
key = (struct crypto_ec_key *) tmp;
#endif /* OpenSSL version >= 3.0 */
EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key),
POINT_CONVERSION_COMPRESSED);
der_len = i2d_PUBKEY((EVP_PKEY *) key, &der);
EC_KEY_free(eckey);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_PKEY_free(tmp);
#endif /* OpenSSL version >= 3.0 */
if (der_len <= 0) {
wpa_printf(MSG_INFO, "OpenSSL: i2d_PUBKEY() failed: %s",
ERR_error_string(ERR_get_error(), NULL));
@ -2653,7 +2623,7 @@ struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
struct wpabuf *buf;
unsigned int key_flags;
eckey = EVP_PKEY_get1_EC_KEY((EVP_PKEY *) key);
eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
if (!eckey)
return NULL;
@ -2667,7 +2637,6 @@ struct wpabuf * crypto_ec_key_get_ecprivate_key(struct crypto_ec_key *key,
EC_KEY_set_conv_form(eckey, POINT_CONVERSION_UNCOMPRESSED);
der_len = i2d_ECPrivateKey(eckey, &der);
EC_KEY_free(eckey);
if (der_len <= 0)
return NULL;
buf = wpabuf_alloc_copy(der, der_len);
@ -2728,7 +2697,7 @@ struct wpabuf * crypto_ec_key_get_pubkey_point(struct crypto_ec_key *key,
const struct crypto_ec_point *
crypto_ec_key_get_public_key(struct crypto_ec_key *key)
{
const EC_KEY *eckey;
EC_KEY *eckey;
eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
if (!eckey)
@ -2740,7 +2709,7 @@ crypto_ec_key_get_public_key(struct crypto_ec_key *key)
const struct crypto_bignum *
crypto_ec_key_get_private_key(struct crypto_ec_key *key)
{
const EC_KEY *eckey;
EC_KEY *eckey;
eckey = EVP_PKEY_get0_EC_KEY((EVP_PKEY *) key);
if (!eckey)

View File

@ -1630,6 +1630,30 @@ int crypto_ec_point_invert(struct crypto_ec *e, struct crypto_ec_point *p)
}
int crypto_ec_point_solve_y_coord(struct crypto_ec *e,
struct crypto_ec_point *p,
const struct crypto_bignum *x, int y_bit)
{
byte buf[1 + 2 * MAX_ECC_BYTES];
int ret;
int prime_len = crypto_ec_prime_len(e);
if (TEST_FAIL())
return -1;
buf[0] = y_bit ? ECC_POINT_COMP_ODD : ECC_POINT_COMP_EVEN;
ret = crypto_bignum_to_bin(x, buf + 1, prime_len, prime_len);
if (ret <= 0)
return -1;
ret = wc_ecc_import_point_der(buf, 1 + 2 * ret, e->key.idx,
(ecc_point *) p);
if (ret != 0)
return -1;
return 0;
}
struct crypto_bignum *
crypto_ec_point_compute_y_sqr(struct crypto_ec *e,
const struct crypto_bignum *x)

View File

@ -957,10 +957,6 @@ void * tls_init(const struct tls_config *conf)
const char *ciphers;
if (tls_openssl_ref_count == 0) {
void openssl_load_legacy_provider(void);
openssl_load_legacy_provider();
tls_global = context = tls_context_new(conf);
if (context == NULL)
return NULL;
@ -3023,23 +3019,13 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags,
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
!defined(LIBRESSL_VERSION_NUMBER) && \
!defined(OPENSSL_IS_BORINGSSL)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
int need_level = 0;
#else
int need_level = 1;
#endif
if ((flags &
(TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
SSL_get_security_level(ssl) > need_level) {
/*
* Need to drop to security level 1 (or 0 with OpenSSL
* 3.0) to allow TLS versions older than 1.2 to be used
* when explicitly enabled in configuration.
*/
SSL_set_security_level(conn->ssl, need_level);
}
if ((flags & (TLS_CONN_ENABLE_TLSv1_0 | TLS_CONN_ENABLE_TLSv1_1)) &&
SSL_get_security_level(ssl) >= 2) {
/*
* Need to drop to security level 1 to allow TLS versions older
* than 1.2 to be used when explicitly enabled in configuration.
*/
SSL_set_security_level(conn->ssl, 1);
}
#endif

View File

@ -127,8 +127,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN];
u8 x_bin[MAX_ECC_PRIME_LEN];
u8 prime_bin[MAX_ECC_PRIME_LEN];
u8 x_y[2 * MAX_ECC_PRIME_LEN];
struct crypto_bignum *tmp2 = NULL, *y = NULL;
struct crypto_bignum *tmp2 = NULL;
struct crypto_hash *hash;
unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr;
int ret = 0, res;
@ -140,7 +139,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
u8 found_ctr = 0, is_odd = 0;
int cmp_prime;
unsigned int in_range;
unsigned int is_eq;
if (grp->pwe)
return -1;
@ -153,6 +151,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin),
primebytelen) < 0)
return -1;
grp->pwe = crypto_ec_point_init(grp->group);
if (!grp->pwe) {
wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums");
goto fail;
}
if ((prfbuf = os_malloc(primebytelen)) == NULL) {
wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf "
@ -258,37 +261,10 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
*/
crypto_bignum_deinit(x_candidate, 1);
x_candidate = crypto_bignum_init_set(x_bin, primebytelen);
if (!x_candidate)
goto fail;
/* y = sqrt(x^3 + ax + b) mod p
* if LSB(y) == LSB(pwd-seed): PWE = (x, y)
* else: PWE = (x, p - y)
*
* Calculate y and the two possible values for PWE and after that,
* use constant time selection to copy the correct alternative.
*/
y = crypto_ec_point_compute_y_sqr(grp->group, x_candidate);
if (!y ||
dragonfly_sqrt(grp->group, y, y) < 0 ||
crypto_bignum_to_bin(y, x_y, MAX_ECC_PRIME_LEN, primebytelen) < 0 ||
crypto_bignum_sub(prime, y, y) < 0 ||
crypto_bignum_to_bin(y, x_y + MAX_ECC_PRIME_LEN,
MAX_ECC_PRIME_LEN, primebytelen) < 0) {
wpa_printf(MSG_DEBUG, "SAE: Could not solve y");
goto fail;
}
/* Constant time selection of the y coordinate from the two
* options */
is_eq = const_time_eq(is_odd, x_y[primebytelen - 1] & 0x01);
const_time_select_bin(is_eq, x_y, x_y + MAX_ECC_PRIME_LEN,
primebytelen, x_y + primebytelen);
os_memcpy(x_y, x_bin, primebytelen);
wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: PWE", x_y, 2 * primebytelen);
grp->pwe = crypto_ec_point_from_bin(grp->group, x_y);
if (!grp->pwe) {
wpa_printf(MSG_DEBUG, "EAP-pwd: Could not generate PWE");
if (!x_candidate ||
crypto_ec_point_solve_y_coord(grp->group, grp->pwe, x_candidate,
is_odd) != 0) {
wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y");
goto fail;
}
@ -313,7 +289,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
/* cleanliness and order.... */
crypto_bignum_deinit(x_candidate, 1);
crypto_bignum_deinit(tmp2, 1);
crypto_bignum_deinit(y, 1);
crypto_bignum_deinit(qr, 1);
crypto_bignum_deinit(qnr, 1);
bin_clear_free(prfbuf, primebytelen);
@ -321,7 +296,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num,
os_memset(qnr_bin, 0, sizeof(qnr_bin));
os_memset(qr_or_qnr_bin, 0, sizeof(qr_or_qnr_bin));
os_memset(pwe_digest, 0, sizeof(pwe_digest));
forced_memzero(x_y, sizeof(x_y));
return ret;
}

View File

@ -1,58 +1,5 @@
ChangeLog for wpa_supplicant
2022-01-16 - v2.10
* SAE changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
- added support for the hash-to-element mechanism (sae_pwe=1 or
sae_pwe=2); this is currently disabled by default, but will likely
get enabled by default in the future
- fixed PMKSA caching with OKC
- added support for SAE-PK
* EAP-pwd changes
- improved protection against side channel attacks
[https://w1.fi/security/2022-1/]
* fixed P2P provision discovery processing of a specially constructed
invalid frame
[https://w1.fi/security/2021-1/]
* fixed P2P group information processing of a specially constructed
invalid frame
[https://w1.fi/security/2020-2/]
* fixed PMF disconnection protection bypass in AP mode
[https://w1.fi/security/2019-7/]
* added support for using OpenSSL 3.0
* increased the maximum number of EAP message exchanges (mainly to
support cases with very large certificates)
* fixed various issues in experimental support for EAP-TEAP peer
* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
* a number of MKA/MACsec fixes and extensions
* added support for SAE (WPA3-Personal) AP mode configuration
* added P2P support for EDMG (IEEE 802.11ay) channels
* fixed EAP-FAST peer with TLS GCM/CCM ciphers
* improved throughput estimation and BSS selection
* dropped support for libnl 1.1
* added support for nl80211 control port for EAPOL frame TX/RX
* fixed OWE key derivation with groups 20 and 21; this breaks backwards
compatibility for these groups while the default group 19 remains
backwards compatible
* added support for Beacon protection
* added support for Extended Key ID for pairwise keys
* removed WEP support from the default build (CONFIG_WEP=y can be used
to enable it, if really needed)
* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
* added support for Transition Disable mechanism to allow the AP to
automatically disable transition mode to improve security
* extended D-Bus interface
* added support for PASN
* added a file-based backend for external password storage to allow
secret information to be moved away from the main configuration file
without requiring external tools
* added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
* added support for SCS, MSCS, DSCP policy
* changed driver interface selection to default to automatic fallback
to other compiled in options
* a large number of other fixes, cleanup, and extensions
2019-08-07 - v2.9
* SAE changes
- disable use of groups using Brainpool curves

View File

@ -1,7 +1,7 @@
wpa_supplicant
==============
Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors
Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
This program is licensed under the BSD license (the one with

View File

@ -0,0 +1,16 @@
/*
* binder interface for wpa_supplicant daemon
* Copyright (c) 2004-2016, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2016, Roshan Pius <rpius@google.com>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
package fi.w1.wpa_supplicant;
/**
* Interface exposed by wpa_supplicant for each network interface it controls.
*/
interface IIface {
}

View File

@ -0,0 +1,59 @@
/*
* WPA Supplicant - binder interface for wpa_supplicant daemon
* Copyright (c) 2004-2016, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2016, Roshan Pius <rpius@google.com>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
package fi.w1.wpa_supplicant;
import android.os.PersistableBundle;
import fi.w1.wpa_supplicant.IIface;
/**
* Interface exposed by the wpa_supplicant binder service registered
* with the service manager with name: fi.w1.wpa_supplicant.
*/
interface ISupplicant {
/* Error values returned by the service to RPC method calls. */
const int ERROR_INVALID_ARGS = 1;
const int ERROR_UNKNOWN = 2;
const int ERROR_IFACE_EXISTS = 3;
const int ERROR_IFACE_UNKNOWN = 4;
/**
* Registers a wireless interface in wpa_supplicant.
*
* @param args A dictionary with arguments used to add the interface to
* wpa_supplicant.
* The dictionary may contain the following entries:
* Ifname(String) Name of the network interface to control, e.g.,
* wlan0.
* BridgeIfname(String) Name of the bridge interface to control, e.g.,
* br0.
* Driver(String) Driver name which the interface uses, e.g., nl80211.
* ConfigFile(String) Configuration file path.
*
* @return Binder object representing the interface.
*/
IIface CreateInterface(in PersistableBundle args);
/**
* Deregisters a wireless interface from wpa_supplicant.
*
* @param ifname Name of the network interface, e.g., wlan0
*/
void RemoveInterface(in @utf8InCpp String ifname);
/**
* Gets a binder object for the interface corresponding to ifname
* which wpa_supplicant already controls.
*
* @param ifname Name of the network interface, e.g., wlan0
*
* @return Binder object representing the interface.
*/
IIface GetInterface(in @utf8InCpp String ifname);
}

View File

@ -0,0 +1,20 @@
/*
* binder interface for wpa_supplicant daemon
* Copyright (c) 2004-2016, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2016, Roshan Pius <rpius@google.com>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
package fi.w1.wpa_supplicant;
import android.os.PersistableBundle;
/**
* Callback Interface exposed by the wpa_supplicant service. Clients need
* to host an instance of this binder object and pass a reference of the object
* to wpa_supplicant via the registerCallbacksObject method.
*/
interface ISupplicantCallbacks {
}

View File

@ -1780,7 +1780,6 @@ DBusMessage * wpas_dbus_handler_remove_all_creds(DBusMessage *message,
}
#ifdef CONFIG_INTERWORKING
DBusMessage *
wpas_dbus_handler_interworking_select(DBusMessage *message,
struct wpa_supplicant *wpa_s)
@ -1801,7 +1800,6 @@ wpas_dbus_handler_interworking_select(DBusMessage *message,
return reply;
}
#endif /* CONFIG_INTERWORKING */
/**

View File

@ -198,7 +198,7 @@ eapol_test -ctest.conf -a127.0.0.1 -p1812 -ssecret -r1
</refsect1>
<refsect1>
<title>Legal</title>
<para>wpa_supplicant is copyright (c) 2003-2022,
<para>wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen <email>j@w1.fi</email> and
contributors.
All Rights Reserved.</para>

View File

@ -94,7 +94,7 @@
<refsect1>
<title>Legal</title>
<para>wpa_supplicant is copyright (c) 2003-2022,
<para>wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen <email>j@w1.fi</email> and
contributors.
All Rights Reserved.</para>

View File

@ -349,7 +349,7 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
</refsect1>
<refsect1>
<title>Legal</title>
<para>wpa_supplicant is copyright (c) 2003-2022,
<para>wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen <email>j@w1.fi</email> and
contributors.
All Rights Reserved.</para>

View File

@ -95,7 +95,7 @@
</refsect1>
<refsect1>
<title>Legal</title>
<para>wpa_supplicant is copyright (c) 2003-2022,
<para>wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen <email>j@w1.fi</email> and
contributors.
All Rights Reserved.</para>

View File

@ -66,7 +66,7 @@
</refsect1>
<refsect1>
<title>Legal</title>
<para>wpa_supplicant is copyright (c) 2003-2022,
<para>wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen <email>j@w1.fi</email> and
contributors.
All Rights Reserved.</para>

View File

@ -141,7 +141,7 @@ wpa_supplicant -i ath0 -c wpa_supplicant.conf
</refsect1>
<refsect1>
<title>Legal</title>
<para>wpa_supplicant is copyright (c) 2003-2022,
<para>wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen <email>j@w1.fi</email> and
contributors.
All Rights Reserved.</para>

View File

@ -753,7 +753,7 @@ fi
</refsect1>
<refsect1>
<title>Legal</title>
<para>wpa_supplicant is copyright (c) 2003-2022,
<para>wpa_supplicant is copyright (c) 2003-2019,
Jouni Malinen <email>j@w1.fi</email> and
contributors.
All Rights Reserved.</para>

View File

@ -946,9 +946,6 @@ static void sme_auth_start_cb(struct wpa_radio_work *work, int deinit)
struct wpa_supplicant *wpa_s = work->wpa_s;
wpa_s->roam_in_progress = false;
#ifdef CONFIG_WNM
wpa_s->bss_trans_mgmt_in_progress = false;
#endif /* CONFIG_WNM */
if (deinit) {
if (work->started)
@ -995,13 +992,6 @@ void sme_authenticate(struct wpa_supplicant *wpa_s,
"SME: Reject sme_authenticate() in favor of explicit roam request");
return;
}
#ifdef CONFIG_WNM
if (wpa_s->bss_trans_mgmt_in_progress) {
wpa_dbg(wpa_s, MSG_DEBUG,
"SME: Reject sme_authenticate() in favor of BSS transition management request");
return;
}
#endif /* CONFIG_WNM */
if (radio_work_pending(wpa_s, "sme-connect")) {
/*
* The previous sme-connect work might no longer be valid due to

View File

@ -0,0 +1,477 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="8.00"
Name="eapol_test"
ProjectGUID="{0E3F2C6D-1372-48D6-BCAB-E584917C4DE3}"
RootNamespace="eapol_test"
Keyword="Win32Proj"
>
<Platforms>
<Platform
Name="Win32"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="..\..;..\..\..\src;..\..\..\src\utils;C:\dev\WpdPack\include;C:\dev\openssl\include"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="4"
DisableSpecificWarnings="4244;4267;4311"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="ws2_32.lib Crypt32.lib Winscard.lib Packet.lib wpcap.lib libeay32MT.lib ssleay32Mt.lib"
LinkIncremental="2"
AdditionalLibraryDirectories="C:\dev\WpdPack\lib;C:\dev\openssl\lib"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="1"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
AdditionalIncludeDirectories="..\..;..\..\..\src;..\..\..\src\utils;C:\dev\WpdPack\include;C:\dev\openssl\include"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
RuntimeLibrary="2"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="3"
DisableSpecificWarnings="4244;4267;4311"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="ws2_32.lib Crypt32.lib Winscard.lib Packet.lib wpcap.lib libeay32MT.lib ssleay32Mt.lib"
LinkIncremental="1"
AdditionalLibraryDirectories="C:\dev\WpdPack\lib;C:\dev\openssl\lib"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath="..\..\..\src\crypto\aes-cbc.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-ctr.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-eax.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-encblock.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-omac1.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-unwrap.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-wrap.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\base64.c"
>
</File>
<File
RelativePath="..\..\bssid_ignore.c"
>
</File>
<File
RelativePath="..\..\bss.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_common\chap.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\common.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\config.c"
>
</File>
<File
RelativePath="..\..\config.c"
>
</File>
<File
RelativePath="..\..\config_file.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\crypto_openssl.c"
>
</File>
<File
RelativePath="..\..\ctrl_iface.c"
>
</File>
<File
RelativePath="..\..\ctrl_iface_named_pipe.c"
>
</File>
<File
RelativePath="..\..\..\src\drivers\driver_common.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_aka.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_common\eap_common.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_gtc.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_leap.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_md5.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_methods.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_mschapv2.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_otp.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_peap.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_common\eap_peap_common.c"
>
</File>
<File
RelativePath="..\..\eap_register.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_sim.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_common\eap_sim_common.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_tls.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_tls_common.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_tnc.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_ttls.c"
>
</File>
<File
RelativePath="..\..\..\src\eapol_supp\eapol_supp_sm.c"
>
</File>
<File
RelativePath="..\..\eapol_test.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\eloop_win.c"
>
</File>
<File
RelativePath="..\..\events.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\fips_prf_openssl.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\ip_addr.c"
>
</File>
<File
RelativePath="..\..\..\src\l2_packet\l2_packet_winpcap.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\md5.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\ms_funcs.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\mschapv2.c"
>
</File>
<File
RelativePath="..\..\notify.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\os_win32.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\pcsc_funcs.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\peerkey.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\pmksa_cache.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\preauth.c"
>
</File>
<File
RelativePath="..\..\..\src\radius\radius.c"
>
</File>
<File
RelativePath="..\..\..\src\radius\radius_client.c"
>
</File>
<File
RelativePath="..\..\scan.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-pbkdf2.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-prf.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-tlsprf.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\tls_openssl.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\tncc.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\wpa.c"
>
</File>
<File
RelativePath="..\..\..\src\common\wpa_common.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\wpa_debug.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\wpa_ie.c"
>
</File>
<File
RelativePath="..\..\wpa_supplicant.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\wpabuf.c"
>
</File>
<File
RelativePath="..\..\wpas_glue.c"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

View File

@ -0,0 +1,215 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="8.00"
Name="wpa_cli"
ProjectGUID="{E3A7B181-22CC-4DA3-8410-6AD69879A9EC}"
RootNamespace="wpa_cli"
Keyword="Win32Proj"
>
<Platforms>
<Platform
Name="Win32"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="0"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="..\..\..\src;..\..\..\src\utils"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="4"
DisableSpecificWarnings="4244;4267"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="ws2_32.lib"
LinkIncremental="2"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="0"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
AdditionalIncludeDirectories="..\..\..\src;..\..\..\src\utils"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
RuntimeLibrary="2"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="3"
DisableSpecificWarnings="4244;4267"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="ws2_32.lib"
LinkIncremental="1"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath="..\..\..\src\utils\common.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\os_win32.c"
>
</File>
<File
RelativePath="..\..\wpa_cli.c"
>
</File>
<File
RelativePath="..\..\..\src\common\wpa_ctrl.c"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

View File

@ -0,0 +1,236 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="8.00"
Name="wpa_passphrase"
ProjectGUID="{ADBE4EA8-F0C5-40C2-AE89-C56D0F2EC1DF}"
RootNamespace="wpa_passphrase"
Keyword="Win32Proj"
>
<Platforms>
<Platform
Name="Win32"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="0"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="..\..\..\src;..\..\..\src\utils;C:\dev\openssl\include"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="4"
DisableSpecificWarnings="4244;4267"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="ws2_32.lib"
LinkIncremental="2"
AdditionalLibraryDirectories=""
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="0"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
AdditionalIncludeDirectories="..\..\..\src;..\..\..\src\utils;C:\dev\openssl\include"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
RuntimeLibrary="2"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="3"
DisableSpecificWarnings="4244;4267"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="ws2_32.lib"
LinkIncremental="1"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath="..\..\..\src\utils\common.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\md5.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\md5-internal.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\os_win32.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-internal.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-prf.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-pbkdf2.c"
>
</File>
<File
RelativePath="..\..\wpa_passphrase.c"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

View File

@ -0,0 +1,465 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="8.00"
Name="wpa_supplicant"
ProjectGUID="{8BCFDA77-AEDC-4168-8897-5B73105BBB87}"
RootNamespace="wpa_supplicant"
Keyword="Win32Proj"
>
<Platforms>
<Platform
Name="Win32"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="0"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="..\..;..\..\..\src;..\..\..\src\utils;C:\dev\WpdPack\include;C:\dev\openssl\include"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="3"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="4"
DisableSpecificWarnings="4244;4267;4311"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="wbemuuid.lib ws2_32.lib Crypt32.lib Winscard.lib Packet.lib wpcap.lib libeay32MT.lib ssleay32Mt.lib"
LinkIncremental="2"
AdditionalLibraryDirectories="C:\dev\WpdPack\lib;C:\dev\openssl\lib"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="1"
CharacterSet="0"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
AdditionalIncludeDirectories="..\..;..\..\..\src;..\..\..\src\utils;C:\dev\WpdPack\include;C:\dev\openssl\include"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE;CONFIG_WIN32_DEFAULTS"
RuntimeLibrary="2"
UsePrecompiledHeader="0"
WarningLevel="3"
Detect64BitPortabilityProblems="true"
DebugInformationFormat="3"
DisableSpecificWarnings="4244;4267;4311"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="wbemuuid.lib ws2_32.lib Crypt32.lib Winscard.lib Packet.lib wpcap.lib libeay32MT.lib ssleay32Mt.lib"
LinkIncremental="1"
AdditionalLibraryDirectories="C:\dev\WpdPack\lib;C:\dev\openssl\lib"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCWebDeploymentTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="Source Files"
Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
>
<File
RelativePath="..\..\..\src\crypto\aes-cbc.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-ctr.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-eax.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-encblock.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-omac1.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-unwrap.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\aes-wrap.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\base64.c"
>
</File>
<File
RelativePath="..\..\bssid_ignore.c"
>
</File>
<File
RelativePath="..\..\bss.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_common\chap.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\common.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\config.c"
>
</File>
<File
RelativePath="..\..\config.c"
>
</File>
<File
RelativePath="..\..\config_file.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\crypto_openssl.c"
>
</File>
<File
RelativePath="..\..\ctrl_iface.c"
>
</File>
<File
RelativePath="..\..\ctrl_iface_named_pipe.c"
>
</File>
<File
RelativePath="..\..\..\src\drivers\driver_common.c"
>
</File>
<File
RelativePath="..\..\..\src\drivers\driver_ndis.c"
>
</File>
<File
RelativePath="..\..\..\src\drivers\driver_ndis_.c"
>
</File>
<File
RelativePath="..\..\..\src\drivers\drivers.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_common\eap_common.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_gtc.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_leap.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_md5.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_methods.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_mschapv2.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_otp.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_peap.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_common\eap_peap_common.c"
>
</File>
<File
RelativePath="..\..\eap_register.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_tls.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_tls_common.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_tnc.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\eap_ttls.c"
>
</File>
<File
RelativePath="..\..\..\src\eapol_supp\eapol_supp_sm.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\eloop_win.c"
>
</File>
<File
RelativePath="..\..\events.c"
>
</File>
<File
RelativePath="..\..\..\src\l2_packet\l2_packet_winpcap.c"
>
</File>
<File
RelativePath="..\..\main.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\md5.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\ms_funcs.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\mschapv2.c"
>
</File>
<File
RelativePath="..\..\..\src\drivers\ndis_events.c"
>
</File>
<File
RelativePath="..\..\notify.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\os_win32.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\pcsc_funcs.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\peerkey.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\pmksa_cache.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\preauth.c"
>
</File>
<File
RelativePath="..\..\scan.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-pbkdf2.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-prf.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\sha1-tlsprf.c"
>
</File>
<File
RelativePath="..\..\..\src\crypto\tls_openssl.c"
>
</File>
<File
RelativePath="..\..\..\src\eap_peer\tncc.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\wpa.c"
>
</File>
<File
RelativePath="..\..\..\src\common\wpa_common.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\wpa_debug.c"
>
</File>
<File
RelativePath="..\..\..\src\rsn_supp\wpa_ie.c"
>
</File>
<File
RelativePath="..\..\wpa_supplicant.c"
>
</File>
<File
RelativePath="..\..\..\src\utils\wpabuf.c"
>
</File>
<File
RelativePath="..\..\wpas_glue.c"
>
</File>
</Filter>
<Filter
Name="Header Files"
Filter="h;hpp;hxx;hm;inl;inc;xsd"
UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
>
</Filter>
<Filter
Name="Resource Files"
Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
>
</Filter>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

View File

@ -1097,8 +1097,6 @@ static void wnm_bss_tm_connect(struct wpa_supplicant *wpa_s,
struct wpa_bss *bss, struct wpa_ssid *ssid,
int after_new_scan)
{
struct wpa_radio_work *already_connecting;
wpa_dbg(wpa_s, MSG_DEBUG,
"WNM: Transition to BSS " MACSTR
" based on BSS Transition Management Request (old BSSID "
@ -1123,18 +1121,9 @@ static void wnm_bss_tm_connect(struct wpa_supplicant *wpa_s,
return;
}
already_connecting = radio_work_pending(wpa_s, "sme-connect");
wpa_s->reassociate = 1;
wpa_printf(MSG_DEBUG, "WNM: Issuing connect");
wpa_supplicant_connect(wpa_s, bss, ssid);
/*
* Indicate that a BSS transition is in progress so scan results that
* come in before the 'sme-connect' radio work gets executed do not
* override the original connection attempt.
*/
if (!already_connecting && radio_work_pending(wpa_s, "sme-connect"))
wpa_s->bss_trans_mgmt_in_progress = true;
wnm_deallocate_memory(wpa_s);
}

View File

@ -1,6 +1,6 @@
/*
* WPA Supplicant - command line interface for wpa_supplicant daemon
* Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@ -29,7 +29,7 @@
static const char *const wpa_cli_version =
"wpa_cli v" VERSION_STR "\n"
"Copyright (c) 2004-2022, Jouni Malinen <j@w1.fi> and contributors";
"Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors";
#define VENDOR_ELEM_FRAME_ID \
" 0: Probe Req (P2P), 1: Probe Resp (P2P) , 2: Probe Resp (GO), " \

View File

@ -1,6 +1,6 @@
/*
* WPA Supplicant
* Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi>
* Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@ -71,7 +71,7 @@
const char *const wpa_supplicant_version =
"wpa_supplicant v" VERSION_STR "\n"
"Copyright (c) 2003-2022, Jouni Malinen <j@w1.fi> and contributors";
"Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and contributors";
const char *const wpa_supplicant_license =
"This software may be distributed under the terms of the BSD license.\n"
@ -3621,11 +3621,6 @@ static void wpas_start_assoc_cb(struct wpa_radio_work *work, int deinit)
struct ieee80211_vht_capabilities vhtcaps_mask;
#endif /* CONFIG_VHT_OVERRIDES */
wpa_s->roam_in_progress = false;
#ifdef CONFIG_WNM
wpa_s->bss_trans_mgmt_in_progress = false;
#endif /* CONFIG_WNM */
if (deinit) {
if (work->started) {
wpa_s->connect_work = NULL;
@ -8178,10 +8173,6 @@ void wpas_request_disconnection(struct wpa_supplicant *wpa_s)
eloop_cancel_timeout(wpas_network_reenabled, wpa_s, NULL);
radio_remove_works(wpa_s, "connect", 0);
radio_remove_works(wpa_s, "sme-connect", 0);
wpa_s->roam_in_progress = false;
#ifdef CONFIG_WNM
wpa_s->bss_trans_mgmt_in_progress = false;
#endif /* CONFIG_WNM */
}

View File

@ -1286,7 +1286,6 @@ struct wpa_supplicant {
struct os_reltime wnm_cand_valid_until;
u8 wnm_cand_from_bss[ETH_ALEN];
enum bss_trans_mgmt_status_code bss_tm_status;
bool bss_trans_mgmt_in_progress;
struct wpabuf *coloc_intf_elems;
u8 coloc_intf_dialog_token;
u8 coloc_intf_auto_report;

View File

@ -0,0 +1 @@
/send_doall

22
tests/Makefile Normal file
View File

@ -0,0 +1,22 @@
# $FreeBSD$
PACKAGE= tests
TESTSDIR= ${TESTSBASE}
${PACKAGE}FILES+= README
KYUAFILE= yes
SUBDIR+= etc
SUBDIR+= sys
SUBDIR_PARALLEL=
afterinstall: install-tests-local
install-tests-local: .PHONY
${INSTALL_SYMLINK} -T 'package=tests' \
../local/tests ${DESTDIR}${TESTSDIR}/local
.include "Makefile.inc0"
.include <bsd.test.mk>

62
tests/README Normal file
View File

@ -0,0 +1,62 @@
src/tests: The FreeBSD test suite
=================================
Usage of the FreeBSD test suite:
(1) Run the tests:
kyua test -k /usr/tests/Kyuafile
(2) See the test results:
kyua report
For further information on using the test suite, read tests(7):
man tests
Description of FreeBSD test suite
=================================
The build of the test suite is organized in the following manner:
* The build of all test artifacts is protected by the MK_TESTS knob.
The user can disable these with the WITHOUT_TESTS setting in
src.conf(5).
* The goal for /usr/tests/ (the installed test programs) is to follow
the same hierarchy as /usr/src/ wherever possible, which in turn drives
several of the design decisions described below. This simplifies the
discoverability of tests. We want a mapping such as:
/usr/src/bin/cp/ -> /usr/tests/bin/cp/
/usr/src/lib/libc/ -> /usr/tests/lib/libc/
/usr/src/usr.bin/cut/ -> /usr/tests/usr.bin/cut/
... and many more ...
* Test programs for specific utilities and libraries are located next
to the source code of such programs. For example, the tests for the
src/lib/libcrypt/ library live in src/lib/libcrypt/tests/. The tests/
subdirectory is optional and should, in general, be avoided.
* The src/tests/ hierarchy (this directory) provides generic test
infrastructure and glue code to join all test programs together into
a single test suite definition.
* The src/tests/ hierarchy also includes cross-functional test programs:
i.e. test programs that cover more than a single utility or library
and thus don't fit anywhere else in the tree. Consider this to follow
the same rationale as src/share/man/: this directory contains generic
manual pages while the manual pages that are specific to individual
tools or libraries live next to the source code.
In order to keep the src/tests/ hierarchy decoupled from the actual test
programs being installed --which is a worthy goal because it simplifies
the addition of new test programs and simplifies the maintenance of the
tree-- the top-level Kyuafile does not know which subdirectories may
exist upfront. Instead, such Kyuafile automatically detects, at
run-time, which */Kyuafile files exist and uses those directly.
Similarly, every directory in src/ that wants to install a Kyuafile to
just recurse into other subdirectories reuses this Kyuafile with
auto-discovery features. As an example, take a look at src/lib/tests/
whose sole purpose is to install a Kyuafile into /usr/tests/lib/.
The goal in this specific case is for /usr/tests/lib/ to be generated
entirely from src/lib/.
--
$FreeBSD$

View File

@ -0,0 +1 @@
0