From patchwork Thu Oct 14 16:16:52 2021
X-Patchwork-Submitter: Damien Dejean
X-Patchwork-Id: 1541004
From: damiendejean@chromium.org
To: hostap@lists.infradead.org
Cc: Damien Dejean
Subject: [PATCH 1/3] HS 2.0: crypto engine support for creds.
Date: Thu, 14 Oct 2021 16:16:52 +0000
Message-Id: <20211014161654.3981468-1-damiendejean@chromium.org>
From: Damien Dejean Adds the support of engine, engine_id, ca_cert_id, cert_id and key_id to credential blocks for Hotspot 2.0. Signed-off-by: Damien Dejean --- wpa_supplicant/config.c | 33 +++++++++++++++++++++++++++++++++ wpa_supplicant/config.h | 25 +++++++++++++++++++++++++ wpa_supplicant/interworking.c | 30 ++++++++++++++++++++++++++---- wpa_supplicant/wpa_cli.c | 1 + 4 files changed, 85 insertions(+), 4 deletions(-) diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index bf97de698..c5f1a126b 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c 
@@ -2855,6 +2855,10 @@ void wpa_config_free_cred(struct wpa_cred *cred) os_free(cred->client_cert); os_free(cred->private_key); str_clear_free(cred->private_key_passwd); + os_free(cred->engine_id); + os_free(cred->ca_cert_id); + os_free(cred->cert_id); + os_free(cred->key_id); os_free(cred->imsi); str_clear_free(cred->milenage); for (i = 0; i < cred->num_domain; i++) @@ -3618,6 +3622,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, return 0; } + if (os_strcmp(var, "engine") == 0) { + cred->engine = atoi(value); + return 0; + } + val = wpa_config_parse_string(value, &len); if (val == NULL || (os_strcmp(var, "excluded_ssid") != 0 && @@ -3673,6 +3682,30 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, return 0; } + if (os_strcmp(var, "engine_id") == 0) { + os_free(cred->engine_id); + cred->engine_id = val; + return 0; + } + + if (os_strcmp(var, "ca_cert_id") == 0) { + os_free(cred->ca_cert_id); + cred->ca_cert_id = val; + return 0; + } + + if (os_strcmp(var, "cert_id") == 0) { + os_free(cred->cert_id); + cred->cert_id = val; + return 0; + } + + if (os_strcmp(var, "key_id") == 0) { + os_free(cred->key_id); + cred->key_id = val; + return 0; + } + if (os_strcmp(var, "imsi") == 0) { os_free(cred->imsi); cred->imsi = val; diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h index 0320d9eeb..c7a55202b 100644 --- a/wpa_supplicant/config.h +++ b/wpa_supplicant/config.h 
@@ -179,6 +179,31 @@ struct wpa_cred { */ char *milenage; + /** + * engine - Use an engine for private key operations. + */ + int engine; + + /** + * engine_id - String identifying the engine to use. + */ + char *engine_id; + + /** + * ca_cert_id - The CA certificate identifier when using an engine. + */ + char *ca_cert_id; + + /** + * cert_id - The certificate identifier when using an engine. + */ + char *cert_id; + + /** + * key_id - The private key identifier when using an engine. + */ + char *key_id; + /** * domain_suffix_match - Constraint for server domain name * diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c index 1c82d2117..066e344a0 100644 --- a/wpa_supplicant/interworking.c +++ b/wpa_supplicant/interworking.c @@ -702,12 +702,15 @@ static struct nai_realm_eap * nai_realm_find_eap(struct wpa_supplicant *wpa_s, ((cred->password == NULL || cred->password[0] == '\0') && (cred->private_key == NULL || - cred->private_key[0] == '\0'))) { + cred->private_key[0] == '\0') && + (cred->key_id == NULL || + cred->key_id[0] == '\0'))) { wpa_msg(wpa_s, MSG_DEBUG, - "nai-realm-find-eap: incomplete cred info: username: %s password: %s private_key: %s", + "nai-realm-find-eap: incomplete cred info: username: %s password: %s private_key: %s key_id: %s", cred->username ? cred->username : "NULL", cred->password ? cred->password : "NULL", - cred->private_key ? cred->private_key : "NULL"); + cred->private_key ? cred->private_key : "NULL", + cred->key_id ? cred->private_key : "NULL"); return NULL; } @@ -716,7 +719,8 @@ static struct nai_realm_eap * nai_realm_find_eap(struct wpa_supplicant *wpa_s, if (cred->password && cred->password[0] && nai_realm_cred_username(wpa_s, eap)) return eap; - if (cred->private_key && cred->private_key[0] && + if (((cred->private_key && cred->private_key[0]) || + (cred->key_id && cred->key_id[0])) && nai_realm_cred_cert(wpa_s, eap)) return eap; } 
@@ -1539,6 +1543,24 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid, cred->private_key_passwd) < 0) return -1; + if (cred->ca_cert_id && cred->ca_cert_id[0] && + wpa_config_set_quoted(ssid, "ca_cert_id", cred->ca_cert_id) < 0) + return -1; + + if (cred->cert_id && cred->cert_id[0] && + wpa_config_set_quoted(ssid, "cert_id", cred->cert_id) < 0) + return -1; + + if (cred->key_id && cred->key_id[0] && + wpa_config_set_quoted(ssid, "key_id", cred->key_id) < 0) + return -1; + + if (cred->engine_id && cred->engine_id[0] && + wpa_config_set_quoted(ssid, "engine_id", cred->engine_id) < 0) + return -1; + + ssid->eap.cert.engine = cred->engine; + if (cred->phase1) { os_free(ssid->eap.phase1); ssid->eap.phase1 = os_strdup(cred->phase1); diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c index b72983e9c..17b14c824 100644 --- a/wpa_supplicant/wpa_cli.c +++ b/wpa_supplicant/wpa_cli.c @@ -1591,6 +1591,7 @@ static const char * const cred_fields[] = { "min_dl_bandwidth_roaming", "min_ul_bandwidth_roaming", "max_bss_load", "req_conn_capab", "ocsp", "sim_num", "realm", "username", "password", "ca_cert", "client_cert", "private_key", "private_key_passwd", "imsi", + "ca_cert_id", "cert_id", "key_id", "engine_id", "engine", "milenage", "domain_suffix_match", "domain", "phase1", "phase2", "roaming_consortium", "required_roaming_consortium", "excluded_ssid", "roaming_partner", "provisioning_sp"
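Review bot: In the config.c hunk at @@ -3618 the new `engine` branch stores `atoi(value)` without any range check, so a mistyped value such as `engine=10` is accepted and later copied verbatim into `ssid->eap.cert.engine` by the interworking.c hunk at @@ -1539; consider accepting only 0 and 1 and returning -1 (with a debug message, like the other failure paths in wpa_config_set_cred) for anything else.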
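Review bot: The config.c hunk at @@ -3673 makes the four new string fields parseable, but the diffstat touches only config.c, config.h, interworking.c and wpa_cli.c, so the credential writer (wpa_config_write_cred in config_file.c) is not extended; a cred created with SET_CRED that carries engine, engine_id, ca_cert_id, cert_id or key_id would lose those fields on SAVE_CONFIG. Please add the matching write-out, or state in the commit message why persistence is intentionally left out.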
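Review bot: The config.h hunk documents each new field in isolation but not how they combine: that `engine` must be non-zero for `engine_id`, `ca_cert_id`, `cert_id` and `key_id` to have any effect, and that `key_id` takes the place of `private_key` in the credential (which is what the interworking.c hunk at @@ -702 relies on). Spelling that out in the `engine` comment, and adding the same fields to the cred-block documentation in wpa_supplicant.conf (not in the diffstat), would help users of the new options.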
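Review bot: The interworking.c hunk at @@ -702 has a copy-paste error in the new debug line: `cred->key_id ? cred->private_key : "NULL"` tests key_id but prints private_key, so a cred that sets key_id and no private_key passes a NULL pointer to a `%s` conversion, and the log never shows the key_id it claims to report. It should read `cred->key_id ? cred->key_id : "NULL"`.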
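Review bot: In the interworking.c hunk at @@ -1539 `ssid->eap.cert.engine = cred->engine;` is applied unconditionally, while the four preceding wpa_config_set_quoted calls only copy identifiers that are non-empty; a cred with engine set but no key_id therefore produces an EAP block with engine enabled and no key reference. A small consistency check here (or in wpa_config_set_cred) that rejects engine without key_id, logged at MSG_DEBUG like the incomplete-cred case in nai_realm_find_eap, would surface the misconfiguration at cred time instead of at the first EAP attempt.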