2 * Hotspot 2.0 OSU client
3 * Copyright (c) 2012-2014, Qualcomm Atheros, Inc.
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
14 #include "utils/browser.h"
15 #include "utils/base64.h"
16 #include "utils/xml-utils.h"
17 #include "utils/http-utils.h"
18 #include "common/wpa_ctrl.h"
19 #include "common/wpa_helpers.h"
20 #include "eap_common/eap_defs.h"
21 #include "crypto/crypto.h"
22 #include "crypto/sha256.h"
23 #include "osu_client.h"
26 void write_result(struct hs20_osu_client *ctx, const char *fmt, ...)
33 vsnprintf(buf, sizeof(buf), fmt, ap);
35 write_summary(ctx, "%s", buf);
37 if (!ctx->result_file)
40 f = fopen(ctx->result_file, "w");
52 void write_summary(struct hs20_osu_client *ctx, const char *fmt, ...)
57 if (!ctx->summary_file)
60 f = fopen(ctx->summary_file, "a");
72 void debug_dump_node(struct hs20_osu_client *ctx, const char *title,
75 char *str = xml_node_to_str(ctx->xml, node);
76 wpa_printf(MSG_DEBUG, "[hs20] %s: '%s'", title, str);
81 static int valid_fqdn(const char *fqdn)
85 /* TODO: could make this more complete.. */
86 if (strchr(fqdn, '.') == 0 || strlen(fqdn) > 255)
88 for (pos = fqdn; *pos; pos++) {
89 if (*pos >= 'a' && *pos <= 'z')
91 if (*pos >= 'A' && *pos <= 'Z')
93 if (*pos >= '0' && *pos <= '9')
95 if (*pos == '-' || *pos == '.' || *pos == '_')
103 int osu_get_certificate(struct hs20_osu_client *ctx, xml_node_t *getcert)
106 char *url, *user = NULL, *pw = NULL;
110 proto = xml_node_get_attr_value(ctx->xml, getcert,
111 "enrollmentProtocol");
114 wpa_printf(MSG_INFO, "getCertificate - enrollmentProtocol=%s", proto);
115 write_summary(ctx, "getCertificate - enrollmentProtocol=%s", proto);
116 if (os_strcasecmp(proto, "EST") != 0) {
117 wpa_printf(MSG_INFO, "Unsupported enrollmentProtocol");
118 xml_node_get_attr_value_free(ctx->xml, proto);
121 xml_node_get_attr_value_free(ctx->xml, proto);
123 node = get_node(ctx->xml, getcert, "enrollmentServerURI");
125 wpa_printf(MSG_INFO, "Could not find enrollmentServerURI node");
126 xml_node_get_attr_value_free(ctx->xml, proto);
129 url = xml_node_get_text(ctx->xml, node);
131 wpa_printf(MSG_INFO, "Could not get URL text");
134 wpa_printf(MSG_INFO, "enrollmentServerURI: %s", url);
135 write_summary(ctx, "enrollmentServerURI: %s", url);
137 node = get_node(ctx->xml, getcert, "estUserID");
138 if (node == NULL && !ctx->client_cert_present) {
139 wpa_printf(MSG_INFO, "Could not find estUserID node");
143 user = xml_node_get_text(ctx->xml, node);
145 wpa_printf(MSG_INFO, "Could not get estUserID text");
148 wpa_printf(MSG_INFO, "estUserID: %s", user);
149 write_summary(ctx, "estUserID: %s", user);
152 node = get_node(ctx->xml, getcert, "estPassword");
153 if (node == NULL && !ctx->client_cert_present) {
154 wpa_printf(MSG_INFO, "Could not find estPassword node");
158 pw = xml_node_get_base64_text(ctx->xml, node, NULL);
160 wpa_printf(MSG_INFO, "Could not get estPassword text");
163 wpa_printf(MSG_INFO, "estPassword: %s", pw);
166 mkdir("Cert", S_IRWXU);
167 if (est_load_cacerts(ctx, url) < 0 ||
168 est_build_csr(ctx, url) < 0 ||
169 est_simple_enroll(ctx, url, user, pw) < 0)
174 xml_node_get_text_free(ctx->xml, url);
175 xml_node_get_text_free(ctx->xml, user);
176 xml_node_get_text_free(ctx->xml, pw);
182 static int process_est_cert(struct hs20_osu_client *ctx, xml_node_t *cert,
185 u8 digest1[SHA256_MAC_LEN], digest2[SHA256_MAC_LEN];
187 size_t der_len, pem_len;
191 wpa_printf(MSG_INFO, "PPS for certificate credential - fqdn=%s", fqdn);
193 fingerprint = xml_node_get_text(ctx->xml, cert);
194 if (fingerprint == NULL)
196 if (hexstr2bin(fingerprint, digest1, SHA256_MAC_LEN) < 0) {
197 wpa_printf(MSG_INFO, "Invalid SHA256 hash value");
198 write_result(ctx, "Invalid client certificate SHA256 hash value in PPS");
199 xml_node_get_text_free(ctx->xml, fingerprint);
202 xml_node_get_text_free(ctx->xml, fingerprint);
204 der = os_readfile("Cert/est_cert.der", &der_len);
206 wpa_printf(MSG_INFO, "Could not find client certificate from EST");
207 write_result(ctx, "Could not find client certificate from EST");
211 if (sha256_vector(1, (const u8 **) &der, &der_len, digest2) < 0) {
217 if (os_memcmp(digest1, digest2, sizeof(digest1)) != 0) {
218 wpa_printf(MSG_INFO, "Client certificate from EST does not match fingerprint from PPS MO");
219 write_result(ctx, "Client certificate from EST does not match fingerprint from PPS MO");
223 wpa_printf(MSG_INFO, "Client certificate from EST matches PPS MO");
224 unlink("Cert/est_cert.der");
226 os_snprintf(buf, sizeof(buf), "SP/%s/client-ca.pem", fqdn);
227 if (rename("Cert/est-cacerts.pem", buf) < 0) {
228 wpa_printf(MSG_INFO, "Could not move est-cacerts.pem to client-ca.pem: %s",
232 pem = os_readfile(buf, &pem_len);
234 os_snprintf(buf, sizeof(buf), "SP/%s/client-cert.pem", fqdn);
235 if (rename("Cert/est_cert.pem", buf) < 0) {
236 wpa_printf(MSG_INFO, "Could not move est_cert.pem to client-cert.pem: %s",
243 FILE *f = fopen(buf, "a");
245 fwrite(pem, pem_len, 1, f);
251 os_snprintf(buf, sizeof(buf), "SP/%s/client-key.pem", fqdn);
252 if (rename("Cert/privkey-plain.pem", buf) < 0) {
253 wpa_printf(MSG_INFO, "Could not move privkey-plain.pem to client-key.pem: %s",
258 unlink("Cert/est-req.b64");
259 unlink("Cert/est-req.pem");
260 unlink("Cert/est-resp.raw");
267 #define TMP_CERT_DL_FILE "tmp-cert-download"
269 static int download_cert(struct hs20_osu_client *ctx, xml_node_t *params,
272 xml_node_t *url_node, *hash_node;
276 u8 digest1[SHA256_MAC_LEN], digest2[SHA256_MAC_LEN];
281 url_node = get_node(ctx->xml, params, "CertURL");
282 hash_node = get_node(ctx->xml, params, "CertSHA256Fingerprint");
283 if (url_node == NULL || hash_node == NULL)
285 url = xml_node_get_text(ctx->xml, url_node);
286 hash = xml_node_get_text(ctx->xml, hash_node);
287 if (url == NULL || hash == NULL) {
288 xml_node_get_text_free(ctx->xml, url);
289 xml_node_get_text_free(ctx->xml, hash);
293 wpa_printf(MSG_INFO, "CertURL: %s", url);
294 wpa_printf(MSG_INFO, "SHA256 hash: %s", hash);
296 if (hexstr2bin(hash, digest1, SHA256_MAC_LEN) < 0) {
297 wpa_printf(MSG_INFO, "Invalid SHA256 hash value");
298 write_result(ctx, "Invalid SHA256 hash value for downloaded certificate");
299 xml_node_get_text_free(ctx->xml, hash);
302 xml_node_get_text_free(ctx->xml, hash);
304 write_summary(ctx, "Download certificate from %s", url);
305 ctx->no_osu_cert_validation = 1;
306 res = http_download_file(ctx->http, url, TMP_CERT_DL_FILE, NULL);
307 ctx->no_osu_cert_validation = 0;
308 xml_node_get_text_free(ctx->xml, url);
312 cert = os_readfile(TMP_CERT_DL_FILE, &len);
313 remove(TMP_CERT_DL_FILE);
317 if (sha256_vector(1, (const u8 **) &cert, &len, digest2) < 0) {
322 if (os_memcmp(digest1, digest2, sizeof(digest1)) != 0) {
323 wpa_printf(MSG_INFO, "Downloaded certificate fingerprint did not match");
324 write_result(ctx, "Downloaded certificate fingerprint did not match");
329 b64 = base64_encode((unsigned char *) cert, len, NULL);
334 f = fopen(fname, "wb");
340 fprintf(f, "-----BEGIN CERTIFICATE-----\n"
342 "-----END CERTIFICATE-----\n",
348 wpa_printf(MSG_INFO, "Downloaded certificate into %s and validated fingerprint",
350 write_summary(ctx, "Downloaded certificate into %s and validated fingerprint",
357 static int cmd_dl_osu_ca(struct hs20_osu_client *ctx, const char *pps_fname,
358 const char *ca_fname)
360 xml_node_t *pps, *node;
363 pps = node_from_file(ctx->xml, pps_fname);
365 wpa_printf(MSG_INFO, "Could not read or parse '%s'", pps_fname);
369 node = get_child_node(ctx->xml, pps,
370 "SubscriptionUpdate/TrustRoot");
372 wpa_printf(MSG_INFO, "No SubscriptionUpdate/TrustRoot/CertURL found from PPS");
373 xml_node_free(ctx->xml, pps);
377 ret = download_cert(ctx, node, ca_fname);
378 xml_node_free(ctx->xml, pps);
384 static int cmd_dl_polupd_ca(struct hs20_osu_client *ctx, const char *pps_fname,
385 const char *ca_fname)
387 xml_node_t *pps, *node;
390 pps = node_from_file(ctx->xml, pps_fname);
392 wpa_printf(MSG_INFO, "Could not read or parse '%s'", pps_fname);
396 node = get_child_node(ctx->xml, pps,
397 "PolicyUpdate/TrustRoot");
399 wpa_printf(MSG_INFO, "No PolicyUpdate/TrustRoot/CertURL found from PPS");
400 xml_node_free(ctx->xml, pps);
404 ret = download_cert(ctx, node, ca_fname);
405 xml_node_free(ctx->xml, pps);
411 static int cmd_dl_aaa_ca(struct hs20_osu_client *ctx, const char *pps_fname,
412 const char *ca_fname)
414 xml_node_t *pps, *node, *aaa;
417 pps = node_from_file(ctx->xml, pps_fname);
419 wpa_printf(MSG_INFO, "Could not read or parse '%s'", pps_fname);
423 node = get_child_node(ctx->xml, pps,
424 "AAAServerTrustRoot");
426 wpa_printf(MSG_INFO, "No AAAServerTrustRoot/CertURL found from PPS");
427 xml_node_free(ctx->xml, pps);
431 aaa = xml_node_first_child(ctx->xml, node);
433 wpa_printf(MSG_INFO, "No AAAServerTrustRoot/CertURL found from PPS");
434 xml_node_free(ctx->xml, pps);
438 ret = download_cert(ctx, aaa, ca_fname);
439 xml_node_free(ctx->xml, pps);
445 static int download_trust_roots(struct hs20_osu_client *ctx,
446 const char *pps_fname)
452 dir = os_strdup(pps_fname);
455 pos = os_strrchr(dir, '/');
462 snprintf(fname, sizeof(fname), "%s/ca.pem", dir);
463 ret = cmd_dl_osu_ca(ctx, pps_fname, fname);
464 snprintf(fname, sizeof(fname), "%s/polupd-ca.pem", dir);
465 cmd_dl_polupd_ca(ctx, pps_fname, fname);
466 snprintf(fname, sizeof(fname), "%s/aaa-ca.pem", dir);
467 cmd_dl_aaa_ca(ctx, pps_fname, fname);
475 static int server_dnsname_suffix_match(struct hs20_osu_client *ctx,
478 size_t match_len, len, i;
481 match_len = os_strlen(fqdn);
483 for (i = 0; i < ctx->server_dnsname_count; i++) {
485 "Checking suffix match against server dNSName %s",
486 ctx->server_dnsname[i]);
487 val = ctx->server_dnsname[i];
488 len = os_strlen(val);
493 if (os_strncasecmp(val + len - match_len, fqdn, match_len) != 0)
494 continue; /* no match */
496 if (match_len == len)
497 return 1; /* exact match */
499 if (val[len - match_len - 1] == '.')
500 return 1; /* full label match completes suffix match */
502 /* Reject due to incomplete label match */
505 /* None of the dNSName(s) matched */
510 int hs20_add_pps_mo(struct hs20_osu_client *ctx, const char *uri,
511 xml_node_t *add_mo, char *fname, size_t fname_len)
515 xml_node_t *tnds, *mo, *cert;
519 if (strncmp(uri, "./Wi-Fi/", 8) != 0) {
520 wpa_printf(MSG_INFO, "Unsupported location for addMO to add PPS MO: '%s'",
522 write_result(ctx, "Unsupported location for addMO to add PPS MO: '%s'",
527 fqdn = strdup(uri + 8);
530 pos = strchr(fqdn, '/');
532 if (os_strcasecmp(pos, "/PerProviderSubscription") != 0) {
533 wpa_printf(MSG_INFO, "Unsupported location for addMO to add PPS MO (extra directory): '%s'",
535 write_result(ctx, "Unsupported location for addMO to "
536 "add PPS MO (extra directory): '%s'", uri);
539 *pos = '\0'; /* remove trailing slash and PPS node name */
541 wpa_printf(MSG_INFO, "SP FQDN: %s", fqdn);
543 if (!server_dnsname_suffix_match(ctx, fqdn)) {
544 wpa_printf(MSG_INFO, "FQDN '%s' for new PPS MO did not have suffix match with server's dNSName values",
546 write_result(ctx, "FQDN '%s' for new PPS MO did not have suffix match with server's dNSName values",
552 if (!valid_fqdn(fqdn)) {
553 wpa_printf(MSG_INFO, "Invalid FQDN '%s'", fqdn);
554 write_result(ctx, "Invalid FQDN '%s'", fqdn);
559 mkdir("SP", S_IRWXU);
560 snprintf(fname, fname_len, "SP/%s", fqdn);
561 if (mkdir(fname, S_IRWXU) < 0) {
562 if (errno != EEXIST) {
564 wpa_printf(MSG_INFO, "mkdir(%s) failed: %s",
565 fname, strerror(err));
571 snprintf(fname, fname_len, "SP/%s/pps.xml", fqdn);
573 if (os_file_exists(fname)) {
574 wpa_printf(MSG_INFO, "PPS file '%s' exists - reject addMO",
576 write_result(ctx, "PPS file '%s' exists - reject addMO",
581 wpa_printf(MSG_INFO, "Using PPS file: %s", fname);
583 str = xml_node_get_text(ctx->xml, add_mo);
585 wpa_printf(MSG_INFO, "Could not extract MO text");
589 wpa_printf(MSG_DEBUG, "[hs20] addMO text: '%s'", str);
591 tnds = xml_node_from_buf(ctx->xml, str);
592 xml_node_get_text_free(ctx->xml, str);
594 wpa_printf(MSG_INFO, "[hs20] Could not parse addMO text");
599 mo = tnds_to_mo(ctx->xml, tnds);
601 wpa_printf(MSG_INFO, "[hs20] Could not parse addMO TNDS text");
606 debug_dump_node(ctx, "Parsed TNDS", mo);
608 name = xml_node_get_localname(ctx->xml, mo);
609 if (os_strcasecmp(name, "PerProviderSubscription") != 0) {
610 wpa_printf(MSG_INFO, "[hs20] Unexpected PPS MO root node name '%s'",
616 cert = get_child_node(ctx->xml, mo,
617 "Credential/DigitalCertificate/"
618 "CertSHA256Fingerprint");
619 if (cert && process_est_cert(ctx, cert, fqdn) < 0) {
620 xml_node_free(ctx->xml, mo);
626 if (node_to_file(ctx->xml, fname, mo) < 0) {
627 wpa_printf(MSG_INFO, "Could not write MO to file");
628 xml_node_free(ctx->xml, mo);
631 xml_node_free(ctx->xml, mo);
633 wpa_printf(MSG_INFO, "A new PPS MO added as '%s'", fname);
634 write_summary(ctx, "A new PPS MO added as '%s'", fname);
636 ret = download_trust_roots(ctx, fname);
638 wpa_printf(MSG_INFO, "Remove invalid PPS MO file");
639 write_summary(ctx, "Remove invalid PPS MO file");
647 int update_pps_file(struct hs20_osu_client *ctx, const char *pps_fname,
654 if (ctx->client_cert_present) {
656 cert = get_child_node(ctx->xml, pps,
657 "Credential/DigitalCertificate/"
658 "CertSHA256Fingerprint");
659 if (cert && os_file_exists("Cert/est_cert.der") &&
660 process_est_cert(ctx, cert, ctx->fqdn) < 0) {
661 wpa_printf(MSG_INFO, "EST certificate update processing failed on PPS MO update");
666 wpa_printf(MSG_INFO, "Updating PPS MO %s", pps_fname);
668 str = xml_node_to_str(ctx->xml, pps);
669 wpa_printf(MSG_MSGDUMP, "[hs20] Updated PPS: '%s'", str);
671 snprintf(backup, sizeof(backup), "%s.bak", pps_fname);
672 rename(pps_fname, backup);
673 f = fopen(pps_fname, "w");
675 wpa_printf(MSG_INFO, "Could not write PPS");
676 rename(backup, pps_fname);
680 fprintf(f, "%s\n", str);
689 void get_user_pw(struct hs20_osu_client *ctx, xml_node_t *pps,
690 const char *alt_loc, char **user, char **pw)
694 node = get_child_node(ctx->xml, pps,
695 "Credential/UsernamePassword/Username");
697 *user = xml_node_get_text(ctx->xml, node);
699 node = get_child_node(ctx->xml, pps,
700 "Credential/UsernamePassword/Password");
702 *pw = xml_node_get_base64_text(ctx->xml, node, NULL);
704 node = get_child_node(ctx->xml, pps, alt_loc);
707 a = get_node(ctx->xml, node, "Username");
709 xml_node_get_text_free(ctx->xml, *user);
710 *user = xml_node_get_text(ctx->xml, a);
711 wpa_printf(MSG_INFO, "Use OSU username '%s'", *user);
714 a = get_node(ctx->xml, node, "Password");
717 *pw = xml_node_get_base64_text(ctx->xml, a, NULL);
718 wpa_printf(MSG_INFO, "Use OSU password");
724 /* Remove old credentials based on HomeSP/FQDN */
725 static void remove_sp_creds(struct hs20_osu_client *ctx, const char *fqdn)
728 os_snprintf(cmd, sizeof(cmd), "REMOVE_CRED provisioning_sp=%s", fqdn);
729 if (wpa_command(ctx->ifname, cmd) < 0)
730 wpa_printf(MSG_INFO, "Failed to remove old credential(s)");
734 static void set_pps_cred_policy_spe(struct hs20_osu_client *ctx, int id,
740 ssid = get_node(ctx->xml, spe, "SSID");
743 txt = xml_node_get_text(ctx->xml, ssid);
746 wpa_printf(MSG_DEBUG, "- Policy/SPExclusionList/<X+>/SSID = %s", txt);
747 if (set_cred_quoted(ctx->ifname, id, "excluded_ssid", txt) < 0)
748 wpa_printf(MSG_INFO, "Failed to set cred excluded_ssid");
749 xml_node_get_text_free(ctx->xml, txt);
753 static void set_pps_cred_policy_spel(struct hs20_osu_client *ctx, int id,
758 xml_node_for_each_child(ctx->xml, child, spel) {
759 xml_node_for_each_check(ctx->xml, child);
760 set_pps_cred_policy_spe(ctx, id, child);
765 static void set_pps_cred_policy_prp(struct hs20_osu_client *ctx, int id,
769 char *txt = NULL, *pos;
770 char *prio, *country_buf = NULL;
775 node = get_node(ctx->xml, prp, "Priority");
778 prio = xml_node_get_text(ctx->xml, node);
781 wpa_printf(MSG_INFO, "- Policy/PreferredRoamingPartnerList/<X+>/Priority = %s",
783 priority = atoi(prio);
784 xml_node_get_text_free(ctx->xml, prio);
786 node = get_node(ctx->xml, prp, "Country");
788 country_buf = xml_node_get_text(ctx->xml, node);
789 if (country_buf == NULL)
791 country = country_buf;
792 wpa_printf(MSG_INFO, "- Policy/PreferredRoamingPartnerList/<X+>/Country = %s",
798 node = get_node(ctx->xml, prp, "FQDN_Match");
801 txt = xml_node_get_text(ctx->xml, node);
804 wpa_printf(MSG_INFO, "- Policy/PreferredRoamingPartnerList/<X+>/FQDN_Match = %s",
806 pos = strrchr(txt, ',');
811 snprintf(val, sizeof(val), "%s,%d,%d,%s", txt,
812 strcmp(pos, "includeSubdomains") != 0, priority, country);
813 if (set_cred_quoted(ctx->ifname, id, "roaming_partner", val) < 0)
814 wpa_printf(MSG_INFO, "Failed to set cred roaming_partner");
816 xml_node_get_text_free(ctx->xml, country_buf);
817 xml_node_get_text_free(ctx->xml, txt);
821 static void set_pps_cred_policy_prpl(struct hs20_osu_client *ctx, int id,
826 xml_node_for_each_child(ctx->xml, child, prpl) {
827 xml_node_for_each_check(ctx->xml, child);
828 set_pps_cred_policy_prp(ctx, id, child);
833 static void set_pps_cred_policy_min_backhaul(struct hs20_osu_client *ctx, int id,
834 xml_node_t *min_backhaul)
837 char *type, *dl = NULL, *ul = NULL;
840 node = get_node(ctx->xml, min_backhaul, "NetworkType");
842 wpa_printf(MSG_INFO, "Ignore MinBackhaulThreshold without mandatory NetworkType node");
846 type = xml_node_get_text(ctx->xml, node);
849 wpa_printf(MSG_INFO, "- Policy/MinBackhaulThreshold/<X+>/NetworkType = %s",
851 if (os_strcasecmp(type, "home") == 0)
853 else if (os_strcasecmp(type, "roaming") == 0)
856 wpa_printf(MSG_INFO, "Ignore MinBackhaulThreshold with invalid NetworkType");
857 xml_node_get_text_free(ctx->xml, type);
860 xml_node_get_text_free(ctx->xml, type);
862 node = get_node(ctx->xml, min_backhaul, "DLBandwidth");
864 dl = xml_node_get_text(ctx->xml, node);
866 node = get_node(ctx->xml, min_backhaul, "ULBandwidth");
868 ul = xml_node_get_text(ctx->xml, node);
870 if (dl == NULL && ul == NULL) {
871 wpa_printf(MSG_INFO, "Ignore MinBackhaulThreshold without either DLBandwidth or ULBandwidth nodes");
876 wpa_printf(MSG_INFO, "- Policy/MinBackhaulThreshold/<X+>/DLBandwidth = %s",
879 wpa_printf(MSG_INFO, "- Policy/MinBackhaulThreshold/<X+>/ULBandwidth = %s",
884 set_cred(ctx->ifname, id, "min_dl_bandwidth_home", dl) < 0)
885 wpa_printf(MSG_INFO, "Failed to set cred bandwidth limit");
887 set_cred(ctx->ifname, id, "min_ul_bandwidth_home", ul) < 0)
888 wpa_printf(MSG_INFO, "Failed to set cred bandwidth limit");
891 set_cred(ctx->ifname, id, "min_dl_bandwidth_roaming", dl) <
893 wpa_printf(MSG_INFO, "Failed to set cred bandwidth limit");
895 set_cred(ctx->ifname, id, "min_ul_bandwidth_roaming", ul) <
897 wpa_printf(MSG_INFO, "Failed to set cred bandwidth limit");
900 xml_node_get_text_free(ctx->xml, dl);
901 xml_node_get_text_free(ctx->xml, ul);
905 static void set_pps_cred_policy_min_backhaul_list(struct hs20_osu_client *ctx,
906 int id, xml_node_t *node)
910 wpa_printf(MSG_INFO, "- Policy/MinBackhaulThreshold");
912 xml_node_for_each_child(ctx->xml, child, node) {
913 xml_node_for_each_check(ctx->xml, child);
914 set_pps_cred_policy_min_backhaul(ctx, id, child);
919 static void set_pps_cred_policy_update(struct hs20_osu_client *ctx, int id,
922 wpa_printf(MSG_INFO, "- Policy/PolicyUpdate");
923 /* Not used in wpa_supplicant */
927 static void set_pps_cred_policy_required_proto_port(struct hs20_osu_client *ctx,
928 int id, xml_node_t *tuple)
935 node = get_node(ctx->xml, tuple, "IPProtocol");
937 wpa_printf(MSG_INFO, "Ignore RequiredProtoPortTuple without mandatory IPProtocol node");
941 proto = xml_node_get_text(ctx->xml, node);
945 wpa_printf(MSG_INFO, "- Policy/RequiredProtoPortTuple/<X+>/IPProtocol = %s",
948 node = get_node(ctx->xml, tuple, "PortNumber");
949 port = node ? xml_node_get_text(ctx->xml, node) : NULL;
951 wpa_printf(MSG_INFO, "- Policy/RequiredProtoPortTuple/<X+>/PortNumber = %s",
953 buflen = os_strlen(proto) + os_strlen(port) + 10;
954 buf = os_malloc(buflen);
956 os_snprintf(buf, buflen, "%s:%s", proto, port);
957 xml_node_get_text_free(ctx->xml, port);
959 buflen = os_strlen(proto) + 10;
960 buf = os_malloc(buflen);
962 os_snprintf(buf, buflen, "%s", proto);
965 xml_node_get_text_free(ctx->xml, proto);
970 if (set_cred(ctx->ifname, id, "req_conn_capab", buf) < 0)
971 wpa_printf(MSG_INFO, "Could not set req_conn_capab");
977 static void set_pps_cred_policy_required_proto_ports(struct hs20_osu_client *ctx,
978 int id, xml_node_t *node)
982 wpa_printf(MSG_INFO, "- Policy/RequiredProtoPortTuple");
984 xml_node_for_each_child(ctx->xml, child, node) {
985 xml_node_for_each_check(ctx->xml, child);
986 set_pps_cred_policy_required_proto_port(ctx, id, child);
991 static void set_pps_cred_policy_max_bss_load(struct hs20_osu_client *ctx, int id,
994 char *str = xml_node_get_text(ctx->xml, node);
997 wpa_printf(MSG_INFO, "- Policy/MaximumBSSLoadValue - %s", str);
998 if (set_cred(ctx->ifname, id, "max_bss_load", str) < 0)
999 wpa_printf(MSG_INFO, "Failed to set cred max_bss_load limit");
1000 xml_node_get_text_free(ctx->xml, str);
1004 static void set_pps_cred_policy(struct hs20_osu_client *ctx, int id,
1010 wpa_printf(MSG_INFO, "- Policy");
1012 xml_node_for_each_child(ctx->xml, child, node) {
1013 xml_node_for_each_check(ctx->xml, child);
1014 name = xml_node_get_localname(ctx->xml, child);
1015 if (os_strcasecmp(name, "PreferredRoamingPartnerList") == 0)
1016 set_pps_cred_policy_prpl(ctx, id, child);
1017 else if (os_strcasecmp(name, "MinBackhaulThreshold") == 0)
1018 set_pps_cred_policy_min_backhaul_list(ctx, id, child);
1019 else if (os_strcasecmp(name, "PolicyUpdate") == 0)
1020 set_pps_cred_policy_update(ctx, id, child);
1021 else if (os_strcasecmp(name, "SPExclusionList") == 0)
1022 set_pps_cred_policy_spel(ctx, id, child);
1023 else if (os_strcasecmp(name, "RequiredProtoPortTuple") == 0)
1024 set_pps_cred_policy_required_proto_ports(ctx, id, child);
1025 else if (os_strcasecmp(name, "MaximumBSSLoadValue") == 0)
1026 set_pps_cred_policy_max_bss_load(ctx, id, child);
1028 wpa_printf(MSG_INFO, "Unknown Policy node '%s'", name);
1033 static void set_pps_cred_priority(struct hs20_osu_client *ctx, int id,
1036 char *str = xml_node_get_text(ctx->xml, node);
1039 wpa_printf(MSG_INFO, "- CredentialPriority = %s", str);
1040 if (set_cred(ctx->ifname, id, "sp_priority", str) < 0)
1041 wpa_printf(MSG_INFO, "Failed to set cred sp_priority");
1042 xml_node_get_text_free(ctx->xml, str);
1046 static void set_pps_cred_aaa_server_trust_root(struct hs20_osu_client *ctx,
1047 int id, xml_node_t *node)
1049 wpa_printf(MSG_INFO, "- AAAServerTrustRoot - TODO");
1053 static void set_pps_cred_sub_update(struct hs20_osu_client *ctx, int id,
1056 wpa_printf(MSG_INFO, "- SubscriptionUpdate");
1057 /* not used within wpa_supplicant */
1061 static void set_pps_cred_home_sp_network_id(struct hs20_osu_client *ctx,
1062 int id, xml_node_t *node)
1064 xml_node_t *ssid_node, *hessid_node;
1065 char *ssid, *hessid;
1067 ssid_node = get_node(ctx->xml, node, "SSID");
1068 if (ssid_node == NULL) {
1069 wpa_printf(MSG_INFO, "Ignore HomeSP/NetworkID without mandatory SSID node");
1073 hessid_node = get_node(ctx->xml, node, "HESSID");
1075 ssid = xml_node_get_text(ctx->xml, ssid_node);
1078 hessid = hessid_node ? xml_node_get_text(ctx->xml, hessid_node) : NULL;
1080 wpa_printf(MSG_INFO, "- HomeSP/NetworkID/<X+>/SSID = %s", ssid);
1082 wpa_printf(MSG_INFO, "- HomeSP/NetworkID/<X+>/HESSID = %s",
1085 /* TODO: Configure to wpa_supplicant */
1087 xml_node_get_text_free(ctx->xml, ssid);
1088 xml_node_get_text_free(ctx->xml, hessid);
1092 static void set_pps_cred_home_sp_network_ids(struct hs20_osu_client *ctx,
1093 int id, xml_node_t *node)
1097 wpa_printf(MSG_INFO, "- HomeSP/NetworkID");
1099 xml_node_for_each_child(ctx->xml, child, node) {
1100 xml_node_for_each_check(ctx->xml, child);
1101 set_pps_cred_home_sp_network_id(ctx, id, child);
1106 static void set_pps_cred_home_sp_friendly_name(struct hs20_osu_client *ctx,
1107 int id, xml_node_t *node)
1109 char *str = xml_node_get_text(ctx->xml, node);
1112 wpa_printf(MSG_INFO, "- HomeSP/FriendlyName = %s", str);
1113 /* not used within wpa_supplicant(?) */
1114 xml_node_get_text_free(ctx->xml, str);
1118 static void set_pps_cred_home_sp_icon_url(struct hs20_osu_client *ctx,
1119 int id, xml_node_t *node)
1121 char *str = xml_node_get_text(ctx->xml, node);
1124 wpa_printf(MSG_INFO, "- HomeSP/IconURL = %s", str);
1125 /* not used within wpa_supplicant */
1126 xml_node_get_text_free(ctx->xml, str);
1130 static void set_pps_cred_home_sp_fqdn(struct hs20_osu_client *ctx, int id,
1133 char *str = xml_node_get_text(ctx->xml, node);
1136 wpa_printf(MSG_INFO, "- HomeSP/FQDN = %s", str);
1137 if (set_cred_quoted(ctx->ifname, id, "domain", str) < 0)
1138 wpa_printf(MSG_INFO, "Failed to set cred domain");
1139 if (set_cred_quoted(ctx->ifname, id, "domain_suffix_match", str) < 0)
1140 wpa_printf(MSG_INFO, "Failed to set cred domain_suffix_match");
1141 xml_node_get_text_free(ctx->xml, str);
1145 static void set_pps_cred_home_sp_oi(struct hs20_osu_client *ctx, int id,
1150 char *homeoi = NULL;
1154 xml_node_for_each_child(ctx->xml, child, node) {
1155 xml_node_for_each_check(ctx->xml, child);
1156 name = xml_node_get_localname(ctx->xml, child);
1157 if (strcasecmp(name, "HomeOI") == 0 && !homeoi) {
1158 homeoi = xml_node_get_text(ctx->xml, child);
1159 wpa_printf(MSG_INFO, "- HomeSP/HomeOIList/<X+>/HomeOI = %s",
1161 } else if (strcasecmp(name, "HomeOIRequired") == 0) {
1162 str = xml_node_get_text(ctx->xml, child);
1163 wpa_printf(MSG_INFO, "- HomeSP/HomeOIList/<X+>/HomeOIRequired = '%s'",
1167 required = strcasecmp(str, "true") == 0;
1168 xml_node_get_text_free(ctx->xml, str);
1170 wpa_printf(MSG_INFO, "Unknown HomeOIList node '%s'",
1174 if (homeoi == NULL) {
1175 wpa_printf(MSG_INFO, "- HomeSP/HomeOIList/<X+> without HomeOI ignored");
1179 wpa_printf(MSG_INFO, "- HomeSP/HomeOIList/<X+> '%s' required=%d",
1183 if (set_cred(ctx->ifname, id, "required_roaming_consortium",
1185 wpa_printf(MSG_INFO, "Failed to set cred required_roaming_consortium");
1187 if (set_cred_quoted(ctx->ifname, id, "roaming_consortium",
1189 wpa_printf(MSG_INFO, "Failed to set cred roaming_consortium");
1192 xml_node_get_text_free(ctx->xml, homeoi);
1196 static void set_pps_cred_home_sp_oi_list(struct hs20_osu_client *ctx, int id,
1201 wpa_printf(MSG_INFO, "- HomeSP/HomeOIList");
1203 xml_node_for_each_child(ctx->xml, child, node) {
1204 xml_node_for_each_check(ctx->xml, child);
1205 set_pps_cred_home_sp_oi(ctx, id, child);
1210 static void set_pps_cred_home_sp_other_partner(struct hs20_osu_client *ctx,
1211 int id, xml_node_t *node)
1217 xml_node_for_each_child(ctx->xml, child, node) {
1218 xml_node_for_each_check(ctx->xml, child);
1219 name = xml_node_get_localname(ctx->xml, child);
1220 if (os_strcasecmp(name, "FQDN") == 0 && !fqdn) {
1221 fqdn = xml_node_get_text(ctx->xml, child);
1222 wpa_printf(MSG_INFO, "- HomeSP/OtherHomePartners/<X+>/FQDN = %s",
1225 wpa_printf(MSG_INFO, "Unknown OtherHomePartners node '%s'",
1230 wpa_printf(MSG_INFO, "- HomeSP/OtherHomePartners/<X+> without FQDN ignored");
1234 if (set_cred_quoted(ctx->ifname, id, "domain", fqdn) < 0)
1235 wpa_printf(MSG_INFO, "Failed to set cred domain for OtherHomePartners node");
1237 xml_node_get_text_free(ctx->xml, fqdn);
1241 static void set_pps_cred_home_sp_other_partners(struct hs20_osu_client *ctx,
1247 wpa_printf(MSG_INFO, "- HomeSP/OtherHomePartners");
1249 xml_node_for_each_child(ctx->xml, child, node) {
1250 xml_node_for_each_check(ctx->xml, child);
1251 set_pps_cred_home_sp_other_partner(ctx, id, child);
1256 static void set_pps_cred_home_sp_roaming_consortium_oi(
1257 struct hs20_osu_client *ctx, int id, xml_node_t *node)
1259 char *str = xml_node_get_text(ctx->xml, node);
1262 wpa_printf(MSG_INFO, "- HomeSP/RoamingConsortiumOI = %s", str);
1263 /* TODO: Set to wpa_supplicant */
1264 xml_node_get_text_free(ctx->xml, str);
1268 static void set_pps_cred_home_sp(struct hs20_osu_client *ctx, int id,
1274 wpa_printf(MSG_INFO, "- HomeSP");
1276 xml_node_for_each_child(ctx->xml, child, node) {
1277 xml_node_for_each_check(ctx->xml, child);
1278 name = xml_node_get_localname(ctx->xml, child);
1279 if (os_strcasecmp(name, "NetworkID") == 0)
1280 set_pps_cred_home_sp_network_ids(ctx, id, child);
1281 else if (os_strcasecmp(name, "FriendlyName") == 0)
1282 set_pps_cred_home_sp_friendly_name(ctx, id, child);
1283 else if (os_strcasecmp(name, "IconURL") == 0)
1284 set_pps_cred_home_sp_icon_url(ctx, id, child);
1285 else if (os_strcasecmp(name, "FQDN") == 0)
1286 set_pps_cred_home_sp_fqdn(ctx, id, child);
1287 else if (os_strcasecmp(name, "HomeOIList") == 0)
1288 set_pps_cred_home_sp_oi_list(ctx, id, child);
1289 else if (os_strcasecmp(name, "OtherHomePartners") == 0)
1290 set_pps_cred_home_sp_other_partners(ctx, id, child);
1291 else if (os_strcasecmp(name, "RoamingConsortiumOI") == 0)
1292 set_pps_cred_home_sp_roaming_consortium_oi(ctx, id,
1295 wpa_printf(MSG_INFO, "Unknown HomeSP node '%s'", name);
1300 static void set_pps_cred_sub_params(struct hs20_osu_client *ctx, int id,
1303 wpa_printf(MSG_INFO, "- SubscriptionParameters");
1304 /* not used within wpa_supplicant */
1308 static void set_pps_cred_creation_date(struct hs20_osu_client *ctx, int id,
1311 char *str = xml_node_get_text(ctx->xml, node);
1314 wpa_printf(MSG_INFO, "- Credential/CreationDate = %s", str);
1315 /* not used within wpa_supplicant */
1316 xml_node_get_text_free(ctx->xml, str);
1320 static void set_pps_cred_expiration_date(struct hs20_osu_client *ctx, int id,
1323 char *str = xml_node_get_text(ctx->xml, node);
1326 wpa_printf(MSG_INFO, "- Credential/ExpirationDate = %s", str);
1327 /* not used within wpa_supplicant */
1328 xml_node_get_text_free(ctx->xml, str);
1332 static void set_pps_cred_username(struct hs20_osu_client *ctx, int id,
1335 char *str = xml_node_get_text(ctx->xml, node);
1338 wpa_printf(MSG_INFO, "- Credential/UsernamePassword/Username = %s",
1340 if (set_cred_quoted(ctx->ifname, id, "username", str) < 0)
1341 wpa_printf(MSG_INFO, "Failed to set cred username");
1342 xml_node_get_text_free(ctx->xml, str);
1346 static void set_pps_cred_password(struct hs20_osu_client *ctx, int id,
1350 char *pw, *hex, *pos, *end;
1352 pw = xml_node_get_base64_text(ctx->xml, node, &len);
1356 wpa_printf(MSG_INFO, "- Credential/UsernamePassword/Password = %s", pw);
1358 hex = malloc(len * 2 + 1);
1363 end = hex + len * 2 + 1;
1365 for (i = 0; i < len; i++) {
1366 snprintf(pos, end - pos, "%02x", pw[i]);
1371 if (set_cred(ctx->ifname, id, "password", hex) < 0)
1372 wpa_printf(MSG_INFO, "Failed to set cred password");
1377 static void set_pps_cred_machine_managed(struct hs20_osu_client *ctx, int id,
1380 char *str = xml_node_get_text(ctx->xml, node);
1383 wpa_printf(MSG_INFO, "- Credential/UsernamePassword/MachineManaged = %s",
1385 /* not used within wpa_supplicant */
1386 xml_node_get_text_free(ctx->xml, str);
1390 static void set_pps_cred_soft_token_app(struct hs20_osu_client *ctx, int id,
1393 char *str = xml_node_get_text(ctx->xml, node);
1396 wpa_printf(MSG_INFO, "- Credential/UsernamePassword/SoftTokenApp = %s",
1398 /* not used within wpa_supplicant */
1399 xml_node_get_text_free(ctx->xml, str);
1403 static void set_pps_cred_able_to_share(struct hs20_osu_client *ctx, int id,
1406 char *str = xml_node_get_text(ctx->xml, node);
1409 wpa_printf(MSG_INFO, "- Credential/UsernamePassword/AbleToShare = %s",
1411 /* not used within wpa_supplicant */
1412 xml_node_get_text_free(ctx->xml, str);
1416 static void set_pps_cred_eap_method(struct hs20_osu_client *ctx, int id,
1419 wpa_printf(MSG_INFO, "- Credential/UsernamePassword/EAPMethod - TODO");
1423 static void set_pps_cred_username_password(struct hs20_osu_client *ctx, int id,
1429 wpa_printf(MSG_INFO, "- Credential/UsernamePassword");
1431 xml_node_for_each_child(ctx->xml, child, node) {
1432 xml_node_for_each_check(ctx->xml, child);
1433 name = xml_node_get_localname(ctx->xml, child);
1434 if (os_strcasecmp(name, "Username") == 0)
1435 set_pps_cred_username(ctx, id, child);
1436 else if (os_strcasecmp(name, "Password") == 0)
1437 set_pps_cred_password(ctx, id, child);
1438 else if (os_strcasecmp(name, "MachineManaged") == 0)
1439 set_pps_cred_machine_managed(ctx, id, child);
1440 else if (os_strcasecmp(name, "SoftTokenApp") == 0)
1441 set_pps_cred_soft_token_app(ctx, id, child);
1442 else if (os_strcasecmp(name, "AbleToShare") == 0)
1443 set_pps_cred_able_to_share(ctx, id, child);
1444 else if (os_strcasecmp(name, "EAPMethod") == 0)
1445 set_pps_cred_eap_method(ctx, id, child);
1447 wpa_printf(MSG_INFO, "Unknown Credential/UsernamePassword node '%s'",
1453 static void set_pps_cred_digital_cert(struct hs20_osu_client *ctx, int id,
1454 xml_node_t *node, const char *fqdn)
1456 char buf[200], dir[200];
1458 wpa_printf(MSG_INFO, "- Credential/DigitalCertificate");
1460 if (getcwd(dir, sizeof(dir)) == NULL)
1463 /* TODO: could build username from Subject of Subject AltName */
1464 if (set_cred_quoted(ctx->ifname, id, "username", "cert") < 0) {
1465 wpa_printf(MSG_INFO, "Failed to set username");
1468 snprintf(buf, sizeof(buf), "%s/SP/%s/client-cert.pem", dir, fqdn);
1469 if (os_file_exists(buf)) {
1470 if (set_cred_quoted(ctx->ifname, id, "client_cert", buf) < 0) {
1471 wpa_printf(MSG_INFO, "Failed to set client_cert");
1475 snprintf(buf, sizeof(buf), "%s/SP/%s/client-key.pem", dir, fqdn);
1476 if (os_file_exists(buf)) {
1477 if (set_cred_quoted(ctx->ifname, id, "private_key", buf) < 0) {
1478 wpa_printf(MSG_INFO, "Failed to set private_key");
1484 static void set_pps_cred_realm(struct hs20_osu_client *ctx, int id,
1485 xml_node_t *node, const char *fqdn, int sim)
1487 char *str = xml_node_get_text(ctx->xml, node);
1488 char buf[200], dir[200];
1493 wpa_printf(MSG_INFO, "- Credential/Realm = %s", str);
1494 if (set_cred_quoted(ctx->ifname, id, "realm", str) < 0)
1495 wpa_printf(MSG_INFO, "Failed to set cred realm");
1496 xml_node_get_text_free(ctx->xml, str);
1501 if (getcwd(dir, sizeof(dir)) == NULL)
1503 snprintf(buf, sizeof(buf), "%s/SP/%s/aaa-ca.pem", dir, fqdn);
1504 if (os_file_exists(buf)) {
1505 if (set_cred_quoted(ctx->ifname, id, "ca_cert", buf) < 0) {
1506 wpa_printf(MSG_INFO, "Failed to set CA cert");
1512 static void set_pps_cred_check_aaa_cert_status(struct hs20_osu_client *ctx,
1513 int id, xml_node_t *node)
1515 char *str = xml_node_get_text(ctx->xml, node);
1520 wpa_printf(MSG_INFO, "- Credential/CheckAAAServerCertStatus = %s", str);
1521 if (os_strcasecmp(str, "true") == 0 &&
1522 set_cred(ctx->ifname, id, "ocsp", "2") < 0)
1523 wpa_printf(MSG_INFO, "Failed to set cred ocsp");
1524 xml_node_get_text_free(ctx->xml, str);
1528 static void set_pps_cred_sim(struct hs20_osu_client *ctx, int id,
1529 xml_node_t *sim, xml_node_t *realm)
1532 char *imsi, *eaptype, *str, buf[20];
1537 node = get_node(ctx->xml, sim, "EAPType");
1539 wpa_printf(MSG_INFO, "No SIM/EAPType node in credential");
1542 eaptype = xml_node_get_text(ctx->xml, node);
1543 if (eaptype == NULL) {
1544 wpa_printf(MSG_INFO, "Could not extract SIM/EAPType");
1547 wpa_printf(MSG_INFO, " - Credential/SIM/EAPType = %s", eaptype);
1548 type = atoi(eaptype);
1549 xml_node_get_text_free(ctx->xml, eaptype);
1553 if (set_cred(ctx->ifname, id, "eap", "SIM") < 0)
1554 wpa_printf(MSG_INFO, "Could not set eap=SIM");
1557 if (set_cred(ctx->ifname, id, "eap", "AKA") < 0)
1558 wpa_printf(MSG_INFO, "Could not set eap=SIM");
1560 case EAP_TYPE_AKA_PRIME:
1561 if (set_cred(ctx->ifname, id, "eap", "AKA'") < 0)
1562 wpa_printf(MSG_INFO, "Could not set eap=SIM");
1565 wpa_printf(MSG_INFO, "Unsupported SIM/EAPType %d", type);
1569 node = get_node(ctx->xml, sim, "IMSI");
1571 wpa_printf(MSG_INFO, "No SIM/IMSI node in credential");
1574 imsi = xml_node_get_text(ctx->xml, node);
1576 wpa_printf(MSG_INFO, "Could not extract SIM/IMSI");
1579 wpa_printf(MSG_INFO, " - Credential/SIM/IMSI = %s", imsi);
1580 imsi_len = os_strlen(imsi);
1581 if (imsi_len < 7 || imsi_len + 2 > sizeof(buf)) {
1582 wpa_printf(MSG_INFO, "Invalid IMSI length");
1583 xml_node_get_text_free(ctx->xml, imsi);
1587 str = xml_node_get_text(ctx->xml, node);
1590 pos = os_strstr(str, "mnc");
1591 if (pos && os_strlen(pos) >= 6) {
1592 if (os_strncmp(imsi + 3, pos + 3, 3) == 0)
1594 else if (os_strncmp(imsi + 3, pos + 4, 2) == 0)
1597 xml_node_get_text_free(ctx->xml, str);
1600 os_memcpy(buf, imsi, 3 + mnc_len);
1601 buf[3 + mnc_len] = '-';
1602 os_strlcpy(buf + 3 + mnc_len + 1, imsi + 3 + mnc_len,
1603 sizeof(buf) - 3 - mnc_len - 1);
1605 xml_node_get_text_free(ctx->xml, imsi);
1607 if (set_cred_quoted(ctx->ifname, id, "imsi", buf) < 0)
1608 wpa_printf(MSG_INFO, "Could not set IMSI");
1610 if (set_cred_quoted(ctx->ifname, id, "milenage",
1611 "90dca4eda45b53cf0f12d7c9c3bc6a89:"
1612 "cb9cccc4b9258e6dca4760379fb82581:000000000123") <
1614 wpa_printf(MSG_INFO, "Could not set Milenage parameters");
1618 static void set_pps_cred_credential(struct hs20_osu_client *ctx, int id,
1619 xml_node_t *node, const char *fqdn)
1621 xml_node_t *child, *sim, *realm;
1624 wpa_printf(MSG_INFO, "- Credential");
1626 sim = get_node(ctx->xml, node, "SIM");
1627 realm = get_node(ctx->xml, node, "Realm");
1629 xml_node_for_each_child(ctx->xml, child, node) {
1630 xml_node_for_each_check(ctx->xml, child);
1631 name = xml_node_get_localname(ctx->xml, child);
1632 if (os_strcasecmp(name, "CreationDate") == 0)
1633 set_pps_cred_creation_date(ctx, id, child);
1634 else if (os_strcasecmp(name, "ExpirationDate") == 0)
1635 set_pps_cred_expiration_date(ctx, id, child);
1636 else if (os_strcasecmp(name, "UsernamePassword") == 0)
1637 set_pps_cred_username_password(ctx, id, child);
1638 else if (os_strcasecmp(name, "DigitalCertificate") == 0)
1639 set_pps_cred_digital_cert(ctx, id, child, fqdn);
1640 else if (os_strcasecmp(name, "Realm") == 0)
1641 set_pps_cred_realm(ctx, id, child, fqdn, sim != NULL);
1642 else if (os_strcasecmp(name, "CheckAAAServerCertStatus") == 0)
1643 set_pps_cred_check_aaa_cert_status(ctx, id, child);
1644 else if (os_strcasecmp(name, "SIM") == 0)
1645 set_pps_cred_sim(ctx, id, child, realm);
1647 wpa_printf(MSG_INFO, "Unknown Credential node '%s'",
1653 static void set_pps_credential(struct hs20_osu_client *ctx, int id,
1654 xml_node_t *cred, const char *fqdn)
1659 xml_node_for_each_child(ctx->xml, child, cred) {
1660 xml_node_for_each_check(ctx->xml, child);
1661 name = xml_node_get_localname(ctx->xml, child);
1662 if (os_strcasecmp(name, "Policy") == 0)
1663 set_pps_cred_policy(ctx, id, child);
1664 else if (os_strcasecmp(name, "CredentialPriority") == 0)
1665 set_pps_cred_priority(ctx, id, child);
1666 else if (os_strcasecmp(name, "AAAServerTrustRoot") == 0)
1667 set_pps_cred_aaa_server_trust_root(ctx, id, child);
1668 else if (os_strcasecmp(name, "SubscriptionUpdate") == 0)
1669 set_pps_cred_sub_update(ctx, id, child);
1670 else if (os_strcasecmp(name, "HomeSP") == 0)
1671 set_pps_cred_home_sp(ctx, id, child);
1672 else if (os_strcasecmp(name, "SubscriptionParameters") == 0)
1673 set_pps_cred_sub_params(ctx, id, child);
1674 else if (os_strcasecmp(name, "Credential") == 0)
1675 set_pps_cred_credential(ctx, id, child, fqdn);
1677 wpa_printf(MSG_INFO, "Unknown credential node '%s'",
1683 static void set_pps(struct hs20_osu_client *ctx, xml_node_t *pps,
1689 char *update_identifier = NULL;
1692 * TODO: Could consider more complex mechanism that would remove
1693 * credentials only if there are changes in the information sent to
1696 remove_sp_creds(ctx, fqdn);
1698 xml_node_for_each_child(ctx->xml, child, pps) {
1699 xml_node_for_each_check(ctx->xml, child);
1700 name = xml_node_get_localname(ctx->xml, child);
1701 if (os_strcasecmp(name, "UpdateIdentifier") == 0) {
1702 update_identifier = xml_node_get_text(ctx->xml, child);
1703 if (update_identifier) {
1704 wpa_printf(MSG_INFO, "- UpdateIdentifier = %s",
1711 xml_node_for_each_child(ctx->xml, child, pps) {
1712 xml_node_for_each_check(ctx->xml, child);
1713 name = xml_node_get_localname(ctx->xml, child);
1714 if (os_strcasecmp(name, "UpdateIdentifier") == 0)
1716 id = add_cred(ctx->ifname);
1718 wpa_printf(MSG_INFO, "Failed to add credential to wpa_supplicant");
1719 write_summary(ctx, "Failed to add credential to wpa_supplicant");
1722 write_summary(ctx, "Add a credential to wpa_supplicant");
1723 if (update_identifier &&
1724 set_cred(ctx->ifname, id, "update_identifier",
1725 update_identifier) < 0)
1726 wpa_printf(MSG_INFO, "Failed to set update_identifier");
1727 if (set_cred_quoted(ctx->ifname, id, "provisioning_sp", fqdn) <
1729 wpa_printf(MSG_INFO, "Failed to set provisioning_sp");
1730 wpa_printf(MSG_INFO, "credential localname: '%s'", name);
1731 set_pps_credential(ctx, id, child, fqdn);
1732 ctx->pps_cred_set = 1;
1735 xml_node_get_text_free(ctx->xml, update_identifier);
1739 void cmd_set_pps(struct hs20_osu_client *ctx, const char *pps_fname)
1743 char *fqdn_buf = NULL, *pos;
1745 pps = node_from_file(ctx->xml, pps_fname);
1747 wpa_printf(MSG_INFO, "Could not read or parse '%s'", pps_fname);
1751 fqdn = os_strstr(pps_fname, "SP/");
1753 fqdn_buf = os_strdup(fqdn + 3);
1754 if (fqdn_buf == NULL)
1756 pos = os_strchr(fqdn_buf, '/');
1763 wpa_printf(MSG_INFO, "Set PPS MO info to wpa_supplicant - SP FQDN %s",
1765 set_pps(ctx, pps, fqdn);
1768 xml_node_free(ctx->xml, pps);
1772 static int cmd_get_fqdn(struct hs20_osu_client *ctx, const char *pps_fname)
1774 xml_node_t *pps, *node;
1777 pps = node_from_file(ctx->xml, pps_fname);
1779 wpa_printf(MSG_INFO, "Could not read or parse '%s'", pps_fname);
1783 node = get_child_node(ctx->xml, pps, "HomeSP/FQDN");
1785 fqdn = xml_node_get_text(ctx->xml, node);
1787 xml_node_free(ctx->xml, pps);
1790 FILE *f = fopen("pps-fqdn", "w");
1792 fprintf(f, "%s", fqdn);
1795 xml_node_get_text_free(ctx->xml, fqdn);
1799 xml_node_get_text_free(ctx->xml, fqdn);
1804 static void cmd_to_tnds(struct hs20_osu_client *ctx, const char *in_fname,
1805 const char *out_fname, const char *urn, int use_path)
1807 xml_node_t *mo, *node;
1809 mo = node_from_file(ctx->xml, in_fname);
1811 wpa_printf(MSG_INFO, "Could not read or parse '%s'", in_fname);
1815 node = mo_to_tnds(ctx->xml, mo, use_path, urn, NULL);
1817 node_to_file(ctx->xml, out_fname, node);
1818 xml_node_free(ctx->xml, node);
1821 xml_node_free(ctx->xml, mo);
1825 static void cmd_from_tnds(struct hs20_osu_client *ctx, const char *in_fname,
1826 const char *out_fname)
1828 xml_node_t *tnds, *mo;
1830 tnds = node_from_file(ctx->xml, in_fname);
1832 wpa_printf(MSG_INFO, "Could not read or parse '%s'", in_fname);
1836 mo = tnds_to_mo(ctx->xml, tnds);
1838 node_to_file(ctx->xml, out_fname, mo);
1839 xml_node_free(ctx->xml, mo);
1842 xml_node_free(ctx->xml, tnds);
1849 char mime_type[256];
1856 unsigned int methods;
1859 struct osu_lang_text friendly_name[MAX_OSU_VALS];
1860 size_t friendly_name_count;
1861 struct osu_lang_text serv_desc[MAX_OSU_VALS];
1862 size_t serv_desc_count;
1863 struct osu_icon icon[MAX_OSU_VALS];
1868 static struct osu_data * parse_osu_providers(const char *fname, size_t *count)
1872 struct osu_data *osu = NULL, *last = NULL;
1873 size_t osu_count = 0;
1876 f = fopen(fname, "r");
1878 wpa_printf(MSG_ERROR, "Could not open %s", fname);
1882 while (fgets(buf, sizeof(buf), f)) {
1883 pos = strchr(buf, '\n');
1887 if (strncmp(buf, "OSU-PROVIDER ", 13) == 0) {
1888 last = realloc(osu, (osu_count + 1) * sizeof(*osu));
1892 last = &osu[osu_count++];
1893 memset(last, 0, sizeof(*last));
1894 snprintf(last->bssid, sizeof(last->bssid), "%s",
1901 if (strncmp(buf, "uri=", 4) == 0) {
1902 snprintf(last->url, sizeof(last->url), "%s", buf + 4);
1906 if (strncmp(buf, "methods=", 8) == 0) {
1907 last->methods = strtol(buf + 8, NULL, 16);
1911 if (strncmp(buf, "osu_ssid=", 9) == 0) {
1912 snprintf(last->osu_ssid, sizeof(last->osu_ssid),
1917 if (os_strncmp(buf, "osu_nai=", 8) == 0) {
1918 os_snprintf(last->osu_nai, sizeof(last->osu_nai),
1923 if (strncmp(buf, "friendly_name=", 14) == 0) {
1924 struct osu_lang_text *txt;
1925 if (last->friendly_name_count == MAX_OSU_VALS)
1927 pos = strchr(buf + 14, ':');
1931 txt = &last->friendly_name[last->friendly_name_count++];
1932 snprintf(txt->lang, sizeof(txt->lang), "%s", buf + 14);
1933 snprintf(txt->text, sizeof(txt->text), "%s", pos);
1936 if (strncmp(buf, "desc=", 5) == 0) {
1937 struct osu_lang_text *txt;
1938 if (last->serv_desc_count == MAX_OSU_VALS)
1940 pos = strchr(buf + 5, ':');
1944 txt = &last->serv_desc[last->serv_desc_count++];
1945 snprintf(txt->lang, sizeof(txt->lang), "%s", buf + 5);
1946 snprintf(txt->text, sizeof(txt->text), "%s", pos);
1949 if (strncmp(buf, "icon=", 5) == 0) {
1950 struct osu_icon *icon;
1951 if (last->icon_count == MAX_OSU_VALS)
1953 icon = &last->icon[last->icon_count++];
1954 icon->id = atoi(buf + 5);
1955 pos = strchr(buf, ':');
1958 pos = strchr(pos + 1, ':');
1961 pos = strchr(pos + 1, ':');
1965 end = strchr(pos, ':');
1969 snprintf(icon->lang, sizeof(icon->lang), "%s", pos);
1972 end = strchr(pos, ':');
1975 snprintf(icon->mime_type, sizeof(icon->mime_type),
1981 end = strchr(pos, ':');
1984 snprintf(icon->filename, sizeof(icon->filename),
1997 static int osu_connect(struct hs20_osu_client *ctx, const char *bssid,
1998 const char *ssid, const char *url,
1999 unsigned int methods, int no_prod_assoc,
2000 const char *osu_nai)
2003 const char *ifname = ctx->ifname;
2005 struct wpa_ctrl *mon;
2008 id = add_network(ifname);
2011 if (set_network_quoted(ifname, id, "ssid", ssid) < 0)
2013 if (osu_nai && os_strlen(osu_nai) > 0) {
2014 char dir[255], fname[300];
2015 if (getcwd(dir, sizeof(dir)) == NULL)
2017 os_snprintf(fname, sizeof(fname), "%s/osu-ca.pem", dir);
2019 if (set_network(ifname, id, "proto", "OSEN") < 0 ||
2020 set_network(ifname, id, "key_mgmt", "OSEN") < 0 ||
2021 set_network(ifname, id, "pairwise", "CCMP") < 0 ||
2022 set_network(ifname, id, "group", "GTK_NOT_USED") < 0 ||
2023 set_network(ifname, id, "eap", "WFA-UNAUTH-TLS") < 0 ||
2024 set_network(ifname, id, "ocsp", "2") < 0 ||
2025 set_network_quoted(ifname, id, "identity", osu_nai) < 0 ||
2026 set_network_quoted(ifname, id, "ca_cert", fname) < 0)
2029 if (set_network(ifname, id, "key_mgmt", "NONE") < 0)
2033 mon = open_wpa_mon(ifname);
2037 wpa_printf(MSG_INFO, "Associate with OSU SSID");
2038 write_summary(ctx, "Associate with OSU SSID");
2039 snprintf(buf, sizeof(buf), "SELECT_NETWORK %d", id);
2040 if (wpa_command(ifname, buf) < 0)
2043 res = get_wpa_cli_event(mon, "CTRL-EVENT-CONNECTED",
2046 wpa_ctrl_detach(mon);
2047 wpa_ctrl_close(mon);
2050 wpa_printf(MSG_INFO, "Could not connect");
2051 write_summary(ctx, "Could not connect to OSU network");
2052 wpa_printf(MSG_INFO, "Remove OSU network connection");
2053 snprintf(buf, sizeof(buf), "REMOVE_NETWORK %d", id);
2054 wpa_command(ifname, buf);
2058 write_summary(ctx, "Waiting for IP address for subscription registration");
2059 if (wait_ip_addr(ifname, 15) < 0) {
2060 wpa_printf(MSG_INFO, "Could not get IP address for WLAN - try connection anyway");
2063 if (no_prod_assoc) {
2066 wpa_printf(MSG_INFO, "No production connection used for testing purposes");
2067 write_summary(ctx, "No production connection used for testing purposes");
2071 ctx->no_reconnect = 1;
2073 res = cmd_prov(ctx, url);
2074 else if (methods & 0x01)
2075 res = cmd_oma_dm_prov(ctx, url);
2077 wpa_printf(MSG_INFO, "Remove OSU network connection");
2078 write_summary(ctx, "Remove OSU network connection");
2079 snprintf(buf, sizeof(buf), "REMOVE_NETWORK %d", id);
2080 wpa_command(ifname, buf);
2085 wpa_printf(MSG_INFO, "Requesting reconnection with updated configuration");
2086 write_summary(ctx, "Requesting reconnection with updated configuration");
2087 if (wpa_command(ctx->ifname, "INTERWORKING_SELECT auto") < 0) {
2088 wpa_printf(MSG_INFO, "Failed to request wpa_supplicant to reconnect");
2089 write_summary(ctx, "Failed to request wpa_supplicant to reconnect");
2097 static int cmd_osu_select(struct hs20_osu_client *ctx, const char *dir,
2098 int connect, int no_prod_assoc,
2099 const char *friendly_name)
2103 struct osu_data *osu = NULL, *last = NULL;
2104 size_t osu_count, i, j;
2107 write_summary(ctx, "OSU provider selection");
2110 wpa_printf(MSG_INFO, "Missing dir parameter to osu_select");
2114 snprintf(fname, sizeof(fname), "%s/osu-providers.txt", dir);
2115 osu = parse_osu_providers(fname, &osu_count);
2117 wpa_printf(MSG_INFO, "Could not any OSU providers from %s",
2119 write_result(ctx, "No OSU providers available");
2123 if (friendly_name) {
2124 for (i = 0; i < osu_count; i++) {
2126 for (j = 0; j < last->friendly_name_count; j++) {
2127 if (os_strcmp(last->friendly_name[j].text,
2128 friendly_name) == 0)
2131 if (j < last->friendly_name_count)
2134 if (i == osu_count) {
2135 wpa_printf(MSG_INFO, "Requested operator friendly name '%s' not found in the list of available providers",
2137 write_summary(ctx, "Requested operator friendly name '%s' not found in the list of available providers",
2143 wpa_printf(MSG_INFO, "OSU Provider selected based on requested operator friendly name '%s'",
2145 write_summary(ctx, "OSU Provider selected based on requested operator friendly name '%s'",
2151 snprintf(fname, sizeof(fname), "%s/osu-providers.html", dir);
2152 f = fopen(fname, "w");
2154 wpa_printf(MSG_INFO, "Could not open %s", fname);
2159 fprintf(f, "<html><head>"
2160 "<meta http-equiv=\"Content-type\" content=\"text/html; "
2161 "charset=utf-8\"<title>Select service operator</title>"
2162 "</head><body><h1>Select service operator</h1>\n");
2165 fprintf(f, "No online signup available\n");
2167 for (i = 0; i < osu_count; i++) {
2171 "<a href=\"http://localhost:12345/osu/%d\">"
2172 "<table><tr><td>", (int) i + 1);
2175 "<a href=\"osu://%d\">"
2176 "<table><tr><td>", (int) i + 1);
2177 #endif /* ANDROID */
2178 for (j = 0; j < last->icon_count; j++) {
2179 fprintf(f, "<img src=\"osu-icon-%d.%s\">\n",
2181 strcasecmp(last->icon[j].mime_type,
2182 "image/png") == 0 ? "png" : "icon");
2185 for (j = 0; j < last->friendly_name_count; j++) {
2186 fprintf(f, "<small>[%s]</small> %s<br>\n",
2187 last->friendly_name[j].lang,
2188 last->friendly_name[j].text);
2190 fprintf(f, "<tr><td colspan=2>");
2191 for (j = 0; j < last->serv_desc_count; j++) {
2192 fprintf(f, "<small>[%s]</small> %s<br>\n",
2193 last->serv_desc[j].lang,
2194 last->serv_desc[j].text);
2196 fprintf(f, "</table></a><br><small>BSSID: %s<br>\n"
2198 last->bssid, last->osu_ssid);
2200 fprintf(f, "NAI: %s<br>\n", last->osu_nai);
2201 fprintf(f, "URL: %s<br>\n"
2202 "methods:%s%s<br>\n"
2205 last->methods & 0x01 ? " OMA-DM" : "",
2206 last->methods & 0x02 ? " SOAP-XML-SPP" : "");
2209 fprintf(f, "</body></html>\n");
2213 snprintf(fname, sizeof(fname), "file://%s/osu-providers.html", dir);
2214 write_summary(ctx, "Start web browser with OSU provider selection page");
2215 ret = hs20_web_browser(fname);
2218 if (ret > 0 && (size_t) ret <= osu_count) {
2222 wpa_printf(MSG_INFO, "Selected OSU id=%d", ret);
2223 last = &osu[ret - 1];
2225 wpa_printf(MSG_INFO, "BSSID: %s", last->bssid);
2226 wpa_printf(MSG_INFO, "SSID: %s", last->osu_ssid);
2227 wpa_printf(MSG_INFO, "URL: %s", last->url);
2228 write_summary(ctx, "Selected OSU provider id=%d BSSID=%s SSID=%s URL=%s",
2229 ret, last->bssid, last->osu_ssid, last->url);
2231 ctx->friendly_name_count = last->friendly_name_count;
2232 for (j = 0; j < last->friendly_name_count; j++) {
2233 wpa_printf(MSG_INFO, "FRIENDLY_NAME: [%s]%s",
2234 last->friendly_name[j].lang,
2235 last->friendly_name[j].text);
2236 os_strlcpy(ctx->friendly_name[j].lang,
2237 last->friendly_name[j].lang,
2238 sizeof(ctx->friendly_name[j].lang));
2239 os_strlcpy(ctx->friendly_name[j].text,
2240 last->friendly_name[j].text,
2241 sizeof(ctx->friendly_name[j].text));
2244 ctx->icon_count = last->icon_count;
2245 for (j = 0; j < last->icon_count; j++) {
2248 os_snprintf(fname, sizeof(fname), "%s/osu-icon-%d.%s",
2249 dir, last->icon[j].id,
2250 strcasecmp(last->icon[j].mime_type,
2253 wpa_printf(MSG_INFO, "ICON: %s (%s)",
2254 fname, last->icon[j].filename);
2255 os_strlcpy(ctx->icon_filename[j],
2256 last->icon[j].filename,
2257 sizeof(ctx->icon_filename[j]));
2259 data = os_readfile(fname, &data_len);
2261 sha256_vector(1, (const u8 **) &data, &data_len,
2268 if (last->methods & 0x02)
2269 ret = cmd_prov(ctx, last->url);
2270 else if (last->methods & 0x01)
2271 ret = cmd_oma_dm_prov(ctx, last->url);
2275 ret = osu_connect(ctx, last->bssid, last->osu_ssid,
2276 last->url, last->methods,
2277 no_prod_assoc, last->osu_nai);
2287 static int cmd_signup(struct hs20_osu_client *ctx, int no_prod_assoc,
2288 const char *friendly_name)
2291 char fname[300], buf[400];
2292 struct wpa_ctrl *mon;
2296 ifname = ctx->ifname;
2298 if (getcwd(dir, sizeof(dir)) == NULL)
2301 snprintf(fname, sizeof(fname), "%s/osu-info", dir);
2302 if (mkdir(fname, S_IRWXU | S_IRWXG) < 0 && errno != EEXIST) {
2303 wpa_printf(MSG_INFO, "mkdir(%s) failed: %s",
2304 fname, strerror(errno));
2308 snprintf(buf, sizeof(buf), "SET osu_dir %s", fname);
2309 if (wpa_command(ifname, buf) < 0) {
2310 wpa_printf(MSG_INFO, "Failed to configure osu_dir to wpa_supplicant");
2314 mon = open_wpa_mon(ifname);
2318 wpa_printf(MSG_INFO, "Starting OSU fetch");
2319 write_summary(ctx, "Starting OSU provider information fetch");
2320 if (wpa_command(ifname, "FETCH_OSU") < 0) {
2321 wpa_printf(MSG_INFO, "Could not start OSU fetch");
2322 wpa_ctrl_detach(mon);
2323 wpa_ctrl_close(mon);
2326 res = get_wpa_cli_event(mon, "OSU provider fetch completed",
2329 wpa_ctrl_detach(mon);
2330 wpa_ctrl_close(mon);
2333 wpa_printf(MSG_INFO, "OSU fetch did not complete");
2334 write_summary(ctx, "OSU fetch did not complete");
2337 wpa_printf(MSG_INFO, "OSU provider fetch completed");
2339 return cmd_osu_select(ctx, fname, 1, no_prod_assoc, friendly_name);
2343 static void cmd_sub_rem(struct hs20_osu_client *ctx, const char *address,
2344 const char *pps_fname, const char *ca_fname)
2346 xml_node_t *pps, *node;
2347 char pps_fname_buf[300];
2348 char ca_fname_buf[200];
2349 char *cred_username = NULL;
2350 char *cred_password = NULL;
2351 char *sub_rem_uri = NULL;
2352 char client_cert_buf[200];
2353 char *client_cert = NULL;
2354 char client_key_buf[200];
2355 char *client_key = NULL;
2358 wpa_printf(MSG_INFO, "Subscription remediation requested with Server URL: %s",
2363 wpa_printf(MSG_INFO, "Determining PPS file based on Home SP information");
2364 if (os_strncmp(address, "fqdn=", 5) == 0) {
2365 wpa_printf(MSG_INFO, "Use requested FQDN from command line");
2366 os_snprintf(buf, sizeof(buf), "%s", address + 5);
2368 } else if (get_wpa_status(ctx->ifname, "provisioning_sp", buf,
2370 wpa_printf(MSG_INFO, "Could not get provisioning Home SP FQDN from wpa_supplicant");
2374 ctx->fqdn = os_strdup(buf);
2375 if (ctx->fqdn == NULL)
2377 wpa_printf(MSG_INFO, "Home SP FQDN for current credential: %s",
2379 os_snprintf(pps_fname_buf, sizeof(pps_fname_buf),
2380 "SP/%s/pps.xml", ctx->fqdn);
2381 pps_fname = pps_fname_buf;
2383 os_snprintf(ca_fname_buf, sizeof(ca_fname_buf), "SP/%s/ca.pem",
2385 ca_fname = ca_fname_buf;
2388 if (!os_file_exists(pps_fname)) {
2389 wpa_printf(MSG_INFO, "PPS file '%s' does not exist or is not accessible",
2393 wpa_printf(MSG_INFO, "Using PPS file: %s", pps_fname);
2395 if (ca_fname && !os_file_exists(ca_fname)) {
2396 wpa_printf(MSG_INFO, "CA file '%s' does not exist or is not accessible",
2400 wpa_printf(MSG_INFO, "Using server trust root: %s", ca_fname);
2401 ctx->ca_fname = ca_fname;
2403 pps = node_from_file(ctx->xml, pps_fname);
2405 wpa_printf(MSG_INFO, "Could not read PPS MO");
2411 node = get_child_node(ctx->xml, pps, "HomeSP/FQDN");
2413 wpa_printf(MSG_INFO, "No HomeSP/FQDN found from PPS");
2416 tmp = xml_node_get_text(ctx->xml, node);
2418 wpa_printf(MSG_INFO, "No HomeSP/FQDN text found from PPS");
2421 ctx->fqdn = os_strdup(tmp);
2422 xml_node_get_text_free(ctx->xml, tmp);
2424 wpa_printf(MSG_INFO, "No FQDN known");
2429 node = get_child_node(ctx->xml, pps,
2430 "SubscriptionUpdate/UpdateMethod");
2433 tmp = xml_node_get_text(ctx->xml, node);
2434 if (tmp && os_strcasecmp(tmp, "OMA-DM-ClientInitiated") == 0)
2439 wpa_printf(MSG_INFO, "No UpdateMethod specified - assume SPP");
2443 get_user_pw(ctx, pps, "SubscriptionUpdate/UsernamePassword",
2444 &cred_username, &cred_password);
2446 wpa_printf(MSG_INFO, "Using username: %s", cred_username);
2448 wpa_printf(MSG_DEBUG, "Using password: %s", cred_password);
2450 if (cred_username == NULL && cred_password == NULL &&
2451 get_child_node(ctx->xml, pps, "Credential/DigitalCertificate")) {
2452 wpa_printf(MSG_INFO, "Using client certificate");
2453 os_snprintf(client_cert_buf, sizeof(client_cert_buf),
2454 "SP/%s/client-cert.pem", ctx->fqdn);
2455 client_cert = client_cert_buf;
2456 os_snprintf(client_key_buf, sizeof(client_key_buf),
2457 "SP/%s/client-key.pem", ctx->fqdn);
2458 client_key = client_key_buf;
2459 ctx->client_cert_present = 1;
2462 node = get_child_node(ctx->xml, pps, "SubscriptionUpdate/URI");
2464 sub_rem_uri = xml_node_get_text(ctx->xml, node);
2466 (!address || os_strcmp(address, sub_rem_uri) != 0)) {
2467 wpa_printf(MSG_INFO, "Override sub rem URI based on PPS: %s",
2469 address = sub_rem_uri;
2473 wpa_printf(MSG_INFO, "Server URL not known");
2477 write_summary(ctx, "Wait for IP address for subscriptiom remediation");
2478 wpa_printf(MSG_INFO, "Wait for IP address before starting subscription remediation");
2480 if (wait_ip_addr(ctx->ifname, 15) < 0) {
2481 wpa_printf(MSG_INFO, "Could not get IP address for WLAN - try connection anyway");
2485 spp_sub_rem(ctx, address, pps_fname,
2486 client_cert, client_key,
2487 cred_username, cred_password, pps);
2489 oma_dm_sub_rem(ctx, address, pps_fname,
2490 client_cert, client_key,
2491 cred_username, cred_password, pps);
2493 xml_node_get_text_free(ctx->xml, sub_rem_uri);
2494 xml_node_get_text_free(ctx->xml, cred_username);
2495 os_free(cred_password);
2496 xml_node_free(ctx->xml, pps);
2500 static int cmd_pol_upd(struct hs20_osu_client *ctx, const char *address,
2501 const char *pps_fname, const char *ca_fname)
2505 char pps_fname_buf[300];
2506 char ca_fname_buf[200];
2508 char *cred_username = NULL;
2509 char *cred_password = NULL;
2510 char client_cert_buf[200];
2511 char *client_cert = NULL;
2512 char client_key_buf[200];
2513 char *client_key = NULL;
2516 wpa_printf(MSG_INFO, "Policy update requested");
2520 wpa_printf(MSG_INFO, "Determining PPS file based on Home SP information");
2521 if (os_strncmp(address, "fqdn=", 5) == 0) {
2522 wpa_printf(MSG_INFO, "Use requested FQDN from command line");
2523 os_snprintf(buf, sizeof(buf), "%s", address + 5);
2525 } else if (get_wpa_status(ctx->ifname, "provisioning_sp", buf,
2527 wpa_printf(MSG_INFO, "Could not get provisioning Home SP FQDN from wpa_supplicant");
2531 ctx->fqdn = os_strdup(buf);
2532 if (ctx->fqdn == NULL)
2534 wpa_printf(MSG_INFO, "Home SP FQDN for current credential: %s",
2536 os_snprintf(pps_fname_buf, sizeof(pps_fname_buf),
2537 "SP/%s/pps.xml", ctx->fqdn);
2538 pps_fname = pps_fname_buf;
2540 os_snprintf(ca_fname_buf, sizeof(ca_fname_buf), "SP/%s/ca.pem",
2542 ca_fname = ca_fname_buf;
2545 if (!os_file_exists(pps_fname)) {
2546 wpa_printf(MSG_INFO, "PPS file '%s' does not exist or is not accessible",
2550 wpa_printf(MSG_INFO, "Using PPS file: %s", pps_fname);
2552 if (ca_fname && !os_file_exists(ca_fname)) {
2553 wpa_printf(MSG_INFO, "CA file '%s' does not exist or is not accessible",
2557 wpa_printf(MSG_INFO, "Using server trust root: %s", ca_fname);
2558 ctx->ca_fname = ca_fname;
2560 pps = node_from_file(ctx->xml, pps_fname);
2562 wpa_printf(MSG_INFO, "Could not read PPS MO");
2568 node = get_child_node(ctx->xml, pps, "HomeSP/FQDN");
2570 wpa_printf(MSG_INFO, "No HomeSP/FQDN found from PPS");
2573 tmp = xml_node_get_text(ctx->xml, node);
2575 wpa_printf(MSG_INFO, "No HomeSP/FQDN text found from PPS");
2578 ctx->fqdn = os_strdup(tmp);
2579 xml_node_get_text_free(ctx->xml, tmp);
2581 wpa_printf(MSG_INFO, "No FQDN known");
2586 node = get_child_node(ctx->xml, pps,
2587 "Policy/PolicyUpdate/UpdateMethod");
2590 tmp = xml_node_get_text(ctx->xml, node);
2591 if (tmp && os_strcasecmp(tmp, "OMA-DM-ClientInitiated") == 0)
2596 wpa_printf(MSG_INFO, "No UpdateMethod specified - assume SPP");
2600 get_user_pw(ctx, pps, "Policy/PolicyUpdate/UsernamePassword",
2601 &cred_username, &cred_password);
2603 wpa_printf(MSG_INFO, "Using username: %s", cred_username);
2605 wpa_printf(MSG_DEBUG, "Using password: %s", cred_password);
2607 if (cred_username == NULL && cred_password == NULL &&
2608 get_child_node(ctx->xml, pps, "Credential/DigitalCertificate")) {
2609 wpa_printf(MSG_INFO, "Using client certificate");
2610 os_snprintf(client_cert_buf, sizeof(client_cert_buf),
2611 "SP/%s/client-cert.pem", ctx->fqdn);
2612 client_cert = client_cert_buf;
2613 os_snprintf(client_key_buf, sizeof(client_key_buf),
2614 "SP/%s/client-key.pem", ctx->fqdn);
2615 client_key = client_key_buf;
2619 node = get_child_node(ctx->xml, pps, "Policy/PolicyUpdate/URI");
2621 uri = xml_node_get_text(ctx->xml, node);
2622 wpa_printf(MSG_INFO, "URI based on PPS: %s", uri);
2627 wpa_printf(MSG_INFO, "Server URL not known");
2632 spp_pol_upd(ctx, address, pps_fname,
2633 client_cert, client_key,
2634 cred_username, cred_password, pps);
2636 oma_dm_pol_upd(ctx, address, pps_fname,
2637 client_cert, client_key,
2638 cred_username, cred_password, pps);
2640 xml_node_get_text_free(ctx->xml, uri);
2641 xml_node_get_text_free(ctx->xml, cred_username);
2642 os_free(cred_password);
2643 xml_node_free(ctx->xml, pps);
2649 static char * get_hostname(const char *url)
2651 const char *pos, *end, *end2;
2657 pos = os_strchr(url, '/');
2665 end = os_strchr(pos, '/');
2666 end2 = os_strchr(pos, ':');
2667 if (end && end2 && end2 < end)
2679 ret = os_malloc(end - pos + 2);
2683 os_memcpy(ret, pos, end - pos + 1);
2684 ret[end - pos + 1] = '\0';
2690 static int osu_cert_cb(void *_ctx, struct http_cert *cert)
2692 struct hs20_osu_client *ctx = _ctx;
2697 wpa_printf(MSG_INFO, "osu_cert_cb(osu_cert_validation=%d)",
2698 !ctx->no_osu_cert_validation);
2700 host = get_hostname(ctx->server_url);
2702 for (i = 0; i < ctx->server_dnsname_count; i++)
2703 os_free(ctx->server_dnsname[i]);
2704 os_free(ctx->server_dnsname);
2705 ctx->server_dnsname = os_calloc(cert->num_dnsname, sizeof(char *));
2706 ctx->server_dnsname_count = 0;
2709 for (i = 0; i < cert->num_dnsname; i++) {
2710 if (ctx->server_dnsname) {
2711 ctx->server_dnsname[ctx->server_dnsname_count] =
2712 os_strdup(cert->dnsname[i]);
2713 if (ctx->server_dnsname[ctx->server_dnsname_count])
2714 ctx->server_dnsname_count++;
2716 if (host && os_strcasecmp(host, cert->dnsname[i]) == 0)
2718 wpa_printf(MSG_INFO, "dNSName '%s'", cert->dnsname[i]);
2721 if (host && !found) {
2722 wpa_printf(MSG_INFO, "Server name from URL (%s) did not match any dNSName - abort connection",
2724 write_result(ctx, "Server name from URL (%s) did not match any dNSName - abort connection",
2732 for (i = 0; i < cert->num_othername; i++) {
2733 if (os_strcmp(cert->othername[i].oid,
2734 "1.3.6.1.4.1.40808.1.1.1") == 0) {
2735 wpa_hexdump_ascii(MSG_INFO,
2736 "id-wfa-hotspot-friendlyName",
2737 cert->othername[i].data,
2738 cert->othername[i].len);
2742 for (j = 0; !ctx->no_osu_cert_validation &&
2743 j < ctx->friendly_name_count; j++) {
2745 for (i = 0; i < cert->num_othername; i++) {
2746 if (os_strcmp(cert->othername[i].oid,
2747 "1.3.6.1.4.1.40808.1.1.1") != 0)
2749 if (cert->othername[i].len < 3)
2751 if (os_strncasecmp((char *) cert->othername[i].data,
2752 ctx->friendly_name[j].lang, 3) != 0)
2754 if (os_strncmp((char *) cert->othername[i].data + 3,
2755 ctx->friendly_name[j].text,
2756 cert->othername[i].len - 3) == 0) {
2763 wpa_printf(MSG_INFO, "No friendly name match found for '[%s]%s'",
2764 ctx->friendly_name[j].lang,
2765 ctx->friendly_name[j].text);
2766 write_result(ctx, "No friendly name match found for '[%s]%s'",
2767 ctx->friendly_name[j].lang,
2768 ctx->friendly_name[j].text);
2773 for (i = 0; i < cert->num_logo; i++) {
2774 struct http_logo *logo = &cert->logo[i];
2776 wpa_printf(MSG_INFO, "logo hash alg %s uri '%s'",
2777 logo->alg_oid, logo->uri);
2778 wpa_hexdump_ascii(MSG_INFO, "hashValue",
2779 logo->hash, logo->hash_len);
2782 for (j = 0; !ctx->no_osu_cert_validation && j < ctx->icon_count; j++) {
2784 char *name = ctx->icon_filename[j];
2785 size_t name_len = os_strlen(name);
2787 wpa_printf(MSG_INFO, "Looking for icon file name '%s' match",
2789 for (i = 0; i < cert->num_logo; i++) {
2790 struct http_logo *logo = &cert->logo[i];
2791 size_t uri_len = os_strlen(logo->uri);
2794 wpa_printf(MSG_INFO, "Comparing to '%s' uri_len=%d name_len=%d",
2795 logo->uri, (int) uri_len, (int) name_len);
2796 if (uri_len < 1 + name_len)
2798 pos = &logo->uri[uri_len - name_len - 1];
2802 if (os_strcmp(pos, name) == 0) {
2809 wpa_printf(MSG_INFO, "No icon filename match found for '%s'",
2812 "No icon filename match found for '%s'",
2818 for (j = 0; !ctx->no_osu_cert_validation && j < ctx->icon_count; j++) {
2821 for (i = 0; i < cert->num_logo; i++) {
2822 struct http_logo *logo = &cert->logo[i];
2824 if (logo->hash_len != 32)
2826 if (os_memcmp(logo->hash, ctx->icon_hash[j], 32) == 0) {
2833 wpa_printf(MSG_INFO, "No icon hash match found");
2834 write_result(ctx, "No icon hash match found");
2843 static int init_ctx(struct hs20_osu_client *ctx)
2845 xml_node_t *devinfo, *devid;
2847 os_memset(ctx, 0, sizeof(*ctx));
2848 ctx->ifname = "wlan0";
2849 ctx->xml = xml_node_init_ctx(ctx, NULL);
2850 if (ctx->xml == NULL)
2853 devinfo = node_from_file(ctx->xml, "devinfo.xml");
2855 wpa_printf(MSG_ERROR, "devinfo.xml not found");
2859 devid = get_node(ctx->xml, devinfo, "DevId");
2861 char *tmp = xml_node_get_text(ctx->xml, devid);
2863 ctx->devid = os_strdup(tmp);
2864 xml_node_get_text_free(ctx->xml, tmp);
2867 xml_node_free(ctx->xml, devinfo);
2869 if (ctx->devid == NULL) {
2870 wpa_printf(MSG_ERROR, "Could not fetch DevId from devinfo.xml");
2874 ctx->http = http_init_ctx(ctx, ctx->xml);
2875 if (ctx->http == NULL) {
2876 xml_node_deinit_ctx(ctx->xml);
2879 http_ocsp_set(ctx->http, 2);
2880 http_set_cert_cb(ctx->http, osu_cert_cb, ctx);
2886 static void deinit_ctx(struct hs20_osu_client *ctx)
2890 http_deinit_ctx(ctx->http);
2891 xml_node_deinit_ctx(ctx->xml);
2893 os_free(ctx->server_url);
2894 os_free(ctx->devid);
2896 for (i = 0; i < ctx->server_dnsname_count; i++)
2897 os_free(ctx->server_dnsname[i]);
2898 os_free(ctx->server_dnsname);
2902 static void check_workarounds(struct hs20_osu_client *ctx)
2906 unsigned long int val = 0;
2908 f = fopen("hs20-osu-client.workarounds", "r");
2912 if (fgets(buf, sizeof(buf), f))
2913 val = strtoul(buf, NULL, 16);
2918 wpa_printf(MSG_INFO, "Workarounds enabled: 0x%lx", val);
2919 ctx->workarounds = val;
2920 if (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL)
2921 http_ocsp_set(ctx->http, 1);
2926 static void usage(void)
2928 printf("usage: hs20-osu-client [-dddqqKt] [-S<station ifname>] \\\n"
2929 " [-w<wpa_supplicant ctrl_iface dir>] "
2930 "[-r<result file>] [-f<debug file>] \\\n"
2931 " [-s<summary file>] \\\n"
2932 " <command> [arguments..]\n"
2934 "- to_tnds <XML MO> <XML MO in TNDS format> [URN]\n"
2935 "- to_tnds2 <XML MO> <XML MO in TNDS format (Path) "
2937 "- from_tnds <XML MO in TNDS format> <XML MO>\n"
2938 "- set_pps <PerProviderSubscription XML file name>\n"
2939 "- get_fqdn <PerProviderSubscription XML file name>\n"
2940 "- pol_upd [Server URL] [PPS] [CA cert]\n"
2941 "- sub_rem <Server URL> [PPS] [CA cert]\n"
2942 "- prov <Server URL> [CA cert]\n"
2943 "- oma_dm_prov <Server URL> [CA cert]\n"
2944 "- sim_prov <Server URL> [CA cert]\n"
2945 "- oma_dm_sim_prov <Server URL> [CA cert]\n"
2946 "- signup [CA cert]\n"
2947 "- dl_osu_ca <PPS> <CA file>\n"
2948 "- dl_polupd_ca <PPS> <CA file>\n"
2949 "- dl_aaa_ca <PPS> <CA file>\n"
2951 "- parse_cert <X.509 certificate (DER)>\n"
2952 "- osu_select <OSU info directory> [CA cert]\n");
2956 int main(int argc, char *argv[])
2958 struct hs20_osu_client ctx;
2961 int no_prod_assoc = 0;
2962 const char *friendly_name = NULL;
2963 const char *wpa_debug_file_path = NULL;
2964 extern char *wpas_ctrl_path;
2965 extern int wpa_debug_level;
2966 extern int wpa_debug_show_keys;
2967 extern int wpa_debug_timestamp;
2969 if (init_ctx(&ctx) < 0)
2973 c = getopt(argc, argv, "df:hi:KNO:qr:s:S:tw:");
2978 if (wpa_debug_level > 0)
2982 wpa_debug_file_path = optarg;
2985 wpa_debug_show_keys++;
2991 friendly_name = optarg;
2997 ctx.result_file = optarg;
3000 ctx.summary_file = optarg;
3003 ctx.ifname = optarg;
3006 wpa_debug_timestamp++;
3009 wpas_ctrl_path = optarg;
3019 if (argc - optind < 1) {
3024 wpa_debug_open_file(wpa_debug_file_path);
3028 #endif /* __linux__ */
3030 if (ctx.result_file)
3031 unlink(ctx.result_file);
3032 wpa_printf(MSG_DEBUG, "===[hs20-osu-client START - command: %s ]======"
3033 "================", argv[optind]);
3034 check_workarounds(&ctx);
3036 if (strcmp(argv[optind], "to_tnds") == 0) {
3037 if (argc - optind < 2) {
3041 cmd_to_tnds(&ctx, argv[optind + 1], argv[optind + 2],
3042 argc > optind + 3 ? argv[optind + 3] : NULL,
3044 } else if (strcmp(argv[optind], "to_tnds2") == 0) {
3045 if (argc - optind < 2) {
3049 cmd_to_tnds(&ctx, argv[optind + 1], argv[optind + 2],
3050 argc > optind + 3 ? argv[optind + 3] : NULL,
3052 } else if (strcmp(argv[optind], "from_tnds") == 0) {
3053 if (argc - optind < 2) {
3057 cmd_from_tnds(&ctx, argv[optind + 1], argv[optind + 2]);
3058 } else if (strcmp(argv[optind], "sub_rem") == 0) {
3059 if (argc - optind < 2) {
3063 if (argc - optind < 2)
3064 wpa_printf(MSG_ERROR, "Server URL missing from command line");
3066 cmd_sub_rem(&ctx, argv[optind + 1],
3067 argc > optind + 2 ? argv[optind + 2] : NULL,
3068 argc > optind + 3 ? argv[optind + 3] :
3070 } else if (strcmp(argv[optind], "pol_upd") == 0) {
3071 if (argc - optind < 2) {
3075 ret = cmd_pol_upd(&ctx, argc > 2 ? argv[optind + 1] : NULL,
3076 argc > optind + 2 ? argv[optind + 2] : NULL,
3077 argc > optind + 3 ? argv[optind + 3] : NULL);
3078 } else if (strcmp(argv[optind], "prov") == 0) {
3079 if (argc - optind < 2) {
3083 ctx.ca_fname = argv[optind + 2];
3084 cmd_prov(&ctx, argv[optind + 1]);
3085 } else if (strcmp(argv[optind], "sim_prov") == 0) {
3086 if (argc - optind < 2) {
3090 ctx.ca_fname = argv[optind + 2];
3091 cmd_sim_prov(&ctx, argv[optind + 1]);
3092 } else if (strcmp(argv[optind], "dl_osu_ca") == 0) {
3093 if (argc - optind < 2) {
3097 cmd_dl_osu_ca(&ctx, argv[optind + 1], argv[optind + 2]);
3098 } else if (strcmp(argv[optind], "dl_polupd_ca") == 0) {
3099 if (argc - optind < 2) {
3103 cmd_dl_polupd_ca(&ctx, argv[optind + 1], argv[optind + 2]);
3104 } else if (strcmp(argv[optind], "dl_aaa_ca") == 0) {
3105 if (argc - optind < 2) {
3109 cmd_dl_aaa_ca(&ctx, argv[optind + 1], argv[optind + 2]);
3110 } else if (strcmp(argv[optind], "osu_select") == 0) {
3111 if (argc - optind < 2) {
3115 ctx.ca_fname = argc > optind + 2 ? argv[optind + 2] : NULL;
3116 cmd_osu_select(&ctx, argv[optind + 1], 2, 1, NULL);
3117 } else if (strcmp(argv[optind], "signup") == 0) {
3118 ctx.ca_fname = argc > optind + 1 ? argv[optind + 1] : NULL;
3119 ret = cmd_signup(&ctx, no_prod_assoc, friendly_name);
3120 } else if (strcmp(argv[optind], "set_pps") == 0) {
3121 if (argc - optind < 2) {
3125 cmd_set_pps(&ctx, argv[optind + 1]);
3126 } else if (strcmp(argv[optind], "get_fqdn") == 0) {
3127 if (argc - optind < 1) {
3131 ret = cmd_get_fqdn(&ctx, argv[optind + 1]);
3132 } else if (strcmp(argv[optind], "oma_dm_prov") == 0) {
3133 if (argc - optind < 2) {
3137 ctx.ca_fname = argv[optind + 2];
3138 cmd_oma_dm_prov(&ctx, argv[optind + 1]);
3139 } else if (strcmp(argv[optind], "oma_dm_sim_prov") == 0) {
3140 if (argc - optind < 2) {
3144 ctx.ca_fname = argv[optind + 2];
3145 if (cmd_oma_dm_sim_prov(&ctx, argv[optind + 1]) < 0) {
3146 write_summary(&ctx, "Failed to complete OMA DM SIM provisioning");
3149 } else if (strcmp(argv[optind], "oma_dm_add") == 0) {
3150 if (argc - optind < 2) {
3154 cmd_oma_dm_add(&ctx, argv[optind + 1], argv[optind + 2]);
3155 } else if (strcmp(argv[optind], "oma_dm_replace") == 0) {
3156 if (argc - optind < 2) {
3160 cmd_oma_dm_replace(&ctx, argv[optind + 1], argv[optind + 2]);
3161 } else if (strcmp(argv[optind], "est_csr") == 0) {
3162 if (argc - optind < 2) {
3166 mkdir("Cert", S_IRWXU);
3167 est_build_csr(&ctx, argv[optind + 1]);
3168 } else if (strcmp(argv[optind], "browser") == 0) {
3171 if (argc - optind < 2) {
3176 wpa_printf(MSG_INFO, "Launch web browser to URL %s",
3178 ret = hs20_web_browser(argv[optind + 1]);
3179 wpa_printf(MSG_INFO, "Web browser result: %d", ret);
3180 } else if (strcmp(argv[optind], "parse_cert") == 0) {
3181 if (argc - optind < 2) {
3186 wpa_debug_level = MSG_MSGDUMP;
3187 http_parse_x509_certificate(ctx.http, argv[optind + 1]);
3188 wpa_debug_level = MSG_INFO;
3190 wpa_printf(MSG_INFO, "Unknown command '%s'", argv[optind]);
3193 wpa_printf(MSG_DEBUG,
3194 "===[hs20-osu-client END ]======================");
3196 wpa_debug_close_file();