[PATCH 1/3] HS 2.0: crypto engine support for creds.
Damien Dejean
damiendejean at google.com
Thu Sep 16 01:43:57 PDT 2021
Adds the support of engine, engine_id, ca_cert_id, cert_id and key_id to
credential blocks for Hotspot 2.0.
Signed-off-by: Damien Dejean <damiendejean at google.com>
---
wpa_supplicant/config.c | 33 +++++++++++++++++++++++++++++++++
wpa_supplicant/config.h | 25 +++++++++++++++++++++++++
wpa_supplicant/interworking.c | 30 ++++++++++++++++++++++++++----
wpa_supplicant/wpa_cli.c | 1 +
4 files changed, 85 insertions(+), 4 deletions(-)
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index e8e9fd432..4f1fe9692 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2855,6 +2855,10 @@ void wpa_config_free_cred(struct wpa_cred *cred)
os_free(cred->client_cert);
os_free(cred->private_key);
str_clear_free(cred->private_key_passwd);
+ os_free(cred->engine_id);
+ os_free(cred->ca_cert_id);
+ os_free(cred->cert_id);
+ os_free(cred->key_id);
os_free(cred->imsi);
str_clear_free(cred->milenage);
for (i = 0; i < cred->num_domain; i++)
@@ -3616,6 +3620,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
return 0;
}
+ if (os_strcmp(var, "engine") == 0) {
+ cred->engine = atoi(value);
+ return 0;
+ }
+
val = wpa_config_parse_string(value, &len);
if (val == NULL ||
(os_strcmp(var, "excluded_ssid") != 0 &&
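Review bot: The new `engine` branch stores `atoi(value)` unvalidated, although this variable is reachable from the control interface (it is added to wpa_cli's cred_fields in the same patch) and the header comment in config.h describes it as a use-an-engine switch. If it is meant as a flag, normalising it as `cred->engine = atoi(value) != 0;` keeps any stray value from propagating into `ssid->eap.cert.engine` later; if non-zero values other than 1 are meaningful, a range check and a comment stating the accepted values would help the next reader. wpa_config_set_cred starts and ends outside this hunk.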
@@ -3671,6 +3680,30 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
return 0;
}
+ if (os_strcmp(var, "engine_id") == 0) {
+ os_free(cred->engine_id);
+ cred->engine_id = val;
+ return 0;
+ }
+
+ if (os_strcmp(var, "ca_cert_id") == 0) {
+ os_free(cred->ca_cert_id);
+ cred->ca_cert_id = val;
+ return 0;
+ }
+
+ if (os_strcmp(var, "cert_id") == 0) {
+ os_free(cred->cert_id);
+ cred->cert_id = val;
+ return 0;
+ }
+
+ if (os_strcmp(var, "key_id") == 0) {
+ os_free(cred->key_id);
+ cred->key_id = val;
+ return 0;
+ }
+
if (os_strcmp(var, "imsi") == 0) {
os_free(cred->imsi);
cred->imsi = val;
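Review bot: The four new setters take ownership of `val` and free the previous value, which matches the surrounding `imsi` handling, but I do not see a matching update to the credential getter or the config writer anywhere in this series' diffstat (only config.c, config.h, interworking.c and wpa_cli.c are touched), so `engine_id`, `ca_cert_id`, `cert_id` and `key_id` may be settable via SET_CRED yet not readable via GET_CRED or persisted by SAVE_CONFIG — worth confirming against wpa_config_get_cred and the cred writer. A one-line comment on the first of the new branches, `/* engine/ca_cert_id/cert_id/key_id mirror the network-block variables of the same name */`, would document the intended mapping to the network-block variables of the same name. wpa_config_set_cred starts and ends outside this hunk.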
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 68679c6e3..4e8b7c889 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -179,6 +179,31 @@ struct wpa_cred {
*/
char *milenage;
+ /**
+ * engine - Use an engine for private key operations.
+ */
+ int engine;
+
+ /**
+ * engine_id - String identifying the engine to use.
+ */
+ char *engine_id;
+
+ /**
+ * ca_cert_id - The CA certificate identifier when using an engine.
+ */
+ char *ca_cert_id;
+
+ /**
+ * cert_id - The certificate identifier when using an engine.
+ */
+ char *cert_id;
+
+ /**
+ * key_id - The private key identifier when using an engine.
+ */
+ char *key_id;
+
/**
* domain_suffix_match - Constraint for server domain name
*
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index 1c82d2117..066e344a0 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -702,12 +702,15 @@ static struct nai_realm_eap * nai_realm_find_eap(struct wpa_supplicant *wpa_s,
((cred->password == NULL ||
cred->password[0] == '\0') &&
(cred->private_key == NULL ||
- cred->private_key[0] == '\0'))) {
+ cred->private_key[0] == '\0') &&
+ (cred->key_id == NULL ||
+ cred->key_id[0] == '\0'))) {
wpa_msg(wpa_s, MSG_DEBUG,
- "nai-realm-find-eap: incomplete cred info: username: %s password: %s private_key: %s",
+ "nai-realm-find-eap: incomplete cred info: username: %s password: %s private_key: %s key_id: %s",
cred->username ? cred->username : "NULL",
cred->password ? cred->password : "NULL",
- cred->private_key ? cred->private_key : "NULL");
+ cred->private_key ? cred->private_key : "NULL",
+ cred->key_id ? cred->private_key : "NULL");
return NULL;
}
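Review bot: The last added line of this hunk passes `cred->private_key` for the new `key_id: %s` placeholder, so for a credential that has only `key_id` set the debug message prints the wrong field and hands a NULL pointer to `%s` (undefined behaviour in a non-glibc libc); it should read `cred->key_id ? cred->key_id : "NULL");`. The same copy-paste pattern is not present in the other hunks of this file. nai_realm_find_eap starts before this hunk and continues after it.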
@@ -716,7 +719,8 @@ static struct nai_realm_eap * nai_realm_find_eap(struct wpa_supplicant *wpa_s,
if (cred->password && cred->password[0] &&
nai_realm_cred_username(wpa_s, eap))
return eap;
- if (cred->private_key && cred->private_key[0] &&
+ if (((cred->private_key && cred->private_key[0]) ||
+ (cred->key_id && cred->key_id[0])) &&
nai_realm_cred_cert(wpa_s, eap))
return eap;
}
@@ -1539,6 +1543,24 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
cred->private_key_passwd) < 0)
return -1;
+ if (cred->ca_cert_id && cred->ca_cert_id[0] &&
+ wpa_config_set_quoted(ssid, "ca_cert_id", cred->ca_cert_id) < 0)
+ return -1;
+
+ if (cred->cert_id && cred->cert_id[0] &&
+ wpa_config_set_quoted(ssid, "cert_id", cred->cert_id) < 0)
+ return -1;
+
+ if (cred->key_id && cred->key_id[0] &&
+ wpa_config_set_quoted(ssid, "key_id", cred->key_id) < 0)
+ return -1;
+
+ if (cred->engine_id && cred->engine_id[0] &&
+ wpa_config_set_quoted(ssid, "engine_id", cred->engine_id) < 0)
+ return -1;
+
+ ssid->eap.cert.engine = cred->engine;
+
if (cred->phase1) {
os_free(ssid->eap.phase1);
ssid->eap.phase1 = os_strdup(cred->phase1);
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index fea7b85e0..2e8552adc 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1590,6 +1590,7 @@ static const char * const cred_fields[] = {
"min_dl_bandwidth_roaming", "min_ul_bandwidth_roaming", "max_bss_load",
"req_conn_capab", "ocsp", "sim_num", "realm", "username", "password",
"ca_cert", "client_cert", "private_key", "private_key_passwd", "imsi",
+ "ca_cert_id", "cert_id", "key_id", "engine_id", "engine",
"milenage", "domain_suffix_match", "domain", "phase1", "phase2",
"roaming_consortium", "required_roaming_consortium", "excluded_ssid",
"roaming_partner", "provisioning_sp"
--
2.33.0.309.g3052b89438-goog