| author | Dmitry Shmidt <dimitrysh@google.com> | 2015-04-03 10:03:11 -0700 |
|---|---|---|
| committer | Dmitry Shmidt <dimitrysh@google.com> | 2015-04-03 10:03:11 -0700 |
| commit | af9da3180dc20f57df1fc1e1811f3df9fa9e6ab5 (patch) | |
| tree | eafc749f94d3b6b83947e0379055678943ac5fd4 /hs20 | |
| parent | 912c6ecf72fb2c84fbf17dbd0666492778dbd9fc (diff) | |
Cumulative patch from commit 681278246232029c334117bd6dc7e74c6b179f96
6812782 hlr_auc_gw: Allow Milenage RES length to be reduced
4839f7c wpa_cli: Fix a typo in usage text
a20a361 wpa_supplicant: Clear blacklist on connect
0144ecb Android: wpa_ctrl missing include for sys/stat.h
0bb20ef HS 2.0R2: Allow user to specify spp.xsd file location
97c9991 HS 2.0R2: Add more debugging messages to hs20-osu-client
93c2e60 HS 2.0R2 CA: Improve setup.sh and .conf for more flexibility
02e122a Reschedule scan from wpas_stop_pno if it was postponed
80fd9c3 EAP-PEAP server: Add support for negotiating vendor for Phase 2
a867082 EAP peer: Use 32-bit EAP method type for Phase 2 processing
56dfc49 Fix a typo in configuration parameter documentation
c4b45c6 TLS: Fix memory leaks on tls_connection_set_params() error paths
af85191 Make tls_connection_get_keyblock_size() internal to tls_*.c
94f1fe6 Remove master key extraction from tls_connection_get_keys()
fa0e715 Use tls_connection_prf() for all EAP TLS-based key derivation
df8191d Rename HT 20/40 coex variable to be more descriptive
1d0f42a EAP server: Add debug prints to help asleap testing
2c1cf90 Add wpa_snprintf_hex_sep()
5955cfa ms_funcs: Make challenge_hash() non-static
Change-Id: I0f3e5e5170a61e458949a675641946d95598dc5d
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Diffstat (limited to 'hs20')
| -rw-r--r-- | hs20/client/osu_client.c | 35 | ||||
| -rw-r--r-- | hs20/client/spp_client.c | 8 | ||||
| -rwxr-xr-x[-rw-r--r--] | hs20/server/ca/clean.sh | 5 | ||||
| -rw-r--r-- | hs20/server/ca/openssl-root.cnf | 4 | ||||
| -rw-r--r-- | hs20/server/ca/openssl.cnf | 20 | ||||
| -rwxr-xr-x[-rw-r--r--] | hs20/server/ca/setup.sh | 118 | ||||
| -rw-r--r-- | hs20/server/hs20-osu-server.txt | 61 |
7 files changed, 211 insertions, 40 deletions
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index 649a884c..5cd823ee 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@@ -25,6 +25,8 @@
 #include "crypto/sha256.h"
 #include "osu_client.h"
+const char *spp_xsd_fname = "spp.xsd";
+
 void write_result(struct hs20_osu_client *ctx, const char *fmt, ...)
 {
@@ -547,8 +549,9 @@ int hs20_add_pps_mo(struct hs20_osu_client *ctx, const char *uri,
 wpa_printf(MSG_INFO, "SP FQDN: %s", fqdn);
 if (!server_dnsname_suffix_match(ctx, fqdn)) {
- wpa_printf(MSG_INFO, "FQDN '%s' for new PPS MO did not have suffix match with server's dNSName values",
- fqdn);
+ wpa_printf(MSG_INFO,
+ "FQDN '%s' for new PPS MO did not have suffix match with server's dNSName values, count: %d",
+ fqdn, (int) ctx->server_dnsname_count);
 write_result(ctx, "FQDN '%s' for new PPS MO did not have suffix match with server's dNSName values", fqdn);
 free(fqdn);
@@ -2094,10 +2097,14 @@ static int osu_connect(struct hs20_osu_client *ctx, const char *bssid,
 }
 ctx->no_reconnect = 1;
- if (methods & 0x02)
+ if (methods & 0x02) {
+ wpa_printf(MSG_DEBUG, "Calling cmd_prov from osu_connect");
 res = cmd_prov(ctx, url);
- else if (methods & 0x01)
+ } else if (methods & 0x01) {
+ wpa_printf(MSG_DEBUG,
+ "Calling cmd_oma_dm_prov from osu_connect");
 res = cmd_oma_dm_prov(ctx, url);
+ }
 wpa_printf(MSG_INFO, "Remove OSU network connection");
 write_summary(ctx, "Remove OSU network connection");
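Review bot: `const char *spp_xsd_fname` is defined at file scope in osu_client.c with no declaration in a header, and spp_client.c reaches it through a hand-written `extern` later in this patch, so the definition and its use can drift without any compiler diagnostic. Put `extern const char *spp_xsd_fname;` in osu_client.h, which both files already include, and drop the local extern in spp_client.c. A short comment on the definition would also help readers of main(): `/* Path of the SPP XML schema passed to xml_validate(); overridden by -x */`.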
@@ -2290,12 +2297,19 @@ selected:
 }
 if (connect == 2) {
- if (last->methods & 0x02)
+ if (last->methods & 0x02) {
+ wpa_printf(MSG_DEBUG,
+ "Calling cmd_prov from cmd_osu_select");
 ret = cmd_prov(ctx, last->url);
- else if (last->methods & 0x01)
+ } else if (last->methods & 0x01) {
+ wpa_printf(MSG_DEBUG,
+ "Calling cmd_oma_dm_prov from cmd_osu_select");
 ret = cmd_oma_dm_prov(ctx, last->url);
- else
+ } else {
+ wpa_printf(MSG_DEBUG,
+ "No supported OSU provisioning method");
 ret = -1;
+ }
 } else if (connect)
 ret = osu_connect(ctx, last->bssid, last->osu_ssid,
 last->url, last->methods,
@@ -2972,6 +2986,7 @@ static void usage(void)
 " [-w<wpa_supplicant ctrl_iface dir>] "
 "[-r<result file>] [-f<debug file>] \\\n"
 " [-s<summary file>] \\\n"
+ " [-x<spp.xsd file name>] \\\n"
 " <command> [arguments..]\n"
 "commands:\n"
 "- to_tnds <XML MO> <XML MO in TNDS format> [URN]\n"
@@ -3013,7 +3028,7 @@ int main(int argc, char *argv[])
 return -1;
 for (;;) {
- c = getopt(argc, argv, "df:hKNO:qr:s:S:tw:");
+ c = getopt(argc, argv, "df:hKNO:qr:s:S:tw:x:");
 if (c < 0)
 break;
 switch (c) {
@@ -3051,6 +3066,9 @@ int main(int argc, char *argv[])
 case 'w':
 wpas_ctrl_path = optarg;
 break;
+ case 'x':
+ spp_xsd_fname = optarg;
+ break;
 case 'h':
 default:
 usage();
@@ -3125,6 +3143,7 @@ int main(int argc, char *argv[])
 exit(0);
 }
 ctx.ca_fname = argv[optind + 2];
+ wpa_printf(MSG_DEBUG, "Calling cmd_prov from main");
 cmd_prov(&ctx, argv[optind + 1]);
 } else if (strcmp(argv[optind], "sim_prov") == 0) {
 if (argc - optind < 2) {
diff --git a/hs20/client/spp_client.c b/hs20/client/spp_client.c
index 302a0504..cc1a0bfa 100644
--- a/hs20/client/spp_client.c
+++ b/hs20/client/spp_client.c
@@ -21,6 +21,8 @@
 #include "osu_client.h"
+extern const char *spp_xsd_fname;
+
 static int hs20_spp_update_response(struct hs20_osu_client *ctx,
 const char *session_id,
 const char *spp_status,
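Review bot: The new `-x` line in usage() does not state the default, which is the literal `"spp.xsd"` set in osu_client.c and is presumably resolved relative to the working directory, so a user who runs hs20-osu-client from elsewhere gets "XML schema validation error(s)" with no hint that the schema file was simply not found. Suggest `" [-x<spp.xsd file name>] (default: spp.xsd in the current directory) \\\n"` or a sentence to that effect in the usage text. The usage() and main() bodies extend well beyond these hunks.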
@@ -59,7 +61,7 @@ static int hs20_spp_validate(struct hs20_osu_client *ctx, xml_node_t *node,
 return -1;
 }
- ret = xml_validate(xctx, node, "spp.xsd", &err);
+ ret = xml_validate(xctx, node, spp_xsd_fname, &err);
 if (ret < 0) {
 wpa_printf(MSG_INFO, "XML schema validation error(s)\n%s", err);
 write_summary(ctx, "SPP XML schema validation failed");
@@ -952,7 +954,9 @@ int cmd_prov(struct hs20_osu_client *ctx, const char *url)
 return -1;
 }
- wpa_printf(MSG_INFO, "Credential provisioning requested");
+ wpa_printf(MSG_INFO,
+ "Credential provisioning requested - URL: %s ca_fname: %s",
+ url, ctx->ca_fname ? ctx->ca_fname : "N/A");
 os_free(ctx->server_url);
 ctx->server_url = os_strdup(url);
diff --git a/hs20/server/ca/clean.sh b/hs20/server/ca/clean.sh
index c69a1f54..c72dcbda 100644..100755
--- a/hs20/server/ca/clean.sh
+++ b/hs20/server/ca/clean.sh
@@ -5,6 +5,9 @@ for i in server-client server server-revoked user ocsp; do
 done
 rm -f openssl.cnf.tmp
-rm -r demoCA
+if [ -d demoCA ]; then
+ rm -r demoCA
+fi
 rm -f ca.pem logo.asn1 logo.der server.der ocsp-server-cache.der
+rm -f my-openssl.cnf my-openssl-root.cnf
 #rm -r rootCA
diff --git a/hs20/server/ca/openssl-root.cnf b/hs20/server/ca/openssl-root.cnf
index 5b220fe8..5bc50be1 100644
--- a/hs20/server/ca/openssl-root.cnf
+++ b/hs20/server/ca/openssl-root.cnf
@@ -69,8 +69,8 @@ distinguished_name = req_distinguished_name
 attributes = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
-input_password = whatever
-output_password = whatever
+input_password = @PASSWORD@
+output_password = @PASSWORD@
 string_mask = utf8only
diff --git a/hs20/server/ca/openssl.cnf b/hs20/server/ca/openssl.cnf
index a939f081..61410138 100644
--- a/hs20/server/ca/openssl.cnf
+++ b/hs20/server/ca/openssl.cnf
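Review bot: With the schema path now user-controlled, hs20_spp_validate() must still fail closed when the file given with -x is missing or unparsable; the hunk only handles `ret < 0` from xml_validate(), and whether a schema that cannot be loaded yields a negative return rather than, say, 0 with nothing checked is not visible here, so it is worth confirming in xml_validate() since this is the client's structural check on server-supplied SPP XML before it is acted on. At minimum make a wrong path diagnosable by naming the schema in the failure message, `wpa_printf(MSG_INFO, "XML schema validation error(s) (schema %s)\n%s", spp_xsd_fname, err);`. hs20_spp_validate() begins before this hunk.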
@@ -80,8 +80,8 @@ distinguished_name = req_distinguished_name
 attributes = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
-input_password = whatever
-output_password = whatever
+input_password = @PASSWORD@
+output_password = @PASSWORD@
 string_mask = utf8only
@@ -95,7 +95,7 @@ localityName = Locality Name (eg, city)
 localityName_default = Tuusula
 0.organizationName = Organization Name (eg, company)
-0.organizationName_default = w1.fi
+0.organizationName_default = @DOMAIN@
 ##organizationalUnitName = Organizational Unit Name (eg, section)
 #organizationalUnitName_default =
@@ -117,10 +117,10 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer
 basicConstraints = critical, CA:true, pathlen:0
 keyUsage = critical, cRLSign, keyCertSign
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
 # For SP intermediate CA
 #subjectAltName=critical,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engExample OSU
 #nameConstraints=permitted;DNS:.w1.fi
+#nameConstraints=permitted;DNS:.@DOMAIN@
 #1.3.6.1.5.5.7.1.12=ASN1:SEQUENCE:LogotypeExtn
 [ v3_osu_server ]
@@ -150,16 +150,16 @@ value1=SEQUENCE:HashAlgAndValueSHA256
 #value2=SEQUENCE:HashAlgAndValueSHA1
 [HashAlgAndValueSHA256]
 hashAlg=SEQUENCE:sha256_alg
-hashValue=FORMAT:HEX,OCTETSTRING:4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d
+hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH256@
 [HashAlgAndValueSHA1]
 hashAlg=SEQUENCE:sha1_alg
-hashValue=FORMAT:HEX,OCTETSTRING:5e1d5085676eede6b02da14d31c523ec20ffba0b
+hashValue=FORMAT:HEX,OCTETSTRING:@LOGO_HASH1@
 [sha256_alg]
 algorithm=OID:sha256
 [sha1_alg]
 algorithm=OID:sha1
 [URI]
-uri=IA5STRING:http://osu.w1.fi/w1fi_logo.png
+uri=IA5STRING:@LOGO_URI@
 [LogotypeImageInfo]
 # default value color(1), component optional
 #type=IMP:0,INTEGER:1
@@ -184,7 +184,7 @@ extendedKeyUsage = OCSPSigning
 basicConstraints=CA:FALSE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
 #@ALTNAME@
 extendedKeyUsage = clientAuth
@@ -194,7 +194,7 @@ extendedKeyUsage = clientAuth
 basicConstraints=critical, CA:FALSE
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
-authorityInfoAccess = OCSP;URI:http://osu.w1.fi:8888/
+authorityInfoAccess = OCSP;URI:@OCSP_URI@
 #@ALTNAME@
 extendedKeyUsage = critical, serverAuth
 keyUsage = critical, keyEncipherment
diff --git a/hs20/server/ca/setup.sh b/hs20/server/ca/setup.sh
index f61bf73b..78abcccf 100644..100755
--- a/hs20/server/ca/setup.sh
+++ b/hs20/server/ca/setup.sh
@@ -5,6 +5,67 @@ if [ -z "$OPENSSL" ]; then
 fi
 export OPENSSL_CONF=$PWD/openssl.cnf
 PASS=whatever
+if [ -z "$DOMAIN" ]; then
+ DOMAIN=w1.fi
+fi
+COMPANY=w1.fi
+OPER_ENG="engw1.fi TESTING USE"
+OPER_FI="finw1.fi TESTIKÄYTTÖ"
+CNR="Hotspot 2.0 Trust Root CA - 99"
+CNO="ocsp.$DOMAIN"
+CNV="osu-revoked.$DOMAIN"
+CNOC="osu-client.$DOMAIN"
+OSU_SERVER_HOSTNAME="osu.$DOMAIN"
+DEBUG=0
+OCSP_URI="http://$CNO:8888/"
+LOGO_URI="http://osu.w1.fi/w1fi_logo.png"
+LOGO_HASH256="4532f7ec36424381617c03c6ce87b55a51d6e7177ffafda243cebf280a68954d"
+LOGO_HASH1="5e1d5085676eede6b02da14d31c523ec20ffba0b"
+
+# Command line overrides
+USAGE=$( cat <<EOF
+Usage:\n
+# -c: Company name, used to generate Subject name CN for Intermediate CA\n
+# -C: Subject name CN of the Root CA ($CNR)\n
+# -D: Enable debugging (set -x, etc)\n
+# -g: Logo sha1 hash ($LOGO_HASH1)\n
+# -G: Logo sha256 hash ($LOGO_HASH256)\n
+# -h: Show this help message\n
+# -l: Logo URI ($LOGO_URI)\n
+# -m: Domain ($DOMAIN)\n
+# -o: Subject name CN for OSU-Client Server ($CNOC)\n
+# -O: Subject name CN for OCSP Server ($CNO)\n
+# -p: passphrase for private keys ($PASS)\n
+# -r: Operator-english ($OPER_ENG)\n
+# -R: Operator-finish ($OPER_FI)\n
+# -S: OSU Server name ($OSU_SERVER_HOSTNAME)\n
+# -u: OCSP-URI ($OCSP_URI)\n
+# -V: Subject name CN for OSU-Revoked Server ($CNV)\n
+EOF
+)
+
+while getopts "c:C:Dg:G:l:m:o:O:p:r:R:S:u:V:h" flag
+ do
+ case $flag in
+ c) COMPANY=$OPTARG;;
+ C) CNR=$OPTARG;;
+ D) DEBUG=1;;
+ g) LOGO_HASH1=$OPTARG;;
+ G) LOGO_HASH256=$OPTARG;;
+ h) echo -e $USAGE; exit 0;;
+ l) LOGO_URI=$OPTARG;;
+ m) DOMAIN=$OPTARG;;
+ o) CNOC=$OPTARG;;
+ O) CNO=$OPTARG;;
+ p) PASS=$OPTARG;;
+ r) OPER_ENG=$OPTARG;;
+ R) OPER_FI=$OPTARG;;
+ S) OSU_SERVER_HOSTNAME=$OPTARG;;
+ u) OCSP_URI=$OPTARG;;
+ V) CNV=$OPTARG;;
+ *) echo "Unknown flag: $flag"; echo -e $USAGE; exit 1;;
+ esac
+done
 fail() {
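Review bot: `CNO`, `CNV`, `CNOC`, `OSU_SERVER_HOSTNAME` and `OCSP_URI` are expanded from `$DOMAIN` before the getopts loop runs, so `-m example.org` on its own changes only the `@DOMAIN@` substitutions (organizationName, the commented nameConstraints) while the OCSP, OSU and revoked-server CNs and the AIA URI baked into every certificate stay at `*.w1.fi`; the caller has to repeat the domain in `-o -O -S -V -u` to get a consistent set, and an AIA URI that does not match the real OCSP host makes the stapling setup fail in a way that is hard to trace back here. Drop the five eager assignments and resolve them once parsing is done, as below, so explicit flags still win; the defaults printed by USAGE then have to be written literally (`ocsp.\$DOMAIN` and so on) since USAGE is expanded at assignment too. Separately, `-p` places the private-key passphrase on the command line where it is visible in `ps` output and shell history; for anything beyond a throwaway test CA, reading it from the environment (`PASS=${PASS:-whatever}`) or a file is preferable. The `fail()` function this hunk ends on continues outside it.
```shell
# … unchanged: OPENSSL / OPENSSL_CONF / PASS / DOMAIN defaults, COMPANY, OPER_*, CNR, DEBUG, LOGO_* …
# … unchanged: USAGE text and getopts loop …
done
# Derived names are resolved only now, so that -m alone renames everything
# while explicit -o/-O/-S/-V/-u still take precedence.
: "${CNO:=ocsp.$DOMAIN}"
: "${CNV:=osu-revoked.$DOMAIN}"
: "${CNOC:=osu-client.$DOMAIN}"
: "${OSU_SERVER_HOSTNAME:=osu.$DOMAIN}"
: "${OCSP_URI:=http://$CNO:8888/}"
```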
@@ -16,7 +77,25 @@ echo
 echo "---[ Root CA ]----------------------------------------------------------"
 echo
-cat openssl-root.cnf | sed "s/#@CN@/commonName_default = Hotspot 2.0 Trust Root CA - 99/" > openssl.cnf.tmp
+if [ $DEBUG = 1 ]
+then
+ set -x
+fi
+
+# Set the passphrase and some other common config accordingly.
+cat openssl-root.cnf | sed "s/@PASSWORD@/$PASS/" \
+ > my-openssl-root.cnf
+
+cat openssl.cnf | sed "s/@PASSWORD@/$PASS/" |
+sed "s,@OCSP_URI@,$OCSP_URI," |
+sed "s,@LOGO_URI@,$LOGO_URI," |
+sed "s,@LOGO_HASH1@,$LOGO_HASH1," |
+sed "s,@LOGO_HASH256@,$LOGO_HASH256," |
+sed "s/@DOMAIN@/$DOMAIN/" \
+ > my-openssl.cnf
+
+
+cat my-openssl-root.cnf | sed "s/#@CN@/commonName_default = $CNR/" > openssl.cnf.tmp
 mkdir -p rootCA/certs rootCA/crl rootCA/newcerts rootCA/private
 touch rootCA/index.txt
 if [ -e rootCA/private/cakey.pem ]; then
@@ -26,6 +105,8 @@ else
 $OPENSSL req -config openssl.cnf.tmp -batch -new -newkey rsa:4096 -keyout rootCA/private/cakey.pem -out rootCA/careq.pem || fail "Failed to generate Root CA private key"
 echo " * Sign Root CA certificate"
 $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out rootCA/cacert.pem -days 10957 -batch -keyfile rootCA/private/cakey.pem -passin pass:$PASS -selfsign -extensions v3_ca -outdir rootCA/newcerts -infiles rootCA/careq.pem || fail "Failed to sign Root CA certificate"
+ $OPENSSL x509 -in rootCA/cacert.pem -out rootCA/cacert.der -outform DER || fail "Failed to create rootCA DER"
+ sha256sum rootCA/cacert.der > rootCA/cacert.fingerprint || fail "Failed to create rootCA fingerprint"
 fi
 if [ ! -e rootCA/crlnumber ]; then
 echo 00 > rootCA/crlnumber
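Review bot: The passphrase and URIs are spliced into the sed expressions unescaped, so a `$PASS` containing `/`, `&` or `\` (or an `$OCSP_URI`/`$LOGO_URI` containing `,`) silently yields a different `input_password`/`output_password` line, and since neither pipeline ends in `|| fail` the script carries on with a config whose password no longer matches what `-passin pass:$PASS` supplies later. The generated my-openssl*.cnf files also hold the private-key passphrase in clear text and are created with the caller's default umask. Reject the problematic characters up front, `case $PASS in */*|*'&'*|*\\*) fail "passphrase must not contain / & or \\";; esac`, and tighten the generated files with `chmod 600 my-openssl.cnf my-openssl-root.cnf || fail "chmod failed"`. Note too that `export OPENSSL_CONF=$PWD/openssl.cnf` earlier in the file still points at what is now a template full of `@…@` placeholders; once the real file exists, re-point it with `export OPENSSL_CONF=$PWD/my-openssl.cnf` so commands run without an explicit `-config` (the `ca -revoke` further down) do not read placeholders.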
@@ -35,7 +116,7 @@ echo
 echo "---[ Intermediate CA ]--------------------------------------------------"
 echo
-cat openssl.cnf | sed "s/#@CN@/commonName_default = w1.fi Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp
+cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $COMPANY Hotspot 2.0 Intermediate CA/" > openssl.cnf.tmp
 mkdir -p demoCA/certs demoCA/crl demoCA/newcerts demoCA/private
 touch demoCA/index.txt
 if [ -e demoCA/private/cakey.pem ]; then
@@ -47,6 +128,8 @@ else
 $OPENSSL ca -config openssl.cnf.tmp -md sha256 -create_serial -out demoCA/cacert.pem -days 3652 -batch -keyfile rootCA/private/cakey.pem -cert rootCA/cacert.pem -passin pass:$PASS -extensions v3_ca -infiles demoCA/careq.pem || fail "Failed to sign Intermediate CA certificate"
 # horrible from security view point, but for testing purposes since OCSP responder does not seem to support -passin
 openssl rsa -in demoCA/private/cakey.pem -out demoCA/private/cakey-plain.pem -passin pass:$PASS
+ $OPENSSL x509 -in demoCA/cacert.pem -out demoCA/cacert.der -outform DER || fail "Failed to create demoCA DER."
+ sha256sum demoCA/cacert.der > demoCA/cacert.fingerprint || fail "Failed to create demoCA fingerprint"
 fi
 if [ ! -e demoCA/crlnumber ]; then
 echo 00 > demoCA/crlnumber
@@ -56,45 +139,46 @@ echo
 echo "OCSP responder"
 echo
-cat openssl.cnf | sed "s/#@CN@/commonName_default = ocsp.w1.fi/" > openssl.cnf.tmp
+cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNO/" > openssl.cnf.tmp
 $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out ocsp.csr -keyout ocsp.key -extensions v3_OCSP
-$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP
+$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -keyfile demoCA/private/cakey.pem -passin pass:$PASS -in ocsp.csr -out ocsp.pem -days 730 -extensions v3_OCSP || fail "Could not generate ocsp.pem"
 echo
 echo "---[ Server - to be revoked ] ------------------------------------------"
 echo
-cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-revoked.w1.fi/" > openssl.cnf.tmp
+cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNV/" > openssl.cnf.tmp
 $OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-revoked.csr -keyout server-revoked.key
 $OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-revoked.csr -out server-revoked.pem -key $PASS -days 730 -extensions ext_server
 $OPENSSL ca -revoke server-revoked.pem -key $PASS
 echo
 echo "---[ Server - with client ext key use ] ---------------------------------"
+echo "---[ Only used for negative-testing for OSU-client implementation ] -----"
 echo
-cat openssl.cnf | sed "s/#@CN@/commonName_default = osu-client.w1.fi/" > openssl.cnf.tmp
-$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key
-$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client
+cat my-openssl.cnf | sed "s/#@CN@/commonName_default = $CNOC/" > openssl.cnf.tmp
+$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out server-client.csr -keyout server-client.key || fail "Could not create server-client.key"
+$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in server-client.csr -out server-client.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create server-client.pem"
 echo
 echo "---[ User ]-------------------------------------------------------------"
 echo
-cat openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp
-$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key
-$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client
+cat my-openssl.cnf | sed "s/#@CN@/commonName_default = User/" > openssl.cnf.tmp
+$OPENSSL req -config $PWD/openssl.cnf.tmp -batch -new -newkey rsa:2048 -nodes -out user.csr -keyout user.key || fail "Could not create user.key"
+$OPENSSL ca -config $PWD/openssl.cnf.tmp -batch -md sha256 -in user.csr -out user.pem -key $PASS -days 730 -extensions ext_client || fail "Could not create user.pem"
 echo
 echo "---[ Server ]-----------------------------------------------------------"
 echo
-ALT="DNS:osu.w1.fi"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:engw1.fi TESTING USE"
-ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:finw1.fi TESTIKÄYTTÖ"
+ALT="DNS:$OSU_SERVER_HOSTNAME"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_ENG"
+ALT="$ALT,otherName:1.3.6.1.4.1.40808.1.1.1;UTF8String:$OPER_FI"
-cat openssl.cnf |
- sed "s/#@CN@/commonName_default = osu.w1.fi/" |
+cat my-openssl.cnf |
+ sed "s/#@CN@/commonName_default = $OSU_SERVER_HOSTNAME/" |
 sed "s/^##organizationalUnitName/organizationalUnitName/" |
 sed "s/#@OU@/organizationalUnitName_default = Hotspot 2.0 Online Sign Up Server/" |
 sed "s/#@ALTNAME@/subjectAltName=critical,$ALT/" \
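Review bot: The `|| fail` guards added to the server-client and user blocks are not applied to the rest of this hunk: the OCSP `$OPENSSL req … -keyout ocsp.key`, both server-revoked lines and in particular `$OPENSSL ca -revoke server-revoked.pem -key $PASS` still run unchecked, so if the revocation step fails the "revoked" certificate is in fact valid and the negative OCSP test passes for the wrong reason. Append `|| fail "Could not revoke server-revoked.pem"` there, and matching guards on the other unchecked lines, so a failed run aborts consistently instead of producing a half-built CA. The `-key $PASS` form on those lines exposes the passphrase in the process list just as the `-passin pass:$PASS` uses do; that predates this change but is worth noting while the script is being reworked for non-test use.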
@@ -113,7 +197,7 @@ echo
 echo "---[ CRL ]---------------------------------------------------------------"
 echo
-$OPENSSL ca -config $PWD/openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS
+$OPENSSL ca -config $PWD/my-openssl.cnf -gencrl -md sha256 -out demoCA/crl/crl.pem -passin pass:$PASS
 echo
 echo "---[ Verify ]------------------------------------------------------------"
diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
index 80985f73..001d6f25 100644
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -100,6 +100,21 @@ sqlite3 /home/user/hs20-server/AS/DB/eap_user.db < sql-example.txt
 # the examples as-is for initial testing).
 cp -r www /home/user/hs20-server
+# Build local keys and certs
+cd ca
+# Display help options.
+./setup.sh -h
+
+# Remove old keys, fill in appropriate values, and generate your keys.
+# For instance:
+./clean.sh
+rm -fr rootCA"
+old_hostname=myserver.local
+./setup.sh -C "Hotspot 2.0 Trust Root CA - CT" -d $old_hostname \
+ -I "Hotspot 2.0 Intermediate CA - CT" -o $old_hostname-osu-client \
+ -O $old_hostname-oscp -p lanforge -S $old_hostname \
+ -V $old_hostname-osu-revoked \
+ -m local -u http://$old_hostname:8888/
 # Configure subscription policies
 mkdir -p /home/user/hs20-server/spp/policy
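Review bot: The CRL generation now reads the generated my-openssl.cnf but, unlike the OCSP and user steps changed elsewhere in this patch, still has no failure check, so a missing or stale demoCA/crl/crl.pem is only noticed (if at all) at the verify step; append `|| fail "Failed to generate CRL"` to the `$OPENSSL ca … -gencrl` line. This is also the only place that consumes my-openssl.cnf directly rather than through openssl.cnf.tmp, so it is where a broken `@PASSWORD@` substitution would first surface, which makes the guard worth having.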
@@ -156,6 +171,50 @@ cd /home/user/hs20-server/AS
 ./hostapd -B as-sql.conf
+OSEN RADIUS server configuration notes
+
+The OSEN RADIUS server config file should have the 'ocsp_stapling_response'
+configuration in it. For example:
+
+# hostapd-radius config for the radius used by the OSEN AP
+interface=eth0#0
+driver=none
+logger_syslog=-1
+logger_syslog_level=2
+logger_stdout=-1
+logger_stdout_level=2
+ctrl_interface=/var/run/hostapd
+ctrl_interface_group=0
+eap_server=1
+eap_user_file=/home/user/hs20-server/AS/hostapd-osen.eap_user
+server_id=ben-ota-2-osen
+radius_server_auth_port=1811
+radius_server_clients=/home/user/hs20-server/AS/hostap.radius_clients
+
+ca_cert=/home/user/hs20-server/ca/ca.pem
+server_cert=/home/user/hs20-server/ca/server.pem
+private_key=/home/user/hs20-server/ca/server.key
+private_key_passwd=whatever
+
+ocsp_stapling_response=/home/user/hs20-server/ca/ocsp-server-cache.der
+
+The /home/user/hs20-server/AS/hostapd-osen.eap_user file should look
+similar to this, and should coorelate with the osu_nai entry in
+the non-OSEN VAP config file. For instance:
+
+# cat hostapd-osen.eap_user
+# For OSEN authentication (Hotspot 2.0 Release 2)
+"osen@w1.fi" WFA-UNAUTH-TLS
+
+
+# Run OCSP server:
+cd /home/user/hs20-server/ca
+./ocsp-responder.sh&
+
+# Update cache (This should be run periodically)
+./ocsp-update-cache.sh
+
+
 Configure web server
 --------------------
@@ -172,6 +231,8 @@ Add following block just before "SSL Engine Switch" line":
 </Directory>
 Update SSL configuration to use the OSU server certificate/key.
+They keys and certs are called 'server.key' and 'server.pem' from
+ca/setup.sh.
 Enable default-ssl site and restart Apache2:
 sudo a2ensite default-ssl |
