3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-11-25 17:59:25 +01:00

anqp: added utility for parsing ANQP responses

Currently these are geared to support the WiFi Alliance Hotspot 2.0
ANQP elements, which all fall under the vendor specific ANQP element.

anqp_iter_next behaves similar to the genl parsers, where the id, length
and data will be returned as out parameters. Currently there is only
vendor support for Hotspot 2.0. anqp_iter_is_hs20 can be used to setup
the subtype, length, and data pointer to parse any Hotspot 2.0 ANQP
elements. From here the subtype can be checked and a vendor specific
parser for that subtype can be used to parse the data, e.g.
hs20_parse_osu_provider_nai.
This commit is contained in:
James Prestwood 2019-06-14 13:12:05 -07:00 committed by Denis Kenzior
parent 77a6b49803
commit 2ce5277f6d
3 changed files with 479 additions and 0 deletions

View File

@ -205,6 +205,7 @@ src_iwd_SOURCES = src/main.c linux/nl80211.h src/iwd.h src/missing.h \
src/fils.h src/fils.c \ src/fils.h src/fils.c \
src/rtnlutil.h src/rtnlutil.c \ src/rtnlutil.h src/rtnlutil.c \
src/auth-proto.h \ src/auth-proto.h \
src/anqp.h src/anqp.c \
$(eap_sources) \ $(eap_sources) \
$(builtin_sources) $(builtin_sources)
src_iwd_LDADD = $(ell_ldadd) -ldl src_iwd_LDADD = $(ell_ldadd) -ldl

361
src/anqp.c Normal file
View File

@ -0,0 +1,361 @@
/*
*
* Wireless daemon for Linux
*
* Copyright (C) 2019 Intel Corporation. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdint.h>
#include <ell/ell.h>
#include "src/anqp.h"
#include "src/util.h"
#include "src/eap-private.h"
static const uint8_t wifi_alliance_oui[3] = { 0x50, 0x6f, 0x9a };
void anqp_iter_init(struct anqp_iter *iter, const unsigned char *anqp,
unsigned int len)
{
iter->anqp = anqp;
iter->max = len;
iter->pos = 0;
}
bool anqp_iter_next(struct anqp_iter *iter, uint16_t *id, uint16_t *len,
const void **data)
{
const unsigned char *anqp = iter->anqp + iter->pos;
const unsigned char *end = iter->anqp + iter->max;
if (iter->pos + 4 >= iter->max)
return false;
if (anqp + l_get_le16(anqp + 2) > end)
return false;
*id = l_get_le16(anqp);
anqp += 2;
*len = l_get_le16(anqp);
anqp += 2;
*data = anqp;
iter->id = *id;
iter->len = *len;
iter->data = *data;
iter->pos = anqp + *len - iter->anqp;
return true;
}
bool anqp_hs20_parse_osu_provider_nai(const unsigned char *anqp,
unsigned int len, const char **nai_out)
{
uint8_t nai_len;
static char nai[256] = { 0 };
if (len < 1)
return false;
nai_len = *anqp++;
len--;
if (len < nai_len)
return false;
memcpy(nai, anqp, nai_len);
*nai_out = nai;
return true;
}
bool anqp_iter_is_hs20(const struct anqp_iter *iter, uint8_t *stype,
unsigned int *len, const unsigned char **data)
{
const unsigned char *anqp = iter->data;
unsigned int anqp_len = iter->len;
uint8_t type;
if (iter->len < 6)
return false;
if (memcmp(anqp, wifi_alliance_oui, 3))
return false;
anqp += 3;
anqp_len -= 3;
type = *anqp++;
anqp_len--;
if (type != 0x11)
return false;
*stype = *anqp++;
anqp_len--;
/* reserved byte */
anqp++;
anqp_len--;
*data = anqp;
*len = anqp_len;
return true;
}
static bool parse_eap_params(const unsigned char *anqp, unsigned int len,
uint8_t *method, uint8_t *non_eap_inner,
uint8_t *eap_inner, uint8_t *credential,
uint8_t *tunneled_credential)
{
uint8_t param_count;
if (len < 2)
return false;
*method = *anqp++;
param_count = *anqp++;
len -= 2;
*non_eap_inner = 0;
*eap_inner = 0;
*credential = 0;
*tunneled_credential = 0;
while (param_count--) {
uint8_t ap_id;
uint8_t ap_len;
if (len < 2)
return false;
ap_id = *anqp++;
ap_len = *anqp++;
len -= 2;
if (len < ap_len)
return false;
switch (ap_id) {
case ANQP_AP_NON_INNER_AUTH_EAP:
*non_eap_inner = *anqp;
break;
case ANQP_AP_INNER_AUTH_EAP:
*eap_inner = *anqp;
break;
case ANQP_AP_CREDENTIAL:
*credential = *anqp;
break;
case ANQP_AP_TUNNELED_EAP_CREDENTIAL:
*tunneled_credential = *anqp;
break;
case ANQP_AP_EXPANDED_EAP_METHOD:
case ANQP_AP_EXPANDED_INNER_EAP_METHOD:
case ANQP_AP_VENDOR_SPECIFIC:
break;
}
anqp += ap_len;
len -= ap_len;
}
return true;
}
/*
* Parses an EAP ANQP list.
*/
static bool parse_eap(const unsigned char *anqp, unsigned int len,
const char *nai, bool hs20,
struct anqp_eap_method *method_out)
{
uint8_t eap_count;
if (len < 1)
return false;
eap_count = *anqp++;
len--;
while (eap_count--) {
uint8_t eap_len;
uint8_t method;
uint8_t non_eap_inner;
uint8_t eap_inner;
uint8_t credential;
uint8_t tunneled_credential;
if (len < 1)
return false;
eap_len = *anqp++;
len--;
if (!parse_eap_params(anqp, eap_len,
&method, &non_eap_inner,
&eap_inner, &credential,
&tunneled_credential))
return false;
if (hs20) {
/*
* TODO: Support EAP-SIM/AKA/AKA' with Hotspot
*/
if (method != EAP_TYPE_TTLS) {
l_debug("EAP method %u not supported", method);
goto next;
}
/* MSCHAPv2 */
if (non_eap_inner != 4) {
l_debug("Non-EAP inner %u not supported",
non_eap_inner);
goto next;
}
/* username/password */
if (credential != 7) {
l_debug("credential type %u not supported",
credential);
goto next;
}
} else {
/* can't use methods without user/password */
if (credential != 7 && tunneled_credential != 7)
goto next;
}
method_out->method = method;
/* nai is guarenteed to NULL terminate and be < 256 bytes */
l_strlcpy(method_out->realm, nai,
sizeof(method_out->realm) - 1);
method_out->non_eap_inner = non_eap_inner;
method_out->eap_inner = eap_inner;
method_out->credential = credential;
method_out->tunneled_credential = tunneled_credential;
return true;
next:
if (len < eap_len)
return false;
anqp += eap_len;
len -= eap_len;
}
return false;
}
/*
* Parses NAI Realm ANQP-element. The code here parses the NAI Realm until an
* acceptable EAP method is found. Once a method is found it is returned via
* method_out. The structure of NAI realm is such that it does not allow for a
* convenient static structure (several nested lists). Since we can only handle
* EAP methods with user/password credentials anyways it makes sense to just
* return the first EAP method found that meets our criteria. In addition, this
* is only being used for Hotspot 2.0, which mandates EAP-TLS/TTLS/SIM/AKA,
* meaning TTLS is the only contender for this parsing.
*
* @param hs20 true if this parsing is for a Hotspot 2.0 network. This will
* restrict what EAP method info is chosen as to comply with the
* Hotspot 2.0 spec (i.e. EAP-TTLS w/ MSCHAPv2 or SIM/AKA/AKA').
*/
bool anqp_parse_nai_realm(const unsigned char *anqp, unsigned int len,
bool hs20, struct anqp_eap_method *method_out)
{
uint16_t count;
if (len < 2)
return false;
count = l_get_le16(anqp);
anqp += 2;
len -= 2;
while (count--) {
uint16_t realm_len;
uint8_t encoding;
uint8_t nai_len;
char nai_realm[256] = { 0 };
/*
* The method list is a variable field, so the only way to
* reliably increment anqp is by realm_len at the very end since
* we dont know how many bytes parse_eap advanced (it does
* internal length checking so it should not overflow). We
* cant incrementally advance anqp/len, hence the hardcoded
* length and pointer adjustments.
*/
if (len < 4)
return false;
realm_len = l_get_le16(anqp);
anqp += 2;
len -= 2;
encoding = anqp[0];
nai_len = anqp[1];
if (len - 2 < nai_len)
return false;
memcpy(nai_realm, anqp + 2, nai_len);
/*
* TODO: Verify NAI encoding in accordance with RFC 4282 ?
*
* The encoding in RFC 4282 seems to only limit which characters
* can be used in an NAI. Since these come in from public
* action frames it could have been spoofed, but ultimately if
* its bogus the AP won't allow us to connect.
*/
if (!util_is_bit_set(encoding, 0))
l_warn("Not verifying NAI encoding");
else if (!l_utf8_validate(nai_realm, nai_len, NULL)) {
l_warn("NAI is not UTF-8");
return false;
}
if (parse_eap(anqp + 2 + nai_len, realm_len - 2 - nai_len,
nai_realm, hs20, method_out))
return true;
if (len < realm_len)
return false;
anqp += realm_len;
len -= realm_len;
}
return false;
}

117
src/anqp.h Normal file
View File

@ -0,0 +1,117 @@
/*
*
* Wireless daemon for Linux
*
* Copyright (C) 2019 Intel Corporation. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
#include <stdbool.h>
#include <stddef.h>
#include <unistd.h>
/* IEEE 802.11-2016 Section 9.4.5 ANQP elements */
enum anqp_element {
/* 0-255 reserved */
ANQP_QUERY_LIST = 256,
ANQP_CAPABILITY_LIST = 257,
ANQP_VENUE_NAME = 258,
ANQP_EMERGENCY_CALL_NUMBER = 259,
ANQP_NETWORK_AUTH_TYPE = 260,
ANQP_ROAMING_CONSORTIUM = 261,
ANQP_IP_ADDRESS_TYPE_AVAILABILITY = 262,
ANQP_NAI_REALM = 263,
ANQP_3GPP_CELLULAR_NETWORK = 264,
ANQP_AP_GEOSPATIAL_LOCATION = 265,
ANQP_AP_CIVIC_LOCATION = 266,
ANQP_AP_LOCATION_PUBLIC_ID = 267,
ANQP_DOMAIN_NAME = 268,
ANQP_EMERGENCY_ALERT_ID_URI = 269,
ANQP_TDLS_CAPABILITY = 270,
ANQP_EMERGENCY_NAI = 271,
ANQP_NEIGHBOR_REPORT = 272,
/* 273-276 reserved */
ANQP_VENUE_URI = 277,
ANQP_ADVICE_OF_CHARGE = 278,
ANQP_LOCAL_CONTENT = 279,
ANQP_NETWORK_AUTH_TYPE_WITH_TIMESTAMP = 280,
/* 281-56796 reserved */
ANQP_VENDOR_SPECIFIC = 56797,
/* 56798-65535 reserved */
};
/* WiFi Alliance Hotspot 2.0 Spec - Section 4 Hotspot 2.0 ANQP-elements */
enum anqp_hs20_element {
ANQP_HS20_QUERY_LIST = 1,
ANQP_HS20_CAPABILITY_LIST = 2,
ANQP_HS20_OPERATOR_FRIENDLY_NAME = 3,
ANQP_HS20_WLAN_METRICS = 4,
ANQP_HS20_CONNECTION_CAPABILITY = 5,
ANQP_HS20_NAI_HOME_REALM_QUERY = 6,
ANQP_HS20_OPERATING_CLASS_INDICATION = 7,
ANQP_HS20_OSU_PROVIDERS_LIST = 8,
/* 9 reserved */
ANQP_HS20_ICON_REQUST = 10,
ANQP_HS20_ICON_BINARY_FILE = 11,
ANQP_HS20_OPERATOR_ICON_METADATA = 12,
ANQP_HS20_OSU_PROVIDERS_NAI_LIST = 13,
/* 14 - 255 reserved */
};
/* IEEE 802.11-2016 Table 9-275 Authentication Parameter types */
enum anqp_auth_parameter_type {
ANQP_AP_EXPANDED_EAP_METHOD = 1,
ANQP_AP_NON_INNER_AUTH_EAP = 2,
ANQP_AP_INNER_AUTH_EAP = 3,
ANQP_AP_EXPANDED_INNER_EAP_METHOD = 4,
ANQP_AP_CREDENTIAL = 5,
ANQP_AP_TUNNELED_EAP_CREDENTIAL = 6,
ANQP_AP_VENDOR_SPECIFIC = 221,
};
struct anqp_iter {
unsigned int max;
unsigned int pos;
const unsigned char *anqp;
unsigned int id;
unsigned int len;
const unsigned char *data;
};
/*
* TODO: Support expanded EAP types
*/
struct anqp_eap_method {
char realm[256];
uint8_t method;
uint8_t non_eap_inner;
uint8_t eap_inner;
uint8_t credential;
uint8_t tunneled_credential;
};
void anqp_iter_init(struct anqp_iter *iter, const unsigned char *anqp,
unsigned int len);
bool anqp_iter_next(struct anqp_iter *iter, uint16_t *id, uint16_t *len,
const void **data);
bool anqp_iter_is_hs20(const struct anqp_iter *iter, uint8_t *stype,
unsigned int *len, const unsigned char **data);
bool anqp_hs20_parse_osu_provider_nai(const unsigned char *anqp,
unsigned int len, const char **nai_out);
bool anqp_parse_nai_realm(const unsigned char *anqp, unsigned int len,
bool hs20, struct anqp_eap_method *method);