Backport of:
commit cebee30f3170b5104a41bd27ac5f98615ed57656
Author: Jouni Malinen <j@w1.fi>
Date: Wed Jan 14 15:31:28 2015 +0200
Add domain_match network profile parameter
This is similar to domain_suffix_match, but requires a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.
Signed-off-by: Jouni Malinen <j@w1.fi>
diff -up wpa_supplicant-2.0/src/crypto/tls_gnutls.c.domain-match wpa_supplicant-2.0/src/crypto/tls_gnutls.c
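diff -up wpa_supplicant-2.0/src/crypto/tls.h.domain-match wpa_supplicant-2.0/src/crypto/tls.h
--- wpa_supplicant-2.0/src/crypto/tls.h.domain-match 2015-01-14 16:06:28.356980648 -0500
+++ wpa_supplicant-2.0/src/crypto/tls.h 2015-01-14 16:14:57.885622906 -0500
@@ -40,7 +40,8 @@ enum tls_fail_reason {
 TLS_FAIL_SUBJECT_MISMATCH = 5,
 TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
 TLS_FAIL_BAD_CERTIFICATE = 7,
- TLS_FAIL_SERVER_CHAIN_PROBE = 8
+ TLS_FAIL_SERVER_CHAIN_PROBE = 8,
+ TLS_FAIL_DOMAIN_MISMATCH = 10,
 };
 
 union tls_event_data {
@@ -94,6 +95,9 @@ struct tls_config {
 * %NULL to allow all subjects
 * @altsubject_match: String to match in the alternative subject of the peer
 * certificate or %NULL to allow all alternative subjects
+ * @domain_match: String to match in the dNSName or CN of the peer
+ * certificate or %NULL to allow all domain names. This requires a full,
+ * case-insensitive match.
 * @client_cert: File or reference name for client X.509 certificate in PEM or
 * DER format
 * @client_cert_blob: client_cert as inlined data or %NULL if not used
@@ -133,6 +137,7 @@ struct tls_connection_params {
 const char *ca_path;
 const char *subject_match;
 const char *altsubject_match;
+ const char *domain_match;
 const char *client_cert;
 const u8 *client_cert_blob;
 size_t client_cert_blob_len;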
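Review bot: `TLS_FAIL_DOMAIN_MISMATCH = 10` leaves an unexplained gap at 9 in `enum tls_fail_reason`, right after the `TLS_FAIL_SERVER_CHAIN_PROBE = 8,` line this hunk touches. Presumably 9 is kept free for the domain_suffix_match failure reason that this backport does not carry, so that the numeric values stay aligned with upstream; nothing on the page says so, and a later backport could reuse the slot with a different meaning. A one-line comment above the new enumerator would pin that down, e.g. `/* 9 is reserved for TLS_FAIL_DOMAIN_SUFFIX_MISMATCH (not backported); keep values aligned with upstream */`.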
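diff -up wpa_supplicant-2.0/src/crypto/tls_internal.c.domain-match wpa_supplicant-2.0/src/crypto/tls_internal.c
--- wpa_supplicant-2.0/src/crypto/tls_internal.c.domain-match 2015-01-14 16:06:28.356980648 -0500
+++ wpa_supplicant-2.0/src/crypto/tls_internal.c 2015-01-14 16:17:48.900845371 -0500
@@ -166,6 +166,11 @@ int tls_connection_set_params(void *tls_
 if (cred == NULL)
 return -1;
 
+ if (params->domain_match) {
+ wpa_printf(MSG_INFO, "TLS: domain_match not supported");
+ return -1;
+ }
+
 if (tlsv1_set_ca_cert(cred, params->ca_cert,
 params->ca_cert_blob, params->ca_cert_blob_len,
 params->ca_path)) {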
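Review bot: The guard added before `tlsv1_set_ca_cert()` makes the internal TLS backend fail closed when `domain_match` is configured, but the same guard is missing from the other backends that do not implement the check: the `tls_gnutls.c` and `tls_schannel.c` sections of this patch are empty, so those builds would presumably accept a network profile with `domain_match` set and then never enforce it, which silently weakens server-identity validation. Mirroring the three lines `if (params->domain_match) { wpa_printf(MSG_INFO, "TLS: domain_match not supported"); return -1; }` in their `tls_connection_set_params()` keeps a configured constraint from being dropped without notice. `tls_connection_set_params()` itself starts and ends outside the hunk.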
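diff -up wpa_supplicant-2.0/src/crypto/tls_openssl.c.domain-match wpa_supplicant-2.0/src/crypto/tls_openssl.c
--- wpa_supplicant-2.0/src/crypto/tls_openssl.c.domain-match 2015-01-14 16:06:28.344980563 -0500
+++ wpa_supplicant-2.0/src/crypto/tls_openssl.c 2015-01-14 16:22:17.100768147 -0500
@@ -66,7 +66,7 @@ struct tls_connection {
 ENGINE *engine; /* functional reference to the engine */
 EVP_PKEY *private_key; /* the private key if using engine */
 #endif /* OPENSSL_NO_ENGINE */
- char *subject_match, *altsubject_match;
+ char *subject_match, *altsubject_match, *domain_match;
 int read_alerts, write_alerts, failed;
 
 tls_session_ticket_cb session_ticket_cb;
@@ -973,6 +973,7 @@ void tls_connection_deinit(void *ssl_ctx
 tls_engine_deinit(conn);
 os_free(conn->subject_match);
 os_free(conn->altsubject_match);
+ os_free(conn->domain_match);
 os_free(conn->session_ticket);
 os_free(conn);
 }
@@ -1063,6 +1064,112 @@ static int tls_match_altsubject(X509 *ce
 }
 
 
+#ifndef CONFIG_NATIVE_WINDOWS
+static int domain_suffix_match(const u8 *val, size_t len, const char *match,
+ int full)
+{
+ size_t i, match_len;
+
+ /* Check for embedded nuls that could mess up suffix matching */
+ for (i = 0; i < len; i++) {
+ if (val[i] == '\0') {
+ wpa_printf(MSG_DEBUG, "TLS: Embedded null in a string - reject");
+ return 0;
+ }
+ }
+
+ match_len = os_strlen(match);
+ if (match_len > len || (full && match_len != len))
+ return 0;
+
+ if (os_strncasecmp((const char *) val + len - match_len, match,
+ match_len) != 0)
+ return 0; /* no match */
+
+ if (match_len == len)
+ return 1; /* exact match */
+
+ if (val[len - match_len - 1] == '.')
+ return 1; /* full label match completes suffix match */
+
+ wpa_printf(MSG_DEBUG, "TLS: Reject due to incomplete label match");
+ return 0;
+}
+#endif /* CONFIG_NATIVE_WINDOWS */
+
+
+static int tls_match_suffix(X509 *cert, const char *match, int full)
+{
+#ifdef CONFIG_NATIVE_WINDOWS
+ /* wincrypt.h has conflicting X509_NAME definition */
+ return -1;
+#else /* CONFIG_NATIVE_WINDOWS */
+ GENERAL_NAME *gen;
+ void *ext;
+ int i;
+ int j;
+ int dns_name = 0;
+ X509_NAME *name;
+
+ wpa_printf(MSG_DEBUG, "TLS: Match domain against %s%s",
+ full ? "": "suffix ", match);
+
+ ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+ for (j = 0; ext && j < sk_GENERAL_NAME_num(ext); j++) {
+ gen = sk_GENERAL_NAME_value(ext, j);
+ if (gen->type != GEN_DNS)
+ continue;
+ dns_name++;
+ wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate dNSName",
+ gen->d.dNSName->data,
+ gen->d.dNSName->length);
+ if (domain_suffix_match(gen->d.dNSName->data,
+ gen->d.dNSName->length, match, full) ==
+ 1) {
+ wpa_printf(MSG_DEBUG, "TLS: %s in dNSName found",
+ full ? "Match" : "Suffix match");
+ return 1;
+ }
+ }
+
+ if (dns_name) {
+ wpa_printf(MSG_DEBUG, "TLS: None of the dNSName(s) matched");
+ return 0;
+ }
+
+ name = X509_get_subject_name(cert);
+ i = -1;
+ for (;;) {
+ X509_NAME_ENTRY *e;
+ ASN1_STRING *cn;
+
+ i = X509_NAME_get_index_by_NID(name, NID_commonName, i);
+ if (i == -1)
+ break;
+ e = X509_NAME_get_entry(name, i);
+ if (e == NULL)
+ continue;
+ cn = X509_NAME_ENTRY_get_data(e);
+ if (cn == NULL)
+ continue;
+ wpa_hexdump_ascii(MSG_DEBUG, "TLS: Certificate commonName",
+ cn->data, cn->length);
+ if (domain_suffix_match(cn->data, cn->length, match, full) == 1)
+ {
+ wpa_printf(MSG_DEBUG, "TLS: %s in commonName found",
+ full ? "Match" : "Suffix match");
+ return 1;
+ }
+ }
+
+ wpa_printf(MSG_DEBUG, "TLS: No CommonName %smatch found",
+ full ? "": "suffix ");
+ return 0;
+#endif /* CONFIG_NATIVE_WINDOWS */
+}
+
+
 static enum tls_fail_reason openssl_tls_fail_reason(int err)
 {
 switch (err) {
@@ -1188,7 +1295,7 @@ static int tls_verify_cb(int preverify_o
 int err, depth;
 SSL *ssl;
 struct tls_connection *conn;
- char *match, *altmatch;
+ char *match, *altmatch, *domain_match;
 const char *err_str;
 
 err_cert = X509_STORE_CTX_get_current_cert(x509_ctx);
@@ -1203,6 +1310,7 @@ static int tls_verify_cb(int preverify_o
 return 0;
 match = conn->subject_match;
 altmatch = conn->altsubject_match;
+ domain_match = conn->domain_match;
 
 if (!preverify_ok && !conn->ca_cert_verify)
 preverify_ok = 1;
@@ -1271,6 +1379,14 @@ static int tls_verify_cb(int preverify_o
 openssl_tls_fail_event(conn, err_cert, err, depth, buf,
 "AltSubject mismatch",
 TLS_FAIL_ALTSUBJECT_MISMATCH);
+ } else if (depth == 0 && domain_match &&
+ !tls_match_suffix(err_cert, domain_match, 1)) {
+ wpa_printf(MSG_WARNING, "TLS: Domain match '%s' not found",
+ domain_match);
+ preverify_ok = 0;
+ openssl_tls_fail_event(conn, err_cert, err, depth, buf,
+ "Domain mismatch",
+ TLS_FAIL_DOMAIN_MISMATCH);
 } else
 openssl_tls_cert_event(conn, err_cert, depth, buf);
 
@@ -1546,7 +1662,8 @@ int tls_global_set_verify(void *ssl_ctx,
 
 static int tls_connection_set_subject_match(struct tls_connection *conn,
 const char *subject_match,
- const char *altsubject_match)
+ const char *altsubject_match,
+ const char *domain_match)
 {
 os_free(conn->subject_match);
 conn->subject_match = NULL;
@@ -1564,6 +1681,14 @@ static int tls_connection_set_subject_ma
 return -1;
 }
 
+ os_free(conn->domain_match);
+ conn->domain_match = NULL;
+ if (domain_match) {
+ conn->domain_match = os_strdup(domain_match);
+ if (conn->domain_match == NULL)
+ return -1;
+ }
+
 return 0;
 }
 
@@ -2738,7 +2863,8 @@ int tls_connection_set_params(void *tls_
 }
 if (tls_connection_set_subject_match(conn,
 params->subject_match,
- params->altsubject_match))
+ params->altsubject_match,
+ params->domain_match))
 return -1;
 
 if (params->engine && params->ca_cert_id) {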
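Review bot: In the `tls_verify_cb()` hunk the new branch tests `!tls_match_suffix(err_cert, domain_match, 1)`, but `tls_match_suffix()` returns -1 under `CONFIG_NATIVE_WINDOWS` and `!(-1)` is false, so on such builds a configured `domain_match` is never enforced and the server certificate is accepted; `tls_match_suffix(err_cert, domain_match, 1) != 1` would make the constraint fail closed the way `tls_internal.c` does. Separately, in `tls_match_suffix()` the `GENERAL_NAMES` that `X509_get_ext_d2i()` returns into `ext` is never released on any return path, so every verification of a certificate carrying a SubjectAltName leaks it while `domain_match` is set; add `sk_GENERAL_NAME_pop_free(ext, GENERAL_NAME_free);` before the `return 1` inside the dNSName loop and once after the loop (declaring `ext` as `GENERAL_NAMES *` instead of `void *` keeps that call type-checked). `tls_verify_cb()` starts and ends outside its hunks.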
diff -up wpa_supplicant-2.0/src/crypto/tls_schannel.c.domain-match wpa_supplicant-2.0/src/crypto/tls_schannel.c
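diff -up wpa_supplicant-2.0/src/eap_peer/eap_config.h.domain-match wpa_supplicant-2.0/src/eap_peer/eap_config.h
--- wpa_supplicant-2.0/src/eap_peer/eap_config.h.domain-match 2015-01-14 16:06:28.358980663 -0500
+++ wpa_supplicant-2.0/src/eap_peer/eap_config.h 2015-01-14 16:23:34.579325474 -0500
@@ -208,6 +208,21 @@ struct eap_peer_config {
 u8 *altsubject_match;
 
 /**
+ * domain_match - Constraint for server domain name
+ *
+ * If set, this FQDN is used as a full match requirement for the
+ * server certificate in SubjectAltName dNSName element(s). If a
+ * matching dNSName is found, this constraint is met. If no dNSName
+ * values are present, this constraint is matched against SubjectName CN
+ * using same full match comparison. This behavior is similar to
+ * domain_suffix_match, but has the requirement of a full match, i.e.,
+ * no subdomains or wildcard matches are allowed. Case-insensitive
+ * comparison is used, so "Example.com" matches "example.com", but would
+ * not match "test.Example.com".
+ */
+ char *domain_match;
+
+ /**
 * ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
 *
 * This file can have one or more trusted CA certificates. If ca_cert2
@@ -303,6 +318,14 @@ struct eap_peer_config {
 u8 *altsubject_match2;
 
 /**
+ * domain_match2 - Constraint for server domain name
+ *
+ * This field is like domain_match, but used for phase 2 (inside
+ * EAP-TTLS/PEAP/FAST tunnel) authentication.
+ */
+ char *domain_match2;
+
+ /**
 * eap_methods - Allowed EAP methods
 *
 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of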
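diff -up wpa_supplicant-2.0/src/eap_peer/eap_tls_common.c.domain-match wpa_supplicant-2.0/src/eap_peer/eap_tls_common.c
--- wpa_supplicant-2.0/src/eap_peer/eap_tls_common.c.domain-match 2015-01-14 16:06:28.358980663 -0500
+++ wpa_supplicant-2.0/src/eap_peer/eap_tls_common.c 2015-01-14 16:24:01.587519753 -0500
@@ -78,6 +78,7 @@ static void eap_tls_params_from_conf1(st
 params->dh_file = (char *) config->dh_file;
 params->subject_match = (char *) config->subject_match;
 params->altsubject_match = (char *) config->altsubject_match;
+ params->domain_match = (char *) config->domain_match;
 params->engine = config->engine;
 params->engine_id = config->engine_id;
 params->pin = config->pin;
@@ -99,6 +100,7 @@ static void eap_tls_params_from_conf2(st
 params->dh_file = (char *) config->dh_file2;
 params->subject_match = (char *) config->subject_match2;
 params->altsubject_match = (char *) config->altsubject_match2;
+ params->domain_match = (char *) config->domain_match2;
 params->engine = config->engine2;
 params->engine_id = config->engine2_id;
 params->pin = config->pin2;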
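diff -up wpa_supplicant-2.0/wpa_supplicant/config.c.domain-match wpa_supplicant-2.0/wpa_supplicant/config.c
--- wpa_supplicant-2.0/wpa_supplicant/config.c.domain-match 2015-01-14 16:06:28.359980670 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/config.c 2015-01-14 16:25:33.263179205 -0500
@@ -1582,6 +1582,7 @@ static const struct parse_data ssid_fiel
 { STRe(dh_file) },
 { STRe(subject_match) },
 { STRe(altsubject_match) },
+ { STRe(domain_match) },
 { STRe(ca_cert2) },
 { STRe(ca_path2) },
 { STRe(client_cert2) },
@@ -1590,6 +1591,7 @@ static const struct parse_data ssid_fiel
 { STRe(dh_file2) },
 { STRe(subject_match2) },
 { STRe(altsubject_match2) },
+ { STRe(domain_match2) },
 { STRe(phase1) },
 { STRe(phase2) },
 { STRe(pcsc) },
@@ -1765,6 +1767,7 @@ static void eap_peer_config_free(struct
 os_free(eap->dh_file);
 os_free(eap->subject_match);
 os_free(eap->altsubject_match);
+ os_free(eap->domain_match);
 os_free(eap->ca_cert2);
 os_free(eap->ca_path2);
 os_free(eap->client_cert2);
@@ -1773,6 +1776,7 @@ static void eap_peer_config_free(struct
 os_free(eap->dh_file2);
 os_free(eap->subject_match2);
 os_free(eap->altsubject_match2);
+ os_free(eap->domain_match2);
 os_free(eap->phase1);
 os_free(eap->phase2);
 os_free(eap->pcsc);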
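diff -up wpa_supplicant-2.0/wpa_supplicant/config_file.c.domain-match wpa_supplicant-2.0/wpa_supplicant/config_file.c
--- wpa_supplicant-2.0/wpa_supplicant/config_file.c.domain-match 2015-01-14 16:06:28.360980677 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/config_file.c 2015-01-14 16:25:54.957335258 -0500
@@ -643,6 +643,7 @@ static void wpa_config_write_network(FIL
 STR(dh_file);
 STR(subject_match);
 STR(altsubject_match);
+ STR(domain_match);
 STR(ca_cert2);
 STR(ca_path2);
 STR(client_cert2);
@@ -651,6 +652,7 @@ static void wpa_config_write_network(FIL
 STR(dh_file2);
 STR(subject_match2);
 STR(altsubject_match2);
+ STR(domain_match2);
 STR(phase1);
 STR(phase2);
 STR(pcsc);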
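diff -up wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf.domain-match wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf
--- wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf.domain-match 2015-01-14 16:06:28.360980677 -0500
+++ wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf 2015-01-14 16:28:01.548245866 -0500
@@ -697,6 +697,10 @@ fast_reauth=1
 # sertificate is only accepted if it contains this string in the subject.
 # The subject string is in following format:
 # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
+# Note: Since this is a substring match, this cannot be used securily to
+# do a suffix match against a possible domain name in the CN entry. For
+# such a use case, domain_match should be used instead.
+# instead.
 # altsubject_match: Semicolon separated string of entries to be matched against
 # the alternative subject name of the authentication server certificate.
 # If this string is set, the server sertificate is only accepted if it
@@ -705,6 +709,14 @@ fast_reauth=1
 # Example: EMAIL:server@example.com
 # Example: DNS:server.example.com;DNS:server2.example.com
 # Following types are supported: EMAIL, DNS, URI
+# domain_match: Constraint for server domain name
+# If set, this FQDN is used as a full match requirement for the
+# server certificate in SubjectAltName dNSName element(s). If a
+# matching dNSName is found, this constraint is met. If no dNSName
+# values are present, this constraint is matched against SubjectName CN
+# using same full match comparison. No subdomains or wildcard matches
+# are allowed. Case-insensitive comparison is used, so "Example.com"
+# matches "example.com", but would not match "test.Example.com".
 # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
 # (string with field-value pairs, e.g., "peapver=0" or
 # "peapver=1 peaplabel=1")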
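Review bot: The note added under subject_match in the first hunk ends with a stray `# instead.` line that merely repeats the end of the preceding sentence (`# such a use case, domain_match should be used instead.`); drop that line so the shipped sample reads cleanly. In the same added block `securily` should be `securely`. The domain_match description added in the second hunk mirrors the eap_config.h text and needs no change.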