hostapd: add support for system cert bundle validation
Currently, it is very cumbersome for a user to connect to a WPA-Enterprise based network securely because the RADIUS server's CA certificate must first be extracted from the EAPOL handshake using tcpdump or other methods before it can be pinned using the ca_cert(2) fields. To make this process easier and more secure (combined with changes in openwrt/openwrt#2654), this commit adds support for validating against the built-in CA bundle when the ca-bundle package is installed. Related LuCI changes in openwrt/luci#3513. Signed-off-by: David Lam <david@thedavid.net> [bump PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
parent
702c70264b
commit
a5f3648a1c
@ -7,7 +7,7 @@
|
|||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=hostapd
|
PKG_NAME:=hostapd
|
||||||
PKG_RELEASE:=5
|
PKG_RELEASE:=6
|
||||||
|
|
||||||
PKG_SOURCE_URL:=http://w1.fi/hostap.git
|
PKG_SOURCE_URL:=http://w1.fi/hostap.git
|
||||||
PKG_SOURCE_PROTO:=git
|
PKG_SOURCE_PROTO:=git
|
||||||
|
@ -212,6 +212,7 @@ hostapd_common_add_bss_config() {
|
|||||||
config_add_string radius_client_addr
|
config_add_string radius_client_addr
|
||||||
config_add_string iapp_interface
|
config_add_string iapp_interface
|
||||||
config_add_string eap_type ca_cert client_cert identity anonymous_identity auth priv_key priv_key_pwd
|
config_add_string eap_type ca_cert client_cert identity anonymous_identity auth priv_key priv_key_pwd
|
||||||
|
config_add_boolean ca_cert_usesystem ca_cert2_usesystem
|
||||||
config_add_string subject_match subject_match2
|
config_add_string subject_match subject_match2
|
||||||
config_add_array altsubject_match altsubject_match2
|
config_add_array altsubject_match altsubject_match2
|
||||||
config_add_array domain_match domain_match2 domain_suffix_match domain_suffix_match2
|
config_add_array domain_match domain_match2 domain_suffix_match domain_suffix_match2
|
||||||
@ -872,8 +873,13 @@ wpa_supplicant_add_network() {
|
|||||||
hostapd_append_wpa_key_mgmt
|
hostapd_append_wpa_key_mgmt
|
||||||
key_mgmt="$wpa_key_mgmt"
|
key_mgmt="$wpa_key_mgmt"
|
||||||
|
|
||||||
json_get_vars eap_type identity anonymous_identity ca_cert
|
json_get_vars eap_type identity anonymous_identity ca_cert ca_cert_usesystem
|
||||||
|
|
||||||
|
if [ "$ca_cert_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then
|
||||||
|
append network_data "ca_cert=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T"
|
||||||
|
else
|
||||||
[ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
|
[ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
|
||||||
|
fi
|
||||||
[ -n "$identity" ] && append network_data "identity=\"$identity\"" "$N$T"
|
[ -n "$identity" ] && append network_data "identity=\"$identity\"" "$N$T"
|
||||||
[ -n "$anonymous_identity" ] && append network_data "anonymous_identity=\"$anonymous_identity\"" "$N$T"
|
[ -n "$anonymous_identity" ] && append network_data "anonymous_identity=\"$anonymous_identity\"" "$N$T"
|
||||||
case "$eap_type" in
|
case "$eap_type" in
|
||||||
@ -914,12 +920,15 @@ wpa_supplicant_add_network() {
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
fast|peap|ttls)
|
fast|peap|ttls)
|
||||||
json_get_vars auth password ca_cert2 client_cert2 priv_key2 priv_key2_pwd
|
json_get_vars auth password ca_cert2 ca_cert2_usesystem client_cert2 priv_key2 priv_key2_pwd
|
||||||
set_default auth MSCHAPV2
|
set_default auth MSCHAPV2
|
||||||
|
|
||||||
if [ "$auth" = "EAP-TLS" ]; then
|
if [ "$auth" = "EAP-TLS" ]; then
|
||||||
[ -n "$ca_cert2" ] &&
|
if [ "$ca_cert2_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then
|
||||||
append network_data "ca_cert2=\"$ca_cert2\"" "$N$T"
|
append network_data "ca_cert2=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T"
|
||||||
|
else
|
||||||
|
[ -n "$ca_cert2" ] && append network_data "ca_cert2=\"$ca_cert2\"" "$N$T"
|
||||||
|
fi
|
||||||
append network_data "client_cert2=\"$client_cert2\"" "$N$T"
|
append network_data "client_cert2=\"$client_cert2\"" "$N$T"
|
||||||
append network_data "private_key2=\"$priv_key2\"" "$N$T"
|
append network_data "private_key2=\"$priv_key2\"" "$N$T"
|
||||||
append network_data "private_key2_passwd=\"$priv_key2_pwd\"" "$N$T"
|
append network_data "private_key2_passwd=\"$priv_key2_pwd\"" "$N$T"
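Review bot: The new `ca_cert_usesystem` branch fails open: when the option is 1 but `/etc/ssl/certs/ca-certificates.crt` is absent (ca-bundle not installed), the `else` arm silently falls back to `$ca_cert`, which is presumably empty for a user who opted into the system bundle, so the network block is emitted with no `ca_cert` at all and wpa_supplicant then skips server-certificate verification entirely; the same pattern recurs for `ca_cert2` in the EAP-TLS inner branch of the last hunk. The script should warn on stderr and refuse to configure that network rather than degrade to no validation, and `"$ca_cert_usesystem" -eq "1"` should become a string comparison (`= "1"`), since an unset option (no `set_default` is visible for it) presumably arrives as an empty string and makes `-eq` print a shell error. Separately, trusting the whole system bundle without a `domain_match`/`domain_suffix_match`/`subject_match` (declared in the first hunk) accepts a certificate from any public CA for any hostname, so consider at least logging a warning when `ca_cert_usesystem` is set without one of those; whether a commit-message note about that pitfall is enough is a project call. `wpa_supplicant_add_network()` begins before this section, and how its caller treats a non-zero return is not visible here, so the `return 1` below may need adapting.
```shell
	# … unchanged: json_get_vars eap_type identity anonymous_identity ca_cert ca_cert_usesystem …
	if [ "$ca_cert_usesystem" = "1" ]; then
		if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
			ca_cert="/etc/ssl/certs/ca-certificates.crt"
		else
			echo "wpa_supplicant: ca_cert_usesystem=1 but /etc/ssl/certs/ca-certificates.crt is missing (install ca-bundle); refusing to configure an unverified EAP network" >&2
			return 1
		fi
		[ -z "$domain_match$domain_suffix_match$subject_match" ] && \
			echo "wpa_supplicant: ca_cert_usesystem=1 without domain_match/domain_suffix_match/subject_match accepts any publicly-issued certificate" >&2
	fi
	[ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
	# … unchanged: identity / anonymous_identity / eap_type case; apply the same shape to ca_cert2 in the EAP-TLS branch …
```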
|
||||||
|