Add AAA server domain name suffix matching constraint
The new domain_suffix_match (and domain_suffix_match2 for Phase 2 EAP-TLS) can now be used to specify an additional constraint for the server certificate domain name. If set, one of the dNSName values (or if no dNSName is present, one of the commonName values) in the certificate must have a suffix match with the specified value. Suffix match is done based on full domain name labels, i.e., "example.com" matches "test.example.com" but not "test-example.com". Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
be7963b3c2
commit
01f809c7db
6 changed files with 154 additions and 5 deletions
|
|
@ -207,6 +207,24 @@ struct eap_peer_config {
|
|||
*/
|
||||
u8 *altsubject_match;
|
||||
|
||||
/**
|
||||
* domain_suffix_match - Constraint for server domain name
|
||||
*
|
||||
* If set, this FQDN is used as a suffix match requirement for the
|
||||
* server certificate in SubjectAltName dNSName element(s). If a
|
||||
* matching dNSName is found, this constraint is met. If no dNSName
|
||||
* values are present, this constraint is matched against SubjetName CN
|
||||
* using same suffix match comparison. Suffix match here means that the
|
||||
* host/domain name is compared one label at a time starting from the
|
||||
* top-level domain and all the labels in domain_suffix_match shall be
|
||||
* included in the certificate. The certificate may include additional
|
||||
* sub-level labels in addition to the required labels.
|
||||
*
|
||||
* For example, domain_suffix_match=example.com would match
|
||||
* test.example.com but would not match test-example.com.
|
||||
*/
|
||||
char *domain_suffix_match;
|
||||
|
||||
/**
|
||||
* ca_cert2 - File path to CA certificate file (PEM/DER) (Phase 2)
|
||||
*
|
||||
|
|
@ -302,6 +320,14 @@ struct eap_peer_config {
|
|||
*/
|
||||
u8 *altsubject_match2;
|
||||
|
||||
/**
|
||||
* domain_suffix_match2 - Constraint for server domain name
|
||||
*
|
||||
* This field is like domain_suffix_match, but used for phase 2 (inside
|
||||
* EAP-TTLS/PEAP/FAST tunnel) authentication.
|
||||
*/
|
||||
char *domain_suffix_match2;
|
||||
|
||||
/**
|
||||
* eap_methods - Allowed EAP methods
|
||||
*
|
||||
|
|
|
|||
|
|
@ -78,6 +78,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
|
|||
params->dh_file = (char *) config->dh_file;
|
||||
params->subject_match = (char *) config->subject_match;
|
||||
params->altsubject_match = (char *) config->altsubject_match;
|
||||
params->suffix_match = config->domain_suffix_match;
|
||||
params->engine = config->engine;
|
||||
params->engine_id = config->engine_id;
|
||||
params->pin = config->pin;
|
||||
|
|
@ -99,6 +100,7 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
|
|||
params->dh_file = (char *) config->dh_file2;
|
||||
params->subject_match = (char *) config->subject_match2;
|
||||
params->altsubject_match = (char *) config->altsubject_match2;
|
||||
params->suffix_match = config->domain_suffix_match2;
|
||||
params->engine = config->engine2;
|
||||
params->engine_id = config->engine2_id;
|
||||
params->pin = config->pin2;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue