OpenSSL: Add 'check_cert_subject' support for TLS server

This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.

This option allows hostapd to match every individual field in the right
order, and also allows the '*' character as a wildcard (e.g., OU=Development*).

Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.

Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jared Bents 2019-02-28 13:39:50 -06:00 committed by Jouni Malinen
parent 0173423f41
commit 841205a1ce
16 changed files with 356 additions and 2 deletions


@ -196,6 +196,48 @@ struct eap_peer_config {
*/
char *subject_match;
/**
* check_cert_subject - Constraint for server certificate subject fields
*
* If check_cert_subject is set, the value of every field will be
* checked against the DN of the subject in the authentication server
* certificate. If the values do not match, the certificate verification
* will fail, rejecting the server. This option allows wpa_supplicant to
* match every individual field in the right order against the DN of the
* subject in the server certificate.
*
* For example, check_cert_subject=C=US/O=XX/OU=ABC/OU=XYZ/CN=1234 will
* check every individual DN field of the subject in the server
* certificate. If OU=XYZ comes first in terms of the order in the
* server certificate (DN field of server certificate
* C=US/O=XX/OU=XYZ/OU=ABC/CN=1234), wpa_supplicant will reject the
* server because the order of 'OU' is not matching the specified string
* in check_cert_subject.
*
* This option also allows '*' as a wildcard. This option has some
* limitation.
* It can only be used as per the following example.
*
* For example, check_cert_subject=C=US/O=XX/OU=Production* and we have
* two servers and DN of the subject in the first server certificate is
* (C=US/O=XX/OU=Production Unit) and DN of the subject in the second
* server is (C=US/O=XX/OU=Production Factory). In this case,
* wpa_supplicant will allow both servers because the value of 'OU'
* field in both server certificates matches 'OU' value in
* 'check_cert_subject' up to 'wildcard'.
*
* (Allow all servers, e.g., check_cert_subject=*)
*/
char *check_cert_subject;
/**
* check_cert_subject2 - Constraint for server certificate subject fields
*
* This field is like check_cert_subject, but used for phase 2 (inside
* EAP-TTLS/PEAP/FAST tunnel) authentication.
*/
char *check_cert_subject2;
/**
* altsubject_match - Constraint for server certificate alt. subject
*


@ -116,6 +116,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
params->dh_file = config->dh_file;
params->subject_match = config->subject_match;
params->altsubject_match = config->altsubject_match;
params->check_cert_subject = config->check_cert_subject;
params->suffix_match = config->domain_suffix_match;
params->domain_match = config->domain_match;
params->engine = config->engine;
@ -139,6 +140,7 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
params->dh_file = config->dh_file2;
params->subject_match = config->subject_match2;
params->altsubject_match = config->altsubject_match2;
params->check_cert_subject = config->check_cert_subject2;
params->suffix_match = config->domain_suffix_match2;
params->domain_match = config->domain_match2;
params->engine = config->engine2;