OpenSSL: Add 'check_cert_subject' support for TLS server

This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.

This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).

Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.

Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>

wpa_supplicant/config.c

@@ -2257,6 +2257,7 @@ static const struct parse_data ssid_fields[] = {
 	{ STR_KEYe(private_key_passwd) },
 	{ STRe(dh_file) },
 	{ STRe(subject_match) },
+	{ STRe(check_cert_subject) },
 	{ STRe(altsubject_match) },
 	{ STRe(domain_suffix_match) },
 	{ STRe(domain_match) },
@@ -2267,6 +2268,7 @@ static const struct parse_data ssid_fields[] = {
 	{ STR_KEYe(private_key2_passwd) },
 	{ STRe(dh_file2) },
 	{ STRe(subject_match2) },
+	{ STRe(check_cert_subject2) },
 	{ STRe(altsubject_match2) },
 	{ STRe(domain_suffix_match2) },
 	{ STRe(domain_match2) },
@@ -2525,6 +2527,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 	str_clear_free(eap->private_key_passwd);
 	os_free(eap->dh_file);
 	os_free(eap->subject_match);
+	os_free(eap->check_cert_subject);
 	os_free(eap->altsubject_match);
 	os_free(eap->domain_suffix_match);
 	os_free(eap->domain_match);
@@ -2535,6 +2538,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 	str_clear_free(eap->private_key2_passwd);
 	os_free(eap->dh_file2);
 	os_free(eap->subject_match2);
+	os_free(eap->check_cert_subject2);
 	os_free(eap->altsubject_match2);
 	os_free(eap->domain_suffix_match2);
 	os_free(eap->domain_match2);

wpa_supplicant/config_file.c

@@ -782,6 +782,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	STR(private_key_passwd);
 	STR(dh_file);
 	STR(subject_match);
+	STR(check_cert_subject);
 	STR(altsubject_match);
 	STR(domain_suffix_match);
 	STR(domain_match);
@@ -792,6 +793,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	STR(private_key2_passwd);
 	STR(dh_file2);
 	STR(subject_match2);
+	STR(check_cert_subject2);
 	STR(altsubject_match2);
 	STR(domain_suffix_match2);
 	STR(domain_match2);

wpa_supplicant/config_winreg.c

@@ -896,6 +896,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 	STR(private_key_passwd);
 	STR(dh_file);
 	STR(subject_match);
+	STR(check_cert_subject);
 	STR(altsubject_match);
 	STR(ca_cert2);
 	STR(ca_path2);
@@ -904,6 +905,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 	STR(private_key2_passwd);
 	STR(dh_file2);
 	STR(subject_match2);
+	STR(check_cert_subject2);
 	STR(altsubject_match2);
 	STR(phase1);
 	STR(phase2);

wpa_supplicant/wpa_cli.c

@@ -1411,9 +1411,11 @@ static const char *network_fields[] = {
 	"eap", "identity", "anonymous_identity", "password", "ca_cert",
 	"ca_path", "client_cert", "private_key", "private_key_passwd",
 	"dh_file", "subject_match", "altsubject_match",
+	"check_cert_subject",
 	"domain_suffix_match", "domain_match", "ca_cert2", "ca_path2",
 	"client_cert2", "private_key2", "private_key2_passwd",
 	"dh_file2", "subject_match2", "altsubject_match2",
+	"check_cert_subject2",
 	"domain_suffix_match2", "domain_match2", "phase1", "phase2",
 	"pcsc", "pin", "engine_id", "key_id", "cert_id", "ca_cert_id",
 	"pin2", "engine2_id", "key2_id", "cert2_id", "ca_cert2_id",