hostapd/src/common
Jouni Malinen 3c108b7573 EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommended.

By default, the external validation is not used. It can be enabled by
adding tls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issuer, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with a TLS alert. In other words, if the external validation rejects the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 18:24:27 +02:00
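One way an external validator could drive the CTRL-REQ/RSP exchange described in the commit message, as an added Python example that is not part of hostapd/wpa_supplicant: the sample event lines, the certificate bytes and the field order after the CTRL-EVENT-EAP-PEER-CERT event name are constructed assumptions, and the policy shown (pinning the depth-0 server certificate's SHA-256) is one possible external check, not the project's.

```python
import hashlib
import re

# Constructed sample certificate bytes (not real DER) and constructed events.
# Field order after the event name is an assumption made for this example.
FAKE_ROOT_DER = b"constructed-root-cert"
FAKE_SERVER_DER = b"constructed-server-cert"
PINNED_SERVER_SHA256 = hashlib.sha256(FAKE_SERVER_DER).hexdigest()
SAMPLE_EVENTS = [
    "<3>CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Example Root' cert=" + FAKE_ROOT_DER.hex(),
    "<3>CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=radius.example' cert=" + FAKE_SERVER_DER.hex(),
    "<3>CTRL-REQ-EXT_CERT_CHECK-4:External server certificate validation needed for SSID corp",
]

CERT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-CERT\s+(?P<fields>.*)$")
REQ_RE = re.compile(r"CTRL-REQ-EXT_CERT_CHECK-(?P<id>\d+):")


def parse_peer_cert(line):
    """Return (depth, der_bytes) for a CTRL-EVENT-EAP-PEER-CERT line, else None."""
    m = CERT_RE.search(line)
    if not m:
        return None
    depth = re.search(r"\bdepth=(\d+)", m.group("fields"))
    cert = re.search(r"\bcert=([0-9a-fA-F]+)", m.group("fields"))
    if not depth or not cert:
        return None
    return int(depth.group(1)), bytes.fromhex(cert.group(1))


def external_check(chain, pinned_sha256):
    """Example policy: the depth-0 server cert must match a pinned SHA-256; else 'bad'."""
    server = chain.get(0)
    if server is None:
        return "bad"
    return "good" if hashlib.sha256(server).hexdigest() == pinned_sha256 else "bad"


def handle_events(events, pinned_sha256):
    """Consume control-interface event lines; return the CTRL-RSP commands to send."""
    chain = {}  # depth -> DER bytes, collected before the CTRL-REQ arrives
    responses = []
    for line in events:
        parsed = parse_peer_cert(line)
        if parsed:
            chain[parsed[0]] = parsed[1]
            continue
        req = REQ_RE.search(line)
        if req:
            verdict = external_check(chain, pinned_sha256)
            responses.append(f"CTRL-RSP-EXT_CERT_CHECK-{req.group('id')}:{verdict}")
            chain = {}  # the chain belongs to one handshake; start fresh for the next
    return responses
```

Because this check replaces TLS-library validation only when ca_cert/ca_path are omitted, a pin like this is best used in addition to the internal chain validation rather than instead of it.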
common_module_tests.c tests: Additional ieee802_11_parse_elems() module test coverage 2015-06-14 16:47:29 +03:00
defs.h EAP peer: External server certificate chain validation 2015-12-12 18:24:27 +02:00
eapol_common.h MACsec: Add common IEEE 802.1X definitions 2014-05-09 20:05:28 +03:00
gas.c Add generic GAS request mechanism 2012-08-27 18:13:10 +03:00
gas.h Add generic GAS request mechanism 2012-08-27 18:13:10 +03:00
hw_features_common.c hw_features: Merge similar return case in check_40mhz_2g4() 2015-06-29 23:23:56 +03:00
hw_features_common.h Make check_20mhz_bss() static 2015-06-20 16:05:54 +03:00
ieee802_1x_defs.h MACsec: Add common IEEE 802.1X definitions 2014-05-09 20:05:28 +03:00
ieee802_11_common.c Add frequency to operating class determination for 5 GHz 100..140 2015-10-30 11:45:50 +02:00
ieee802_11_common.h Share freq-to-channel conversion function 2015-08-03 23:55:46 +03:00
ieee802_11_defs.h Interworking: Define new ANQP-element Info IDs 2015-10-07 17:07:21 +03:00
Makefile tests: Add p2p-fuzzer 2015-04-22 11:44:19 +03:00
privsep_commands.h wpa_priv: Add authentication command and event 2015-09-05 13:21:17 +03:00
qca-vendor-attr.h Make qca-vendor.h independent of other header files 2014-04-25 11:41:36 +03:00
qca-vendor.h Assign QCA vendor command and attribute for Tx power reduction in dB 2015-11-19 11:34:31 +02:00
sae.c SAE: Avoid undefined behavior in pointer arithmetic 2015-10-25 15:34:59 +02:00
sae.h SAE: Verify that own/peer commit-scalar and COMMIT-ELEMENT are different 2015-06-23 23:10:36 +03:00
tnc.h tests: TNC testing 2014-05-17 20:05:55 +03:00
version.h Add "git describe" based version string postfix 2015-10-16 22:20:55 +03:00
wpa_common.c FT: Fix FTIE generation for 4-way handshake after FT protocol run 2015-12-10 00:14:35 +02:00
wpa_common.h FT: Fix FTIE generation for 4-way handshake after FT protocol run 2015-12-10 00:14:35 +02:00
wpa_ctrl.c Android: Set ctrl_iface client socket group (AID_WIFI) separately 2015-09-24 13:15:57 +03:00
wpa_ctrl.h Add QCA vendor attribute and event to indicate subnet change status 2015-11-20 11:03:06 +02:00
wpa_helpers.c Use "STATUS-NO_EVENTS" instead of "STATUS" in get_wpa_status function 2015-11-01 21:05:10 +02:00
wpa_helpers.h Add wpa_ctrl helper functions for upper level functionality 2014-03-12 01:09:21 +02:00