hostapd/src/common
Jouni Malinen 00468b4650 Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.

The following new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR

In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after the user has accepted it. Future connections will
then be allowed as long as the same server certificate is used.

Authentication server probing can be done, e.g., with the following
configuration options:
    eap=TTLS PEAP TLS
    identity=""
    ca_cert="probe://"

Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Server certificate matching is configured with ca_cert, e.g.:
    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
2010-02-13 11:14:23 +02:00
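The workflow the commit message describes for an external program (probe the network, read the CTRL-EVENT-EAP-PEER-CERT event, let the user accept the server certificate, then write a ca_cert="hash://server/sha256/..." pin) can be shown end to end in a few functions. The code below is an added example and is not part of wpa_supplicant or hostapd; it assumes only the event line format and the ca_cert hash:// syntax quoted above, and it uses the constructed sample event (with the hash value from the commit message) as its input. The pin check mirrors what the TLS side must enforce: only the depth=0 certificate is compared, the hex is validated and normalised, and anything malformed is treated as a mismatch rather than a pass.

```c
/* Added example (not wpa_supplicant/hostapd code): parse a
 * CTRL-EVENT-EAP-PEER-CERT line, derive the ca_cert pin for the probed
 * server certificate, and check a later observed hash against that pin. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SHA256_HEX_LEN 64
#define PIN_PREFIX "hash://server/sha256/"

struct peer_cert_event {
    int depth;                          /* 0 = server certificate itself */
    char subject[256];                  /* DN as printed by the event   */
    char hash[SHA256_HEX_LEN + 1];      /* lowercase hex SHA-256        */
};

/* Copy a hex hash, validating length and alphabet and lowercasing it.
 * Returns 1 on success, 0 if it is not a 64-character hex string. */
static int copy_hex_hash(const char *src, size_t len, char *dst)
{
    size_t i;
    if (len != SHA256_HEX_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        if (!isxdigit((unsigned char)src[i]))
            return 0;
        dst[i] = (char)tolower((unsigned char)src[i]);
    }
    dst[len] = '\0';
    return 1;
}

/* Parse "CTRL-EVENT-EAP-PEER-CERT depth=N subject='...' hash=<hex>".
 * The subject may contain spaces, so it is delimited by the quotes.
 * Returns 1 on success, 0 if the line is not a well-formed event. */
int parse_peer_cert_event(const char *line, struct peer_cert_event *ev)
{
    const char *p, *q;
    size_t n;

    if (strncmp(line, "CTRL-EVENT-EAP-PEER-CERT ", 25) != 0)
        return 0;
    p = strstr(line, " depth=");
    if (!p || sscanf(p + 7, "%d", &ev->depth) != 1)
        return 0;
    p = strstr(line, " subject='");
    if (!p)
        return 0;
    p += 10;
    q = strchr(p, '\'');
    if (!q)
        return 0;
    n = (size_t)(q - p);
    if (n >= sizeof(ev->subject))
        return 0;
    memcpy(ev->subject, p, n);
    ev->subject[n] = '\0';
    p = strstr(q, " hash=");
    if (!p)
        return 0;
    p += 6;
    n = strcspn(p, " \r\n");
    return copy_hex_hash(p, n, ev->hash);
}

/* Build the ca_cert value that pins the probed server certificate.
 * Returns 1 on success, 0 if the output buffer is too small. */
int build_server_pin(const struct peer_cert_event *ev, char *out, size_t out_len)
{
    int r = snprintf(out, out_len, PIN_PREFIX "%s", ev->hash);
    return r > 0 && (size_t)r < out_len;
}

/* Check an observed certificate against a configured hash://server pin.
 * Only depth 0 is compared; any other depth, a malformed pin, or a
 * differing hash is a mismatch. Returns 1 on match, 0 otherwise. */
int server_pin_matches(const char *ca_cert, const struct peer_cert_event *ev)
{
    char pinned[SHA256_HEX_LEN + 1];
    const char *hex;

    if (ev->depth != 0)
        return 0;
    if (strncmp(ca_cert, PIN_PREFIX, strlen(PIN_PREFIX)) != 0)
        return 0;
    hex = ca_cert + strlen(PIN_PREFIX);
    if (!copy_hex_hash(hex, strlen(hex), pinned))
        return 0;
    return strcmp(pinned, ev->hash) == 0;
}

int main(void)
{
    /* Constructed sample input: the event line quoted in the commit message. */
    const char *line = "CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a";
    struct peer_cert_event ev;
    char pin[sizeof(PIN_PREFIX) + SHA256_HEX_LEN];

    if (parse_peer_cert_event(line, &ev) && build_server_pin(&ev, pin, sizeof(pin)))
        printf("ca_cert=\"%s\"\n", pin);
    return 0;
}
```

The pin is trust-on-first-use: whatever the user accepts after the probe is what every later connection is checked against, so the acceptance step is where the trust decision actually happens, and the subject string from the event is what a UI should display there. Because the hash covers only the depth=0 certificate, a renewed server certificate breaks the match and the probe has to be repeated, which is the intended behaviour rather than a failure of the check.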
defs.h Standardize on a single definition of auth_alg bitfield values 2010-01-03 21:14:40 +02:00
eapol_common.h Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00
ieee802_11_common.c Mark ieee802_11_parse_elems() input and parsed elems const 2009-12-13 23:11:11 +02:00
ieee802_11_common.h Mark ieee802_11_parse_elems() input and parsed elems const 2009-12-13 23:11:11 +02:00
ieee802_11_defs.h Move vendor-specific IE type defines away from driver.h 2009-12-10 12:27:46 +02:00
Makefile Improved 'make install' (use BINDIR/LIBDIR, install shared objects) 2009-02-15 14:22:50 +02:00
privsep_commands.h Replace wpa_supplicant_sta_rx() call with driver event 2010-01-03 11:50:26 +02:00
version.h Preparations for v0.7.1 release 2010-01-16 19:04:38 +02:00
wpa_common.c Remove src/crypto from default include path 2009-11-29 23:04:43 +02:00
wpa_common.h Add AP mode WPA status into ctrl_iface 2009-10-16 18:35:45 +03:00
wpa_ctrl.c Remove orphaned wpa_cli control socket on EADDRINUSE 2009-01-31 22:22:09 +02:00
wpa_ctrl.h Add TLS client events, server probing, and srv cert matching 2010-02-13 11:14:23 +02:00