Interworking: Add domain_suffix_match for credentials
This allows domain_suffix_match to be specified for a cred block and then copied into the network blocks generated from this credential as part of Interworking network selection. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
parent
463c8ffbd5
commit
ac1bc54948
@ -166,6 +166,20 @@ Credentials can be pre-configured for automatic network selection:
|
||||
# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
|
||||
# format
|
||||
#
|
||||
# domain_suffix_match: Constraint for server domain name
|
||||
# If set, this FQDN is used as a suffix match requirement for the AAA
|
||||
# server certificate in SubjectAltName dNSName element(s). If a
|
||||
# matching dNSName is found, this constraint is met. If no dNSName
|
||||
# values are present, this constraint is matched against SubjetName CN
|
||||
# using same suffix match comparison. Suffix match here means that the
|
||||
# host/domain name is compared one label at a time starting from the
|
||||
# top-level domain and all the labels in @domain_suffix_match shall be
|
||||
# included in the certificate. The certificate may include additional
|
||||
# sub-level labels in addition to the required labels.
|
||||
#
|
||||
# For example, domain_suffix_match=example.com would match
|
||||
# test.example.com but would not match test-example.com.
|
||||
#
|
||||
# domain: Home service provider FQDN(s)
|
||||
# This is used to compare against the Domain Name List to figure out
|
||||
# whether the AP is operated by the Home SP. Multiple domain entries can
|
||||
@ -205,6 +219,7 @@ Credentials can be pre-configured for automatic network selection:
|
||||
# password="password"
|
||||
# ca_cert="/etc/wpa_supplicant/ca.pem"
|
||||
# domain="example.com"
|
||||
# domain_suffix_match="example.com"
|
||||
#}
|
||||
#
|
||||
#cred={
|
||||
|
@ -1869,6 +1869,7 @@ void wpa_config_free_cred(struct wpa_cred *cred)
|
||||
for (i = 0; i < cred->num_domain; i++)
|
||||
os_free(cred->domain[i]);
|
||||
os_free(cred->domain);
|
||||
os_free(cred->domain_suffix_match);
|
||||
os_free(cred->eap_method);
|
||||
os_free(cred->phase1);
|
||||
os_free(cred->phase2);
|
||||
@ -2440,6 +2441,12 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (os_strcmp(var, "domain_suffix_match") == 0) {
|
||||
os_free(cred->domain_suffix_match);
|
||||
cred->domain_suffix_match = val;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (os_strcmp(var, "domain") == 0) {
|
||||
char **new_domain;
|
||||
new_domain = os_realloc_array(cred->domain,
|
||||
|
@ -149,6 +149,24 @@ struct wpa_cred {
|
||||
*/
|
||||
char *milenage;
|
||||
|
||||
/**
|
||||
* domain_suffix_match - Constraint for server domain name
|
||||
*
|
||||
* If set, this FQDN is used as a suffix match requirement for the AAA
|
||||
* server certificate in SubjectAltName dNSName element(s). If a
|
||||
* matching dNSName is found, this constraint is met. If no dNSName
|
||||
* values are present, this constraint is matched against SubjetName CN
|
||||
* using same suffix match comparison. Suffix match here means that the
|
||||
* host/domain name is compared one label at a time starting from the
|
||||
* top-level domain and all the labels in @domain_suffix_match shall be
|
||||
* included in the certificate. The certificate may include additional
|
||||
* sub-level labels in addition to the required labels.
|
||||
*
|
||||
* For example, domain_suffix_match=example.com would match
|
||||
* test.example.com but would not match test-example.com.
|
||||
*/
|
||||
char *domain_suffix_match;
|
||||
|
||||
/**
|
||||
* domain - Home service provider FQDN(s)
|
||||
*
|
||||
|
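Review bot: The doc comment on the new domain_suffix_match field misspells the certificate field as "SubjetName CN"; the same sentence appears in the wpa_supplicant.conf hunk at the top of this commit. Suggest `* values are present, this constraint is matched against Subject CN` in both places. Since this is a heap string owned by the credential, a one-line ownership note would also help a reader of the header, e.g. `* Owned by the credential; released with os_free() in wpa_config_free_cred()` (the free is visible in the config.c hunk). struct wpa_cred continues outside the hunk.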
@ -757,6 +757,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
|
||||
fprintf(f, "\tmilenage=\"%s\"\n", cred->milenage);
|
||||
for (i = 0; i < cred->num_domain; i++)
|
||||
fprintf(f, "\tdomain=\"%s\"\n", cred->domain[i]);
|
||||
if (cred->domain_suffix_match)
|
||||
fprintf(f, "\tdomain_suffix_match=\"%s\"",
|
||||
cred->domain_suffix_match);
|
||||
if (cred->roaming_consortium_len) {
|
||||
fprintf(f, "\troaming_consortium=");
|
||||
for (i = 0; i < cred->roaming_consortium_len; i++)
|
||||
|
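Review bot: The new fprintf for domain_suffix_match omits the trailing `\n` that the neighbouring milenage and domain writes include, so the value is emitted on the same line as whatever is written next (the `\troaming_consortium=` output a few lines below when that field is set). A config saved this way would presumably fail to read back the constraint correctly, which is a security-relevant setting to lose silently. Change the format string to `fprintf(f, "\tdomain_suffix_match=\"%s\"\n",`. wpa_config_write_cred starts and ends outside the hunk.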
@ -1100,6 +1100,11 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
|
||||
wpa_config_set_quoted(ssid, "ca_cert", cred->ca_cert) < 0)
|
||||
return -1;
|
||||
|
||||
if (cred->domain_suffix_match && cred->domain_suffix_match[0] &&
|
||||
wpa_config_set_quoted(ssid, "domain_suffix_match",
|
||||
cred->domain_suffix_match) < 0)
|
||||
return -1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
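Review bot: The `cred->domain_suffix_match[0]` test means a credential configured with an empty domain_suffix_match is silently treated as unset and nothing is copied to the generated network block; that is reasonable but not obvious to a later reader. A short comment such as `/* Empty cred value means no constraint; do not propagate it */` above the new if would document the intent, and it appears to mirror how ca_cert is handled just above (that condition starts outside the hunk). interworking_set_eap_params begins outside the hunk.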