Amazing-Mirror/fragattacks
1
0
Fork 0
mirror of https://github.com/vanhoefm/fragattacks.git synced 2024-12-02 12:18:24 -05:00
Code Issues Projects Releases Wiki Activity
ca27ee0998
fragattacks/src
History
Jouni Malinen 3c108b7573 EAP peer: External server certificate chain validation 
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.

By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 18:24:27 +02:00
..
ap FT: Fix FTIE generation for EAPOL-Key msg 3/4 2015-12-10 00:14:36 +02:00
common EAP peer: External server certificate chain validation 2015-12-12 18:24:27 +02:00
crypto EAP peer: External server certificate chain validation 2015-12-12 18:24:27 +02:00
drivers nl80211: Cancel all pending TX frame cookies 2015-12-02 12:37:10 +02:00
eap_common EAP-FAST: Check T-PRF result in MSK/EMSK derivation 2015-12-12 11:20:05 +02:00
eap_peer EAP peer: External server certificate chain validation 2015-12-12 18:24:27 +02:00
eap_server EAP-FAST: Check T-PRF result in MSK/EMSK derivation 2015-12-12 11:20:05 +02:00
eapol_auth Remove unreachable PMKSA cache entry addition on Access-Accept 2015-10-14 18:43:26 +03:00
eapol_supp Fix EAPOL reauth after FT protocol or offloaded PMKSA cache use 2015-11-19 21:16:18 +02:00
fst FST: Make FST peer connection check more permissive in hostapd 2015-11-25 17:30:59 +02:00
l2_packet l2_packet: Add build option to disable Linux packet socket workaround 2015-10-25 19:56:53 +02:00
p2p P2P: Add support for VHT 80+80 MHz and 160 MHz 2015-11-25 19:01:20 +02:00
pae MACsec: Update protect frames and replay on reauthentication 2014-12-09 16:56:10 +02:00
radius RADIUS: Avoid undefined behavior in pointer arithmetic 2015-10-25 15:34:59 +02:00
rsn_supp FT: Fix FTIE generation for 4-way handshake after FT protocol run 2015-12-10 00:14:35 +02:00
tls TLS: Add support for PKCS #5 v2.0 PBES2 2015-12-05 20:23:12 +02:00
utils HTTP (curl): OCSP with BoringSSL 2015-12-04 20:08:31 +02:00
wps WPS: Support parallel UPnP WPS protocol runs 2015-11-30 16:57:11 +02:00
lib.rules Add QUIET=1 option for make 2014-12-29 15:49:05 +02:00
Makefile FST: Add the Fast Session Transfer (FST) module 2015-07-16 18:26:15 +03:00