jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Interworking: Add domain_suffix_match for credentials

Browse source 
This allow domain_suffix_match to be specified for a cred block and then
get this copied for the network blocks generated from this credential as
part of Interworking network selection.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2013-10-06 18:14:51 -07:00 committed by Jouni Malinen
parent 463c8ffbd5
commit ac1bc54948
5 changed files with 48 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
wpa_supplicant/README-HS20
View file

@ -166,6 +166,20 @@ Credentials can be pre-configured for automatic network selection:
# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
# format # format
# #
# domain_suffix_match: Constraint for server domain name
# If set, this FQDN is used as a suffix match requirement for the AAA
# server certificate in SubjectAltName dNSName element(s). If a
# matching dNSName is found, this constraint is met. If no dNSName
# values are present, this constraint is matched against SubjetName CN
# using same suffix match comparison. Suffix match here means that the
# host/domain name is compared one label at a time starting from the
# top-level domain and all the labels in @domain_suffix_match shall be
# included in the certificate. The certificate may include additional
# sub-level labels in addition to the required labels.
#
# For example, domain_suffix_match=example.com would match
# test.example.com but would not match test-example.com.
#
# domain: Home service provider FQDN(s) # domain: Home service provider FQDN(s)
# This is used to compare against the Domain Name List to figure out # This is used to compare against the Domain Name List to figure out
# whether the AP is operated by the Home SP. Multiple domain entries can # whether the AP is operated by the Home SP. Multiple domain entries can
@ -205,6 +219,7 @@ Credentials can be pre-configured for automatic network selection:
# password="password" # password="password"
# ca_cert="/etc/wpa_supplicant/ca.pem" # ca_cert="/etc/wpa_supplicant/ca.pem"
# domain="example.com" # domain="example.com"
# domain_suffix_match="example.com"
#} #}
# #
#cred={ #cred={

7
wpa_supplicant/config.c
View file

@ -1869,6 +1869,7 @@ void wpa_config_free_cred(struct wpa_cred *cred)
for (i = 0; i < cred->num_domain; i++) for (i = 0; i < cred->num_domain; i++)
os_free(cred->domain[i]); os_free(cred->domain[i]);
os_free(cred->domain); os_free(cred->domain);
os_free(cred->domain_suffix_match);
os_free(cred->eap_method); os_free(cred->eap_method);
os_free(cred->phase1); os_free(cred->phase1);
os_free(cred->phase2); os_free(cred->phase2);
@ -2440,6 +2441,12 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
return 0; return 0;
} }
if (os_strcmp(var, "domain_suffix_match") == 0) {
os_free(cred->domain_suffix_match);
cred->domain_suffix_match = val;
return 0;
}
if (os_strcmp(var, "domain") == 0) { if (os_strcmp(var, "domain") == 0) {
char **new_domain; char **new_domain;
new_domain = os_realloc_array(cred->domain, new_domain = os_realloc_array(cred->domain,

18
wpa_supplicant/config.h
View file

@ -149,6 +149,24 @@ struct wpa_cred {
*/ */
char *milenage; char *milenage;
/**
* domain_suffix_match - Constraint for server domain name
*
* If set, this FQDN is used as a suffix match requirement for the AAA
* server certificate in SubjectAltName dNSName element(s). If a
* matching dNSName is found, this constraint is met. If no dNSName
* values are present, this constraint is matched against SubjetName CN
* using same suffix match comparison. Suffix match here means that the
* host/domain name is compared one label at a time starting from the
* top-level domain and all the labels in @domain_suffix_match shall be
* included in the certificate. The certificate may include additional
* sub-level labels in addition to the required labels.
*
* For example, domain_suffix_match=example.com would match
* test.example.com but would not match test-example.com.
*/
char *domain_suffix_match;
/** /**
* domain - Home service provider FQDN(s) * domain - Home service provider FQDN(s)
* *

3
wpa_supplicant/config_file.c
View file

@ -757,6 +757,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
fprintf(f, "\tmilenage=\"%s\"\n", cred->milenage); fprintf(f, "\tmilenage=\"%s\"\n", cred->milenage);
for (i = 0; i < cred->num_domain; i++) for (i = 0; i < cred->num_domain; i++)
fprintf(f, "\tdomain=\"%s\"\n", cred->domain[i]); fprintf(f, "\tdomain=\"%s\"\n", cred->domain[i]);
if (cred->domain_suffix_match)
fprintf(f, "\tdomain_suffix_match=\"%s\"",
cred->domain_suffix_match);
if (cred->roaming_consortium_len) { if (cred->roaming_consortium_len) {
fprintf(f, "\troaming_consortium="); fprintf(f, "\troaming_consortium=");
for (i = 0; i < cred->roaming_consortium_len; i++) for (i = 0; i < cred->roaming_consortium_len; i++)

5
wpa_supplicant/interworking.c
View file

@ -1100,6 +1100,11 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
wpa_config_set_quoted(ssid, "ca_cert", cred->ca_cert) < 0) wpa_config_set_quoted(ssid, "ca_cert", cred->ca_cert) < 0)
return -1; return -1;
if (cred->domain_suffix_match && cred->domain_suffix_match[0] &&
wpa_config_set_quoted(ssid, "domain_suffix_match",
cred->domain_suffix_match) < 0)
return -1;
return 0; return 0;
} }