hostapd: add support for system cert bundle validation
authorDavid Lam <david@thedavid.net>
Thu, 16 Jan 2020 08:01:35 +0000 (00:01 -0800)
committerJo-Philipp Wich <jo@mein.io>
Thu, 16 Jan 2020 11:08:18 +0000 (12:08 +0100)
Currently, it is very cumbersome for a user to connect to a WPA-Enterprise
based network securely because the RADIUS server's CA certificate must first be
extracted from the EAPOL handshake using tcpdump or other methods before it can
be pinned using the ca_cert(2) fields. To make this process easier and more
secure (combined with changes in openwrt/openwrt#2654), this commit adds
support for validating against the built-in CA bundle when the ca-bundle
package is installed. Related LuCI changes in openwrt/luci#3513.

Signed-off-by: David Lam <david@thedavid.net>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
package/network/services/hostapd/Makefile
package/network/services/hostapd/files/hostapd.sh

index 231c2c1b886e643bb12d8931fb5bb4928d9fb09c..2642a263dcf0b436be68e5dedd2cee09a217e462 100644 (file)
@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
index b52d305f952ee014b6b804e37142bc0e7b405454..ab86638e1172a853c4112b287cedf0b97c96269e 100644 (file)
@@ -212,6 +212,7 @@ hostapd_common_add_bss_config() {
        config_add_string radius_client_addr
        config_add_string iapp_interface
        config_add_string eap_type ca_cert client_cert identity anonymous_identity auth priv_key priv_key_pwd
+       config_add_boolean ca_cert_usesystem ca_cert2_usesystem
        config_add_string subject_match subject_match2
        config_add_array altsubject_match altsubject_match2
        config_add_array domain_match domain_match2 domain_suffix_match domain_suffix_match2
@@ -872,8 +873,13 @@ wpa_supplicant_add_network() {
                        hostapd_append_wpa_key_mgmt
                        key_mgmt="$wpa_key_mgmt"
 
-                       json_get_vars eap_type identity anonymous_identity ca_cert
-                       [ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
+                       json_get_vars eap_type identity anonymous_identity ca_cert ca_cert_usesystem
+
+                       if [ "$ca_cert_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then
+                               append network_data "ca_cert=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T"
+                       else
+                               [ -n "$ca_cert" ] && append network_data "ca_cert=\"$ca_cert\"" "$N$T"
+                       fi
                        [ -n "$identity" ] && append network_data "identity=\"$identity\"" "$N$T"
                        [ -n "$anonymous_identity" ] && append network_data "anonymous_identity=\"$anonymous_identity\"" "$N$T"
                        case "$eap_type" in
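Review bot: When `ca_cert_usesystem` is 1 but `/etc/ssl/certs/ca-certificates.crt` is absent, the new `if` on line 47 falls through to the `else` branch, and with an empty `ca_cert` the network is written with no `ca_cert=` line at all, so a user who explicitly asked for server-certificate validation gets none and nothing is logged. I would at least log the downgrade, `logger -t hostapd "ca-certificates.crt not found, ca_cert_usesystem ignored"`, or better skip emitting the network. Separately, `[ "$ca_cert_usesystem" -eq "1" -a -f ... ]` runs `-eq` on an empty string whenever the option is unset (there is no `set_default` for it), which most shells report on stderr; `[ "$ca_cert_usesystem" = "1" ] && [ -f "/etc/ssl/certs/ca-certificates.crt" ]` avoids that and the non-portable `-a`. Trusting the whole system bundle also means any publicly issued certificate is accepted unless `domain_match`/`domain_suffix_match` is set, which this hunk neither requires nor warns about. `wpa_supplicant_add_network` begins and ends outside this hunk.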
@@ -914,12 +920,15 @@ wpa_supplicant_add_network() {
                                        fi
                                ;;
                                fast|peap|ttls)
-                                       json_get_vars auth password ca_cert2 client_cert2 priv_key2 priv_key2_pwd
+                                       json_get_vars auth password ca_cert2 ca_cert2_usesystem client_cert2 priv_key2 priv_key2_pwd
                                        set_default auth MSCHAPV2
 
                                        if [ "$auth" = "EAP-TLS" ]; then
-                                               [ -n "$ca_cert2" ] &&
-                                                       append network_data "ca_cert2=\"$ca_cert2\"" "$N$T"
+                                               if [ "$ca_cert2_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then
+                                                       append network_data "ca_cert2=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T"
+                                               else
+                                                       [ -n "$ca_cert2" ] && append network_data "ca_cert2=\"$ca_cert2\"" "$N$T"
+                                               fi
                                                append network_data "client_cert2=\"$client_cert2\"" "$N$T"
                                                append network_data "private_key2=\"$priv_key2\"" "$N$T"
                                                append network_data "private_key2_passwd=\"$priv_key2_pwd\"" "$N$T"
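Review bot: The bundle check on line 66 repeats line 47 verbatim, so the path `/etc/ssl/certs/ca-certificates.crt` and the fallback logic now live in two places; I would hoist the path into one variable near the top of the script and have both the outer `ca_cert` and this inner `ca_cert2` branch use it, e.g. `ca_bundle="/etc/ssl/certs/ca-certificates.crt"` and `[ "$ca_cert2_usesystem" = "1" ] && [ -f "$ca_bundle" ]`. As written, an unset `ca_cert2_usesystem` feeds an empty string to `-eq`, and a missing bundle with an empty `ca_cert2` leaves the inner EAP-TLS server unverified without any log line. This `auth = "EAP-TLS"` branch, its enclosing `case "$eap_type"` and `wpa_supplicant_add_network` all continue outside the hunk.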