Added a EAP TLS Accept Any Client Cert Option

EAP TLS accept any auth was previous a compile time option, it's not a
proper hostapd option, including runtime configurability.

I needed to remove the compile time config option from .config and
defcon, plus change the if in src/crypto/tls_openssl.c.

I also rearranged some mana options to be grouped together, and fixed
the tabs on some other ones to be consistent (i.e. remove spaces).

hostapd/.config

@@ -9,9 +9,6 @@
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 
-# MANA Disable EAP-TLS Client Certificate Validation
-CONFIG_EAP_UNAUTH_TLS=y
-
 # Driver interface for Host AP driver
 CONFIG_DRIVER_HOSTAP=y
 

hostapd/config_file.c

@@ -2198,6 +2198,12 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 		if (conf->mana_eapsuccess) {
 			wpa_printf(MSG_DEBUG, "MANA: EAP success mode enabled");
 		}
+	} else if (os_strcmp(buf, "mana_eaptls") == 0) {
+		int val = atoi(pos);
+		conf->mana_eaptls = (val != 0);
+		if (conf->mana_eaptls) {
+			wpa_printf(MSG_DEBUG, "MANA: EAP TLS modes will accept any client certificate.");
+		}
 	// MANA END
 	} else if (os_strcmp(buf, "dump_file") == 0) {
 		wpa_printf(MSG_INFO, "Line %d: DEPRECATED: 'dump_file' configuration variable is not used anymore",
@@ -3719,6 +3725,7 @@ struct hostapd_config * hostapd_config_read(const char *fname)
 	conf->mana_wpe = 0; //default off; 1 - dump credentials captured during EAP exchanges 0 - function as normal
 	conf->mana_credout = "NOT_SET"; //default non
 	conf->mana_eapsuccess = 0; //default off; 1 - allow clients to connect even with incorrect creds 0 - function as normal
+	conf->mana_eaptls = 0; //default off; 1 - accept any client certificate presented in EAP-TLS modes. 0 - validate certificates as normal.
 	// MANA END
 
 	while (fgets(buf, sizeof(buf), f)) {

hostapd/ctrl_iface.c

@@ -124,37 +124,6 @@ static int hostapd_ctrl_iface_new_sta(struct hostapd_data *hapd,
 }
 
 // MANA START
-
-static int hostapd_ctrl_iface_mana_get_state (struct hostapd_data *hapd)
-{
-	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE STATUS QUERY");
-	return hapd->iconf->enable_mana;
-}
-
-static int hostapd_ctrl_iface_mana_get_mode (struct hostapd_data *hapd)
-{
-	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE LOUD MODE STATUS QUERY");
-	return hapd->iconf->mana_loud;
-}
-
-static int hostapd_ctrl_iface_mana_get_aclmode (struct hostapd_data *hapd)
-{
-	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE MAC ACL STATUS QUERY");
-	return hapd->iconf->mana_macacl;
-}
-
-static int hostapd_ctrl_iface_mana_get_wpemode (struct hostapd_data *hapd)
-{
-	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE WPE MODE STATUS QUERY");
-	return hapd->iconf->mana_wpe;
-}
-
-static int hostapd_ctrl_iface_mana_get_eapsuccessmode (struct hostapd_data *hapd)
-{
-	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPSUCCESS MODE STATUS QUERY");
-	return hapd->iconf->mana_eapsuccess;
-}
-
 static int hostapd_ctrl_iface_mana_change_ssid (struct hostapd_data *hapd,
 					     const char *ssid) {
 	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE CHANGE SSID %s", ssid);
@@ -183,6 +152,12 @@ static int hostapd_ctrl_iface_mana_enable_disable (struct hostapd_data *hapd, in
 	return 0;
 }
 
+static int hostapd_ctrl_iface_mana_get_state (struct hostapd_data *hapd)
+{
+	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE STATUS QUERY");
+	return hapd->iconf->enable_mana;
+}
+
 static int hostapd_ctrl_iface_mana_loud_enable_disable (struct hostapd_data *hapd, int status)
 {
 	if (status) {
@@ -195,6 +170,12 @@ static int hostapd_ctrl_iface_mana_loud_enable_disable (struct hostapd_data *hap
 	return 0;
 }
 
+static int hostapd_ctrl_iface_mana_get_mode (struct hostapd_data *hapd)
+{
+	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE LOUD MODE STATUS QUERY");
+	return hapd->iconf->mana_loud;
+}
+
 static int hostapd_ctrl_iface_mana_macacl_enable_disable (struct hostapd_data *hapd, int status)
 {
 	if (status) {
@@ -207,6 +188,12 @@ static int hostapd_ctrl_iface_mana_macacl_enable_disable (struct hostapd_data *h
 	return 0;
 }
 
+static int hostapd_ctrl_iface_mana_get_aclmode (struct hostapd_data *hapd)
+{
+	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE MAC ACL STATUS QUERY");
+	return hapd->iconf->mana_macacl;
+}
+
 static int hostapd_ctrl_iface_mana_wpe_enable_disable (struct hostapd_data *hapd, int status)
 {
 	if (status) {
@@ -219,6 +206,12 @@ static int hostapd_ctrl_iface_mana_wpe_enable_disable (struct hostapd_data *hapd
 	return 0;
 }
 
+static int hostapd_ctrl_iface_mana_get_wpemode (struct hostapd_data *hapd)
+{
+	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE WPE MODE STATUS QUERY");
+	return hapd->iconf->mana_wpe;
+}
+
 static int hostapd_ctrl_iface_mana_eapsuccess_enable_disable (struct hostapd_data *hapd, int status)
 {
 	if (status) {
@@ -230,6 +223,30 @@ static int hostapd_ctrl_iface_mana_eapsuccess_enable_disable (struct hostapd_dat
 
 	return 0;
 }
+
+static int hostapd_ctrl_iface_mana_get_eapsuccessmode (struct hostapd_data *hapd)
+{
+	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPSUCCESS MODE STATUS QUERY");
+	return hapd->iconf->mana_eapsuccess;
+}
+
+static int hostapd_ctrl_iface_mana_eaptls_enable_disable (struct hostapd_data *hapd, int status)
+{
+	if (status) {
+		wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPTLS MODE ENABLED");
+	} else {
+		wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPTLS MODE DISABLED");
+	}
+	hapd->iconf->mana_eaptls = status;
+
+	return 0;
+}
+
+static int hostapd_ctrl_iface_mana_get_eaptlsmode (struct hostapd_data *hapd)
+{
+	wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPTLS MODE STATUS QUERY");
+	return hapd->iconf->mana_eaptls;
+}
 // MANA END
 
 #ifdef CONFIG_IEEE80211W
@@ -2742,6 +2759,20 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd,
 			os_memcpy(reply, "MANA EAPSUCCESS MODE DISABLED\n", 30);
 			reply_len = 30;
 		}
+	} else if (os_strcmp(buf, "MANA_EAPTLS_ENABLE") == 0) {
+		if (hostapd_ctrl_iface_mana_eaptls_enable_disable(hapd, 1))
+			reply_len = -1;
+	} else if (os_strcmp(buf, "MANA_EAPTLS_DISABLE") == 0) {
+		if (hostapd_ctrl_iface_mana_eaptls_enable_disable(hapd, 0))
+			reply_len = -1;
+	} else if (os_strcmp(buf, "MANA_EAPTLS_MODE") == 0) {
+		if (hostapd_ctrl_iface_mana_get_eaptlsmode(hapd)) {
+			os_memcpy(reply, "MANA EAPTLS MODE ENABLED\n", 25);
+			reply_len = 25;
+		} else {
+			os_memcpy(reply, "MANA EAPTLS MODE DISABLED\n", 26);
+			reply_len = 26;
+		}
  	// END MANA
 	} else {
 		os_memcpy(reply, "UNKNOWN COMMAND\n", 16);

hostapd/defconfig

@@ -9,9 +9,6 @@
 # be modified from here. In most cass, these lines should use += in order not
 # to override previous values of the variables.
 
-# MANA Disable EAP-TLS Client Certificate Validation
-#CONFIG_EAP_UNAUTH_TLS=y
-
 # Driver interface for Host AP driver
 CONFIG_DRIVER_HOSTAP=y
 

hostapd/hostapd_cli.c

@@ -419,6 +419,18 @@ static int hostapd_cli_cmd_mana_get_eapsuccess(struct wpa_ctrl *ctrl, int argc,
 {
 	return wpa_ctrl_command(ctrl, "EAPSUCCESS_STATE");
 }
+static int hostapd_cli_cmd_mana_eaptls_disable(struct wpa_ctrl *ctrl, int argc, char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "MANA_EAPTLS_DISABLE");
+}
+static int hostapd_cli_cmd_mana_eaptls_enable(struct wpa_ctrl *ctrl, int argc, char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "MANA_EAPTLS_ENABLE");
+}
+static int hostapd_cli_cmd_mana_get_eaptls(struct wpa_ctrl *ctrl, int argc, char *argv[])
+{
+	return wpa_ctrl_command(ctrl, "MANA_EAPTLS_STATE");
+}
 // END MANA
 
 
@@ -1450,24 +1462,27 @@ static const struct hostapd_cli_cmd hostapd_cli_commands[] = {
 	{ "req_range", hostapd_cli_cmd_req_range, NULL, NULL },
 	{ "driver_flags", hostapd_cli_cmd_driver_flags, NULL, NULL },
  // MANA START
- 	{ "?", hostapd_cli_cmd_help, NULL, NULL }, //One of digininja's original changes :)
- 	{ "mana_change_ssid", hostapd_cli_cmd_mana_change_ssid, NULL, "= change the default SSID for when mana is off" },
- 	{ "mana_get_ssid", hostapd_cli_cmd_mana_get_ssid, NULL, "= get the default SSID for when mana is off" },
- 	{ "mana_get_state", hostapd_cli_cmd_mana_get_state, NULL, "= get whether mana is enabled or not" },
- 	{ "mana_disable", hostapd_cli_cmd_mana_disable, NULL, "= disable mana" },
- 	{ "mana_enable", hostapd_cli_cmd_mana_enable, NULL, "= enable mana" },
- 	{ "mana_loud_off", hostapd_cli_cmd_mana_loud_disable, NULL, "= disable mana's loud mode" },
- 	{ "mana_loud_on", hostapd_cli_cmd_mana_loud_enable, NULL, "= enable mana's loud mode" },
- 	{ "mana_loud_state",  hostapd_cli_cmd_mana_get_mode, NULL, "= check mana's loud mode" },
- 	{ "mana_macacl_off", hostapd_cli_cmd_mana_macacl_disable, NULL, "= disable MAC ACLs at management frame level" },
- 	{ "mana_macacl_on", hostapd_cli_cmd_mana_macacl_enable, NULL, "= enable MAC ACLs at management frame level" },
- 	{ "mana_macacl_state", hostapd_cli_cmd_mana_get_aclmode, NULL, "= check mana's MAC ACL mode" },
- 	{ "mana_wpe_off", hostapd_cli_cmd_mana_wpe_disable, NULL, "= disable mana's wpe mode" },
- 	{ "mana_wpe_on", hostapd_cli_cmd_mana_wpe_enable, NULL, "= enable mana's wpe mode" },
+	{ "?", hostapd_cli_cmd_help, NULL, NULL }, //One of digininja's original changes :)
+	{ "mana_change_ssid", hostapd_cli_cmd_mana_change_ssid, NULL, "= change the default SSID for when mana is off" },
+	{ "mana_get_ssid", hostapd_cli_cmd_mana_get_ssid, NULL, "= get the default SSID for when mana is off" },
+	{ "mana_get_state", hostapd_cli_cmd_mana_get_state, NULL, "= get whether mana is enabled or not" },
+	{ "mana_disable", hostapd_cli_cmd_mana_disable, NULL, "= disable mana" },
+	{ "mana_enable", hostapd_cli_cmd_mana_enable, NULL, "= enable mana" },
+	{ "mana_loud_off", hostapd_cli_cmd_mana_loud_disable, NULL, "= disable mana's loud mode" },
+	{ "mana_loud_on", hostapd_cli_cmd_mana_loud_enable, NULL, "= enable mana's loud mode" },
+	{ "mana_loud_state",  hostapd_cli_cmd_mana_get_mode, NULL, "= check mana's loud mode" },
+	{ "mana_macacl_off", hostapd_cli_cmd_mana_macacl_disable, NULL, "= disable MAC ACLs at management frame level" },
+	{ "mana_macacl_on", hostapd_cli_cmd_mana_macacl_enable, NULL, "= enable MAC ACLs at management frame level" },
+	{ "mana_macacl_state", hostapd_cli_cmd_mana_get_aclmode, NULL, "= check mana's MAC ACL mode" },
+	{ "mana_wpe_off", hostapd_cli_cmd_mana_wpe_disable, NULL, "= disable mana's wpe mode" },
+	{ "mana_wpe_on", hostapd_cli_cmd_mana_wpe_enable, NULL, "= enable mana's wpe mode" },
 	{ "mana_wpe_state", hostapd_cli_cmd_mana_get_wpemode, NULL, "= check mana's wpe mode" },
- 	{ "mana_eapsuccess_off", hostapd_cli_cmd_mana_eapsuccess_disable, NULL, "= disable mana's eapsuccess mode" },
- 	{ "mana_eapsuccess_on", hostapd_cli_cmd_mana_eapsuccess_enable, NULL, "= enable mana's eapsuccess mode" },
+	{ "mana_eapsuccess_off", hostapd_cli_cmd_mana_eapsuccess_disable, NULL, "= disable mana's eapsuccess mode" },
+	{ "mana_eapsuccess_on", hostapd_cli_cmd_mana_eapsuccess_enable, NULL, "= enable mana's eapsuccess mode" },
 	{ "mana_eapsuccess_state", hostapd_cli_cmd_mana_get_eapsuccess, NULL, "= check mana's eapsuccess mode" },
+	{ "mana_eaptls_off", hostapd_cli_cmd_mana_eaptls_disable, NULL, "= disable mana's eaptls mode" },
+	{ "mana_eaptls_on", hostapd_cli_cmd_mana_eaptls_enable, NULL, "= enable mana's eaptls mode" },
+	{ "mana_eaptls_state", hostapd_cli_cmd_mana_get_eaptls, NULL, "= check mana's eaptls mode" },
  // END MANA
 
 	{ NULL, NULL, NULL, NULL }

src/ap/ap_config.h

@@ -621,6 +621,7 @@ struct hostapd_config {
 	int mana_wpe;
 	char * mana_credout;
 	int mana_eapsuccess;
+	int mana_eaptls;
 	// MANA END
 
 	u16 beacon_int;

src/crypto/tls_openssl.c

@@ -37,6 +37,7 @@
 #include "sha256.h"
 #include "tls.h"
 #include "tls_openssl.h"
+#include "common/mana.h" //MANA
 
 #if !defined(CONFIG_FIPS) &&                             \
     (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) ||   \
@@ -1773,11 +1774,10 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
 
 static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
-  //MANA
-  #ifdef EAP_SERVER_UNAUTH_TLS
-    return 1;
-  #endif
-  //END MANA
+	//START MANA
+	if (mana.conf->mana_eaptls)
+		return 1;
+	//END MANA
 	char buf[256];
 	X509 *err_cert;
 	int err, depth;