diff --git a/hostapd/.config b/hostapd/.config index b71f6978..00e39dea 100644 --- a/hostapd/.config +++ b/hostapd/.config @@ -9,9 +9,6 @@ # be modified from here. In most cass, these lines should use += in order not # to override previous values of the variables. -# MANA Disable EAP-TLS Client Certificate Validation -CONFIG_EAP_UNAUTH_TLS=y - # Driver interface for Host AP driver CONFIG_DRIVER_HOSTAP=y diff --git a/hostapd/config_file.c b/hostapd/config_file.c index a876ab22..25e23be5 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2198,6 +2198,12 @@ static int hostapd_config_fill(struct hostapd_config *conf, if (conf->mana_eapsuccess) { wpa_printf(MSG_DEBUG, "MANA: EAP success mode enabled"); } + } else if (os_strcmp(buf, "mana_eaptls") == 0) { + int val = atoi(pos); + conf->mana_eaptls = (val != 0); + if (conf->mana_eaptls) { + wpa_printf(MSG_DEBUG, "MANA: EAP TLS modes will accept any client certificate."); + } // MANA END } else if (os_strcmp(buf, "dump_file") == 0) { wpa_printf(MSG_INFO, "Line %d: DEPRECATED: 'dump_file' configuration variable is not used anymore", @@ -3719,6 +3725,7 @@ struct hostapd_config * hostapd_config_read(const char *fname) conf->mana_wpe = 0; //default off; 1 - dump credentials captured during EAP exchanges 0 - function as normal conf->mana_credout = "NOT_SET"; //default non conf->mana_eapsuccess = 0; //default off; 1 - allow clients to connect even with incorrect creds 0 - function as normal + conf->mana_eaptls = 0; //default off; 1 - accept any client certificate presented in EAP-TLS modes. 0 - validate certificates as normal. // MANA END while (fgets(buf, sizeof(buf), f)) { diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c index 9864078a..9dcf7395 100644 --- a/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c 
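Review bot: The new `mana_eaptls` branch in hostapd_config_fill reports that client-certificate validation is being switched off only at MSG_DEBUG, so a default-verbosity run gives no indication that EAP-TLS peers are no longer verified; since this is the option that disables verification outright, the message deserves at least `wpa_printf(MSG_INFO, "MANA: EAP TLS modes will accept any client certificate.");`. `atoi(pos)` maps a non-numeric value such as `mana_eaptls=yes` to 0, which here fails closed and is acceptable, but a one-line comment (`/* non-numeric values parse as 0 = validate certificates normally */`) would record that this is intended. hostapd_config_fill continues outside the hunk.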
@@ -124,37 +124,6 @@ static int hostapd_ctrl_iface_new_sta(struct hostapd_data *hapd, } // MANA START - -static int hostapd_ctrl_iface_mana_get_state (struct hostapd_data *hapd) -{ - wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE STATUS QUERY"); - return hapd->iconf->enable_mana; -} - -static int hostapd_ctrl_iface_mana_get_mode (struct hostapd_data *hapd) -{ - wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE LOUD MODE STATUS QUERY"); - return hapd->iconf->mana_loud; -} - -static int hostapd_ctrl_iface_mana_get_aclmode (struct hostapd_data *hapd) -{ - wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE MAC ACL STATUS QUERY"); - return hapd->iconf->mana_macacl; -} - -static int hostapd_ctrl_iface_mana_get_wpemode (struct hostapd_data *hapd) -{ - wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE WPE MODE STATUS QUERY"); - return hapd->iconf->mana_wpe; -} - -static int hostapd_ctrl_iface_mana_get_eapsuccessmode (struct hostapd_data *hapd) -{ - wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPSUCCESS MODE STATUS QUERY"); - return hapd->iconf->mana_eapsuccess; -} - static int hostapd_ctrl_iface_mana_change_ssid (struct hostapd_data *hapd, const char *ssid) { wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE CHANGE SSID %s", ssid); @@ -183,6 +152,12 @@ static int hostapd_ctrl_iface_mana_enable_disable (struct hostapd_data *hapd, in return 0; } +static int hostapd_ctrl_iface_mana_get_state (struct hostapd_data *hapd) +{ + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE STATUS QUERY"); + return hapd->iconf->enable_mana; +} + static int hostapd_ctrl_iface_mana_loud_enable_disable (struct hostapd_data *hapd, int status) { if (status) { @@ -195,6 +170,12 @@ static int hostapd_ctrl_iface_mana_loud_enable_disable (struct hostapd_data *hap return 0; } +static int hostapd_ctrl_iface_mana_get_mode (struct hostapd_data *hapd) +{ + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE LOUD MODE STATUS QUERY"); + return hapd->iconf->mana_loud; +} + static int hostapd_ctrl_iface_mana_macacl_enable_disable (struct hostapd_data *hapd, int status) { if (status) { 
@@ -207,6 +188,12 @@ static int hostapd_ctrl_iface_mana_macacl_enable_disable (struct hostapd_data *h return 0; } +static int hostapd_ctrl_iface_mana_get_aclmode (struct hostapd_data *hapd) +{ + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE MAC ACL STATUS QUERY"); + return hapd->iconf->mana_macacl; +} + static int hostapd_ctrl_iface_mana_wpe_enable_disable (struct hostapd_data *hapd, int status) { if (status) { @@ -219,6 +206,12 @@ static int hostapd_ctrl_iface_mana_wpe_enable_disable (struct hostapd_data *hapd return 0; } +static int hostapd_ctrl_iface_mana_get_wpemode (struct hostapd_data *hapd) +{ + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE WPE MODE STATUS QUERY"); + return hapd->iconf->mana_wpe; +} + static int hostapd_ctrl_iface_mana_eapsuccess_enable_disable (struct hostapd_data *hapd, int status) { if (status) { @@ -230,6 +223,30 @@ static int hostapd_ctrl_iface_mana_eapsuccess_enable_disable (struct hostapd_dat return 0; } + +static int hostapd_ctrl_iface_mana_get_eapsuccessmode (struct hostapd_data *hapd) +{ + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPSUCCESS MODE STATUS QUERY"); + return hapd->iconf->mana_eapsuccess; +} + +static int hostapd_ctrl_iface_mana_eaptls_enable_disable (struct hostapd_data *hapd, int status) +{ + if (status) { + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPTLS MODE ENABLED"); + } else { + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPTLS MODE DISABLED"); + } + hapd->iconf->mana_eaptls = status; + + return 0; +} + +static int hostapd_ctrl_iface_mana_get_eaptlsmode (struct hostapd_data *hapd) +{ + wpa_printf(MSG_DEBUG, "MANA CTRL_IFACE EAPTLS MODE STATUS QUERY"); + return hapd->iconf->mana_eaptls; +} // MANA END #ifdef CONFIG_IEEE80211W 
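Review bot: `hostapd_ctrl_iface_mana_eaptls_enable_disable` unconditionally returns 0, so the `if (...) reply_len = -1;` checks added for MANA_EAPTLS_ENABLE and MANA_EAPTLS_DISABLE in the hostapd_ctrl_iface_receive_process hunk can never fire; either have the setter report a real failure (for example return -1 when `hapd->iconf` is NULL) or drop the dead checks. The setter also stores `status` verbatim; callers in this commit pass only 0 or 1, but `hapd->iconf->mana_eaptls = status ? 1 : 0;` would keep the field a strict flag, matching the `(val != 0)` normalisation done when the option is read from the config file. Because this path turns certificate validation off at runtime via the control socket, logging the transition at MSG_INFO rather than MSG_DEBUG would make it visible in normal logs.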
@@ -2742,6 +2759,20 @@ static int hostapd_ctrl_iface_receive_process(struct hostapd_data *hapd, os_memcpy(reply, "MANA EAPSUCCESS MODE DISABLED\n", 30); reply_len = 30; } + } else if (os_strcmp(buf, "MANA_EAPTLS_ENABLE") == 0) { + if (hostapd_ctrl_iface_mana_eaptls_enable_disable(hapd, 1)) + reply_len = -1; + } else if (os_strcmp(buf, "MANA_EAPTLS_DISABLE") == 0) { + if (hostapd_ctrl_iface_mana_eaptls_enable_disable(hapd, 0)) + reply_len = -1; + } else if (os_strcmp(buf, "MANA_EAPTLS_MODE") == 0) { + if (hostapd_ctrl_iface_mana_get_eaptlsmode(hapd)) { + os_memcpy(reply, "MANA EAPTLS MODE ENABLED\n", 25); + reply_len = 25; + } else { + os_memcpy(reply, "MANA EAPTLS MODE DISABLED\n", 26); + reply_len = 26; + } // END MANA } else { os_memcpy(reply, "UNKNOWN COMMAND\n", 16); diff --git a/hostapd/defconfig b/hostapd/defconfig index e068ac7f..b77f66fe 100644 --- a/hostapd/defconfig +++ b/hostapd/defconfig @@ -9,9 +9,6 @@ # be modified from here. In most cass, these lines should use += in order not # to override previous values of the variables. -# MANA Disable EAP-TLS Client Certificate Validation -#CONFIG_EAP_UNAUTH_TLS=y - # Driver interface for Host AP driver CONFIG_DRIVER_HOSTAP=y diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c index e22c4be3..e1c8ff5c 100644 --- a/hostapd/hostapd_cli.c +++ b/hostapd/hostapd_cli.c @@ -419,6 +419,18 @@ static int hostapd_cli_cmd_mana_get_eapsuccess(struct wpa_ctrl *ctrl, int argc, { return wpa_ctrl_command(ctrl, "EAPSUCCESS_STATE"); } +static int hostapd_cli_cmd_mana_eaptls_disable(struct wpa_ctrl *ctrl, int argc, char *argv[]) +{ + return wpa_ctrl_command(ctrl, "MANA_EAPTLS_DISABLE"); +} +static int hostapd_cli_cmd_mana_eaptls_enable(struct wpa_ctrl *ctrl, int argc, char *argv[]) +{ + return wpa_ctrl_command(ctrl, "MANA_EAPTLS_ENABLE"); +} +static int hostapd_cli_cmd_mana_get_eaptls(struct wpa_ctrl *ctrl, int argc, char *argv[]) +{ + return wpa_ctrl_command(ctrl, "MANA_EAPTLS_STATE"); +} // END MANA 
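Review bot: The CLI and the control interface disagree on the status query: `hostapd_cli_cmd_mana_get_eaptls` in the hostapd_cli.c hunk sends `"MANA_EAPTLS_STATE"`, while this hunk only matches `"MANA_EAPTLS_MODE"`, so `mana_eaptls_state` will always be answered with `UNKNOWN COMMAND`. Make the two agree, e.g. `return wpa_ctrl_command(ctrl, "MANA_EAPTLS_MODE");` in the CLI handler (the `_ENABLE`/`_DISABLE` strings already match). The reply strings are copied with hand-counted lengths (25 and 26) that happen to be correct; `reply_len = os_snprintf(reply, reply_size, "MANA EAPTLS MODE ENABLED\n");` would remove the counting, assuming the function's reply-size parameter is named as in upstream hostapd. hostapd_ctrl_iface_receive_process continues outside the hunk.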
@@ -1450,24 +1462,27 @@ static const struct hostapd_cli_cmd hostapd_cli_commands[] = { { "req_range", hostapd_cli_cmd_req_range, NULL, NULL }, { "driver_flags", hostapd_cli_cmd_driver_flags, NULL, NULL }, // MANA START - { "?", hostapd_cli_cmd_help, NULL, NULL }, //One of digininja's original changes :) - { "mana_change_ssid", hostapd_cli_cmd_mana_change_ssid, NULL, "= change the default SSID for when mana is off" }, - { "mana_get_ssid", hostapd_cli_cmd_mana_get_ssid, NULL, "= get the default SSID for when mana is off" }, - { "mana_get_state", hostapd_cli_cmd_mana_get_state, NULL, "= get whether mana is enabled or not" }, - { "mana_disable", hostapd_cli_cmd_mana_disable, NULL, "= disable mana" }, - { "mana_enable", hostapd_cli_cmd_mana_enable, NULL, "= enable mana" }, - { "mana_loud_off", hostapd_cli_cmd_mana_loud_disable, NULL, "= disable mana's loud mode" }, - { "mana_loud_on", hostapd_cli_cmd_mana_loud_enable, NULL, "= enable mana's loud mode" }, - { "mana_loud_state", hostapd_cli_cmd_mana_get_mode, NULL, "= check mana's loud mode" }, - { "mana_macacl_off", hostapd_cli_cmd_mana_macacl_disable, NULL, "= disable MAC ACLs at management frame level" }, - { "mana_macacl_on", hostapd_cli_cmd_mana_macacl_enable, NULL, "= enable MAC ACLs at management frame level" }, - { "mana_macacl_state", hostapd_cli_cmd_mana_get_aclmode, NULL, "= check mana's MAC ACL mode" }, - { "mana_wpe_off", hostapd_cli_cmd_mana_wpe_disable, NULL, "= disable mana's wpe mode" }, - { "mana_wpe_on", hostapd_cli_cmd_mana_wpe_enable, NULL, "= enable mana's wpe mode" }, + { "?", hostapd_cli_cmd_help, NULL, NULL }, //One of digininja's original changes :) + { "mana_change_ssid", hostapd_cli_cmd_mana_change_ssid, NULL, "= change the default SSID for when mana is off" }, + { "mana_get_ssid", hostapd_cli_cmd_mana_get_ssid, NULL, "= get the default SSID for when mana is off" }, + { "mana_get_state", hostapd_cli_cmd_mana_get_state, NULL, "= get whether mana is enabled or not" }, + { "mana_disable", 
hostapd_cli_cmd_mana_disable, NULL, "= disable mana" }, + { "mana_enable", hostapd_cli_cmd_mana_enable, NULL, "= enable mana" }, + { "mana_loud_off", hostapd_cli_cmd_mana_loud_disable, NULL, "= disable mana's loud mode" }, + { "mana_loud_on", hostapd_cli_cmd_mana_loud_enable, NULL, "= enable mana's loud mode" }, + { "mana_loud_state", hostapd_cli_cmd_mana_get_mode, NULL, "= check mana's loud mode" }, + { "mana_macacl_off", hostapd_cli_cmd_mana_macacl_disable, NULL, "= disable MAC ACLs at management frame level" }, + { "mana_macacl_on", hostapd_cli_cmd_mana_macacl_enable, NULL, "= enable MAC ACLs at management frame level" }, + { "mana_macacl_state", hostapd_cli_cmd_mana_get_aclmode, NULL, "= check mana's MAC ACL mode" }, + { "mana_wpe_off", hostapd_cli_cmd_mana_wpe_disable, NULL, "= disable mana's wpe mode" }, + { "mana_wpe_on", hostapd_cli_cmd_mana_wpe_enable, NULL, "= enable mana's wpe mode" }, { "mana_wpe_state", hostapd_cli_cmd_mana_get_wpemode, NULL, "= check mana's wpe mode" }, - { "mana_eapsuccess_off", hostapd_cli_cmd_mana_eapsuccess_disable, NULL, "= disable mana's eapsuccess mode" }, - { "mana_eapsuccess_on", hostapd_cli_cmd_mana_eapsuccess_enable, NULL, "= enable mana's eapsuccess mode" }, + { "mana_eapsuccess_off", hostapd_cli_cmd_mana_eapsuccess_disable, NULL, "= disable mana's eapsuccess mode" }, + { "mana_eapsuccess_on", hostapd_cli_cmd_mana_eapsuccess_enable, NULL, "= enable mana's eapsuccess mode" }, { "mana_eapsuccess_state", hostapd_cli_cmd_mana_get_eapsuccess, NULL, "= check mana's eapsuccess mode" }, + { "mana_eaptls_off", hostapd_cli_cmd_mana_eaptls_disable, NULL, "= disable mana's eaptls mode" }, + { "mana_eaptls_on", hostapd_cli_cmd_mana_eaptls_enable, NULL, "= enable mana's eaptls mode" }, + { "mana_eaptls_state", hostapd_cli_cmd_mana_get_eaptls, NULL, "= check mana's eaptls mode" }, // END MANA { NULL, NULL, NULL, NULL } diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 52092ebc..79be510a 100644 --- a/src/ap/ap_config.h 
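Review bot: Most of this hunk is a re-indentation of existing `mana_*` table entries rather than a change, which buries the three functional additions (`mana_eaptls_off`, `mana_eaptls_on`, `mana_eaptls_state`) at the bottom; keeping the whitespace cleanup in a separate commit would make the behavioural change reviewable at a glance. The new entries follow the existing row layout and their help strings are consistent with the eapsuccess ones. The hostapd_cli_commands array may continue outside the hunk.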
+++ b/src/ap/ap_config.h @@ -621,6 +621,7 @@ struct hostapd_config { int mana_wpe; char * mana_credout; int mana_eapsuccess; + int mana_eaptls; // MANA END u16 beacon_int; diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index cefff189..a8efe552 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -37,6 +37,7 @@ #include "sha256.h" #include "tls.h" #include "tls_openssl.h" +#include "common/mana.h" //MANA #if !defined(CONFIG_FIPS) && \ (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \ @@ -1773,11 +1774,10 @@ static void openssl_tls_cert_event(struct tls_connection *conn, static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) { - //MANA - #ifdef EAP_SERVER_UNAUTH_TLS - return 1; - #endif - //END MANA + //START MANA + if (mana.conf->mana_eaptls) + return 1; + //END MANA char buf[256]; X509 *err_cert; int err, depth;
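Review bot: The new `int mana_eaptls;` field carries no comment, although it controls security-relevant behaviour (tls_verify_cb accepts any client certificate when it is set). Document it in place in the style of the default set in config_file.c, e.g. `int mana_eaptls; /* 1 = accept any EAP-TLS client certificate without validation; 0 = verify normally (default) */`. struct hostapd_config continues outside the hunk.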
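Review bot: The new early return in tls_verify_cb dereferences `mana.conf` without a NULL check; tls_openssl.c is a shared crypto wrapper and nothing in this hunk shows that `mana.conf` is populated before the first TLS handshake, or at all in binaries other than hostapd built from this tree, so `if (mana.conf && mana.conf->mana_eaptls)` is the safer guard. Returning 1 bypasses OpenSSL's chain verification silently; what was a compile-time choice (`EAP_SERVER_UNAUTH_TLS`, with its `CONFIG_EAP_UNAUTH_TLS` line dropped from .config and defconfig in this commit) is now a runtime flag present in every build, so the bypass should at least be logged before the return, e.g. `wpa_printf(MSG_INFO, "MANA: accepting peer certificate without validation (mana_eaptls)");`, so that logs show which connections were not verified. The new statement also precedes the local declarations (`char buf[256];` etc.), which is valid C99 but will warn if the tree is built with -Wdeclaration-after-statement. tls_verify_cb continues outside the hunk.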