From dbc5778228874534af55361506b39f0e1f700590 Mon Sep 17 00:00:00 2001 From: David Lam Date: Thu, 16 Jan 2020 01:15:11 -0800 Subject: luci-mod-network: add system cert bundle validation This commit adds the ability for users to validate against the system's built-in CA bundle if it is installed. The process is made much easier because the user does not have to first extract the CA certificate from the EAPOL handshake and upload it via LuCI uploads. Dependent on commit openwrt/openwrt#2696. Signed-off-by: David Lam --- .../luci-static/resources/view/network/wireless.js | 34 ++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js b/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
index 54786d36a..9c437c566 100644
--- a/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
+++ b/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
@@ -1428,11 +1428,26 @@ return L.view.extend({
 o.depends({ mode: 'sta-wds', encryption: 'wpa' });
 o.depends({ mode: 'sta-wds', encryption: 'wpa2' });
 
- o = ss.taboption('encryption', form.FileUpload, 'ca_cert', _('Path to CA-Certificate'));
+ o = ss.taboption('encryption', form.Flag, 'ca_cert_usesystem', _('Use system certificates'), _("Validate server certificate using built-in system CA bundle,
requires the \"ca-bundle\" package"))
+ o.enabled = '1';
+ o.disabled = '0';
+ o.default = o.disabled;
 o.depends({ mode: 'sta', encryption: 'wpa' });
 o.depends({ mode: 'sta', encryption: 'wpa2' });
 o.depends({ mode: 'sta-wds', encryption: 'wpa' });
 o.depends({ mode: 'sta-wds', encryption: 'wpa2' });
+ o.validate = function(section_id, value) {
+ if (value == '1' && !L.hasSystemFeature('cabundle')) {
+ return _("This option cannot be used because the ca-bundle package is not installed.");
+ }
+ return true;
+ };
+
+ o = ss.taboption('encryption', form.FileUpload, 'ca_cert', _('Path to CA-Certificate'));
+ o.depends({ mode: 'sta', encryption: 'wpa', ca_cert_usesystem: '0' });
+ o.depends({ mode: 'sta', encryption: 'wpa2', ca_cert_usesystem: '0' });
+ o.depends({ mode: 'sta-wds', encryption: 'wpa', ca_cert_usesystem: '0' });
+ o.depends({ mode: 'sta-wds', encryption: 'wpa2', ca_cert_usesystem: '0' });
 
 o = ss.taboption('encryption', form.Value, 'subject_match', _('Certificate constraint (Subject)'), _("Certificate constraint substring - e.g. /CN=wifi.mycompany.com
See `logread -f` during handshake for actual values"));
 o.depends({ mode: 'sta', encryption: 'wpa' });
@@ -1509,11 +1524,26 @@ return L.view.extend({
 return true;
 };
 
- o = ss.taboption('encryption', form.FileUpload, 'ca_cert2', _('Path to inner CA-Certificate'));
+ o = ss.taboption('encryption', form.Flag, 'ca_cert2_usesystem', _('Use system certificates for inner-tunnel'), _("Validate server certificate using built-in system CA bundle,
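Review bot: The Flag setup and the `o.validate` hook added for `ca_cert_usesystem` are repeated line for line for `ca_cert2_usesystem` in the second hunk (`@@ -1509`), so the feature name `'cabundle'` and the error text now have to be kept in step in two places; a small helper taking the option name, title, description and `depends` list, called as `o = addUseSystemCertsFlag(ss, 'ca_cert_usesystem', title, desc, deps);` at each site, removes the duplication (sketched below). The `ss.taboption('encryption', form.Flag, ...)` statement that creates the flag has no terminating semicolon before `o.enabled = '1';` and relies on automatic semicolon insertion, while every neighbouring statement is terminated explicitly; add the `;` (the inner-tunnel copy has the same omission). `value == '1'` in the validator is a loose comparison against a string the option itself defines as `o.enabled`; `value === '1'` says what is meant. The enclosing `L.view.extend({ ... })` render callback starts and ends outside the hunk.
```javascript
// Shared by the outer (ca_cert_usesystem) and inner-tunnel (ca_cert2_usesystem)
// flags so the feature name, defaults and error text cannot drift apart.
// `deps` is the list of depends() objects the flag is shown for.
function addUseSystemCertsFlag(ss, name, title, desc, deps) {
	var o = ss.taboption('encryption', form.Flag, name, title, desc);
	o.enabled = '1';
	o.disabled = '0';
	o.default = o.disabled;
	deps.forEach(function(dep) { o.depends(dep); });
	// Refuse to save the option as enabled when the rpcd probe did not
	// find the CA bundle; otherwise the supplicant has nothing to validate against.
	o.validate = function(section_id, value) {
		if (value === '1' && !L.hasSystemFeature('cabundle'))
			return _("This option cannot be used because the ca-bundle package is not installed.");
		return true;
	};
	return o;
}
// … unchanged: per-site calls replacing the two duplicated Flag blocks …
```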
requires the \"ca-bundle\" package"))
+ o.enabled = '1';
+ o.disabled = '0';
+ o.default = o.disabled;
 o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa' });
 o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa2' });
 o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa' });
 o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa2' });
+ o.validate = function(section_id, value) {
+ if (value == '1' && !L.hasSystemFeature('cabundle')) {
+ return _("This option cannot be used because the ca-bundle package is not installed.");
+ }
+ return true;
+ };
+
+ o = ss.taboption('encryption', form.FileUpload, 'ca_cert2', _('Path to inner CA-Certificate'));
+ o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa', ca_cert2_usesystem: '0' });
+ o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa2', ca_cert2_usesystem: '0' });
+ o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa', ca_cert2_usesystem: '0' });
+ o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa2', ca_cert2_usesystem: '0' });
 
 o = ss.taboption('encryption', form.Value, 'subject_match2', _('Inner certificate constraint (Subject)'), _("Certificate constraint substring - e.g. /CN=wifi.mycompany.com
See `logread -f` during handshake for actual values"));
 o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa' });
-- cgit v1.2.3
From 27b21c2a6262a8c383c783e98320746f22fe8f6f Mon Sep 17 00:00:00 2001 From: David Lam Date: Thu, 16 Jan 2020 01:15:40 -0800 Subject: luci-base: add system cert bundle detection Add detection mechanism for system cert CA bundle installed by the ca-bundle package. Used by LuCI to detect whether the "Use system certificates" certificate validation option should be enabled. Signed-off-by: David Lam --- modules/luci-base/root/usr/libexec/rpcd/luci | 1 + 1 file changed, 1 insertion(+) mode change 100755 => 100644 modules/luci-base/root/usr/libexec/rpcd/luci
diff --git a/modules/luci-base/root/usr/libexec/rpcd/luci b/modules/luci-base/root/usr/libexec/rpcd/luci
old mode 100755
new mode 100644
index 56cb7bc85..75afd27a0
--- a/modules/luci-base/root/usr/libexec/rpcd/luci
+++ b/modules/luci-base/root/usr/libexec/rpcd/luci
@@ -216,6 +216,7 @@ local methods = {
 rv.sysntpd = fs.readlink("/usr/sbin/ntpd") and true
 rv.ipv6 = fs.access("/proc/net/ipv6_route")
 rv.dropbear = fs.access("/usr/sbin/dropbear")
+ rv.cabundle = fs.access("/etc/ssl/certs/ca-certificates.crt")
 
 local wifi_features = { "eap", "11n", "11ac", "11r", "11w", "acs", "sae", "owe", "suiteb192" }
 
-- cgit v1.2.3
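Review bot: The file header records `old mode 100755` → `new mode 100644`, so this one-line commit also strips the executable bit from the rpcd plugin script; rpcd runs the files under /usr/libexec/rpcd directly, so unless the package install step re-applies the mode this would likely take every `luci` ubus method down, not just the new `cabundle` flag — restore the mode (`chmod 755` on the file) so the diff contains only the `rv.cabundle` line. The added `fs.access("/etc/ssl/certs/ca-certificates.crt")` presumably only tests that the path exists, which is consistent with the neighbouring `ipv6` and `dropbear` probes, but it means an empty or unreadable bundle still advertises the feature and the frontend then lets the user enable `ca_cert_usesystem` without anything to validate against. The literal path is load-bearing: it must be the same bundle the wpad/hostapd side substitutes for `ca_cert_usesystem` (openwrt/openwrt#2696, not in this series), so a comment such as `-- must match the bundle path used by the ca_cert_usesystem handling in openwrt/openwrt#2696` above the line would record that coupling. The enclosing `methods` table starts and ends outside the hunk.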