From dbc5778228874534af55361506b39f0e1f700590 Mon Sep 17 00:00:00 2001
From: David Lam <david@thedavid.net>
Date: Thu, 16 Jan 2020 01:15:11 -0800
Subject: [PATCH] luci-mod-network: add system cert bundle validation

This commit adds the ability for users to validate against the system's
built-in CA bundle if it is installed. The process is made much easier because
the user does not have to first extract the CA certificate from the EAPOL
handshake and upload it via LuCI uploads. Dependent on commit
openwrt/openwrt#2696.

Signed-off-by: David Lam <david@thedavid.net>
---
 .../resources/view/network/wireless.js        | 34 +++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)

diff --git a/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js b/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
index 54786d36a0..9c437c566b 100644
--- a/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
+++ b/modules/luci-mod-network/htdocs/luci-static/resources/view/network/wireless.js
@@ -1428,11 +1428,26 @@ return L.view.extend({
 					o.depends({ mode: 'sta-wds', encryption: 'wpa' });
 					o.depends({ mode: 'sta-wds', encryption: 'wpa2' });
 
-					o = ss.taboption('encryption', form.FileUpload, 'ca_cert', _('Path to CA-Certificate'));
+					o = ss.taboption('encryption', form.Flag, 'ca_cert_usesystem', _('Use system certificates'), _("Validate server certificate using built-in system CA bundle,<br />requires the \"ca-bundle\" package"))
+					o.enabled = '1';
+					o.disabled = '0';
+					o.default = o.disabled;
 					o.depends({ mode: 'sta', encryption: 'wpa' });
 					o.depends({ mode: 'sta', encryption: 'wpa2' });
 					o.depends({ mode: 'sta-wds', encryption: 'wpa' });
 					o.depends({ mode: 'sta-wds', encryption: 'wpa2' });
+					o.validate = function(section_id, value) {
+						if (value == '1' && !L.hasSystemFeature('cabundle')) {
+							return _("This option cannot be used because the ca-bundle package is not installed.");
+						}
+						return true;
+					};
+
+					o = ss.taboption('encryption', form.FileUpload, 'ca_cert', _('Path to CA-Certificate'));
+					o.depends({ mode: 'sta', encryption: 'wpa', ca_cert_usesystem: '0' });
+					o.depends({ mode: 'sta', encryption: 'wpa2', ca_cert_usesystem: '0' });
+					o.depends({ mode: 'sta-wds', encryption: 'wpa', ca_cert_usesystem: '0' });
+					o.depends({ mode: 'sta-wds', encryption: 'wpa2', ca_cert_usesystem: '0' });
 
 					o = ss.taboption('encryption', form.Value, 'subject_match', _('Certificate constraint (Subject)'), _("Certificate constraint substring - e.g. /CN=wifi.mycompany.com<br />See `logread -f` during handshake for actual values"));
 					o.depends({ mode: 'sta', encryption: 'wpa' });
@@ -1509,11 +1524,26 @@ return L.view.extend({
 						return true;
 					};
 
-					o = ss.taboption('encryption', form.FileUpload, 'ca_cert2', _('Path to inner CA-Certificate'));
+					o = ss.taboption('encryption', form.Flag, 'ca_cert2_usesystem', _('Use system certificates for inner-tunnel'), _("Validate server certificate using built-in system CA bundle,<br />requires the \"ca-bundle\" package"))
+					o.enabled = '1';
+					o.disabled = '0';
+					o.default = o.disabled;
 					o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa' });
 					o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa2' });
 					o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa' });
 					o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa2' });
+					o.validate = function(section_id, value) {
+						if (value == '1' && !L.hasSystemFeature('cabundle')) {
+							return _("This option cannot be used because the ca-bundle package is not installed.");
+						}
+						return true;
+					};
+
+					o = ss.taboption('encryption', form.FileUpload, 'ca_cert2', _('Path to inner CA-Certificate'));
+					o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa', ca_cert2_usesystem: '0' });
+					o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa2', ca_cert2_usesystem: '0' });
+					o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa', ca_cert2_usesystem: '0' });
+					o.depends({ mode: 'sta-wds', auth: 'EAP-TLS', encryption: 'wpa2', ca_cert2_usesystem: '0' });
 
 					o = ss.taboption('encryption', form.Value, 'subject_match2', _('Inner certificate constraint (Subject)'), _("Certificate constraint substring - e.g. /CN=wifi.mycompany.com<br />See `logread -f` during handshake for actual values"));
 					o.depends({ mode: 'sta', auth: 'EAP-TLS', encryption: 'wpa' });
-- 
2.30.2