authorJouni Malinen <jouni@codeaurora.org>2019-06-11 01:39:57 (GMT)
committerJouni Malinen <jouni@codeaurora.org>2019-06-14 20:10:50 (GMT)
commit21f1a1e66c390d55e7bc7dd62bd6a378b11e0e22 (patch)
tree24c8156b756d6fa3c120b89ec42ff51298b3cadd
parentbc0634da4a3ef468f3142fb39ebdabb08566f411 (diff)
Report TOD policy in peer certificate events
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate includes the TOD policy in the X.509v3 Certificate Policies extension. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-rw-r--r--src/crypto/tls.h1
-rw-r--r--src/crypto/tls_openssl.c30
-rw-r--r--wpa_supplicant/notify.c5
3 files changed, 34 insertions, 2 deletions
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index b7a677f..9f07e10 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -57,6 +57,7 @@ struct tls_cert_data {
const char *altsubject[TLS_MAX_ALT_SUBJECT];
int num_altsubject;
const char *serial_num;
+ int tod;
};
union tls_event_data {
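Review bot: The new `tod` member of struct tls_cert_data is undocumented, and its meaning (the tls_openssl.c hunk sets it to 0 or 1) can only be recovered by reading the OpenSSL backend; add `int tod; /* 1 if the peer certificate's X.509v3 Certificate Policies extension carries the TOD policy, 0 otherwise */`. Only tls_openssl.c populates the field in this commit, so any other TLS backend that fills a struct tls_cert_data without zero-initialising the whole event would leave it holding garbage that notify.c then reports as `tod=1`; that is worth confirming against the other backends, which are outside this diff.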
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index f1f9793..9980f03 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2149,6 +2149,34 @@ static void openssl_tls_fail_event(struct tls_connection *conn,
}
+static int openssl_cert_tod(X509 *cert)
+{
+ CERTIFICATEPOLICIES *ext;
+ stack_index_t i;
+ char buf[100];
+ int res;
+ int tod = 0;
+
+ ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
+ if (!ext)
+ return 0;
+
+ for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
+ POLICYINFO *policy;
+
+ policy = sk_POLICYINFO_value(ext, i);
+ res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
+ if (res < 0 || (size_t) res >= sizeof(buf))
+ continue;
+ wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
+ if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
+ tod = 1;
+ }
+
+ return tod;
+}
+
+
static void openssl_tls_cert_event(struct tls_connection *conn,
X509 *err_cert, int depth,
const char *subject)
@@ -2241,6 +2269,8 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
ev.peer_cert.altsubject[alt] = altsubject[alt];
ev.peer_cert.num_altsubject = num_altsubject;
+ ev.peer_cert.tod = openssl_cert_tod(err_cert);
+
context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
wpabuf_free(cert);
for (alt = 0; alt < num_altsubject; alt++)
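Review bot: openssl_cert_tod in the first hunk leaks the decoded extension: X509_get_ext_d2i() returns a newly allocated CERTIFICATEPOLICIES that the caller owns, and the function returns on both paths without freeing it, so every peer-certificate event leaks one decoded policy stack. Free it before leaving, e.g. `sk_POLICYINFO_pop_free(ext, POLICYINFO_free);` immediately before `return tod;`. Passing NULL for both `crit` and `idx` also means X509_get_ext_d2i() returns NULL when a certificate carries more than one Certificate Policies extension, so such a certificate is reported without tod; if that is intended, a short comment at the call would save the next reader the lookup. The second hunk's openssl_tls_cert_event body starts and ends outside this diff.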
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index f592566..dd627d0 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
@@ -792,9 +792,10 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
const char *cert_hash)
{
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s'%s%s",
+ "depth=%d subject='%s'%s%s%s",
cert->depth, cert->subject, cert_hash ? " hash=" : "",
- cert_hash ? cert_hash : "");
+ cert_hash ? cert_hash : "",
+ cert->tod ? " tod=1" : "");
if (cert->cert) {
char *cert_hex;
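Review bot: The new `tod=1` token on the CTRL-EVENT-EAP-PEER-CERT line is an externally visible control-interface change that nothing in this commit documents; where the event's fields are described alongside WPA_EVENT_EAP_PEER_CERT (its definition is outside this diff), add a sentence such as `tod=1 is appended when the peer certificate's Certificate Policies extension contains the TOD policy`. The format string and argument list still agree (five conversions, five arguments), and the token is emitted only when `cert->tod` is nonzero, so parsers that read only depth, subject and hash should be unaffected. wpas_notify_certification begins before this hunk and continues past it.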