Include peer certificate always in EAP events

This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.

The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.

Signed-off-by: Jouni Malinen <j@w1.fi>

1 files changed, 9 insertions, 0 deletions

diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index dca17c2..be82c3c 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -31,6 +31,7 @@
 #define DEFAULT_P2P_SEARCH_DELAY 500
 #define DEFAULT_RAND_ADDR_LIFETIME 60
 #define DEFAULT_KEY_MGMT_OFFLOAD 1
+#define DEFAULT_CERT_IN_CB 1
 
 #include "config_ssid.h"
 #include "wps/wps.h"
@@ -1119,6 +1120,14 @@ struct wpa_config {
 	 * Maximum number of mesh peering currently maintained by the STA.
 	 */
 	int max_peer_links;
+
+	/**
+	 * cert_in_cb - Whether to include a peer certificate dump in events
+	 *
+	 * This controls whether peer certificates for authentication server and
+	 * its certificate chain are included in EAP peer certificate events.
+	 */
+	int cert_in_cb;
 };