authorJouni Malinen <j@w1.fi>2015-01-14 10:14:31 (GMT)
committerJouni Malinen <j@w1.fi>2015-01-14 10:24:52 (GMT)
commit483dd6a5e0069d0646505c26a5194eda15472858 (patch)
tree01d05439b22e050c2b1a145e90c975c385ebeac4 /wpa_supplicant
parentdd5f9025841f3492b14e9898042c5cab1e270e9c (diff)
Include peer certificate always in EAP events
This makes it easier for upper layer applications to get information regarding the server certificate without having to use a special certificate probing connection. This provides both the SHA256 hash of the certificate (to be used with ca_cert="hash://server/sha256/<hash>", if desired) and the full DER encoded X.509 certificate so that upper layer applications can parse and display the certificate easily or extract fields from it for purposes like configuring an altsubject_match or domain_suffix_match. The old behavior can be configured by adding cert_in_cb=0 to wpa_supplicant configuration file. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant')
-rw-r--r--wpa_supplicant/config.c1
-rw-r--r--wpa_supplicant/config.h9
-rw-r--r--wpa_supplicant/config_file.c3
-rw-r--r--wpa_supplicant/wpa_supplicant.conf6
-rw-r--r--wpa_supplicant/wpas_glue.c1
5 files changed, 20 insertions, 0 deletions
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index a810632..389ad65 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -3490,6 +3490,7 @@ struct wpa_config * wpa_config_alloc_empty(const char *ctrl_interface,
config->p2p_search_delay = DEFAULT_P2P_SEARCH_DELAY;
config->rand_addr_lifetime = DEFAULT_RAND_ADDR_LIFETIME;
config->key_mgmt_offload = DEFAULT_KEY_MGMT_OFFLOAD;
+ config->cert_in_cb = DEFAULT_CERT_IN_CB;
if (ctrl_interface)
config->ctrl_interface = os_strdup(ctrl_interface);
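Review bot: The default is initialized here, but the diffstat shows config.c gaining only this one line, so the global configuration parse table in config.c does not appear to get a `cert_in_cb` entry in this commit; if that is the case, `cert_in_cb=0` in the configuration file (which the commit message documents as the way to restore the old behavior) would be rejected as an unknown global parameter. The config_file.c hunk in this same commit does add a writer that emits `cert_in_cb=%d` whenever the value differs from the default, so a saved configuration could then fail to load on the next start. Please confirm the parse table has a matching entry, e.g. `{ INT_RANGE(cert_in_cb, 0, 1), 0 },` alongside the other global fields, so the read and write paths agree. The body of wpa_config_alloc_empty continues outside the hunk.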
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index dca17c2..be82c3c 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -31,6 +31,7 @@
#define DEFAULT_P2P_SEARCH_DELAY 500
#define DEFAULT_RAND_ADDR_LIFETIME 60
#define DEFAULT_KEY_MGMT_OFFLOAD 1
+#define DEFAULT_CERT_IN_CB 1
#include "config_ssid.h"
#include "wps/wps.h"
@@ -1119,6 +1120,14 @@ struct wpa_config {
* Maximum number of mesh peering currently maintained by the STA.
*/
int max_peer_links;
+
+ /**
+ * cert_in_cb - Whether to include a peer certificate dump in events
+ *
+ * This controls whether peer certificates for authentication server and
+ * its certificate chain are included in EAP peer certificate events.
+ */
+ int cert_in_cb;
};
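Review bot: The new field's doc comment in the `struct wpa_config` hunk does not state the accepted values or the default, although the field is an `int` used as a boolean and `DEFAULT_CERT_IN_CB` is 1 per the first hunk of this file. I would add a line to the comment such as ` * 0 = do not include peer certificates, 1 = include them (default)` so readers of config.h do not have to cross-reference the define. It may also be worth noting in the same comment that the dump contains the full DER certificate, since that affects event size for control interface consumers.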
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index d8cbe8b..9d73a2f 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -1218,6 +1218,9 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config)
if (config->max_peer_links != DEFAULT_MAX_PEER_LINKS)
fprintf(f, "max_peer_links=%d\n", config->max_peer_links);
+
+ if (config->cert_in_cb != DEFAULT_CERT_IN_CB)
+ fprintf(f, "cert_in_cb=%d\n", config->cert_in_cb);
}
#endif /* CONFIG_NO_CONFIG_WRITE */
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 7d189c7..cb515c8 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -127,6 +127,12 @@ ap_scan=1
# Maximum number of mesh peering currently maintained by the STA.
#max_peer_links=99
+# cert_in_cb - Whether to include a peer certificate dump in events
+# This controls whether peer certificates for authentication server and
+# its certificate chain are included in EAP peer certificate events. This is
+# enabled by default.
+#cert_in_cb=1
+
# EAP fast re-authentication
# By default, fast re-authentication is enabled for all EAP methods that
# support it. This variable can be used to disable fast re-authentication.
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 209e2bc..8029ae5 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -948,6 +948,7 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s)
ctx->port_cb = wpa_supplicant_port_cb;
ctx->cb = wpa_supplicant_eapol_cb;
ctx->cert_cb = wpa_supplicant_cert_cb;
+ ctx->cert_in_cb = wpa_s->conf->cert_in_cb;
ctx->status_cb = wpa_supplicant_status_cb;
ctx->set_anon_id = wpa_supplicant_set_anon_id;
ctx->cb_ctx = wpa_s;
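Review bot: The added assignment copies `wpa_s->conf->cert_in_cb` into the EAPOL context once at initialization, so a later change to the global configuration value (for example through a runtime SET operation, if the parameter is exposed there) would not reach `ctx->cert_in_cb` without re-initializing EAPOL; if that is intended, a short comment such as `/* snapshot of conf->cert_in_cb; not updated on runtime config changes */` would make it explicit. The `cert_in_cb` member of the EAPOL context is not part of this diffstat (limited to wpa_supplicant/), so its declaration presumably lives under src/eapol_supp and should be checked to exist with a matching type. The body of wpa_supplicant_init_eapol continues outside the hunk.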