Extend server certificate TOD policy reporting to include TOD-TOFU
authorJouni Malinen <jouni@codeaurora.org>
Fri, 16 Aug 2019 12:51:40 +0000 (15:51 +0300)
committerJouni Malinen <j@w1.fi>
Fri, 16 Aug 2019 13:40:31 +0000 (16:40 +0300)
The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/crypto/tls_openssl.c
wpa_supplicant/notify.c

index 07d38e47b917dab320395f4a8273d2a06d81f924..e67756af69e125a3c8ff2577e2cfbf7b9dd916a9 100644 (file)
@@ -2186,7 +2186,9 @@ static int openssl_cert_tod(X509 *cert)
                        continue;
                wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
                if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
-                       tod = 1;
+                       tod = 1; /* TOD-STRICT */
+               else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
+                       tod = 2; /* TOD-TOFU */
        }
 
        return tod;
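Review bot: The `&& !tod` guard on the new else-if encodes an implicit precedence rule (a certificate carrying both policy OIDs reports TOD-STRICT whichever order the policies appear in, since a later TOD-STRICT match still overwrites and an earlier one blocks TOD-TOFU), but nothing in the hunk states it; a comment such as `/* TOD-STRICT takes precedence over TOD-TOFU when both policies are present */` above the first comparison would make the intent explicit. The return values 1 and 2 are also compared as bare literals by the caller in wpa_supplicant/notify.c (`cert->tod == 2`, `cert->tod == 1`), so named constants for the two values, defined where the tod field is declared, would keep the producer and consumer from drifting. openssl_cert_tod's prologue and the loop header begin outside the hunk.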
index e41d7c41c61cfb2103f84f5258b8f21bdda73552..0ba1e144c1d24685d48ab6175a6bca15f1caa409 100644 (file)
@@ -794,10 +794,11 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
        int i;
 
        wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
-               "depth=%d subject='%s'%s%s%s",
+               "depth=%d subject='%s'%s%s%s%s",
                cert->depth, cert->subject, cert_hash ? " hash=" : "",
                cert_hash ? cert_hash : "",
-               cert->tod ? " tod=1" : "");
+               cert->tod == 2 ? " tod=2" : "",
+               cert->tod == 1 ? " tod=1" : "");
 
        if (cert->cert) {
                char *cert_hex;
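Review bot: The two new conditionals spend two format arguments and two `%s` on what is a single three-way choice, and a reader has to check both lines to see that at most one " tod=" field can be emitted; a single chained expression, `cert->tod == 2 ? " tod=2" : cert->tod == 1 ? " tod=1" : ""` with one `%s` in the format string, says the same thing in one place and keeps the argument list aligned with the format. Any tod value other than 0, 1 or 2 prints nothing with either form, which is presumably intended given the producer only returns those values, but a short comment noting that the event reports exactly one of tod=1 (TOD-STRICT) or tod=2 (TOD-TOFU) would help consumers parsing CTRL-EVENT-EAP-PEER-CERT. wpas_notify_certification's body continues past the hunk.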