Report TOD policy in peer certificate events
authorJouni Malinen <jouni@codeaurora.org>
Tue, 11 Jun 2019 01:39:57 +0000 (04:39 +0300)
committerJouni Malinen <jouni@codeaurora.org>
Fri, 14 Jun 2019 20:10:50 +0000 (23:10 +0300)
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate
includes the TOD policy in the X.509v3 Certificate Policies extension.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/crypto/tls.h
src/crypto/tls_openssl.c
wpa_supplicant/notify.c

index b7a677fd8c6f31bd56daa7a9a21cbc33d87f6e2a..9f07e10d963003c2a68237a9001873c3cbd292fc 100644 (file)
@@ -57,6 +57,7 @@ struct tls_cert_data {
        const char *altsubject[TLS_MAX_ALT_SUBJECT];
        int num_altsubject;
        const char *serial_num;
+       int tod;
 };
 
 union tls_event_data {
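Review bot: The new `tod` member of `struct tls_cert_data` has a meaning that cannot be recovered from the header alone — it is set from a specific Certificate Policies OID comparison in tls_openssl.c — so it should carry a comment even though its neighbours do not, e.g. `int tod; /* non-zero if the peer certificate's Certificate Policies extension carries the TOD policy OID 1.3.6.1.4.1.40808.1.3.1 */`. Only the OpenSSL backend is touched by this commit; if any other TLS backend fills in this struct without zero-initialising the event first, the new field would be left uninitialised when it reaches the notifier — I cannot see the other backends from here, so that is worth a quick check rather than an assertion.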
index f1f979348d1816b9dce2959da81fb231b1e4ce16..9980f032daa0b05f212f1b355b718afc18784b65 100644 (file)
@@ -2149,6 +2149,34 @@ static void openssl_tls_fail_event(struct tls_connection *conn,
 }
 
 
+static int openssl_cert_tod(X509 *cert)
+{
+       CERTIFICATEPOLICIES *ext;
+       stack_index_t i;
+       char buf[100];
+       int res;
+       int tod = 0;
+
+       ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
+       if (!ext)
+               return 0;
+
+       for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
+               POLICYINFO *policy;
+
+               policy = sk_POLICYINFO_value(ext, i);
+               res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
+               if (res < 0 || (size_t) res >= sizeof(buf))
+                       continue;
+               wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
+               if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
+                       tod = 1;
+       }
+
+       return tod;
+}
+
+
 static void openssl_tls_cert_event(struct tls_connection *conn,
                                   X509 *err_cert, int depth,
                                   const char *subject)
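Review bot: `openssl_cert_tod()` leaks the `CERTIFICATEPOLICIES` stack returned by `X509_get_ext_d2i()`: that call allocates a decoded copy of the extension that the caller owns, and the function returns on both paths without releasing it, so every peer certificate event with a policies extension leaks one stack plus its `POLICYINFO` entries. Add `sk_POLICYINFO_pop_free(ext, POLICYINFO_free);` immediately before `return tod;` (the early `return 0` when `ext` is NULL needs nothing). As a smaller robustness point, `OBJ_obj2txt(..., 0)` prefers a registered short/long name over the dotted form when one exists, so the `os_strcmp()` against the numeric OID would silently fail on an OpenSSL build that has registered this enterprise OID; passing `1` as the last argument forces the numeric representation and makes the comparison unconditional. The `openssl_tls_cert_event()` signature at the end of this hunk belongs to a function whose body continues outside it.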
@@ -2241,6 +2269,8 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
                ev.peer_cert.altsubject[alt] = altsubject[alt];
        ev.peer_cert.num_altsubject = num_altsubject;
 
+       ev.peer_cert.tod = openssl_cert_tod(err_cert);
+
        context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
        wpabuf_free(cert);
        for (alt = 0; alt < num_altsubject; alt++)
index f5925666d8f14b2ab8bf474287846b70dec86581..dd627d015e06dd85585d73791318b70d8179346c 100644 (file)
@@ -792,9 +792,10 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
                               const char *cert_hash)
 {
        wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
-               "depth=%d subject='%s'%s%s",
+               "depth=%d subject='%s'%s%s%s",
                cert->depth, cert->subject, cert_hash ? " hash=" : "",
-               cert_hash ? cert_hash : "");
+               cert_hash ? cert_hash : "",
+               cert->tod ? " tod=1" : "");
 
        if (cert->cert) {
                char *cert_hex;