From 5ed2778dbfdd30007c610820b6fa49906c7ab92f Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Thu, 4 Apr 2024 20:16:11 +0200
Subject: [PATCH] wolfssl: Support tod policy

Implement wolfssl_cert_tod() to support setting the correct tod value in the certificate event message. Always send the certificate event message in addition to error messages. This is the same order of messages that the OpenSSL backend sends.

Signed-off-by: Juliusz Sosinowicz
---
 src/crypto/tls_wolfssl.c | 36 ++++++++++++++++++++++++++++++++++--
 tests/hwsim/utils.py     |  4 +++-
 2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index 0f7ea44f1..dda9d081d 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -881,6 +881,37 @@ static void wolfssl_tls_fail_event(struct tls_connection *conn,
 }
+static int wolfssl_cert_tod(X509 *cert)
+{
+	WOLFSSL_STACK *ext;
+	int i;
+	char *buf;
+	int tod = 0;
+
+	ext = wolfSSL_X509_get_ext_d2i(cert, CERT_POLICY_OID, NULL, NULL);
+	if (!ext)
+		return 0;
+
+	for (i = 0; i < wolfSSL_sk_num(ext); i++) {
+		WOLFSSL_ASN1_OBJECT *policy;
+
+		policy = wolfSSL_sk_value(ext, i);
+		if (!policy)
+			continue;
+
+		buf = (char*)policy->obj;
+		wpa_printf(MSG_DEBUG, "wolfSSL: Certificate Policy %s", buf);
+		if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
+			tod = 1; /* TOD-STRICT */
+		else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
+			tod = 2; /* TOD-TOFU */
+	}
+	wolfSSL_sk_pop_free(ext, NULL);
+
+	return tod;
+}
+
+
 static void wolfssl_tls_cert_event(struct tls_connection *conn, WOLFSSL_X509 *err_cert, int depth, const char *subject)
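Review bot: `wolfssl_cert_tod()` releases the policy stack with `wolfSSL_sk_pop_free(ext, NULL)`; unless this wolfSSL version substitutes a type-specific element free when the callback is NULL, every WOLFSSL_ASN1_OBJECT in the stack leaks on each verify-callback invocation, so either confirm that behavior or pass an explicit element free function (a cast of `wolfSSL_ASN1_OBJECT_free`) so the code does not depend on it. The `os_strcmp()` calls on `(char*)policy->obj` assume wolfSSL fills `obj` with a NUL-terminated dotted-decimal OID string rather than raw DER; that appears to be the case given the debug print, but a comment such as `/* obj holds the NUL-terminated dotted OID text set by wolfSSL */` would make the assumption explicit for the next reader. For consistency with the rest of this file, which spells the certificate type `WOLFSSL_X509` (see the `wolfssl_tls_cert_event` signature at the end of the hunk), the parameter should be `WOLFSSL_X509 *cert`, and the cast should be written `(char *)` per hostap style.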
@@ -968,6 +999,7 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn,
 	for (alt = 0; alt < num_alt_subject; alt++)
 		ev.peer_cert.altsubject[alt] = alt_subject[alt];
 	ev.peer_cert.num_altsubject = num_alt_subject;
+	ev.peer_cert.tod = wolfssl_cert_tod(err_cert);
 	context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
 	wpabuf_free(cert);
@@ -1073,6 +1105,8 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx)
 	}
 #endif /* CONFIG_SHA256 */
+	wolfssl_tls_cert_event(conn, err_cert, depth, buf);
+
 	if (!preverify_ok) {
 		wpa_printf(MSG_WARNING, "TLS: Certificate verification failed, error %d (%s) depth %d for '%s'",
@@ -1120,8 +1154,6 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx)
 		wolfssl_tls_fail_event(conn, err_cert, err, depth, buf, "Domain mismatch", TLS_FAIL_DOMAIN_MISMATCH);
-	} else {
-		wolfssl_tls_cert_event(conn, err_cert, depth, buf);
 	}
 	if (conn->cert_probe && preverify_ok && depth == 0) {
diff --git a/tests/hwsim/utils.py b/tests/hwsim/utils.py
index 9505be4ef..62371b0d7 100644
--- a/tests/hwsim/utils.py
+++ b/tests/hwsim/utils.py
@@ -149,7 +149,9 @@ def check_imsi_privacy_support(dev):
 def check_tls_tod(dev):
     tls = dev.request("GET tls_library")
-    if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
+    if not tls.startswith("OpenSSL") and \
+       not tls.startswith("wolfSSL") and \
+       not tls.startswith("internal"):
         raise HwsimSkip("TLS TOD-TOFU/STRICT not supported with this TLS library: " + tls)
 def vht_supported():
-- 
2.47.3
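Review bot: The `wolfssl_tls_cert_event(conn, err_cert, depth, buf);` call moved ahead of the `if (!preverify_ok)` check in tls_verify_cb carries no comment explaining why it now runs before the verification result is acted on, so a later reader is likely to "fix" it back into the else branch that this commit removes. A one-line comment above the call, `/* Report the peer certificate (including its tod policy) before any failure event, matching the OpenSSL backend's message order */`, records the intent stated in the commit message. Consumers of TLS_PEER_CERTIFICATE must not read the event as implying a successful chain check, since it is now emitted for certificates that subsequently produce a TLS_FAIL event; that is the existing OpenSSL contract, but worth stating at the call site. tls_verify_cb starts and ends outside this hunk, so whether err_cert can be NULL when it reaches wolfssl_cert_tod() via wolfSSL_X509_get_ext_d2i() cannot be checked from what is shown.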
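Review bot: The extended condition in `check_tls_tod` uses backslash continuation, which breaks silently if trailing whitespace ever follows a `\`; PEP 8 prefers wrapping the expression in parentheses instead. The same gate fits on one line as `if not tls.startswith(("OpenSSL", "wolfSSL", "internal")):`, since `str.startswith` accepts a tuple of prefixes and the skip message below it is unchanged. check_tls_tod is shown in full here, so the change is self-contained.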