From a647a0ad75fd2650ce1be300327f7ea8c9ff3a1e Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 16 Aug 2019 15:51:40 +0300
Subject: [PATCH] Extend server certificate TOD policy reporting to include TOD-TOFU

The previously used single TOD policy was split into two policies: TOD-STRICT and TOD-TOFU. Report these separately in the CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for TOD-TOFU).

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 4 +++-
 wpa_supplicant/notify.c | 5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 07d38e47b..e67756af6 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2186,7 +2186,9 @@ static int openssl_cert_tod(X509 *cert)
 continue;
 wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
 if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
- tod = 1;
+ tod = 1; /* TOD-STRICT */
+ else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
+ tod = 2; /* TOD-TOFU */
 }
 return tod;
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index e41d7c41c..0ba1e144c 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
@@ -794,10 +794,11 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
 int i;
 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s'%s%s%s",
+ "depth=%d subject='%s'%s%s%s%s",
 cert->depth, cert->subject,
 cert_hash ? " hash=" : "",
 cert_hash ? cert_hash : "",
- cert->tod ? " tod=1" : "");
+ cert->tod == 2 ? " tod=2" : "",
+ cert->tod == 1 ? " tod=1" : "");
 if (cert->cert) {
 char *cert_hex;
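Review bot: The precedence between the two policy OIDs in the new else-if branch of openssl_cert_tod is implicit: the `&& !tod` guard keeps TOD-TOFU from overwriting an earlier TOD-STRICT, and the first branch assigns 1 unconditionally so a later TOD-STRICT still wins over an earlier TOD-TOFU, but nothing in the code states that this ordering is intended. A comment on the else-if line, `/* TOD-STRICT takes precedence when a certificate carries both policy OIDs */`, would make the intent explicit, and the return contract (0 = no TOD policy, 1 = TOD-STRICT, 2 = TOD-TOFU) belongs in a comment on the function itself, whose body starts outside the hunk. Presumably a consumer treats tod=2 (trust-on-first-use) as a weaker assurance than tod=1, so the precedence rule is worth pinning down before another policy OID is added here.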
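Review bot: The two new tod conditionals in wpas_notify_certification are mutually exclusive yet occupy two separate `%s` slots, so the format string gained a `%s` only to carry an always-empty argument; a single nested conditional keeps the event's argument count unchanged: `cert->tod == 2 ? " tod=2" : cert->tod == 1 ? " tod=1" : "");` with the format string left at its previous `%s%s%s`. As written, any tod value other than 1 or 2 is now reported as no TOD policy, whereas the removed line emitted tod=1 for any non-zero value, so the accepted values should be stated next to the call, e.g. `/* tod: 0 = none, 1 = TOD-STRICT, 2 = TOD-TOFU, as set by openssl_cert_tod() */`. The enclosing function starts outside the hunk.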