diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index b7a677fd8..9f07e10d9 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -57,6 +57,7 @@ struct tls_cert_data {
 const char *altsubject[TLS_MAX_ALT_SUBJECT];
 int num_altsubject;
 const char *serial_num;
+ int tod;
 };
 union tls_event_data {
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index f1f979348..9980f032d 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -2149,6 +2149,34 @@ static void openssl_tls_fail_event(struct tls_connection *conn,
 }
+static int openssl_cert_tod(X509 *cert)
+{
+ CERTIFICATEPOLICIES *ext;
+ stack_index_t i;
+ char buf[100];
+ int res;
+ int tod = 0;
+
+ ext = X509_get_ext_d2i(cert, NID_certificate_policies, NULL, NULL);
+ if (!ext)
+ return 0;
+
+ for (i = 0; i < sk_POLICYINFO_num(ext); i++) {
+ POLICYINFO *policy;
+
+ policy = sk_POLICYINFO_value(ext, i);
+ res = OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 0);
+ if (res < 0 || (size_t) res >= sizeof(buf))
+ continue;
+ wpa_printf(MSG_DEBUG, "OpenSSL: Certificate Policy %s", buf);
+ if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
+ tod = 1;
+ }
+
+ return tod;
+}
+
+
 static void openssl_tls_cert_event(struct tls_connection *conn,
 X509 *err_cert, int depth,
 const char *subject)
@@ -2241,6 +2269,8 @@ static void openssl_tls_cert_event(struct tls_connection *conn,
 ev.peer_cert.altsubject[alt] = altsubject[alt];
 ev.peer_cert.num_altsubject = num_altsubject;
+ ev.peer_cert.tod = openssl_cert_tod(err_cert);
+
 context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
 wpabuf_free(cert);
 for (alt = 0; alt < num_altsubject; alt++)
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index f5925666d..dd627d015 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
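Review bot: The new `int tod;` member of `struct tls_cert_data` is added without a comment, so nothing in the header says what value it carries, who sets it, or what a consumer of the peer-certificate event may rely on; the bare name is opaque. The field is filled in by the OpenSSL back end from the certificate-policies extension and then echoed in the `WPA_EVENT_EAP_PEER_CERT` message, and this header is the only place a caller can learn that contract. Suggest `int tod; /* 1 if the certificate carries the 1.3.6.1.4.1.40808.1.3.1 (TOD) certificate policy, else 0 */`. The struct definition begins before this hunk.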
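Review bot: `openssl_cert_tod` leaks the `CERTIFICATEPOLICIES` stack returned by `X509_get_ext_d2i`: the extension is decoded into freshly allocated memory, the loop only reads it, and the function returns `tod` without releasing it. Because `openssl_tls_cert_event` calls it for every certificate presented in a chain (see the following hunk), the leak grows with each handshake whose certificates carry a policies extension, which is a cheap resource-exhaustion vector against a long-running supplicant. Add `sk_POLICYINFO_pop_free(ext, POLICYINFO_free);` immediately before `return tod;`; the early `return 0;` path needs nothing since `ext` is NULL there. The OID string literal would also read better as a named constant with a comment stating which policy it identifies, rather than a magic value inside the loop.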
@@ -792,9 +792,10 @@ void wpas_notify_certification(struct wpa_supplicant *wpa_s,
 const char *cert_hash)
 {
 wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s'%s%s",
+ "depth=%d subject='%s'%s%s%s",
 cert->depth, cert->subject,
 cert_hash ? " hash=" : "",
- cert_hash ? cert_hash : "");
+ cert_hash ? cert_hash : "",
+ cert->tod ? " tod=1" : "");
 if (cert->cert) {
 char *cert_hex;