Include peer certificate always in EAP events
This makes it easier for upper layer applications to get information regarding the server certificate without having to use a special certificate probing connection. This provides both the SHA256 hash of the certificate (to be used with ca_cert="hash://server/sha256/<hash>", if desired) and the full DER encoded X.509 certificate so that upper layer applications can parse and display the certificate easily or extract fields from it for purposes like configuring an altsubject_match or domain_suffix_match. The old behavior can be configured by adding cert_in_cb=0 to wpa_supplicant configuration file. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
dd5f902584
commit
483dd6a5e0
5 changed files with 20 additions and 0 deletions
|
@ -3490,6 +3490,7 @@ struct wpa_config * wpa_config_alloc_empty(const char *ctrl_interface,
|
|||
config->p2p_search_delay = DEFAULT_P2P_SEARCH_DELAY;
|
||||
config->rand_addr_lifetime = DEFAULT_RAND_ADDR_LIFETIME;
|
||||
config->key_mgmt_offload = DEFAULT_KEY_MGMT_OFFLOAD;
|
||||
config->cert_in_cb = DEFAULT_CERT_IN_CB;
|
||||
|
||||
if (ctrl_interface)
|
||||
config->ctrl_interface = os_strdup(ctrl_interface);
|
||||
|
|
|
@ -31,6 +31,7 @@
|
|||
#define DEFAULT_P2P_SEARCH_DELAY 500
|
||||
#define DEFAULT_RAND_ADDR_LIFETIME 60
|
||||
#define DEFAULT_KEY_MGMT_OFFLOAD 1
|
||||
#define DEFAULT_CERT_IN_CB 1
|
||||
|
||||
#include "config_ssid.h"
|
||||
#include "wps/wps.h"
|
||||
|
@ -1119,6 +1120,14 @@ struct wpa_config {
|
|||
* Maximum number of mesh peering currently maintained by the STA.
|
||||
*/
|
||||
int max_peer_links;
|
||||
|
||||
/**
|
||||
* cert_in_cb - Whether to include a peer certificate dump in events
|
||||
*
|
||||
* This controls whether peer certificates for authentication server and
|
||||
* its certificate chain are included in EAP peer certificate events.
|
||||
*/
|
||||
int cert_in_cb;
|
||||
};
|
||||
|
||||
|
||||
|
|
|
@ -1218,6 +1218,9 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config)
|
|||
|
||||
if (config->max_peer_links != DEFAULT_MAX_PEER_LINKS)
|
||||
fprintf(f, "max_peer_links=%d\n", config->max_peer_links);
|
||||
|
||||
if (config->cert_in_cb != DEFAULT_CERT_IN_CB)
|
||||
fprintf(f, "cert_in_cb=%d\n", config->cert_in_cb);
|
||||
}
|
||||
|
||||
#endif /* CONFIG_NO_CONFIG_WRITE */
|
||||
|
|
|
@ -127,6 +127,12 @@ ap_scan=1
|
|||
# Maximum number of mesh peering currently maintained by the STA.
|
||||
#max_peer_links=99
|
||||
|
||||
# cert_in_cb - Whether to include a peer certificate dump in events
|
||||
# This controls whether peer certificates for authentication server and
|
||||
# its certificate chain are included in EAP peer certificate events. This is
|
||||
# enabled by default.
|
||||
#cert_in_cb=1
|
||||
|
||||
# EAP fast re-authentication
|
||||
# By default, fast re-authentication is enabled for all EAP methods that
|
||||
# support it. This variable can be used to disable fast re-authentication.
|
||||
|
|
|
@ -948,6 +948,7 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s)
|
|||
ctx->port_cb = wpa_supplicant_port_cb;
|
||||
ctx->cb = wpa_supplicant_eapol_cb;
|
||||
ctx->cert_cb = wpa_supplicant_cert_cb;
|
||||
ctx->cert_in_cb = wpa_s->conf->cert_in_cb;
|
||||
ctx->status_cb = wpa_supplicant_status_cb;
|
||||
ctx->set_anon_id = wpa_supplicant_set_anon_id;
|
||||
ctx->cb_ctx = wpa_s;
|
||||
|
|
Loading…
Reference in a new issue