[PATCH 05/24] wolfssl: support tod policy

Juliusz Sosinowicz juliusz at wolfssl.com
Thu Apr 4 11:16:11 PDT 2024


- Implement wolfssl_cert_tod() to support setting the correct tod value in the certificate event message.
- Always send the certificate event message in addition to error messages. This is the same order of messages that the OpenSSL backend sends.

Signed-off-by: Juliusz Sosinowicz <juliusz at wolfssl.com>
---
 src/crypto/tls_wolfssl.c | 34 ++++++++++++++++++++++++++++++++--
 tests/hwsim/utils.py     |  2 +-
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c
index e851dd09d1..38575375de 100644
--- a/src/crypto/tls_wolfssl.c
+++ b/src/crypto/tls_wolfssl.c
@@ -992,6 +992,35 @@ static void wolfssl_tls_fail_event(struct tls_connection *conn,
 	wpabuf_free(cert);
 }
 
+static int wolfssl_cert_tod(X509 *cert)
+{
+	WOLFSSL_STACK *ext;
+	int i;
+	char *buf;
+	int tod = 0;
+
+	ext = wolfSSL_X509_get_ext_d2i(cert, CERT_POLICY_OID, NULL, NULL);
+	if (!ext)
+		return 0;
+
+	for (i = 0; i < wolfSSL_sk_num(ext); i++) {
+		WOLFSSL_ASN1_OBJECT *policy;
+
+		policy = wolfSSL_sk_value(ext, i);
+		if (!policy)
+			continue;
+
+		buf = (char*)policy->obj;
+		wpa_printf(MSG_DEBUG, "wolfSSL: Certificate Policy %s", buf);
+		if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.1") == 0)
+			tod = 1; /* TOD-STRICT */
+		else if (os_strcmp(buf, "1.3.6.1.4.1.40808.1.3.2") == 0 && !tod)
+			tod = 2; /* TOD-TOFU */
+	}
+	wolfSSL_sk_pop_free(ext, NULL);
+
+	return tod;
+}
 
 static void wolfssl_tls_cert_event(struct tls_connection *conn,
 				   WOLFSSL_X509 *err_cert, int depth,
@@ -1080,6 +1109,7 @@ static void wolfssl_tls_cert_event(struct tls_connection *conn,
 	for (alt = 0; alt < num_alt_subject; alt++)
 		ev.peer_cert.altsubject[alt] = alt_subject[alt];
 	ev.peer_cert.num_altsubject = num_alt_subject;
+	ev.peer_cert.tod = wolfssl_cert_tod(err_cert);
 
 	context->event_cb(context->cb_ctx, TLS_PEER_CERTIFICATE, &ev);
 	wpabuf_free(cert);
@@ -1185,6 +1215,8 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx)
 	}
 #endif /* CONFIG_SHA256 */
 
+	wolfssl_tls_cert_event(conn, err_cert, depth, buf);
+
 	if (!preverify_ok) {
 		wpa_printf(MSG_WARNING,
 			   "TLS: Certificate verification failed, error %d (%s) depth %d for '%s'",
@@ -1232,8 +1264,6 @@ static int tls_verify_cb(int preverify_ok, WOLFSSL_X509_STORE_CTX *x509_ctx)
 		wolfssl_tls_fail_event(conn, err_cert, err, depth, buf,
 				       "Domain mismatch",
 				       TLS_FAIL_DOMAIN_MISMATCH);
-	} else {
-		wolfssl_tls_cert_event(conn, err_cert, depth, buf);
 	}
 
 	if (conn->cert_probe && preverify_ok && depth == 0) {
diff --git a/tests/hwsim/utils.py b/tests/hwsim/utils.py
index 7e36082843..cd97c0175e 100644
--- a/tests/hwsim/utils.py
+++ b/tests/hwsim/utils.py
@@ -145,7 +145,7 @@ def check_imsi_privacy_support(dev):
 
 def check_tls_tod(dev):
     tls = dev.request("GET tls_library")
-    if not tls.startswith("OpenSSL") and not tls.startswith("internal"):
+    if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL") and not tls.startswith("internal"):
         raise HwsimSkip("TLS TOD-TOFU/STRICT not supported with this TLS library: " + tls)
 
 def vht_supported():
-- 
2.34.1




More information about the Hostap mailing list