Backport of: commit 483dd6a5e0069d0646505c26a5194eda15472858 Author: Jouni Malinen Date: Wed Jan 14 12:14:31 2015 +0200 Include peer certificate always in EAP events This makes it easier for upper layer applications to get information regarding the server certificate without having to use a special certificate probing connection. This provides both the SHA256 hash of the certificate (to be used with ca_cert="hash://server/sha256/", if desired) and the full DER encoded X.509 certificate so that upper layer applications can parse and display the certificate easily or extract fields from it for purposes like configuring an altsubject_match or domain_suffix_match. The old behavior can be configured by adding cert_in_cb=0 to wpa_supplicant configuration file. Signed-off-by: Jouni Malinen diff -up wpa_supplicant-2.0/wpa_supplicant/config.c.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/config.c --- wpa_supplicant-2.0/wpa_supplicant/config.c.cert-in-cb 2015-01-16 08:57:30.532900618 -0500 +++ wpa_supplicant-2.0/wpa_supplicant/config.c 2015-01-16 08:59:57.437986307 -0500 @@ -2644,6 +2644,7 @@ struct wpa_config * wpa_config_alloc_emp config->wmm_ac_params[1] = ac_bk; config->wmm_ac_params[2] = ac_vi; config->wmm_ac_params[3] = ac_vo; + config->cert_in_cb = DEFAULT_CERT_IN_CB; if (ctrl_interface) config->ctrl_interface = os_strdup(ctrl_interface); diff -up wpa_supplicant-2.0/wpa_supplicant/config_file.c.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/config_file.c --- wpa_supplicant-2.0/wpa_supplicant/config_file.c.cert-in-cb 2015-01-16 08:57:30.533900626 -0500 +++ wpa_supplicant-2.0/wpa_supplicant/config_file.c 2015-01-16 09:00:32.265243695 -0500 @@ -972,6 +972,9 @@ static void wpa_config_write_global(FILE fprintf(f, "okc=%d\n", config->okc); if (config->pmf) fprintf(f, "pmf=%d\n", config->pmf); + + if (config->cert_in_cb != DEFAULT_CERT_IN_CB) + fprintf(f, "cert_in_cb=%d\n", config->cert_in_cb); } #endif /* CONFIG_NO_CONFIG_WRITE */ diff -up wpa_supplicant-2.0/wpa_supplicant/config.h.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/config.h --- wpa_supplicant-2.0/wpa_supplicant/config.h.cert-in-cb 2015-01-16 08:57:30.532900618 -0500 +++ wpa_supplicant-2.0/wpa_supplicant/config.h 2015-01-16 08:59:32.442801582 -0500 @@ -24,6 +24,7 @@ #define DEFAULT_BSS_EXPIRATION_SCAN_COUNT 2 #define DEFAULT_MAX_NUM_STA 128 #define DEFAULT_ACCESS_NETWORK_TYPE 15 +#define DEFAULT_CERT_IN_CB 1 #include "config_ssid.h" #include "wps/wps.h" @@ -797,6 +798,14 @@ struct wpa_config { * this default behavior. */ enum mfp_options pmf; + + /** + * cert_in_cb - Whether to include a peer certificate dump in events + * + * This controls whether peer certificates for authentication server and + * its certificate chain are included in EAP peer certificate events. + */ + int cert_in_cb; }; diff -up wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c --- wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c.cert-in-cb 2013-01-12 10:42:53.000000000 -0500 +++ wpa_supplicant-2.0/wpa_supplicant/wpas_glue.c 2015-01-16 08:57:30.533900626 -0500 @@ -790,6 +790,7 @@ int wpa_supplicant_init_eapol(struct wpa ctx->port_cb = wpa_supplicant_port_cb; ctx->cb = wpa_supplicant_eapol_cb; ctx->cert_cb = wpa_supplicant_cert_cb; + ctx->cert_in_cb = wpa_s->conf->cert_in_cb; ctx->status_cb = wpa_supplicant_status_cb; ctx->set_anon_id = wpa_supplicant_set_anon_id; ctx->cb_ctx = wpa_s; diff -up wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf.cert-in-cb wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf --- wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf.cert-in-cb 2015-01-16 08:57:30.533900626 -0500 +++ wpa_supplicant-2.0/wpa_supplicant/wpa_supplicant.conf 2015-01-16 08:58:35.707382284 -0500 @@ -110,6 +110,12 @@ eapol_version=1 # networks are found, a new IBSS or AP mode network is created. ap_scan=1 +# cert_in_cb - Whether to include a peer certificate dump in events +# This controls whether peer certificates for authentication server and +# its certificate chain are included in EAP peer certificate events. This is +# enabled by default. +#cert_in_cb=1 + # EAP fast re-authentication # By default, fast re-authentication is enabled for all EAP methods that # support it. This variable can be used to disable fast re-authentication.