NIAP: Log certificate validation failure for audit.
Bug: 70886042
Test: attempt connecting to EAP-TLS wifi with self-signed cert.
Change-Id: Ic61de6bcd6b0494e5ecc0f1ff97af7c36f56d8f8
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 988c9d2..7243d9f 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -116,6 +116,20 @@
#include <openssl/pem.h>
#include <keystore/keystore_get.h>
+#include <log/log.h>
+#include <log/log_event_list.h>
+
+#define CERT_VALIDATION_FAILURE 210033
+
+static void log_cert_validation_failure(const char *reason)
+{
+ android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
+ android_log_write_string8(ctx, reason);
+ android_log_write_list(ctx, LOG_ID_SECURITY);
+ android_log_destroy(&ctx);
+}
+
+
static BIO * BIO_from_keystore(const char *key)
{
BIO *bio = NULL;
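Review bot: In `log_cert_validation_failure` the result of `android_log_write_list` is discarded, so when the security buffer rejects the write (for instance because the process lacks the credentials the os_unix.c change tries to grant, or the logger context could not be allocated) the audit record is dropped with no trace. For an event whose whole purpose is audit, the failure should at least surface in the debug log; `wpa_printf` is in scope elsewhere in this file and is the natural way to do that. Guarding the `NULL` return of `create_android_logger` up front also avoids relying on every liblog call tolerating a null context. A short comment noting that `CERT_VALIDATION_FAILURE` must match the tag registered in the platform's event-log-tags would help the next reader, since nothing here ties the number to its definition.
```c
static void log_cert_validation_failure(const char *reason)
{
	/* 210033 must match the tag registered in the platform event-log-tags */
	android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
	if (ctx == NULL)
		return;
	android_log_write_string8(ctx, reason ? reason : "");
	if (android_log_write_list(ctx, LOG_ID_SECURITY) < 0)
		wpa_printf(MSG_DEBUG, "Failed to write certificate validation audit event");
	android_log_destroy(&ctx);
}
```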
@@ -1787,6 +1801,10 @@
struct wpabuf *cert = NULL;
struct tls_context *context = conn->context;
+#ifdef ANDROID
+ log_cert_validation_failure(err_str);
+#endif
+
if (context->event_cb == NULL)
return;
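Review bot: The audit event written at the new `log_cert_validation_failure(err_str)` call carries only the OpenSSL error string, so an analyst reading the security log cannot tell which certificate in the chain failed or which server presented it. The enclosing function begins before this hunk; if, as its parameters suggest, it already receives the chain depth and the subject of the failing certificate, those belong in the record too (for example by extending the helper to `log_cert_validation_failure(err_str, subject, depth)` and writing them as additional list fields). Placing the call ahead of the `event_cb == NULL` early return is right for audit purposes, since the event is then recorded even when no listener is registered; a one-line comment, `/* audit log first: must fire even when no event callback is registered */`, would keep a later refactor from moving it below the check.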
diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c
index 3f6388d..26ce50d 100644
--- a/src/utils/os_unix.c
+++ b/src/utils/os_unix.c
@@ -342,21 +342,26 @@
if (!gid_wifi || !uid_wifi) return -1;
#else /* ANDROID_SETGROUPS_OVERRIDE */
- gid_t groups[3];
+ gid_t groups[4];
+ int group_idx = 0;
if (!gid_wifi || !uid_wifi) return -1;
- groups[0] = gid_wifi;
+ groups[group_idx] = gid_wifi;
grp = getgrnam("inet");
- groups[1] = grp ? grp->gr_gid : 0;
- if (!groups[1]) return -1;
+ groups[++group_idx] = grp ? grp->gr_gid : 0;
+ if (!groups[group_idx]) return -1;
grp = getgrnam("keystore");
- groups[2] = grp ? grp->gr_gid : 0;
- if (!groups[2]) return -1;
+ groups[++group_idx] = grp ? grp->gr_gid : 0;
+ if (!groups[group_idx]) return -1;
+
+ grp = getgrnam("log");
+ groups[++group_idx] = grp ? grp->gr_gid : 0;
+ if (!groups[group_idx]) group_idx--;
#endif /* ANDROID_SETGROUPS_OVERRIDE */
- setgroups(ARRAY_SIZE(groups), groups);
+ setgroups(group_idx + 1, groups);
prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
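Review bot: The `log` group lookup is treated as optional (`group_idx--` on failure) whereas `inet` and `keystore` remain fatal, but nothing explains the asymmetry, and a missing `log` group is exactly the configuration in which the new security-log write in tls_openssl.c will also fail silently, so the two defects compound without any diagnostic. A comment on the lookup, `/* "log" is optional: only the certificate-validation audit event needs it; without it that event is dropped */`, records the intent, and emitting a warning on that path (if a logging primitive is available in this file) would make the misconfiguration visible. The reworked `setgroups(group_idx + 1, groups);` still ignores the call's return value, so a failure to drop into the intended group set continues unnoticed into the privilege-reduction sequence; checking it and returning -1 like the lookups above would be consistent with the surrounding code. The enclosing function continues past the end of this hunk.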