commit 4d8552e9d137f0aab7d64e1476b7f892d0468aeb
author Pavel Grafov <pgrafov@google.com> Tue Feb 06 11:28:29 2018 +0000
committer Pavel Grafov <pgrafov@google.com> Tue Feb 13 15:12:36 2018 +0000
tree 93204a3fdf693a0ea4c51615a732fcbd8973c1c1
parent 3fcb563f763eef4ea1255be88aa12e9a631c665c

NIAP: Log certificate validation failure for audit.

Bug: 70886042
Test: attempt connecting to EAP-TLS wifi with self-signed cert.
Change-Id: Ic61de6bcd6b0494e5ecc0f1ff97af7c36f56d8f8

src/crypto/tls_openssl.c

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 988c9d2..7243d9f 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -116,6 +116,20 @@
 #include <openssl/pem.h>
 #include <keystore/keystore_get.h>
 
+#include <log/log.h>
+#include <log/log_event_list.h>
+
+#define CERT_VALIDATION_FAILURE 210033
+
+static void log_cert_validation_failure(const char *reason)
+{
+	android_log_context ctx = create_android_logger(CERT_VALIDATION_FAILURE);
+	android_log_write_string8(ctx, reason);
+	android_log_write_list(ctx, LOG_ID_SECURITY);
+	android_log_destroy(&ctx);
+}
+
+
 static BIO * BIO_from_keystore(const char *key)
 {
 	BIO *bio = NULL;
@@ -1787,6 +1801,10 @@
 	struct wpabuf *cert = NULL;
 	struct tls_context *context = conn->context;
 
+#ifdef ANDROID
+	log_cert_validation_failure(err_str);
+#endif
+
 	if (context->event_cb == NULL)
 		return;
 

src/utils/os_unix.c

diff --git a/src/utils/os_unix.c b/src/utils/os_unix.c
index 3f6388d..26ce50d 100644
--- a/src/utils/os_unix.c
+++ b/src/utils/os_unix.c
@@ -342,21 +342,26 @@
 
 	if (!gid_wifi || !uid_wifi) return -1;
 #else /* ANDROID_SETGROUPS_OVERRIDE */
-	gid_t groups[3];
+	gid_t groups[4];
+	int group_idx = 0;
 
 	if (!gid_wifi || !uid_wifi) return -1;
-	groups[0] = gid_wifi;
+	groups[group_idx] = gid_wifi;
 
 	grp = getgrnam("inet");
-	groups[1] = grp ? grp->gr_gid : 0;
-	if (!groups[1]) return -1;
+	groups[++group_idx] = grp ? grp->gr_gid : 0;
+	if (!groups[group_idx]) return -1;
 
 	grp = getgrnam("keystore");
-	groups[2] = grp ? grp->gr_gid : 0;
-	if (!groups[2]) return -1;
+	groups[++group_idx] = grp ? grp->gr_gid : 0;
+	if (!groups[group_idx]) return -1;
+
+	grp = getgrnam("log");
+	groups[++group_idx] = grp ? grp->gr_gid : 0;
+	if (!groups[group_idx]) group_idx--;
 #endif /* ANDROID_SETGROUPS_OVERRIDE */
 
-	setgroups(ARRAY_SIZE(groups), groups);
+	setgroups(group_idx + 1, groups);
 
 	prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);