commit 55840adb6cd32ca52064f327b72a40e769f70661
author Dmitry Shmidt <dimitrysh@google.com> Mon Dec 14 12:45:46 2015 -0800
committer Dmitry Shmidt <dimitrysh@google.com> Mon Dec 14 16:03:59 2015 -0800
tree 40e19b01486781811b9037aa3cb7a093cf83b921
parent ae24cbe9b93567c1ae4d1fd332fab07a04965b33

Cumulative patch from commit 06f14421ea8644d12a7b0be6b583114869f9c451 (DO NOT MERGE)

06f1442 TLS: Parse OCSPResponse to extract BasicOCSPResponse
d560288 TLS: Parse CertificateStatus message
eeba168 TLS: Add status_request ClientHello extension if OCSP is requested
4303d53 TLS: Parse ServerHello extensions
6b7bb42 TLS: Add minimal support for PKCS #12
5ce2941 TLS: Extend PKCS #5 to support PKCS #12 style key decryption
f6a62df TLS: Fix and complete ASN.1 tag list
3c108b7 EAP peer: External server certificate chain validation
b6e5e14 EAP-FAST peer: Fix PAC parser error messages
5b904b3 EAP-FAST: Check T-PRF result in MSK/EMSK derivation
b1d8c5c EAP-FAST peer: Fix error path handling for Session-Id
36478a1 OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1
9257610 FT: Fix FTIE generation for EAPOL-Key msg 3/4
e44bd28 FT: Fix sm->assoc_resp_ftie storing on the AP side
59e78c2 FT: Fix FTIE generation for 4-way handshake after FT protocol run
b0ecbd3 AP: Use more readable version of management group cipher in error cases
651c6a8 Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side
58059e6 FST: Print debug entry on MB IE update based on EVENT_AUTH
af041f9 dbus: Add support for vendor specific elements
5c8acf7 EAP-IKEv2: Check HMAC SHA1/MD5 result
7b991b4 Use proper build config for parsing proxy_arp
4db29e6 TLS: Add support for PKCS #5 v2.0 PBES2

Change-Id: I10b71e4d3573ef60a52ea6ff56afcd3a06a0b7b0
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>

src/eap_peer/eap.c

diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 28d5116..5c18978 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -48,6 +48,8 @@
 static const char * eap_sm_method_state_txt(EapMethodState state);
 static const char * eap_sm_decision_txt(EapDecision decision);
 #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
+static void eap_sm_request(struct eap_sm *sm, enum wpa_ctrl_req_type field,
+			   const char *msg, size_t msglen);
 
 
 
@@ -320,11 +322,14 @@
 	wpa_printf(MSG_DEBUG, "EAP: Initialize selected EAP method: "
 		   "vendor %u method %u (%s)",
 		   sm->reqVendor, method, sm->m->name);
-	if (reinit)
+	if (reinit) {
 		sm->eap_method_priv = sm->m->init_for_reauth(
 			sm, sm->eap_method_priv);
-	else
+	} else {
+		sm->waiting_ext_cert_check = 0;
+		sm->ext_cert_check = 0;
 		sm->eap_method_priv = sm->m->init(sm);
+	}
 
 	if (sm->eap_method_priv == NULL) {
 		struct eap_peer_config *config = eap_get_config(sm);
@@ -1858,6 +1863,11 @@
 	case TLS_CERT_CHAIN_SUCCESS:
 		eap_notify_status(sm, "remote certificate verification",
 				  "success");
+		if (sm->ext_cert_check) {
+			sm->waiting_ext_cert_check = 1;
+			eap_sm_request(sm, WPA_CTRL_REQ_EXT_CERT_CHECK,
+				       NULL, 0);
+		}
 		break;
 	case TLS_CERT_CHAIN_FAILURE:
 		wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TLS_CERT_ERROR
@@ -2180,10 +2190,10 @@
 #endif /* CONFIG_CTRL_IFACE */
 
 
-#if defined(CONFIG_CTRL_IFACE) || !defined(CONFIG_NO_STDOUT_DEBUG)
 static void eap_sm_request(struct eap_sm *sm, enum wpa_ctrl_req_type field,
 			   const char *msg, size_t msglen)
 {
+#if defined(CONFIG_CTRL_IFACE) || !defined(CONFIG_NO_STDOUT_DEBUG)
 	struct eap_peer_config *config;
 	const char *txt = NULL;
 	char *tmp;
@@ -2232,16 +2242,17 @@
 	case WPA_CTRL_REQ_SIM:
 		txt = msg;
 		break;
+	case WPA_CTRL_REQ_EXT_CERT_CHECK:
+		break;
 	default:
 		return;
 	}
 
 	if (sm->eapol_cb->eap_param_needed)
 		sm->eapol_cb->eap_param_needed(sm->eapol_ctx, field, txt);
-}
-#else /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
-#define eap_sm_request(sm, type, msg, msglen) do { } while (0)
 #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
+}
+
 
 const char * eap_sm_get_method_name(struct eap_sm *sm)
 {