author | Jouni Malinen <j@w1.fi> | |
Tue, 5 Jul 2011 08:29:42 +0000 (11:29 +0300) | ||
committer | Jouni Malinen <j@w1.fi> | |
Tue, 5 Jul 2011 08:29:42 +0000 (11:29 +0300) |
This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.
index 64124d8a8e3ef74c8bbaa4709d6ea208189bbb27..cc165f6407df4c9397cec73de3184f86542f9228 100644 (file)
/*
* TLS interface functions and an internal TLS implementation
- * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
return -1;
}
+ tlsv1_client_set_time_checks(
+ conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
+
return 0;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
return -1;
index bf92a1133d862d67558416312cf6dc49d021d2a0..14ff87e2632b983fba1f53afcede067970ffa563 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
/*
* SSL/TLS interface functions for OpenSSL
- * Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
unsigned int server_cert_only:1;
u8 srv_cert_hash[32];
+
+ unsigned int flags;
};
preverify_ok = 1;
if (!preverify_ok && depth > 0 && conn->server_cert_only)
preverify_ok = 1;
+ if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
+ (err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ err == X509_V_ERR_CERT_NOT_YET_VALID)) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
+ "time mismatch");
+ preverify_ok = 1;
+ }
err_str = X509_verify_cert_error_string(err);
return -1;
}
+ conn->flags = params->flags;
+
tls_get_errors(tls_ctx);
return 0;
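Review bot: The debug message added in the verify callback does not say which certificate had its validity-time error overridden, so a log reader cannot tell whether an expired leaf or an expired CA at some depth was accepted; `depth` and `err` are both in scope at that point (the line above uses `depth`). I would change the two message lines to `wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity time mismatch (depth=%d err=%d)", depth, err);`. The override is correctly limited to X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID, but it applies at every depth, which is worth stating in a comment on the new `unsigned int flags;` struct member, e.g. `/* TLS_CONN_* flags from tls_connection_params; DISABLE_TIME_CHECKS applies to the whole chain */`. The verify callback and tls_connection_set_params both start and end outside this section, so I am inferring the surrounding control flow from the context lines.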
diff --git a/src/tls/tlsv1_client.c b/src/tls/tlsv1_client.c
index afb603175a11a80a53d0cb3577ad430af7d04bcc..8b7e26f2afd1e995107d8e1d56c3e289aaeee1d1 100644 (file)
--- a/src/tls/tlsv1_client.c
+++ b/src/tls/tlsv1_client.c
/*
* TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
}
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled)
+{
+ conn->disable_time_checks = !enabled;
+}
+
+
void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn,
tlsv1_client_session_ticket_cb cb,
void *ctx)
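Review bot: The new tlsv1_client_set_time_checks() is a public setter in this file but has no documentation comment, and the neighbouring setter visible below it presumably carries one in the file's kernel-doc style. I would add above it: `/** tlsv1_client_set_time_checks - Enable/disable certificate validity time checks`, `@conn: TLSv1 client connection data from tlsv1_client_init()`, `@enabled: Whether the notBefore/notAfter checks are enforced during chain validation (disabled only affects server certificate validation)`, closing with `*/`. The inversion stored in `conn->disable_time_checks = !enabled;` is fine but the comment should make clear that the default (bit zero) means checks are enforced.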
diff --git a/src/tls/tlsv1_client.h b/src/tls/tlsv1_client.h
index 16ad57d4007feb3fe70d1d85beda67f0a65390fd..a620d62e8020fb89b3edc38ec597268a376ca740 100644 (file)
--- a/src/tls/tlsv1_client.h
+++ b/src/tls/tlsv1_client.h
/*
* TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers);
int tlsv1_client_set_cred(struct tlsv1_client *conn,
struct tlsv1_credentials *cred);
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled);
typedef int (*tlsv1_client_session_ticket_cb)
(void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
index 7fe179f10c63bae7ae404cbb82980927ab0d2605..f091bcf032b322a05358d7b7b6c2c59a6f223bb0 100644 (file)
--- a/src/tls/tlsv1_client_i.h
+++ b/src/tls/tlsv1_client_i.h
/*
* TLSv1 client - internal structures
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
unsigned int session_resumed:1;
unsigned int session_ticket_included:1;
unsigned int use_session_ticket:1;
+ unsigned int disable_time_checks:1;
struct crypto_public_key *server_rsa_key;
index ed3f2606c8cc24d87effcbe93e0999ed22f4222c..faa891aaf2dbdf317cd0506b990da20769d99650 100644 (file)
if (conn->cred &&
x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
- &reason) < 0) {
+ &reason, conn->disable_time_checks)
+ < 0) {
int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason);
index 49e811ffcff514252ac11d04054c6aeeb1b5755a..fd7443656a26e8dcf6b9ea02589c15dad2152ec8 100644 (file)
}
if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
- &reason) < 0) {
+ &reason, 0) < 0) {
int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason);
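Review bot: The bare `0` passed as the new disable_time_checks argument reads as a magic value at the call site; since this appears to be the server-side validation of a client certificate, a short comment would record that the exemption is intentionally not offered here, e.g. `&reason, 0 /* always enforce validity time */) < 0) {`. The enclosing function starts and ends outside this section, so I cannot tell from here whether a server-side configuration flag was considered.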
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index bc93df6837873d9ce826f689c5ca96a47a09cc3d..347f9759008f1eaf6c78ca56aaedc2ac4d85fd1e 100644 (file)
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
/*
* X.509v3 certificate parsing and processing (RFC 3280 profile)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
*/
int x509_certificate_chain_validate(struct x509_certificate *trusted,
struct x509_certificate *chain,
- int *reason)
+ int *reason, int disable_time_checks)
{
long unsigned idx;
int chain_trusted = 0;
if (chain_trusted)
continue;
- if ((unsigned long) now.sec <
- (unsigned long) cert->not_before ||
- (unsigned long) now.sec >
- (unsigned long) cert->not_after) {
+ if (!disable_time_checks &&
+ ((unsigned long) now.sec <
+ (unsigned long) cert->not_before ||
+ (unsigned long) now.sec >
+ (unsigned long) cert->not_after)) {
wpa_printf(MSG_INFO, "X509: Certificate not valid "
"(now=%lu not_before=%lu not_after=%lu)",
now.sec, cert->not_before, cert->not_after);
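Review bot: When disable_time_checks is set, the new condition skips the whole block including the MSG_INFO log, so a certificate that is expired or not yet valid is accepted with no trace in the log; the only sign is the caller's configuration. I would log the skipped failure at MSG_DEBUG before the existing check so that a later investigation can see that an out-of-validity certificate was accepted. The function's kernel-doc comment (its closing `*/` is the first line of this hunk) should also gain a `@disable_time_checks: Whether to skip the notBefore/notAfter validity checks` line for the new parameter; the rest of x509_certificate_chain_validate, including what follows the log in the failure branch, is outside the hunk.
```c
		if (chain_trusted)
			continue;
		if (disable_time_checks &&
		    ((unsigned long) now.sec < (unsigned long) cert->not_before ||
		     (unsigned long) now.sec > (unsigned long) cert->not_after))
			wpa_printf(MSG_DEBUG, "X509: Ignoring certificate validity "
				   "time mismatch (now=%lu not_before=%lu "
				   "not_after=%lu)",
				   now.sec, cert->not_before, cert->not_after);
		/* … unchanged: existing !disable_time_checks validity check and MSG_INFO failure log … */
```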
diff --git a/src/tls/x509v3.h b/src/tls/x509v3.h
index 37292d7e7dec9b13819683331d86f050c001973f..3e2005b9090570e54eef06ad0d7ee8256e4a061d 100644 (file)
--- a/src/tls/x509v3.h
+++ b/src/tls/x509v3.h
/*
* X.509v3 certificate parsing and processing
- * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
struct x509_certificate *cert);
int x509_certificate_chain_validate(struct x509_certificate *trusted,
struct x509_certificate *chain,
- int *reason);
+ int *reason, int disable_time_checks);
struct x509_certificate *
x509_certificate_get_subject(struct x509_certificate *chain,
struct x509_name *name);