author | Dmitry Shmidt <dimitrysh@google.com> | 2011-07-07 11:18:38 -0700 |
---|---|---|
committer | Dmitry Shmidt <dimitrysh@google.com> | 2011-07-07 11:23:25 -0700 |
commit | c55524ad84d13014e8019491c2b17e5dcf13545a (patch) | |
tree | 3c1a0f04ed12cadca7312b1b6f3f0c0caa6018ca /src | |
parent | 13970b010f3e5b274336677311a5586410ecc8fa (diff) | |
Accumulative patch from commit 8fd0f0f323a922aa88ec720ee524f7105d3b0f64
Fix D-Bus build without CONFIG_P2P=y
nl80211: Allow AP mode to be started without monitor interface
nl80211: Process association/disassociation events in AP mode
DBus/P2P: Adding decl for PersistentGroupRemoved signal
DBus/P2P: Rectified type of SecondaryDeviceTypes in device property Get
P2P: Only call dev_lost() for devices that have been dev_found()
wpa_cli: Add missing parameter for P2P_GROUP_ADD command
wpa_supplicant: Respect PKG_CONFIG variable if set in the environment
TLS: Add support for tls_disable_time_checks=1 in client mode
hostapd: Clear keys configured when hostapd reloads configuration
Add dbus signal for information about server certification
Move peer certificate wpa_msg() calls to notify.c
wpa_supplicant AP: Disable AP mode on disassoc paths
wpa_s AP mode: Enable HT20 if driver supports it
Allow PMKSA caching to be disabled on Authenticator
FT: Disable PMKSA cache for FT-IEEE8021X
FT: Clear SME ft_used/ft_ies when disconnecting
8fd0f0f323a922aa88ec720ee524f7105d3b0f64
Change-Id: I6ae333196c36ffa7589662d5269fabfc3b994605
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/ap/ap_config.h | 1 | ||||
-rw-r--r-- | src/ap/hostapd.c | 2 | ||||
-rw-r--r-- | src/ap/wpa_auth.c | 3 | ||||
-rw-r--r-- | src/ap/wpa_auth.h | 1 | ||||
-rw-r--r-- | src/ap/wpa_auth_glue.c | 1 | ||||
-rw-r--r-- | src/crypto/tls_internal.c | 5 | ||||
-rw-r--r-- | src/crypto/tls_openssl.c | 13 | ||||
-rw-r--r-- | src/drivers/driver_nl80211.c | 39 | ||||
-rw-r--r-- | src/eap_peer/eap.c | 30 | ||||
-rw-r--r-- | src/eap_peer/eap.h | 11 | ||||
-rw-r--r-- | src/eapol_supp/eapol_supp_sm.c | 12 | ||||
-rw-r--r-- | src/eapol_supp/eapol_supp_sm.h | 11 | ||||
-rw-r--r-- | src/p2p/p2p.c | 5 | ||||
-rw-r--r-- | src/rsn_supp/wpa.c | 6 | ||||
-rw-r--r-- | src/tls/tlsv1_client.c | 8 | ||||
-rw-r--r-- | src/tls/tlsv1_client.h | 3 | ||||
-rw-r--r-- | src/tls/tlsv1_client_i.h | 3 | ||||
-rw-r--r-- | src/tls/tlsv1_client_read.c | 3 | ||||
-rw-r--r-- | src/tls/tlsv1_server_read.c | 2 | ||||
-rw-r--r-- | src/tls/x509v3.c | 13 | ||||
-rw-r--r-- | src/tls/x509v3.h | 4 |
21 files changed, 132 insertions, 44 deletions
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 0a3e76e..09eed5a 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -288,6 +288,7 @@ struct hostapd_bss_config {
 */
 u16 max_listen_interval;
+ int disable_pmksa_caching;
 int okc; /* Opportunistic Key Caching */
 int wps_state;
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index d8af571..f00a544 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -40,6 +40,7 @@
 static int hostapd_flush_old_stations(struct hostapd_data *hapd);
 static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd);
+static int hostapd_broadcast_wep_clear(struct hostapd_data *hapd);
 extern int wpa_debug_level;
@@ -109,6 +110,7 @@ int hostapd_reload_config(struct hostapd_iface *iface)
 */
 for (j = 0; j < iface->num_bss; j++) {
 hostapd_flush_old_stations(iface->bss[j]);
+ hostapd_broadcast_wep_clear(iface->bss[j]);
 #ifndef CONFIG_NO_RADIUS
 /* TODO: update dynamic data based on changed configuration
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index cfb2cad..3fbb88b 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -2727,7 +2727,8 @@ const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
 int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
 int session_timeout, struct eapol_state_machine *eapol)
 {
- if (sm == NULL || sm->wpa != WPA_VERSION_WPA2)
+ if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
+ sm->wpa_auth->conf.disable_pmksa_caching)
 return -1;
 if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index b3e1ff0..e533a14 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -143,6 +143,7 @@ struct wpa_auth_config {
 int peerkey;
 int wmm_enabled;
 int wmm_uapsd;
+ int disable_pmksa_caching;
 int okc;
 int tx_status;
 #ifdef CONFIG_IEEE80211W
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index b35b7ba..0e3cb31 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
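Review bot: The return value of hostapd_broadcast_wep_clear() is discarded on the new line in hostapd_reload_config(), so a driver that fails to delete a stale group WEP key is never reported and the old key can stay loaded across the reload, which is exactly what this call is meant to prevent. The function is declared `static int` in the first hunk of this file, so the result is available; `if (hostapd_broadcast_wep_clear(iface->bss[j]) < 0) wpa_printf(MSG_INFO, "Failed to clear broadcast WEP keys for reload");` keeps the best-effort behaviour while making the failure visible. hostapd_flush_old_stations() on the preceding line has the same pre-existing issue. The definition of hostapd_broadcast_wep_clear() and the rest of hostapd_reload_config() are outside the hunk.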
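Review bot: wpa_auth_pmksa_add() now returns -1 both when PMKSA caching is administratively disabled and when pmksa_cache_auth_add() fails, so a caller that treats -1 as an error will report a spurious failure after every successful EAP authentication once disable_pmksa_caching is set; whether the callers do so is outside this diff. Since the signature is unchanged, the least intrusive fix is a comment on the new condition, `/* -1 also means caching is disabled by configuration, not only an add failure */`, so nobody later "fixes" the return for the disabled case. The new check dereferences sm->wpa_auth after the sm == NULL guard, consistent with the existing sm->wpa_auth->pmksa use on the following context line.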
@@ -48,6 +48,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
 wconf->peerkey = conf->peerkey;
 wconf->wmm_enabled = conf->wmm_enabled;
 wconf->wmm_uapsd = conf->wmm_uapsd;
+ wconf->disable_pmksa_caching = conf->disable_pmksa_caching;
 wconf->okc = conf->okc;
 #ifdef CONFIG_IEEE80211W
 wconf->ieee80211w = conf->ieee80211w;
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index 64124d8..cc165f6 100644
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -1,6 +1,6 @@
 /*
 * TLS interface functions and an internal TLS implementation
- * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -211,6 +211,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 return -1;
 }
+ tlsv1_client_set_time_checks(
+ conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
+
 return 0;
 #else /* CONFIG_TLS_INTERNAL_CLIENT */
 return -1;
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index bf92a11..14ff87e 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1,6 +1,6 @@
 /*
 * SSL/TLS interface functions for OpenSSL
- * Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -86,6 +86,8 @@ struct tls_connection {
 unsigned int server_cert_only:1;
 u8 srv_cert_hash[32];
+
+ unsigned int flags;
 };
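Review bot: The new tlsv1_client_set_time_checks() call in tls_connection_set_params() weakens certificate validation whenever TLS_CONN_DISABLE_TIME_CHECKS is set, and nothing on this path records that choice, so an operator trying to understand why an expired server certificate was accepted has no log line to find. A one-time notice next to the call, `if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) wpa_printf(MSG_INFO, "TLS: Certificate validity time checks disabled by configuration");`, costs nothing on the normal path. The call being unconditional is right, since it re-enables the checks when a later set_params call drops the flag. The beginning of tls_connection_set_params(), including any NULL check on conn->client, is outside the hunk.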
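Review bot: The new `unsigned int flags;` member of struct tls_connection is undocumented and, unlike the bitfields around it, does not say which bit namespace it carries; the verify callback later tests it against TLS_CONN_DISABLE_TIME_CHECKS, so it is the params->flags word. A trailing comment, `unsigned int flags; /* TLS_CONN_* bits copied from tls_connection_params */`, ties the producer and consumer together for the next reader. The start of struct tls_connection is outside the hunk.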
@@ -1192,6 +1194,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 preverify_ok = 1;
 if (!preverify_ok && depth > 0 && conn->server_cert_only)
 preverify_ok = 1;
+ if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
+ (err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ err == X509_V_ERR_CERT_NOT_YET_VALID)) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
+ "time mismatch");
+ preverify_ok = 1;
+ }
 err_str = X509_verify_cert_error_string(err);
@@ -2730,6 +2739,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 return -1;
 }
+ conn->flags = params->flags;
+
 tls_get_errors(tls_ctx);
 return 0;
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index cfc9372..50eac8a 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -157,6 +157,7 @@ struct wpa_driver_nl80211_data {
 int monitor_sock;
 int monitor_ifidx;
+ int no_monitor_iface_capab;
 int disable_11b_rates;
 unsigned int pending_remain_on_chan:1;
@@ -1325,6 +1326,20 @@ static void nl80211_new_station_event(struct wpa_driver_nl80211_data *drv,
 return;
 addr = nla_data(tb[NL80211_ATTR_MAC]);
 wpa_printf(MSG_DEBUG, "nl80211: New station " MACSTR, MAC2STR(addr));
+
+ if (drv->nlmode == NL80211_IFTYPE_AP &&
+ drv->no_monitor_iface_capab) {
+ u8 *ies = NULL;
+ size_t ies_len = 0;
+ if (tb[NL80211_ATTR_IE]) {
+ ies = nla_data(tb[NL80211_ATTR_IE]);
+ ies_len = nla_len(tb[NL80211_ATTR_IE]);
+ }
+ wpa_hexdump(MSG_DEBUG, "nl80211: Assoc Req IEs", ies, ies_len);
+ drv_event_assoc(drv->ctx, addr, ies, ies_len, 0);
+ return;
+ }
+
 if (drv->nlmode != NL80211_IFTYPE_ADHOC)
 return;
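Review bot: The new override in tls_verify_cb() accepts expired and not-yet-valid certificates at every depth, including CA certificates, but reports it only at MSG_DEBUG, so a normal log keeps no trace that a stale chain was accepted. Because this is a deliberate downgrade of validation, `wpa_printf(MSG_INFO, "OpenSSL: Ignore certificate validity time mismatch (depth=%d)", depth);` would match the MSG_INFO level the internal X.509 code uses for the corresponding rejection and identify which certificate was affected. The lookup of conn earlier in the callback is outside the hunk.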
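Review bot: In the new AP-mode branch of nl80211_new_station_event() the reassoc argument of drv_event_assoc() is hard-coded to 0, so a reassociation the kernel reports through NL80211_CMD_NEW_STATION reaches hostapd as a fresh association; if the event carries nothing that distinguishes the two this is a limitation that deserves a comment, e.g. `/* NEW_STATION does not tell assoc from reassoc; report as assoc */`. It is also worth noting in the same place that in this mode the kernel has already accepted the station before hostapd sees it, unlike the monitor-interface path where hostapd processes the Association Request itself, so any rejection hostapd decides on is after the fact. The rest of the function is outside the hunk.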
@@ -1345,6 +1360,13 @@ static void nl80211_del_station_event(struct wpa_driver_nl80211_data *drv,
 addr = nla_data(tb[NL80211_ATTR_MAC]);
 wpa_printf(MSG_DEBUG, "nl80211: Delete station " MACSTR, MAC2STR(addr));
+
+ if (drv->nlmode == NL80211_IFTYPE_AP &&
+ drv->no_monitor_iface_capab) {
+ drv_event_disassoc(drv->ctx, addr);
+ return;
+ }
+
 if (drv->nlmode != NL80211_IFTYPE_ADHOC)
 return;
@@ -3635,6 +3657,12 @@ static int wpa_driver_nl80211_send_frame(struct wpa_driver_nl80211_data *drv,
 if (encrypt)
 rtap_hdr[8] |= IEEE80211_RADIOTAP_F_WEP;
+ if (drv->monitor_sock < 0) {
+ wpa_printf(MSG_DEBUG, "nl80211: No monitor socket available "
+ "for %s", __func__);
+ return -1;
+ }
+
 res = sendmsg(drv->monitor_sock, &msg, 0);
 if (res < 0) {
 wpa_printf(MSG_INFO, "nl80211: sendmsg: %s", strerror(errno));
@@ -4273,6 +4301,12 @@ nl80211_create_monitor_interface(struct wpa_driver_nl80211_data *drv)
 nl80211_create_iface(drv, buf, NL80211_IFTYPE_MONITOR, NULL, 0);
+ if (drv->monitor_ifidx == -EOPNOTSUPP) {
+ wpa_printf(MSG_DEBUG, "nl80211: Driver does not support "
+ "monitor interface type - try to run without it");
+ drv->no_monitor_iface_capab = 1;
+ }
+
 if (drv->monitor_ifidx < 0)
 return -1;
@@ -4971,8 +5005,9 @@ static int wpa_driver_nl80211_set_mode(void *priv, int mode)
 done:
 if (!ret && nlmode == NL80211_IFTYPE_AP) {
 /* Setup additional AP mode functionality if needed */
- if (drv->monitor_ifidx < 0 &&
- nl80211_create_monitor_interface(drv))
+ if (!drv->no_monitor_iface_capab && drv->monitor_ifidx < 0 &&
+ nl80211_create_monitor_interface(drv) &&
+ !drv->no_monitor_iface_capab)
 return -1;
 } else if (!ret && nlmode != NL80211_IFTYPE_AP) {
 /* Remove additional AP mode functionality */
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 8a9826f..ecfaf30 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
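Review bot: The new guard in wpa_driver_nl80211_send_frame() turns every frame hostapd tries to transmit in monitor-less AP mode into a MSG_DEBUG line and -1, and nothing in this diff routes those frames elsewhere; if hostapd's own Deauthentication and Disassociation frames also reach this function, an AP without a monitor interface can no longer tell a station why it was dropped, which is worth confirming against the sta_deauth/sta_disassoc callers before this is merged. The check would also be cheaper and clearer at the top of the function, before the radiotap header is built, since nothing between function entry and the sendmsg() call needs the socket. At minimum the message should be MSG_INFO so the silent drop is visible in a normal log. The start of the function and its callers are outside the hunk.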
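Review bot: The rewritten condition in wpa_driver_nl80211_set_mode() tests drv->no_monitor_iface_capab twice, and the second test only makes sense because nl80211_create_monitor_interface() sets the flag as a side effect before returning -1; a reader without that context will take it for a copy-paste mistake. A short comment on the line, `/* creation may have just set no_monitor_iface_capab: not an error */`, or lifting the create call into its own statement and checking the flag afterwards, keeps the intent obvious. The remainder of set_mode() is outside the hunk.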
@@ -1168,7 +1168,6 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
 {
 struct eap_sm *sm = ctx;
 char *hash_hex = NULL;
- char *cert_hex = NULL;
 switch (ev) {
 case TLS_CERT_CHAIN_FAILURE:
@@ -1180,6 +1179,9 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
 data->cert_fail.reason_txt);
 break;
 case TLS_PEER_CERTIFICATE:
+ if (!sm->eapol_cb->notify_cert)
+ break;
+
 if (data->peer_cert.hash) {
 size_t len = data->peer_cert.hash_len * 2 + 1;
 hash_hex = os_malloc(len);
@@ -1189,31 +1191,15 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
 data->peer_cert.hash_len);
 }
 }
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s'%s%s",
- data->peer_cert.depth, data->peer_cert.subject,
- hash_hex ? " hash=" : "", hash_hex ? hash_hex : "");
-
- if (data->peer_cert.cert) {
- size_t len = wpabuf_len(data->peer_cert.cert) * 2 + 1;
- cert_hex = os_malloc(len);
- if (cert_hex == NULL)
- break;
- wpa_snprintf_hex(cert_hex, len,
- wpabuf_head(data->peer_cert.cert),
- wpabuf_len(data->peer_cert.cert));
- wpa_msg_ctrl(sm->msg_ctx, MSG_INFO,
- WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s' cert=%s",
- data->peer_cert.depth,
- data->peer_cert.subject,
- cert_hex);
- }
+
+ sm->eapol_cb->notify_cert(sm->eapol_ctx,
+ data->peer_cert.depth,
+ data->peer_cert.subject,
+ hash_hex, data->peer_cert.cert);
 break;
 }
 os_free(hash_hex);
- os_free(cert_hex);
 }
diff --git a/src/eap_peer/eap.h b/src/eap_peer/eap.h
index 3550909..2a80d4e 100644
--- a/src/eap_peer/eap.h
+++ b/src/eap_peer/eap.h
@@ -221,6 +221,17 @@ struct eapol_callbacks {
 */
 void (*eap_param_needed)(void *ctx, const char *field,
 const char *txt);
+
+ /**
+ * notify_cert - Notification of a peer certificate
+ * @ctx: eapol_ctx from eap_peer_sm_init() call
+ * @depth: Depth in certificate chain (0 = server)
+ * @subject: Subject of the peer certificate
+ * @cert_hash: SHA-256 hash of the certificate
+ * @cert: Peer certificate
+ */
+ void (*notify_cert)(void *ctx, int depth, const char *subject,
+ const char *cert_hash, const struct wpabuf *cert);
 };
 /**
diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 18abb4e..bb6cff6 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -1825,6 +1825,15 @@ static void eapol_sm_eap_param_needed(void *ctx, const char *field,
 #define eapol_sm_eap_param_needed NULL
 #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
+static void eapol_sm_notify_cert(void *ctx, int depth, const char *subject,
+ const char *cert_hash,
+ const struct wpabuf *cert)
+{
+ struct eapol_sm *sm = ctx;
+ if (sm->ctx->cert_cb)
+ sm->ctx->cert_cb(sm->ctx->ctx, depth, subject,
+ cert_hash, cert);
+}
 static struct eapol_callbacks eapol_cb =
 {
@@ -1837,7 +1846,8 @@ static struct eapol_callbacks eapol_cb =
 eapol_sm_set_config_blob,
 eapol_sm_get_config_blob,
 eapol_sm_notify_pending,
- eapol_sm_eap_param_needed
+ eapol_sm_eap_param_needed,
+ eapol_sm_notify_cert
 };
diff --git a/src/eapol_supp/eapol_supp_sm.h b/src/eapol_supp/eapol_supp_sm.h
index 1bdf8cd..3ea7e79 100644
--- a/src/eapol_supp/eapol_supp_sm.h
+++ b/src/eapol_supp/eapol_supp_sm.h
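Review bot: The new notify_cert documentation in struct eapol_callbacks describes cert_hash as a "SHA-256 hash of the certificate", but the producer in eap.c passes a hex string built with wpa_snprintf_hex(), and passes NULL when the TLS backend supplied no hash; cert may likewise be NULL, and the hash algorithm is whatever the backend chose (the 32-byte srv_cert_hash in tls_openssl.c suggests SHA-256 there, but the internal TLS backend is not shown). Implementers of the hook need those facts, so `@cert_hash: Hex-encoded certificate hash (SHA-256 with the OpenSSL backend), or %NULL if not available` and `@cert: Peer certificate, or %NULL if not available` would be more accurate. The same text is duplicated on cert_cb in eapol_supp_sm.h and should be kept in step.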
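Review bot: eapol_cb is initialized positionally, so the new eapol_sm_notify_cert entry is bound to its place as the last member of struct eapol_callbacks, and any other positional initializer of that struct elsewhere in the tree silently gets a NULL notify_cert, which is presumably why eap.c now checks the pointer before calling it. If the code base already compiles as C99, designated initializers (`.eap_param_needed = eapol_sm_eap_param_needed,` and `.notify_cert = eapol_sm_notify_cert`) would make the binding explicit; otherwise a brief comment that new members must be appended in declaration order is worth adding above the initializer. The opening lines of the initializer are outside the hunk.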
@@ -220,6 +220,17 @@ struct eapol_ctx {
 * @authorized: Whether the supplicant port is now in authorized state
 */
 void (*port_cb)(void *ctx, int authorized);
+
+ /**
+ * cert_cb - Notification of a peer certificate
+ * @ctx: Callback context (ctx)
+ * @depth: Depth in certificate chain (0 = server)
+ * @subject: Subject of the peer certificate
+ * @cert_hash: SHA-256 hash of the certificate
+ * @cert: Peer certificate
+ */
+ void (*cert_cb)(void *ctx, int depth, const char *subject,
+ const char *cert_hash, const struct wpabuf *cert);
 };
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 191099a..d4fac56 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -634,7 +634,10 @@ static void p2p_device_free(struct p2p_data *p2p, struct p2p_device *dev)
 if (p2p->pending_client_disc_go == dev)
 p2p->pending_client_disc_go = NULL;
- p2p->cfg->dev_lost(p2p->cfg->cb_ctx, dev->info.p2p_device_addr);
+ /* dev_lost() device, but only if it was previously dev_found() */
+ if (dev->flags & P2P_DEV_REPORTED_ONCE)
+ p2p->cfg->dev_lost(p2p->cfg->cb_ctx,
+ dev->info.p2p_device_addr);
 for (i = 0; i < P2P_MAX_WPS_VENDOR_EXT; i++) {
 wpabuf_free(dev->info.wps_vendor_ext[i]);
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 01a46dc..7c0ac87 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -198,7 +198,8 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
 wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
 "machines", sm->pmk, pmk_len);
 sm->pmk_len = pmk_len;
- if (sm->proto == WPA_PROTO_RSN) {
+ if (sm->proto == WPA_PROTO_RSN &&
+ !wpa_key_mgmt_ft(sm->key_mgmt)) {
 pmksa_cache_add(sm->pmksa, sm->pmk, pmk_len,
 src_addr, sm->own_addr, sm->network_ctx,
 sm->key_mgmt);
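Review bot: The new `!wpa_key_mgmt_ft(sm->key_mgmt)` condition in wpa_supplicant_get_pmk() skips pmksa_cache_add() for FT key management without saying why; the commit list explains it ("FT: Disable PMKSA cache for FT-IEEE8021X"), but the code does not, and a reader who does not know that FT derives its per-association keys from the FT key hierarchy rather than a cached PMKSA will see an unexplained exclusion. A one-line comment on the condition, `/* FT-IEEE8021X keys come from the FT key hierarchy; do not cache the PMKSA */`, would save the next reader a trip to the history. The remainder of wpa_supplicant_get_pmk() is outside the hunk.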
@@ -227,7 +228,8 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
 }
 }
- if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) {
+ if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
+ !wpa_key_mgmt_ft(sm->key_mgmt)) {
 /* Send EAPOL-Start to trigger full EAP authentication. */
 u8 *buf;
 size_t buflen;
diff --git a/src/tls/tlsv1_client.c b/src/tls/tlsv1_client.c
index afb6031..8b7e26f 100644
--- a/src/tls/tlsv1_client.c
+++ b/src/tls/tlsv1_client.c
@@ -1,6 +1,6 @@
 /*
 * TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -656,6 +656,12 @@ int tlsv1_client_set_cred(struct tlsv1_client *conn,
 }
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled)
+{
+ conn->disable_time_checks = !enabled;
+}
+
+
 void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn,
 tlsv1_client_session_ticket_cb cb,
 void *ctx)
diff --git a/src/tls/tlsv1_client.h b/src/tls/tlsv1_client.h
index 16ad57d..a620d62 100644
--- a/src/tls/tlsv1_client.h
+++ b/src/tls/tlsv1_client.h
@@ -1,6 +1,6 @@
 /*
 * TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -47,6 +47,7 @@ int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn);
 int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers);
 int tlsv1_client_set_cred(struct tlsv1_client *conn,
 struct tlsv1_credentials *cred);
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled);
 typedef int (*tlsv1_client_session_ticket_cb)
 (void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
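Review bot: With the added `!wpa_key_mgmt_ft(sm->key_mgmt)` test, an FT-IEEE8021X association that reaches this point with abort_cached set no longer sends the EAPOL-Start that restarts EAP, and the hunk does not show what the function does instead; if it falls through to its existing failure return, the 4-way handshake is abandoned rather than recovered, which may be the intended outcome for FT but is not stated anywhere. A comment on the condition, `/* FT: no EAPOL-Start fallback; the PMK-R1 must come from the FT protocol */`, or a MSG_DEBUG line in the FT case, would make the behaviour deliberate rather than accidental. The rest of wpa_supplicant_get_pmk(), including its return value in this case, is outside the hunk.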
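Review bot: tlsv1_client_set_time_checks() has no kernel-doc comment, and its sign convention is easy to get wrong: the parameter is `enabled` while the stored field is `disable_time_checks`, and the caller in tls_internal.c already has to negate a "disable" flag to pass it. A header comment such as `/** tlsv1_client_set_time_checks - Control X.509 validity period checking; @conn: TLSv1 client connection; @enabled: 1 to enforce notBefore/notAfter (the default), 0 to skip the check */`, with each field on its own line, removes the ambiguity at the one place where the negation happens. The same one-line summary belongs on the prototype added to tlsv1_client.h.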
diff --git a/src/tls/tlsv1_client_i.h b/src/tls/tlsv1_client_i.h
index 7fe179f..f091bcf 100644
--- a/src/tls/tlsv1_client_i.h
+++ b/src/tls/tlsv1_client_i.h
@@ -1,6 +1,6 @@
 /*
 * TLSv1 client - internal structures
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -39,6 +39,7 @@ struct tlsv1_client {
 unsigned int session_resumed:1;
 unsigned int session_ticket_included:1;
 unsigned int use_session_ticket:1;
+ unsigned int disable_time_checks:1;
 struct crypto_public_key *server_rsa_key;
diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index ed3f260..faa891a 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -365,7 +365,8 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 if (conn->cred &&
 x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
- &reason) < 0) {
+ &reason, conn->disable_time_checks)
+ < 0) {
 int tls_reason;
 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 "validation failed (reason=%d)", reason);
diff --git a/src/tls/tlsv1_server_read.c b/src/tls/tlsv1_server_read.c
index 49e811f..fd74436 100644
--- a/src/tls/tlsv1_server_read.c
+++ b/src/tls/tlsv1_server_read.c
@@ -424,7 +424,7 @@ static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
 }
 if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
- &reason) < 0) {
+ &reason, 0) < 0) {
 int tls_reason;
 wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
 "validation failed (reason=%d)", reason);
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index bc93df6..347f975 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
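Review bot: The bare `0` passed as the new disable_time_checks argument in the server-side tls_process_certificate() is the right policy (client certificates are always checked for their validity period) but is opaque to anyone reading this call on its own, and a future copy of the client-side call could change it without noticing. A trailing comment at the call, `&reason, 0 /* always enforce validity period */) < 0) {`, documents the decision where it is made. The enclosing function continues outside the hunk.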
@@ -1,6 +1,6 @@
 /*
 * X.509v3 certificate parsing and processing (RFC 3280 profile)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -1834,7 +1834,7 @@ static int x509_valid_issuer(const struct x509_certificate *cert)
 */
 int x509_certificate_chain_validate(struct x509_certificate *trusted,
 struct x509_certificate *chain,
- int *reason)
+ int *reason, int disable_time_checks)
 {
 long unsigned idx;
 int chain_trusted = 0;
@@ -1854,10 +1854,11 @@ int x509_certificate_chain_validate(struct x509_certificate *trusted,
 if (chain_trusted)
 continue;
- if ((unsigned long) now.sec <
- (unsigned long) cert->not_before ||
- (unsigned long) now.sec >
- (unsigned long) cert->not_after) {
+ if (!disable_time_checks &&
+ ((unsigned long) now.sec <
+ (unsigned long) cert->not_before ||
+ (unsigned long) now.sec >
+ (unsigned long) cert->not_after)) {
 wpa_printf(MSG_INFO, "X509: Certificate not valid "
 "(now=%lu not_before=%lu not_after=%lu)",
 now.sec, cert->not_before, cert->not_after);
diff --git a/src/tls/x509v3.h b/src/tls/x509v3.h
index 37292d7..3e2005b 100644
--- a/src/tls/x509v3.h
+++ b/src/tls/x509v3.h
@@ -1,6 +1,6 @@
 /*
 * X.509v3 certificate parsing and processing
- * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
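Review bot: When disable_time_checks is set, x509_certificate_chain_validate() now skips the notBefore/notAfter comparison without any log line, whereas the rejection it replaces is logged at MSG_INFO and even the OpenSSL backend prints a debug message for the same bypass, so an operator has no way to see that the internal TLS code accepted a stale certificate. Evaluating the comparison unconditionally and then either rejecting or logging, as sketched below, keeps that visibility at no cost on the normal path. The kernel-doc block above the function, which ends at the ` */` context line in the first hunk, also needs an `@disable_time_checks: Whether to skip the validity period check (0 = enforce)` entry for the new parameter. The failure handling that follows the wpa_printf is outside the hunk.
```c
		if ((unsigned long) now.sec <
		    (unsigned long) cert->not_before ||
		    (unsigned long) now.sec >
		    (unsigned long) cert->not_after) {
			if (disable_time_checks) {
				wpa_printf(MSG_INFO, "X509: Ignoring certificate "
					   "validity time mismatch (now=%lu "
					   "not_before=%lu not_after=%lu)",
					   now.sec, cert->not_before,
					   cert->not_after);
			} else {
				wpa_printf(MSG_INFO, "X509: Certificate not valid "
					   "(now=%lu not_before=%lu not_after=%lu)",
					   now.sec, cert->not_before, cert->not_after);
				/* … unchanged: failure handling that follows the wpa_printf … */
			}
		}
```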
@@ -120,7 +120,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
 struct x509_certificate *cert);
 int x509_certificate_chain_validate(struct x509_certificate *trusted,
 struct x509_certificate *chain,
- int *reason);
+ int *reason, int disable_time_checks);
 struct x509_certificate *
 x509_certificate_get_subject(struct x509_certificate *chain,
 struct x509_name *name);
|