authorDmitry Shmidt <dimitrysh@google.com>2011-07-07 11:18:38 -0700
committerDmitry Shmidt <dimitrysh@google.com>2011-07-07 11:23:25 -0700
commitc55524ad84d13014e8019491c2b17e5dcf13545a (patch)
tree3c1a0f04ed12cadca7312b1b6f3f0c0caa6018ca /src
parent13970b010f3e5b274336677311a5586410ecc8fa (diff)
Accumulative patch from commit 8fd0f0f323a922aa88ec720ee524f7105d3b0f64
Fix D-Bus build without CONFIG_P2P=y nl80211: Allow AP mode to be started without monitor interface nl80211: Process association/disassociation events in AP mode DBus/P2P: Adding decl for PersistentGroupRemoved signal DBus/P2P: Rectified type of SecondaryDeviceTypes in device property Get P2P: Only call dev_lost() for devices that have been dev_found() wpa_cli: Add missing parameter for P2P_GROUP_ADD command wpa_supplicant: Respect PKG_CONFIG variable if set in the environment TLS: Add support for tls_disable_time_checks=1 in client mode hostapd: Clear keys configured when hostapd reloads configuration Add dbus signal for information about server certification Move peer certificate wpa_msg() calls to notify.c wpa_supplicant AP: Disable AP mode on disassoc paths wpa_s AP mode: Enable HT20 if driver supports it Allow PMKSA caching to be disabled on Authenticator FT: Disable PMKSA cache for FT-IEEE8021X FT: Clear SME ft_used/ft_ies when disconnecting 8fd0f0f323a922aa88ec720ee524f7105d3b0f64 Change-Id: I6ae333196c36ffa7589662d5269fabfc3b994605 Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Diffstat (limited to 'src')
-rw-r--r--src/ap/ap_config.h1
-rw-r--r--src/ap/hostapd.c2
-rw-r--r--src/ap/wpa_auth.c3
-rw-r--r--src/ap/wpa_auth.h1
-rw-r--r--src/ap/wpa_auth_glue.c1
-rw-r--r--src/crypto/tls_internal.c5
-rw-r--r--src/crypto/tls_openssl.c13
-rw-r--r--src/drivers/driver_nl80211.c39
-rw-r--r--src/eap_peer/eap.c30
-rw-r--r--src/eap_peer/eap.h11
-rw-r--r--src/eapol_supp/eapol_supp_sm.c12
-rw-r--r--src/eapol_supp/eapol_supp_sm.h11
-rw-r--r--src/p2p/p2p.c5
-rw-r--r--src/rsn_supp/wpa.c6
-rw-r--r--src/tls/tlsv1_client.c8
-rw-r--r--src/tls/tlsv1_client.h3
-rw-r--r--src/tls/tlsv1_client_i.h3
-rw-r--r--src/tls/tlsv1_client_read.c3
-rw-r--r--src/tls/tlsv1_server_read.c2
-rw-r--r--src/tls/x509v3.c13
-rw-r--r--src/tls/x509v3.h4
21 files changed, 132 insertions, 44 deletions
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 0a3e76e..09eed5a 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -288,6 +288,7 @@ struct hostapd_bss_config {
*/
u16 max_listen_interval;
+ int disable_pmksa_caching;
int okc; /* Opportunistic Key Caching */
int wps_state;
diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c
index d8af571..f00a544 100644
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
@@ -40,6 +40,7 @@
static int hostapd_flush_old_stations(struct hostapd_data *hapd);
static int hostapd_setup_encryption(char *iface, struct hostapd_data *hapd);
+static int hostapd_broadcast_wep_clear(struct hostapd_data *hapd);
extern int wpa_debug_level;
@@ -109,6 +110,7 @@ int hostapd_reload_config(struct hostapd_iface *iface)
*/
for (j = 0; j < iface->num_bss; j++) {
hostapd_flush_old_stations(iface->bss[j]);
+ hostapd_broadcast_wep_clear(iface->bss[j]);
#ifndef CONFIG_NO_RADIUS
/* TODO: update dynamic data based on changed configuration
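Review bot: The return value of the new `hostapd_broadcast_wep_clear(iface->bss[j]);` call is discarded, so a failure to clear the old broadcast WEP keys on a configuration reload goes unnoticed even though the added forward declaration gives the function an `int` result. Its definition is not visible in this diff, but if it can fail it deserves at least a debug line, e.g. `if (hostapd_broadcast_wep_clear(iface->bss[j]) < 0) wpa_printf(MSG_DEBUG, "Failed to clear broadcast WEP keys on reload");`. The pre-existing hostapd_flush_old_stations() call directly above has the same pattern. hostapd_reload_config() continues outside the hunk.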
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index cfb2cad..3fbb88b 100644
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -2727,7 +2727,8 @@ const u8 * wpa_auth_get_wpa_ie(struct wpa_authenticator *wpa_auth, size_t *len)
int wpa_auth_pmksa_add(struct wpa_state_machine *sm, const u8 *pmk,
int session_timeout, struct eapol_state_machine *eapol)
{
- if (sm == NULL || sm->wpa != WPA_VERSION_WPA2)
+ if (sm == NULL || sm->wpa != WPA_VERSION_WPA2 ||
+ sm->wpa_auth->conf.disable_pmksa_caching)
return -1;
if (pmksa_cache_auth_add(sm->wpa_auth->pmksa, pmk, PMK_LEN,
diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
index b3e1ff0..e533a14 100644
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -143,6 +143,7 @@ struct wpa_auth_config {
int peerkey;
int wmm_enabled;
int wmm_uapsd;
+ int disable_pmksa_caching;
int okc;
int tx_status;
#ifdef CONFIG_IEEE80211W
diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
index b35b7ba..0e3cb31 100644
--- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c
@@ -48,6 +48,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
wconf->peerkey = conf->peerkey;
wconf->wmm_enabled = conf->wmm_enabled;
wconf->wmm_uapsd = conf->wmm_uapsd;
+ wconf->disable_pmksa_caching = conf->disable_pmksa_caching;
wconf->okc = conf->okc;
#ifdef CONFIG_IEEE80211W
wconf->ieee80211w = conf->ieee80211w;
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index 64124d8..cc165f6 100644
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -1,6 +1,6 @@
/*
* TLS interface functions and an internal TLS implementation
- * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -211,6 +211,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
+ tlsv1_client_set_time_checks(
+ conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
+
return 0;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
return -1;
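Review bot: Disabling certificate validity-time checks deliberately weakens chain validation, yet the new tlsv1_client_set_time_checks() call leaves no trace in the log when TLS_CONN_DISABLE_TIME_CHECKS is set, so an operator later reading the log cannot tell why an expired server certificate was accepted. A one-line message next to the call, `if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) wpa_printf(MSG_INFO, "TLS: Certificate validity time checks disabled");`, would make the configured downgrade visible. Unlike the OpenSSL backend in this same commit, which stores the whole params->flags, the internal client consumes only this one bit, so any other flag is silently ignored here; that is worth a comment if intended. tls_connection_set_params() starts before the hunk.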
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index bf92a11..14ff87e 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1,6 +1,6 @@
/*
* SSL/TLS interface functions for OpenSSL
- * Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -86,6 +86,8 @@ struct tls_connection {
unsigned int server_cert_only:1;
u8 srv_cert_hash[32];
+
+ unsigned int flags;
};
@@ -1192,6 +1194,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
preverify_ok = 1;
if (!preverify_ok && depth > 0 && conn->server_cert_only)
preverify_ok = 1;
+ if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
+ (err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ err == X509_V_ERR_CERT_NOT_YET_VALID)) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
+ "time mismatch");
+ preverify_ok = 1;
+ }
err_str = X509_verify_cert_error_string(err);
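Review bot: The new override in tls_verify_cb() accepts an expired or not-yet-valid certificate at any depth, including intermediate and root CA certificates, but reports it only at MSG_DEBUG, so at the default log level the acceptance is invisible. Since this is an intentional bypass of a validation failure, `wpa_printf(MSG_INFO, "OpenSSL: Ignore certificate validity time mismatch");` would be the more appropriate level and would match the MSG_INFO the internal x509 validator uses for the same condition. Whether `conn->flags` is reliably zero for connections on which tls_connection_set_params() was never called depends on how the connection is allocated, which is outside this hunk. tls_verify_cb() continues outside the hunk.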
@@ -2730,6 +2739,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
+ conn->flags = params->flags;
+
tls_get_errors(tls_ctx);
return 0;
diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
index cfc9372..50eac8a 100644
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
@@ -157,6 +157,7 @@ struct wpa_driver_nl80211_data {
int monitor_sock;
int monitor_ifidx;
+ int no_monitor_iface_capab;
int disable_11b_rates;
unsigned int pending_remain_on_chan:1;
@@ -1325,6 +1326,20 @@ static void nl80211_new_station_event(struct wpa_driver_nl80211_data *drv,
return;
addr = nla_data(tb[NL80211_ATTR_MAC]);
wpa_printf(MSG_DEBUG, "nl80211: New station " MACSTR, MAC2STR(addr));
+
+ if (drv->nlmode == NL80211_IFTYPE_AP &&
+ drv->no_monitor_iface_capab) {
+ u8 *ies = NULL;
+ size_t ies_len = 0;
+ if (tb[NL80211_ATTR_IE]) {
+ ies = nla_data(tb[NL80211_ATTR_IE]);
+ ies_len = nla_len(tb[NL80211_ATTR_IE]);
+ }
+ wpa_hexdump(MSG_DEBUG, "nl80211: Assoc Req IEs", ies, ies_len);
+ drv_event_assoc(drv->ctx, addr, ies, ies_len, 0);
+ return;
+ }
+
if (drv->nlmode != NL80211_IFTYPE_ADHOC)
return;
@@ -1345,6 +1360,13 @@ static void nl80211_del_station_event(struct wpa_driver_nl80211_data *drv,
addr = nla_data(tb[NL80211_ATTR_MAC]);
wpa_printf(MSG_DEBUG, "nl80211: Delete station " MACSTR,
MAC2STR(addr));
+
+ if (drv->nlmode == NL80211_IFTYPE_AP &&
+ drv->no_monitor_iface_capab) {
+ drv_event_disassoc(drv->ctx, addr);
+ return;
+ }
+
if (drv->nlmode != NL80211_IFTYPE_ADHOC)
return;
@@ -3635,6 +3657,12 @@ static int wpa_driver_nl80211_send_frame(struct wpa_driver_nl80211_data *drv,
if (encrypt)
rtap_hdr[8] |= IEEE80211_RADIOTAP_F_WEP;
+ if (drv->monitor_sock < 0) {
+ wpa_printf(MSG_DEBUG, "nl80211: No monitor socket available "
+ "for %s", __func__);
+ return -1;
+ }
+
res = sendmsg(drv->monitor_sock, &msg, 0);
if (res < 0) {
wpa_printf(MSG_INFO, "nl80211: sendmsg: %s", strerror(errno));
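Review bot: The `if (drv->monitor_sock < 0)` guard is placed after the radiotap header has already been built and `msg` populated, so that work is wasted whenever there is no monitor socket; as a point of style the check belongs at the top of wpa_driver_nl80211_send_frame(), before any header setup. The enclosing function starts outside the hunk, so the exact insertion point is not visible here. Returning -1 here gives callers the same result as a failed sendmsg(), which seems acceptable given the debug message names the function.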
@@ -4273,6 +4301,12 @@ nl80211_create_monitor_interface(struct wpa_driver_nl80211_data *drv)
nl80211_create_iface(drv, buf, NL80211_IFTYPE_MONITOR, NULL,
0);
+ if (drv->monitor_ifidx == -EOPNOTSUPP) {
+ wpa_printf(MSG_DEBUG, "nl80211: Driver does not support "
+ "monitor interface type - try to run without it");
+ drv->no_monitor_iface_capab = 1;
+ }
+
if (drv->monitor_ifidx < 0)
return -1;
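Review bot: The fallback keys on `drv->monitor_ifidx == -EOPNOTSUPP`, which only works if nl80211_create_iface() propagates the kernel's negative errno rather than returning a generic -1; nl80211_create_iface() is not visible in this diff, so this should be confirmed, otherwise no_monitor_iface_capab is never set and AP mode still fails on drivers without monitor support. Once confirmed, a short comment on the check, `/* nl80211_create_iface() returns the kernel's -errno on failure */`, would document the dependency for the next reader. nl80211_create_monitor_interface() continues outside the hunk.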
@@ -4971,8 +5005,9 @@ static int wpa_driver_nl80211_set_mode(void *priv, int mode)
done:
if (!ret && nlmode == NL80211_IFTYPE_AP) {
/* Setup additional AP mode functionality if needed */
- if (drv->monitor_ifidx < 0 &&
- nl80211_create_monitor_interface(drv))
+ if (!drv->no_monitor_iface_capab && drv->monitor_ifidx < 0 &&
+ nl80211_create_monitor_interface(drv) &&
+ !drv->no_monitor_iface_capab)
return -1;
} else if (!ret && nlmode != NL80211_IFTYPE_AP) {
/* Remove additional AP mode functionality */
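Review bot: The rewritten condition in wpa_driver_nl80211_set_mode() tests `!drv->no_monitor_iface_capab` twice, once before and once after nl80211_create_monitor_interface(); this is intentional, since the create call may set the flag and its -1 return must then be ignored, but without a comment it reads like a copy-paste mistake and is likely to be "simplified" away by a later cleanup. Suggest a comment above the `if`, `/* Re-check the flag: nl80211_create_monitor_interface() sets it when the driver lacks monitor support, and that failure is not fatal */`. The function body continues outside the hunk.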
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 8a9826f..ecfaf30 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -1168,7 +1168,6 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
{
struct eap_sm *sm = ctx;
char *hash_hex = NULL;
- char *cert_hex = NULL;
switch (ev) {
case TLS_CERT_CHAIN_FAILURE:
@@ -1180,6 +1179,9 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
data->cert_fail.reason_txt);
break;
case TLS_PEER_CERTIFICATE:
+ if (!sm->eapol_cb->notify_cert)
+ break;
+
if (data->peer_cert.hash) {
size_t len = data->peer_cert.hash_len * 2 + 1;
hash_hex = os_malloc(len);
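Review bot: The new early `break` when `sm->eapol_cb->notify_cert` is NULL silently drops all peer-certificate reporting for callers that do not provide the callback, whereas before this commit the wpa_msg() event was emitted unconditionally; the diff updates only the eapol_supp_sm.c callback table, so any other eapol_callbacks initializer in the tree would lose the WPA_EVENT_EAP_PEER_CERT output without any error. If that is the intended contract, a comment at the break, `/* Certificate reporting is delegated to the EAPOL layer (notify.c) */`, would record it. eap_peer_sm_tls_event() starts outside the hunk.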
@@ -1189,31 +1191,15 @@ static void eap_peer_sm_tls_event(void *ctx, enum tls_event ev,
data->peer_cert.hash_len);
}
}
- wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s'%s%s",
- data->peer_cert.depth, data->peer_cert.subject,
- hash_hex ? " hash=" : "", hash_hex ? hash_hex : "");
-
- if (data->peer_cert.cert) {
- size_t len = wpabuf_len(data->peer_cert.cert) * 2 + 1;
- cert_hex = os_malloc(len);
- if (cert_hex == NULL)
- break;
- wpa_snprintf_hex(cert_hex, len,
- wpabuf_head(data->peer_cert.cert),
- wpabuf_len(data->peer_cert.cert));
- wpa_msg_ctrl(sm->msg_ctx, MSG_INFO,
- WPA_EVENT_EAP_PEER_CERT
- "depth=%d subject='%s' cert=%s",
- data->peer_cert.depth,
- data->peer_cert.subject,
- cert_hex);
- }
+
+ sm->eapol_cb->notify_cert(sm->eapol_ctx,
+ data->peer_cert.depth,
+ data->peer_cert.subject,
+ hash_hex, data->peer_cert.cert);
break;
}
os_free(hash_hex);
- os_free(cert_hex);
}
diff --git a/src/eap_peer/eap.h b/src/eap_peer/eap.h
index 3550909..2a80d4e 100644
--- a/src/eap_peer/eap.h
+++ b/src/eap_peer/eap.h
@@ -221,6 +221,17 @@ struct eapol_callbacks {
*/
void (*eap_param_needed)(void *ctx, const char *field,
const char *txt);
+
+ /**
+ * notify_cert - Notification of a peer certificate
+ * @ctx: eapol_ctx from eap_peer_sm_init() call
+ * @depth: Depth in certificate chain (0 = server)
+ * @subject: Subject of the peer certificate
+ * @cert_hash: SHA-256 hash of the certificate
+ * @cert: Peer certificate
+ */
+ void (*notify_cert)(void *ctx, int depth, const char *subject,
+ const char *cert_hash, const struct wpabuf *cert);
};
/**
diff --git a/src/eapol_supp/eapol_supp_sm.c b/src/eapol_supp/eapol_supp_sm.c
index 18abb4e..bb6cff6 100644
--- a/src/eapol_supp/eapol_supp_sm.c
+++ b/src/eapol_supp/eapol_supp_sm.c
@@ -1825,6 +1825,15 @@ static void eapol_sm_eap_param_needed(void *ctx, const char *field,
#define eapol_sm_eap_param_needed NULL
#endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
+static void eapol_sm_notify_cert(void *ctx, int depth, const char *subject,
+ const char *cert_hash,
+ const struct wpabuf *cert)
+{
+ struct eapol_sm *sm = ctx;
+ if (sm->ctx->cert_cb)
+ sm->ctx->cert_cb(sm->ctx->ctx, depth, subject,
+ cert_hash, cert);
+}
static struct eapol_callbacks eapol_cb =
{
@@ -1837,7 +1846,8 @@ static struct eapol_callbacks eapol_cb =
eapol_sm_set_config_blob,
eapol_sm_get_config_blob,
eapol_sm_notify_pending,
- eapol_sm_eap_param_needed
+ eapol_sm_eap_param_needed,
+ eapol_sm_notify_cert
};
diff --git a/src/eapol_supp/eapol_supp_sm.h b/src/eapol_supp/eapol_supp_sm.h
index 1bdf8cd..3ea7e79 100644
--- a/src/eapol_supp/eapol_supp_sm.h
+++ b/src/eapol_supp/eapol_supp_sm.h
@@ -220,6 +220,17 @@ struct eapol_ctx {
* @authorized: Whether the supplicant port is now in authorized state
*/
void (*port_cb)(void *ctx, int authorized);
+
+ /**
+ * cert_cb - Notification of a peer certificate
+ * @ctx: Callback context (ctx)
+ * @depth: Depth in certificate chain (0 = server)
+ * @subject: Subject of the peer certificate
+ * @cert_hash: SHA-256 hash of the certificate
+ * @cert: Peer certificate
+ */
+ void (*cert_cb)(void *ctx, int depth, const char *subject,
+ const char *cert_hash, const struct wpabuf *cert);
};
diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
index 191099a..d4fac56 100644
--- a/src/p2p/p2p.c
+++ b/src/p2p/p2p.c
@@ -634,7 +634,10 @@ static void p2p_device_free(struct p2p_data *p2p, struct p2p_device *dev)
if (p2p->pending_client_disc_go == dev)
p2p->pending_client_disc_go = NULL;
- p2p->cfg->dev_lost(p2p->cfg->cb_ctx, dev->info.p2p_device_addr);
+ /* dev_lost() device, but only if it was previously dev_found() */
+ if (dev->flags & P2P_DEV_REPORTED_ONCE)
+ p2p->cfg->dev_lost(p2p->cfg->cb_ctx,
+ dev->info.p2p_device_addr);
for (i = 0; i < P2P_MAX_WPS_VENDOR_EXT; i++) {
wpabuf_free(dev->info.wps_vendor_ext[i]);
diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 01a46dc..7c0ac87 100644
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -198,7 +198,8 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
wpa_hexdump_key(MSG_DEBUG, "WPA: PMK from EAPOL state "
"machines", sm->pmk, pmk_len);
sm->pmk_len = pmk_len;
- if (sm->proto == WPA_PROTO_RSN) {
+ if (sm->proto == WPA_PROTO_RSN &&
+ !wpa_key_mgmt_ft(sm->key_mgmt)) {
pmksa_cache_add(sm->pmksa, sm->pmk, pmk_len,
src_addr, sm->own_addr,
sm->network_ctx, sm->key_mgmt);
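Review bot: The new `!wpa_key_mgmt_ft(sm->key_mgmt)` exclusion here, and the matching one in the abort_cached hunk below (the EAPOL-Start path), carry no explanation in the code; the rationale exists only in the commit message. A one-line comment above the first condition, `/* PMKSA caching is not used with FT key management */`, would keep the intent with the code and explain why the two checks must stay in sync. wpa_supplicant_get_pmk() starts and ends outside both hunks.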
@@ -227,7 +228,8 @@ static int wpa_supplicant_get_pmk(struct wpa_sm *sm,
}
}
- if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt)) {
+ if (abort_cached && wpa_key_mgmt_wpa_ieee8021x(sm->key_mgmt) &&
+ !wpa_key_mgmt_ft(sm->key_mgmt)) {
/* Send EAPOL-Start to trigger full EAP authentication. */
u8 *buf;
size_t buflen;
diff --git a/src/tls/tlsv1_client.c b/src/tls/tlsv1_client.c
index afb6031..8b7e26f 100644
--- a/src/tls/tlsv1_client.c
+++ b/src/tls/tlsv1_client.c
@@ -1,6 +1,6 @@
/*
* TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -656,6 +656,12 @@ int tlsv1_client_set_cred(struct tlsv1_client *conn,
}
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled)
+{
+ conn->disable_time_checks = !enabled;
+}
+
+
void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn,
tlsv1_client_session_ticket_cb cb,
void *ctx)
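Review bot: The new tlsv1_client_set_time_checks() has no doc comment, and since it exists to switch off a security check its contract should be explicit; the surrounding functions in this file are not visible here, so match whatever comment style they use. Something like `/* Enable (non-zero) or disable (0) certificate validity time checks; disabling accepts expired and not-yet-valid server certificates */` above the definition would do. The `enabled` argument is stored inverted into a one-bit field, so any non-zero value enables the checks, which is worth stating as well.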
diff --git a/src/tls/tlsv1_client.h b/src/tls/tlsv1_client.h
index 16ad57d..a620d62 100644
--- a/src/tls/tlsv1_client.h
+++ b/src/tls/tlsv1_client.h
@@ -1,6 +1,6 @@
/*
* TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -47,6 +47,7 @@ int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn);
int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers);
int tlsv1_client_set_cred(struct tlsv1_client *conn,
struct tlsv1_credentials *cred);
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled);
typedef int (*tlsv1_client_session_ticket_cb)
(void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
diff --git a/src/tls/tlsv1_client_i.h b/src/tls/tlsv1_client_i.h
index 7fe179f..f091bcf 100644
--- a/src/tls/tlsv1_client_i.h
+++ b/src/tls/tlsv1_client_i.h
@@ -1,6 +1,6 @@
/*
* TLSv1 client - internal structures
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -39,6 +39,7 @@ struct tlsv1_client {
unsigned int session_resumed:1;
unsigned int session_ticket_included:1;
unsigned int use_session_ticket:1;
+ unsigned int disable_time_checks:1;
struct crypto_public_key *server_rsa_key;
diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index ed3f260..faa891a 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -365,7 +365,8 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
if (conn->cred &&
x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
- &reason) < 0) {
+ &reason, conn->disable_time_checks)
+ < 0) {
int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason);
diff --git a/src/tls/tlsv1_server_read.c b/src/tls/tlsv1_server_read.c
index 49e811f..fd74436 100644
--- a/src/tls/tlsv1_server_read.c
+++ b/src/tls/tlsv1_server_read.c
@@ -424,7 +424,7 @@ static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
}
if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
- &reason) < 0) {
+ &reason, 0) < 0) {
int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason);
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index bc93df6..347f975 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -1,6 +1,6 @@
/*
* X.509v3 certificate parsing and processing (RFC 3280 profile)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -1834,7 +1834,7 @@ static int x509_valid_issuer(const struct x509_certificate *cert)
*/
int x509_certificate_chain_validate(struct x509_certificate *trusted,
struct x509_certificate *chain,
- int *reason)
+ int *reason, int disable_time_checks)
{
long unsigned idx;
int chain_trusted = 0;
@@ -1854,10 +1854,11 @@ int x509_certificate_chain_validate(struct x509_certificate *trusted,
if (chain_trusted)
continue;
- if ((unsigned long) now.sec <
- (unsigned long) cert->not_before ||
- (unsigned long) now.sec >
- (unsigned long) cert->not_after) {
+ if (!disable_time_checks &&
+ ((unsigned long) now.sec <
+ (unsigned long) cert->not_before ||
+ (unsigned long) now.sec >
+ (unsigned long) cert->not_after)) {
wpa_printf(MSG_INFO, "X509: Certificate not valid "
"(now=%lu not_before=%lu not_after=%lu)",
now.sec, cert->not_before, cert->not_after);
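Review bot: When `disable_time_checks` is set, a certificate outside its validity window is now accepted without any log line, so there is no record that date checking was bypassed for a given chain; the MSG_INFO message in this hunk fires only on the rejection path. Suggest evaluating the window once and logging when the result is being ignored, as sketched below. The kernel-doc block above x509_certificate_chain_validate(), which starts before the first x509v3.c hunk, should also gain an entry for the new parameter. The excerpt keeps the rejection branch's remaining lines, which lie outside the hunk, as a placeholder.
```c
		if (chain_trusted)
			continue;

		if ((unsigned long) now.sec < (unsigned long) cert->not_before ||
		    (unsigned long) now.sec > (unsigned long) cert->not_after) {
			if (disable_time_checks) {
				wpa_printf(MSG_INFO, "X509: Certificate validity "
					   "time check skipped (now=%lu "
					   "not_before=%lu not_after=%lu)",
					   now.sec, cert->not_before,
					   cert->not_after);
			} else {
				wpa_printf(MSG_INFO, "X509: Certificate not valid "
					   "(now=%lu not_before=%lu not_after=%lu)",
					   now.sec, cert->not_before,
					   cert->not_after);
				/* … unchanged: set *reason and return -1 … */
			}
		}
```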
diff --git a/src/tls/x509v3.h b/src/tls/x509v3.h
index 37292d7..3e2005b 100644
--- a/src/tls/x509v3.h
+++ b/src/tls/x509v3.h
@@ -1,6 +1,6 @@
/*
* X.509v3 certificate parsing and processing
- * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -120,7 +120,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
struct x509_certificate *cert);
int x509_certificate_chain_validate(struct x509_certificate *trusted,
struct x509_certificate *chain,
- int *reason);
+ int *reason, int disable_time_checks);
struct x509_certificate *
x509_certificate_get_subject(struct x509_certificate *chain,
struct x509_name *name);