author | Jouni Malinen <j@w1.fi> | 2011-07-05 11:29:42 +0300 |
committer | Jouni Malinen <j@w1.fi> | 2011-07-05 11:29:42 +0300 |
commit | 235279e777137dd7b03cd09ea8ad0fb2dc605e4e (patch) | |
tree | 88c646c17b5000c4cc34bcb23e1c6c29e7831117 /src/crypto | |
parent | 572a171f4f88dbaae9ea0b99b0ed1b25a268bebb (diff) | |
TLS: Add support for tls_disable_time_checks=1 in client mode
This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/tls_internal.c | 5 | ||||
-rw-r--r-- | src/crypto/tls_openssl.c | 13 |
2 files changed, 16 insertions, 2 deletions
diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index 64124d8..cc165f6 100644
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -1,6 +1,6 @@
 /*
  * TLS interface functions and an internal TLS implementation
- * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -211,6 +211,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		return -1;
 	}
+	tlsv1_client_set_time_checks(
+		conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
+
 	return 0;
 #else /* CONFIG_TLS_INTERNAL_CLIENT */
 	return -1;
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index bf92a11..14ff87e 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1,6 +1,6 @@
 /*
  * SSL/TLS interface functions for OpenSSL
- * Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -86,6 +86,8 @@ struct tls_connection {
 	unsigned int server_cert_only:1;
 	u8 srv_cert_hash[32];
+
+	unsigned int flags;
 };
@@ -1192,6 +1194,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 		preverify_ok = 1;
 	if (!preverify_ok && depth > 0 && conn->server_cert_only)
 		preverify_ok = 1;
+	if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
+	    (err == X509_V_ERR_CERT_HAS_EXPIRED ||
+	     err == X509_V_ERR_CERT_NOT_YET_VALID)) {
+		wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
+			   "time mismatch");
+		preverify_ok = 1;
+	}
 	err_str = X509_verify_cert_error_string(err);
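Review bot: The internal-TLS path relaxes certificate validity-time checking silently in the tls_connection_set_params() hunk, while the OpenSSL path in the same commit logs whenever it ignores a time mismatch; a debug line when the flag is set, e.g. `if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) wpa_printf(MSG_DEBUG, "TLS: Certificate validity time checks disabled");` before the tlsv1_client_set_time_checks() call, would make the weakened verification visible in the supplicant log on both backends. The call is reached only after the preceding setup succeeded, so any earlier `return -1` leaves the client's previous time-check setting in place; whether a connection can be reused after such a failure is not visible here. tls_connection_set_params() begins outside the hunk.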
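Review bot: The new `flags` member added to struct tls_connection has no visible initialisation, and tls_verify_cb() now reads `conn->flags` on every verification failure; unless tls_connection_init() zero-allocates the struct (presumably os_zalloc, but not shown here), a connection whose tls_connection_set_params() was never called, or failed before the `conn->flags = params->flags;` assignment, would test an indeterminate value, and a stray TLS_CONN_DISABLE_TIME_CHECKS bit would silently accept expired or not-yet-valid certificates. Worth confirming the allocation or initialising the field explicitly where the connection is created. The debug message also omits the details an operator needs to see which certificate was accepted despite its validity period; `depth` and `err` are both in scope on the context lines: `wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity time mismatch (depth=%d err=%d)", depth, err);`. tls_verify_cb() starts and ends outside the hunk.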
@@ -2730,6 +2739,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		return -1;
 	}
+	conn->flags = params->flags;
+
 	tls_get_errors(tls_ctx);
 	return 0; |
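Review bot: `conn->flags = params->flags;` is stored only after every earlier check in tls_connection_set_params() has passed, so a later call on the same connection that fails before this point leaves the flags of the previous successful call in effect for tls_verify_cb(). If callers can reuse a connection after a failed set_params(), clearing `conn->flags = 0;` at the start of the function (outside the hunk) would keep the verify callback consistent with the parameters actually applied. The whole flags word is copied, not just TLS_CONN_DISABLE_TIME_CHECKS, which is fine as long as the other bits are consumed elsewhere; that is not visible here. tls_connection_set_params() begins outside the hunk.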