OpenSSL: Always accept pinned certificates

If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.

Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
This commit is contained in:
Rohit Agrawal 2015-03-04 09:24:18 -06:00 committed by Jouni Malinen
parent b2329e4ad5
commit 00033a0903

View file

@ -1516,7 +1516,11 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
err_str = X509_verify_cert_error_string(err); err_str = X509_verify_cert_error_string(err);
#ifdef CONFIG_SHA256 #ifdef CONFIG_SHA256
if (preverify_ok && depth == 0 && conn->server_cert_only) { /*
* Do not require preverify_ok so we can explicity allow otherwise
* invalid pinned server certificates.
*/
if (depth == 0 && conn->server_cert_only) {
struct wpabuf *cert; struct wpabuf *cert;
cert = get_x509_cert(err_cert); cert = get_x509_cert(err_cert);
if (!cert) { if (!cert) {
@ -1534,6 +1538,14 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
err_str = "Server certificate mismatch"; err_str = "Server certificate mismatch";
err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
preverify_ok = 0; preverify_ok = 0;
} else if (!preverify_ok) {
/*
* Certificate matches pinned certificate, allow
* regardless of other problems.
*/
wpa_printf(MSG_DEBUG,
"OpenSSL: Ignore validation issues for a pinned server certificate");
preverify_ok = 1;
} }
wpabuf_free(cert); wpabuf_free(cert);
} }