OpenSSL: Always accept pinned certificates
If OpenSSL reports that a presented leaf certificate is invalid, but it has been explicitly pinned, accept it anyway. Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
This commit is contained in:
parent
b2329e4ad5
commit
00033a0903
1 changed files with 13 additions and 1 deletions
|
@ -1516,7 +1516,11 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
|
||||||
err_str = X509_verify_cert_error_string(err);
|
err_str = X509_verify_cert_error_string(err);
|
||||||
|
|
||||||
#ifdef CONFIG_SHA256
|
#ifdef CONFIG_SHA256
|
||||||
if (preverify_ok && depth == 0 && conn->server_cert_only) {
|
/*
|
||||||
|
* Do not require preverify_ok so we can explicity allow otherwise
|
||||||
|
* invalid pinned server certificates.
|
||||||
|
*/
|
||||||
|
if (depth == 0 && conn->server_cert_only) {
|
||||||
struct wpabuf *cert;
|
struct wpabuf *cert;
|
||||||
cert = get_x509_cert(err_cert);
|
cert = get_x509_cert(err_cert);
|
||||||
if (!cert) {
|
if (!cert) {
|
||||||
|
@ -1534,6 +1538,14 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
|
||||||
err_str = "Server certificate mismatch";
|
err_str = "Server certificate mismatch";
|
||||||
err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
|
err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
|
||||||
preverify_ok = 0;
|
preverify_ok = 0;
|
||||||
|
} else if (!preverify_ok) {
|
||||||
|
/*
|
||||||
|
* Certificate matches pinned certificate, allow
|
||||||
|
* regardless of other problems.
|
||||||
|
*/
|
||||||
|
wpa_printf(MSG_DEBUG,
|
||||||
|
"OpenSSL: Ignore validation issues for a pinned server certificate");
|
||||||
|
preverify_ok = 1;
|
||||||
}
|
}
|
||||||
wpabuf_free(cert);
|
wpabuf_free(cert);
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue