TLS: Add support for tls_disable_time_checks=1 in client mode
This phase1 parameter for TLS-based EAP methods was already supported with GnuTLS and this commit extends that support for OpenSSL and the internal TLS implementation.
This commit is contained in:
Jouni Malinen
parent
572a171f4f
commit
235279e777
9 changed files with 39 additions and 15 deletions
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* TLS interface functions and an internal TLS implementation
|
||||
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
|
@ -211,6 +211,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
return -1;
|
||||
}
|
||||
|
||||
tlsv1_client_set_time_checks(
|
||||
conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
|
||||
|
||||
return 0;
|
||||
#else /* CONFIG_TLS_INTERNAL_CLIENT */
|
||||
return -1;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* SSL/TLS interface functions for OpenSSL
|
||||
* Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
|
@ -86,6 +86,8 @@ struct tls_connection {
|
|||
unsigned int server_cert_only:1;
|
||||
|
||||
u8 srv_cert_hash[32];
|
||||
|
||||
unsigned int flags;
|
||||
};
|
||||
|
||||
|
||||
|
|
@ -1192,6 +1194,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
|
|||
preverify_ok = 1;
|
||||
if (!preverify_ok && depth > 0 && conn->server_cert_only)
|
||||
preverify_ok = 1;
|
||||
if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
|
||||
(err == X509_V_ERR_CERT_HAS_EXPIRED ||
|
||||
err == X509_V_ERR_CERT_NOT_YET_VALID)) {
|
||||
wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
|
||||
"time mismatch");
|
||||
preverify_ok = 1;
|
||||
}
|
||||
|
||||
err_str = X509_verify_cert_error_string(err);
|
||||
|
||||
|
|
@ -2730,6 +2739,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
return -1;
|
||||
}
|
||||
|
||||
conn->flags = params->flags;
|
||||
|
||||
tls_get_errors(tls_ctx);
|
||||
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* TLSv1 client (RFC 2246)
|
||||
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
|
@ -656,6 +656,12 @@ int tlsv1_client_set_cred(struct tlsv1_client *conn,
|
|||
}
|
||||
|
||||
|
||||
void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled)
|
||||
{
|
||||
conn->disable_time_checks = !enabled;
|
||||
}
|
||||
|
||||
|
||||
void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn,
|
||||
tlsv1_client_session_ticket_cb cb,
|
||||
void *ctx)
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* TLSv1 client (RFC 2246)
|
||||
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
|
@ -47,6 +47,7 @@ int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn);
|
|||
int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers);
|
||||
int tlsv1_client_set_cred(struct tlsv1_client *conn,
|
||||
struct tlsv1_credentials *cred);
|
||||
void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled);
|
||||
|
||||
typedef int (*tlsv1_client_session_ticket_cb)
|
||||
(void *ctx, const u8 *ticket, size_t len, const u8 *client_random,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* TLSv1 client - internal structures
|
||||
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
|
@ -39,6 +39,7 @@ struct tlsv1_client {
|
|||
unsigned int session_resumed:1;
|
||||
unsigned int session_ticket_included:1;
|
||||
unsigned int use_session_ticket:1;
|
||||
unsigned int disable_time_checks:1;
|
||||
|
||||
struct crypto_public_key *server_rsa_key;
|
||||
|
||||
|
|
|
|||
|
|
@ -365,7 +365,8 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
|
|||
|
||||
if (conn->cred &&
|
||||
x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
|
||||
&reason) < 0) {
|
||||
&reason, conn->disable_time_checks)
|
||||
< 0) {
|
||||
int tls_reason;
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
|
||||
"validation failed (reason=%d)", reason);
|
||||
|
|
|
|||
|
|
@ -424,7 +424,7 @@ static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
|
|||
}
|
||||
|
||||
if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
|
||||
&reason) < 0) {
|
||||
&reason, 0) < 0) {
|
||||
int tls_reason;
|
||||
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
|
||||
"validation failed (reason=%d)", reason);
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* X.509v3 certificate parsing and processing (RFC 3280 profile)
|
||||
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
|
@ -1834,7 +1834,7 @@ static int x509_valid_issuer(const struct x509_certificate *cert)
|
|||
*/
|
||||
int x509_certificate_chain_validate(struct x509_certificate *trusted,
|
||||
struct x509_certificate *chain,
|
||||
int *reason)
|
||||
int *reason, int disable_time_checks)
|
||||
{
|
||||
long unsigned idx;
|
||||
int chain_trusted = 0;
|
||||
|
|
@ -1854,10 +1854,11 @@ int x509_certificate_chain_validate(struct x509_certificate *trusted,
|
|||
if (chain_trusted)
|
||||
continue;
|
||||
|
||||
if ((unsigned long) now.sec <
|
||||
(unsigned long) cert->not_before ||
|
||||
(unsigned long) now.sec >
|
||||
(unsigned long) cert->not_after) {
|
||||
if (!disable_time_checks &&
|
||||
((unsigned long) now.sec <
|
||||
(unsigned long) cert->not_before ||
|
||||
(unsigned long) now.sec >
|
||||
(unsigned long) cert->not_after)) {
|
||||
wpa_printf(MSG_INFO, "X509: Certificate not valid "
|
||||
"(now=%lu not_before=%lu not_after=%lu)",
|
||||
now.sec, cert->not_before, cert->not_after);
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* X.509v3 certificate parsing and processing
|
||||
* Copyright (c) 2006, Jouni Malinen <j@w1.fi>
|
||||
* Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
|
|
@ -120,7 +120,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
|
|||
struct x509_certificate *cert);
|
||||
int x509_certificate_chain_validate(struct x509_certificate *trusted,
|
||||
struct x509_certificate *chain,
|
||||
int *reason);
|
||||
int *reason, int disable_time_checks);
|
||||
struct x509_certificate *
|
||||
x509_certificate_get_subject(struct x509_certificate *chain,
|
||||
struct x509_name *name);
|
||||
|
|
|
|||
Loading…
Reference in a new issue