DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

TLS: Add support for tls_disable_time_checks=1 in client mode

Browse source 
This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.
This commit is contained in:
Jouni Malinen 2011-07-05 11:29:42 +03:00
parent 572a171f4f
commit 235279e777
9 changed files with 39 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/crypto/tls_internal.c
View file

@ -1,6 +1,6 @@
/*
* TLS interface functions and an internal TLS implementation
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@ -211,6 +211,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
tlsv1_client_set_time_checks(
conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
return 0;
#else /* CONFIG_TLS_INTERNAL_CLIENT */
return -1;

13
src/crypto/tls_openssl.c
View file

@ -1,6 +1,6 @@
/*
* SSL/TLS interface functions for OpenSSL
* Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi>
* Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@ -86,6 +86,8 @@ struct tls_connection {
unsigned int server_cert_only:1;
u8 srv_cert_hash[32];
unsigned int flags;
};
@ -1192,6 +1194,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
preverify_ok = 1;
if (!preverify_ok && depth > 0 && conn->server_cert_only)
preverify_ok = 1;
if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
(err == X509_V_ERR_CERT_HAS_EXPIRED ||
err == X509_V_ERR_CERT_NOT_YET_VALID)) {
wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
"time mismatch");
preverify_ok = 1;
}
err_str = X509_verify_cert_error_string(err);
@ -2730,6 +2739,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
conn->flags = params->flags;
tls_get_errors(tls_ctx);
return 0;