Allow TLS flags to be configured (allow MD5, disable time checks)
Undocumented (at least for the time being) TLS parameters can now be provided in wpa_supplicant configuration to enable some workarounds for being able to connect insecurely to some networks. phase1 and phase2 network parameters can use following options: tls_allow_md5=1 - allow MD5 signature to be used (disabled by default with GnuTLS) tls_disable_time_checks=1 - ignore certificate expiration time For now, only the GnuTLS TLS wrapper implements support for these.
This commit is contained in:
Jouni Malinen
parent
4a1e97790d
commit
2944656925
3 changed files with 43 additions and 0 deletions
|
|
@ -35,6 +35,9 @@ struct tls_config {
|
|||
int fips_mode;
|
||||
};
|
||||
|
||||
#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
|
||||
#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
|
||||
|
||||
/**
|
||||
* struct tls_connection_params - Parameters for TLS connection
|
||||
* @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
|
||||
|
|
@ -69,6 +72,7 @@ struct tls_config {
|
|||
* @cert_id: the certificate's id when using engine
|
||||
* @ca_cert_id: the CA certificate's id when using engine
|
||||
* @tls_ia: Whether to enable TLS/IA (for EAP-TTLSv1)
|
||||
* @flags: Parameter options (TLS_CONN_*)
|
||||
*
|
||||
* TLS connection parameters to be configured with tls_connection_set_params()
|
||||
* and tls_global_set_params().
|
||||
|
|
@ -104,6 +108,8 @@ struct tls_connection_params {
|
|||
const char *key_id;
|
||||
const char *cert_id;
|
||||
const char *ca_cert_id;
|
||||
|
||||
unsigned int flags;
|
||||
};
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -591,6 +591,17 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
|
||||
gnutls_certificate_set_verify_flags(
|
||||
conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
|
||||
}
|
||||
|
||||
if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
|
||||
gnutls_certificate_set_verify_flags(
|
||||
conn->xcred,
|
||||
GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
|
||||
}
|
||||
}
|
||||
|
||||
if (params->client_cert && params->private_key) {
|
||||
|
|
@ -711,6 +722,18 @@ int tls_global_set_params(void *tls_ctx,
|
|||
goto fail;
|
||||
}
|
||||
}
|
||||
|
||||
if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
|
||||
gnutls_certificate_set_verify_flags(
|
||||
global->xcred,
|
||||
GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
|
||||
}
|
||||
|
||||
if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
|
||||
gnutls_certificate_set_verify_flags(
|
||||
global->xcred,
|
||||
GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
|
||||
}
|
||||
}
|
||||
|
||||
if (params->client_cert && params->private_key) {
|
||||
|
|
|
|||
|
|
@ -45,6 +45,18 @@ static int eap_tls_check_blob(struct eap_sm *sm, const char **name,
|
|||
}
|
||||
|
||||
|
||||
static void eap_tls_params_flags(struct tls_connection_params *params,
|
||||
const char *txt)
|
||||
{
|
||||
if (txt == NULL)
|
||||
return;
|
||||
if (os_strstr(txt, "tls_allow_md5=1"))
|
||||
params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
|
||||
if (os_strstr(txt, "tls_disable_time_checks=1"))
|
||||
params->flags |= TLS_CONN_DISABLE_TIME_CHECKS;
|
||||
}
|
||||
|
||||
|
||||
static void eap_tls_params_from_conf1(struct tls_connection_params *params,
|
||||
struct eap_peer_config *config)
|
||||
{
|
||||
|
|
@ -62,6 +74,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
|
|||
params->key_id = config->key_id;
|
||||
params->cert_id = config->cert_id;
|
||||
params->ca_cert_id = config->ca_cert_id;
|
||||
eap_tls_params_flags(params, config->phase1);
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -82,6 +95,7 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
|
|||
params->key_id = config->key2_id;
|
||||
params->cert_id = config->cert2_id;
|
||||
params->ca_cert_id = config->ca_cert2_id;
|
||||
eap_tls_params_flags(params, config->phase2);
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue