TLS: Add support for tls_disable_time_checks=1 in client mode

This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.
This commit is contained in:
Jouni Malinen 2011-07-05 11:29:42 +03:00
parent 572a171f4f
commit 235279e777
9 changed files with 39 additions and 15 deletions

View file

@ -1,6 +1,6 @@
/* /*
* TLS interface functions and an internal TLS implementation * TLS interface functions and an internal TLS implementation
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi> * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -211,6 +211,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1; return -1;
} }
tlsv1_client_set_time_checks(
conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
return 0; return 0;
#else /* CONFIG_TLS_INTERNAL_CLIENT */ #else /* CONFIG_TLS_INTERNAL_CLIENT */
return -1; return -1;

View file

@ -1,6 +1,6 @@
/* /*
* SSL/TLS interface functions for OpenSSL * SSL/TLS interface functions for OpenSSL
* Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi> * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -86,6 +86,8 @@ struct tls_connection {
unsigned int server_cert_only:1; unsigned int server_cert_only:1;
u8 srv_cert_hash[32]; u8 srv_cert_hash[32];
unsigned int flags;
}; };
@ -1192,6 +1194,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
preverify_ok = 1; preverify_ok = 1;
if (!preverify_ok && depth > 0 && conn->server_cert_only) if (!preverify_ok && depth > 0 && conn->server_cert_only)
preverify_ok = 1; preverify_ok = 1;
if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
(err == X509_V_ERR_CERT_HAS_EXPIRED ||
err == X509_V_ERR_CERT_NOT_YET_VALID)) {
wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
"time mismatch");
preverify_ok = 1;
}
err_str = X509_verify_cert_error_string(err); err_str = X509_verify_cert_error_string(err);
@ -2730,6 +2739,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1; return -1;
} }
conn->flags = params->flags;
tls_get_errors(tls_ctx); tls_get_errors(tls_ctx);
return 0; return 0;

View file

@ -1,6 +1,6 @@
/* /*
* TLSv1 client (RFC 2246) * TLSv1 client (RFC 2246)
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -656,6 +656,12 @@ int tlsv1_client_set_cred(struct tlsv1_client *conn,
} }
void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled)
{
conn->disable_time_checks = !enabled;
}
void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn, void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn,
tlsv1_client_session_ticket_cb cb, tlsv1_client_session_ticket_cb cb,
void *ctx) void *ctx)

View file

@ -1,6 +1,6 @@
/* /*
* TLSv1 client (RFC 2246) * TLSv1 client (RFC 2246)
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -47,6 +47,7 @@ int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn);
int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers); int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers);
int tlsv1_client_set_cred(struct tlsv1_client *conn, int tlsv1_client_set_cred(struct tlsv1_client *conn,
struct tlsv1_credentials *cred); struct tlsv1_credentials *cred);
void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled);
typedef int (*tlsv1_client_session_ticket_cb) typedef int (*tlsv1_client_session_ticket_cb)
(void *ctx, const u8 *ticket, size_t len, const u8 *client_random, (void *ctx, const u8 *ticket, size_t len, const u8 *client_random,

View file

@ -1,6 +1,6 @@
/* /*
* TLSv1 client - internal structures * TLSv1 client - internal structures
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -39,6 +39,7 @@ struct tlsv1_client {
unsigned int session_resumed:1; unsigned int session_resumed:1;
unsigned int session_ticket_included:1; unsigned int session_ticket_included:1;
unsigned int use_session_ticket:1; unsigned int use_session_ticket:1;
unsigned int disable_time_checks:1;
struct crypto_public_key *server_rsa_key; struct crypto_public_key *server_rsa_key;

View file

@ -365,7 +365,8 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
if (conn->cred && if (conn->cred &&
x509_certificate_chain_validate(conn->cred->trusted_certs, chain, x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
&reason) < 0) { &reason, conn->disable_time_checks)
< 0) {
int tls_reason; int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason); "validation failed (reason=%d)", reason);

View file

@ -424,7 +424,7 @@ static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
} }
if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain, if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
&reason) < 0) { &reason, 0) < 0) {
int tls_reason; int tls_reason;
wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain " wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
"validation failed (reason=%d)", reason); "validation failed (reason=%d)", reason);

View file

@ -1,6 +1,6 @@
/* /*
* X.509v3 certificate parsing and processing (RFC 3280 profile) * X.509v3 certificate parsing and processing (RFC 3280 profile)
* Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -1834,7 +1834,7 @@ static int x509_valid_issuer(const struct x509_certificate *cert)
*/ */
int x509_certificate_chain_validate(struct x509_certificate *trusted, int x509_certificate_chain_validate(struct x509_certificate *trusted,
struct x509_certificate *chain, struct x509_certificate *chain,
int *reason) int *reason, int disable_time_checks)
{ {
long unsigned idx; long unsigned idx;
int chain_trusted = 0; int chain_trusted = 0;
@ -1854,10 +1854,11 @@ int x509_certificate_chain_validate(struct x509_certificate *trusted,
if (chain_trusted) if (chain_trusted)
continue; continue;
if ((unsigned long) now.sec < if (!disable_time_checks &&
(unsigned long) cert->not_before || ((unsigned long) now.sec <
(unsigned long) now.sec > (unsigned long) cert->not_before ||
(unsigned long) cert->not_after) { (unsigned long) now.sec >
(unsigned long) cert->not_after)) {
wpa_printf(MSG_INFO, "X509: Certificate not valid " wpa_printf(MSG_INFO, "X509: Certificate not valid "
"(now=%lu not_before=%lu not_after=%lu)", "(now=%lu not_before=%lu not_after=%lu)",
now.sec, cert->not_before, cert->not_after); now.sec, cert->not_before, cert->not_after);

View file

@ -1,6 +1,6 @@
/* /*
* X.509v3 certificate parsing and processing * X.509v3 certificate parsing and processing
* Copyright (c) 2006, Jouni Malinen <j@w1.fi> * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
@ -120,7 +120,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
struct x509_certificate *cert); struct x509_certificate *cert);
int x509_certificate_chain_validate(struct x509_certificate *trusted, int x509_certificate_chain_validate(struct x509_certificate *trusted,
struct x509_certificate *chain, struct x509_certificate *chain,
int *reason); int *reason, int disable_time_checks);
struct x509_certificate * struct x509_certificate *
x509_certificate_get_subject(struct x509_certificate *chain, x509_certificate_get_subject(struct x509_certificate *chain,
struct x509_name *name); struct x509_name *name);