GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the tls_gnutls.c implementation. The former was configured to use the request to ignore time checks while the latter was not. Complete support for this parameter by ignoring the internal expiration checks if requested. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
594d1fc084
commit
d4d1f5cb33
1 changed files with 6 additions and 2 deletions
|
|
@ -44,6 +44,7 @@ struct tls_connection {
|
|||
size_t pre_shared_secret_len;
|
||||
int established;
|
||||
int verify_peer;
|
||||
unsigned int disable_time_checks:1;
|
||||
|
||||
struct wpabuf *push_buf;
|
||||
struct wpabuf *pull_buf;
|
||||
|
|
@ -412,6 +413,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
return -1;
|
||||
}
|
||||
|
||||
conn->disable_time_checks = 0;
|
||||
if (params->ca_cert || params->ca_cert_blob) {
|
||||
conn->verify_peer = 1;
|
||||
gnutls_certificate_set_verify_function(
|
||||
|
|
@ -423,6 +425,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
}
|
||||
|
||||
if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
|
||||
conn->disable_time_checks = 1;
|
||||
gnutls_certificate_set_verify_flags(
|
||||
conn->xcred,
|
||||
GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
|
||||
|
|
@ -903,8 +906,9 @@ static int tls_connection_verify_peer(gnutls_session_t session)
|
|||
* tls_connection_set_params() */
|
||||
}
|
||||
|
||||
if (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
|
||||
gnutls_x509_crt_get_activation_time(cert) > now.sec) {
|
||||
if (!conn->disable_time_checks &&
|
||||
(gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
|
||||
gnutls_x509_crt_get_activation_time(cert) > now.sec)) {
|
||||
wpa_printf(MSG_INFO, "TLS: Peer certificate %d/%d is "
|
||||
"not valid at this time",
|
||||
i + 1, num_certs);
|
||||
|
|
|
|||
Loading…
Reference in a new issue