GnuTLS: Fix tls_disable_time_checks=1 processing

Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/crypto/tls_gnutls.c

@@ -44,6 +44,7 @@ struct tls_connection {
 	size_t pre_shared_secret_len;
 	int established;
 	int verify_peer;
+	unsigned int disable_time_checks:1;
 
 	struct wpabuf *push_buf;
 	struct wpabuf *pull_buf;
@@ -412,6 +413,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		return -1;
 	}
 
+	conn->disable_time_checks = 0;
 	if (params->ca_cert || params->ca_cert_blob) {
 		conn->verify_peer = 1;
 		gnutls_certificate_set_verify_function(
@@ -423,6 +425,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 		}
 
 		if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+			conn->disable_time_checks = 1;
 			gnutls_certificate_set_verify_flags(
 				conn->xcred,
 				GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
@@ -903,8 +906,9 @@ static int tls_connection_verify_peer(gnutls_session_t session)
 			 * tls_connection_set_params() */
 		}
 
-		if (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
+		if (!conn->disable_time_checks &&
-		    gnutls_x509_crt_get_activation_time(cert) > now.sec) {
+		    (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
+		     gnutls_x509_crt_get_activation_time(cert) > now.sec)) {
 			wpa_printf(MSG_INFO, "TLS: Peer certificate %d/%d is "
 				   "not valid at this time",
 				   i + 1, num_certs);