[PATCH 1/4] TLS client: Do not verify CA certificates when ca_cert is not specified


 



The documentation says: "If ca_cert and ca_path are not included,
server certificate will not be verified". This is true when wpa_supplicant
is compiled with the OpenSSL library.

But when using the internal TLS implementation and some certificates in the CA
chain are in an unsupported format (e.g. they use the SHA384 or SHA512 hash functions),
then verification fails even if the ca_cert property is not specified.

This commit changes the behaviour so that certificate verification in the internal TLS
implementation is really skipped when ca_cert is not specified.

Signed-off-by: Pali Rohár <pali.rohar@xxxxxxxxx>
---
 src/tls/tlsv1_client_read.c |    2 +-
 src/tls/tlsv1_cred.c        |    2 ++
 src/tls/tlsv1_cred.h        |    2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index 9ce9680..4fe9580 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -364,7 +364,7 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 		pos += cert_len;
 	}
 
-	if (conn->cred &&
+	if (conn->cred && conn->cred->ca_cert_verify &&
 	    x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
 					    &reason, conn->disable_time_checks)
 	    < 0) {
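Review bot: gating the whole `x509_certificate_chain_validate()` call on `conn->cred->ca_cert_verify` drops every check that function performs, not just the trust-anchor match; the call site also passes `conn->disable_time_checks`, so validity-period checking on the server chain disappears with it. If that is the intent (behave like the OpenSSL build when no CA is configured), say so explicitly in the commit message, and emit a log message (e.g. a `wpa_printf()` at debug level) on the skipped path so an operator can see from the log that the server certificate was accepted without validation rather than silently trusted.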
diff --git a/src/tls/tlsv1_cred.c b/src/tls/tlsv1_cred.c
index 1ea6827..fbac965 100644
--- a/src/tls/tlsv1_cred.c
+++ b/src/tls/tlsv1_cred.c
@@ -190,6 +190,8 @@ int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert,
 		      const u8 *cert_blob, size_t cert_blob_len,
 		      const char *path)
 {
+	cred->ca_cert_verify = cert || cert_blob || path;
+
 	if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
 				 cert_blob, cert_blob_len) < 0)
 		return -1;
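Review bot: `cred->ca_cert_verify = cert || cert_blob || path;` is decided by pointer presence alone, so a non-NULL but empty `cert` or `path` string enables verification with no trusted certificates loaded, which then fails closed at the chain check; that is the safe direction, but worth a one-line comment so nobody "fixes" it later. The assignment also happens before `tlsv1_set_cert_chain()` can return -1, which likewise leaves the flag set for a credential whose trust store failed to load, again fail-safe, and again deserving a comment stating that this ordering is deliberate.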
diff --git a/src/tls/tlsv1_cred.h b/src/tls/tlsv1_cred.h
index 68fbdc9..b1e3e00 100644
--- a/src/tls/tlsv1_cred.h
+++ b/src/tls/tlsv1_cred.h
@@ -14,6 +14,8 @@ struct tlsv1_credentials {
 	struct x509_certificate *cert;
 	struct crypto_private_key *key;
 
+	unsigned int ca_cert_verify:1;
+
 	/* Diffie-Hellman parameters */
 	u8 *dh_p; /* prime */
 	size_t dh_p_len;
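Review bot: the new `ca_cert_verify:1` bit-field carries no comment, unlike the neighbouring `/* Diffie-Hellman parameters */` fields; add one stating what a set and a clear bit mean. More importantly, the zero state of this bit now means "do not validate the server chain", so any code path that builds a `struct tlsv1_credentials` and never reaches `tlsv1_set_ca_cert()` silently gets no chain validation. Consider inverting the sense (for example `ca_cert_skip_verify:1`, set only when no CA source was given) so that a zero-initialised credential defaults to verifying, and the fail-open behaviour has to be opted into.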
-- 
1.7.9.5
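For readers who want to see what the two behaviours described in the commit message look like from the configuration side, the following wpa_supplicant.conf fragment is an added illustration, not part of this patch or of the hostap project's own documentation. The SSID, identity, password and CA file path are placeholders; the option names (ssid, key_mgmt, eap, identity, password, phase2, ca_cert) are the standard wpa_supplicant network-block options the commit message refers to.

```conf
# Added example (not from the patch): two network blocks that differ only in
# whether a CA source is given. Names and paths below are placeholders.

# 1) No ca_cert / ca_path. Per the documented behaviour, the server
#    certificate is NOT verified: any RADIUS server that can complete the
#    EAP exchange is accepted, so an attacker's access point can harvest the
#    inner credentials. With the OpenSSL build this has always been the
#    behaviour; with the internal TLS build it becomes the behaviour after
#    this patch (before it, an unsupported-digest CA chain simply failed).
network={
    ssid="example-eap-unverified"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}

# 2) Same network with a CA file configured. The server chain must now
#    validate against this trust anchor, in both the OpenSSL and the
#    internal TLS builds. This is the form to deploy.
network={
    ssid="example-eap-verified"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/wpa_supplicant/example-ca.pem"
}
```

The practical takeaway from the patch is that, once it is applied, the internal TLS implementation matches the documented fail-open semantics of the OpenSSL build; a deployment that relies on server authentication must therefore always set ca_cert (or ca_path), regardless of which TLS backend wpa_supplicant was compiled with.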


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap



