When wpa_supplicant is configured to use EAP authentication with
ca_cert="hash://server/sha256/<hex>", the connection is set to
server_cert_only mode. In this mode, all leaf certificate validation
errors are currently ignored if the hash matches. This behavior was
introduced in commit 00033a0903f6 ("OpenSSL: Always accept pinned
certificates") to ignore chain validation problems [1], but it also
unintentionally ignores expiry and not-yet-valid errors on the leaf
certificate.

This patch changes the validation logic under server_cert_only mode so
that expiry (X509_V_ERR_CERT_HAS_EXPIRED) and not-yet-valid
(X509_V_ERR_CERT_NOT_YET_VALID) errors are not ignored, while other
validation errors continue to be bypassed if the hash matches. If expiry
checks must be disabled, the existing tls_disable_time_checks option can
still be used.

[1] https://lists.infradead.org/pipermail/hostap/2015-March/032240.html

Signed-off-by: Rathan Appana <rathanappana@gmail.com>

err_str = "Server certificate mismatch";
err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
preverify_ok = 0;
- } else if (!preverify_ok) {
+ } else if (!preverify_ok &&
+ err != X509_V_ERR_CERT_HAS_EXPIRED &&
+ err != X509_V_ERR_CERT_NOT_YET_VALID) {
/*
* Certificate matches pinned certificate, allow
* regardless of other problems.
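Review bot: the comment inside the changed `else if` branch ("Certificate matches pinned certificate, allow regardless of other problems") is now inaccurate, because the new condition excludes X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID from the bypass. Please update it to say that validity-period errors are still enforced for a pinned certificate and that tls_disable_time_checks is the way to opt out. The visible lines also do not show what happens once those two errors fall through this branch, so it is worth confirming that the failure reported to the user names the expired or not-yet-valid condition rather than a generic verification error, since the hash did match.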