GnuTLS: Fix tls_disable_time_checks=1 processing
authorJouni Malinen <j@w1.fi>
Sun, 11 Jan 2015 16:13:17 +0000 (18:13 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 11 Jan 2015 22:19:21 +0000 (00:19 +0200)
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former honored the request to ignore
time checks while the latter did not. Complete support for this
parameter by also skipping the internal expiration checks when
requested.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_gnutls.c

index 17378892182c2e0b70512479340d02c5933b152d..3245bfd4599fa3c8e5170da7c4747541aea9da6e 100644 (file)
@@ -44,6 +44,7 @@ struct tls_connection {
        size_t pre_shared_secret_len;
        int established;
        int verify_peer;
+       unsigned int disable_time_checks:1;
 
        struct wpabuf *push_buf;
        struct wpabuf *pull_buf;
@@ -412,6 +413,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
        }
 
+       conn->disable_time_checks = 0;
        if (params->ca_cert || params->ca_cert_blob) {
                conn->verify_peer = 1;
                gnutls_certificate_set_verify_function(
@@ -423,6 +425,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                }
 
                if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+                       conn->disable_time_checks = 1;
                        gnutls_certificate_set_verify_flags(
                                conn->xcred,
                                GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
@@ -903,8 +906,9 @@ static int tls_connection_verify_peer(gnutls_session_t session)
                         * tls_connection_set_params() */
                }
 
-               if (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
-                   gnutls_x509_crt_get_activation_time(cert) > now.sec) {
+               if (!conn->disable_time_checks &&
+                   (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
+                    gnutls_x509_crt_get_activation_time(cert) > now.sec)) {
                        wpa_printf(MSG_INFO, "TLS: Peer certificate %d/%d is "
                                   "not valid at this time",
                                   i + 1, num_certs);
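Review bot: The new `!conn->disable_time_checks &&` guard in the last hunk skips the expiration/activation comparison silently, so a connection that was accepted with an expired or not-yet-valid peer certificate leaves no trace in the log that the time checks were bypassed. Since this reduces what peer verification establishes, I would log the skip where the check is taken, e.g. `if (conn->disable_time_checks) wpa_printf(MSG_DEBUG, "TLS: Certificate time checks disabled by configuration");` before the `if`, so an operator reading the log can tell a deliberately relaxed verification from a normal one. The field is reset to 0 in tls_connection_set_params() only when that function runs; whether a freshly initialised connection starts with the bit cleared depends on how the struct is allocated in tls_connection_init(), which is outside this diff, so that is worth confirming. tls_connection_verify_peer() starts before the hunk and continues past it.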