TLS: Add support for tls_disable_time_checks=1 in client mode

This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.

diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index 64124d8a8e3ef74c8bbaa4709d6ea208189bbb27..cc165f6407df4c9397cec73de3184f86542f9228 100644 (file)
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -1,6 +1,6 @@
 /*
  * TLS interface functions and an internal TLS implementation
- * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -211,6 +211,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
        }
 
+       tlsv1_client_set_time_checks(
+               conn->client, !(params->flags & TLS_CONN_DISABLE_TIME_CHECKS));
+
        return 0;
 #else /* CONFIG_TLS_INTERNAL_CLIENT */
        return -1;

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index bf92a1133d862d67558416312cf6dc49d021d2a0..14ff87e2632b983fba1f53afcede067970ffa563 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1,6 +1,6 @@
 /*
  * SSL/TLS interface functions for OpenSSL
- * Copyright (c) 2004-2010, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -86,6 +86,8 @@ struct tls_connection {
        unsigned int server_cert_only:1;
 
        u8 srv_cert_hash[32];
+
+       unsigned int flags;
 };
 
 
@@ -1192,6 +1194,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
                preverify_ok = 1;
        if (!preverify_ok && depth > 0 && conn->server_cert_only)
                preverify_ok = 1;
+       if (!preverify_ok && (conn->flags & TLS_CONN_DISABLE_TIME_CHECKS) &&
+           (err == X509_V_ERR_CERT_HAS_EXPIRED ||
+            err == X509_V_ERR_CERT_NOT_YET_VALID)) {
+               wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
+                          "time mismatch");
+               preverify_ok = 1;
+       }
 
        err_str = X509_verify_cert_error_string(err);
 
@@ -2730,6 +2739,8 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                return -1;
        }
 
+       conn->flags = params->flags;
+
        tls_get_errors(tls_ctx);
 
        return 0;

diff --git a/src/tls/tlsv1_client.c b/src/tls/tlsv1_client.c
index afb603175a11a80a53d0cb3577ad430af7d04bcc..8b7e26f2afd1e995107d8e1d56c3e289aaeee1d1 100644 (file)
--- a/src/tls/tlsv1_client.c
+++ b/src/tls/tlsv1_client.c
@@ -1,6 +1,6 @@
 /*
  * TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -656,6 +656,12 @@ int tlsv1_client_set_cred(struct tlsv1_client *conn,
 }
 
 
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled)
+{
+       conn->disable_time_checks = !enabled;
+}
+
+
 void tlsv1_client_set_session_ticket_cb(struct tlsv1_client *conn,
                                        tlsv1_client_session_ticket_cb cb,
                                        void *ctx)

diff --git a/src/tls/tlsv1_client.h b/src/tls/tlsv1_client.h
index 16ad57d4007feb3fe70d1d85beda67f0a65390fd..a620d62e8020fb89b3edc38ec597268a376ca740 100644 (file)
--- a/src/tls/tlsv1_client.h
+++ b/src/tls/tlsv1_client.h
@@ -1,6 +1,6 @@
 /*
  * TLSv1 client (RFC 2246)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -47,6 +47,7 @@ int tlsv1_client_get_keyblock_size(struct tlsv1_client *conn);
 int tlsv1_client_set_cipher_list(struct tlsv1_client *conn, u8 *ciphers);
 int tlsv1_client_set_cred(struct tlsv1_client *conn,
                          struct tlsv1_credentials *cred);
+void tlsv1_client_set_time_checks(struct tlsv1_client *conn, int enabled);
 
 typedef int (*tlsv1_client_session_ticket_cb)
 (void *ctx, const u8 *ticket, size_t len, const u8 *client_random,

diff --git a/src/tls/tlsv1_client_i.h b/src/tls/tlsv1_client_i.h
index 7fe179f10c63bae7ae404cbb82980927ab0d2605..f091bcf032b322a05358d7b7b6c2c59a6f223bb0 100644 (file)
--- a/src/tls/tlsv1_client_i.h
+++ b/src/tls/tlsv1_client_i.h
@@ -1,6 +1,6 @@
 /*
  * TLSv1 client - internal structures
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -39,6 +39,7 @@ struct tlsv1_client {
        unsigned int session_resumed:1;
        unsigned int session_ticket_included:1;
        unsigned int use_session_ticket:1;
+       unsigned int disable_time_checks:1;
 
        struct crypto_public_key *server_rsa_key;
 

diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index ed3f2606c8cc24d87effcbe93e0999ed22f4222c..faa891aaf2dbdf317cd0506b990da20769d99650 100644 (file)
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -365,7 +365,8 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 
        if (conn->cred &&
            x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
-                                           &reason) < 0) {
+                                           &reason, conn->disable_time_checks)
+           < 0) {
                int tls_reason;
                wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
                           "validation failed (reason=%d)", reason);

diff --git a/src/tls/tlsv1_server_read.c b/src/tls/tlsv1_server_read.c
index 49e811ffcff514252ac11d04054c6aeeb1b5755a..fd7443656a26e8dcf6b9ea02589c15dad2152ec8 100644 (file)
--- a/src/tls/tlsv1_server_read.c
+++ b/src/tls/tlsv1_server_read.c
@@ -424,7 +424,7 @@ static int tls_process_certificate(struct tlsv1_server *conn, u8 ct,
        }
 
        if (x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
-                                           &reason) < 0) {
+                                           &reason, 0) < 0) {
                int tls_reason;
                wpa_printf(MSG_DEBUG, "TLSv1: Server certificate chain "
                           "validation failed (reason=%d)", reason);

diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index bc93df6837873d9ce826f689c5ca96a47a09cc3d..347f9759008f1eaf6c78ca56aaedc2ac4d85fd1e 100644 (file)
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -1,6 +1,6 @@
 /*
  * X.509v3 certificate parsing and processing (RFC 3280 profile)
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -1834,7 +1834,7 @@ static int x509_valid_issuer(const struct x509_certificate *cert)
  */
 int x509_certificate_chain_validate(struct x509_certificate *trusted,
                                    struct x509_certificate *chain,
-                                   int *reason)
+                                   int *reason, int disable_time_checks)
 {
        long unsigned idx;
        int chain_trusted = 0;
@@ -1854,10 +1854,11 @@ int x509_certificate_chain_validate(struct x509_certificate *trusted,
                if (chain_trusted)
                        continue;
 
-               if ((unsigned long) now.sec <
-                   (unsigned long) cert->not_before ||
-                   (unsigned long) now.sec >
-                   (unsigned long) cert->not_after) {
+               if (!disable_time_checks &&
+                   ((unsigned long) now.sec <
+                    (unsigned long) cert->not_before ||
+                    (unsigned long) now.sec >
+                    (unsigned long) cert->not_after)) {
                        wpa_printf(MSG_INFO, "X509: Certificate not valid "
                                   "(now=%lu not_before=%lu not_after=%lu)",
                                   now.sec, cert->not_before, cert->not_after);

diff --git a/src/tls/x509v3.h b/src/tls/x509v3.h
index 37292d7e7dec9b13819683331d86f050c001973f..3e2005b9090570e54eef06ad0d7ee8256e4a061d 100644 (file)
--- a/src/tls/x509v3.h
+++ b/src/tls/x509v3.h
@@ -1,6 +1,6 @@
 /*
  * X.509v3 certificate parsing and processing
- * Copyright (c) 2006, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -120,7 +120,7 @@ int x509_certificate_check_signature(struct x509_certificate *issuer,
                                     struct x509_certificate *cert);
 int x509_certificate_chain_validate(struct x509_certificate *trusted,
                                    struct x509_certificate *chain,
-                                   int *reason);
+                                   int *reason, int disable_time_checks);
 struct x509_certificate *
 x509_certificate_get_subject(struct x509_certificate *chain,
                             struct x509_name *name);