TLS client: Do not verify CA certificates when ca_cert is not specified
authorPali Rohár <pali.rohar@gmail.com>
Sun, 22 Nov 2015 01:02:55 +0000 (02:02 +0100)
committerJouni Malinen <j@w1.fi>
Sun, 29 Nov 2015 09:39:25 +0000 (11:39 +0200)
The documentation states: "If ca_cert and ca_path are not included,
server certificate will not be verified". This holds when
wpa_supplicant is built against the OpenSSL library, but with the
internal TLS implementation, when some certificates in the CA chain are
in an unsupported format (e.g., signed using the SHA384 or SHA512 hash
functions), verification fails even though no ca_cert property is specified.

This commit changes behavior so that certificate verification in
internal TLS implementation is really skipped when ca_cert is not
specified.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
src/tls/tlsv1_client_read.c
src/tls/tlsv1_cred.c
src/tls/tlsv1_cred.h

index 9ce96803753a9adca8946108e25fbdbe6ad30e79..4fe95807af7bc804b0dcfb7630c4ba16bf365af3 100644 (file)
@@ -364,7 +364,7 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
                pos += cert_len;
        }
 
-       if (conn->cred &&
+       if (conn->cred && conn->cred->ca_cert_verify &&
            x509_certificate_chain_validate(conn->cred->trusted_certs, chain,
                                            &reason, conn->disable_time_checks)
            < 0) {
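Review bot: The new `conn->cred->ca_cert_verify` test on the changed line drops chain validation silently, so a supplicant that omitted ca_cert — and will therefore accept whatever certificate the server presents, which for tunneled EAP methods is typically the setup a rogue AP needs to harvest inner credentials — leaves no trace of that in its log. Before this `if` I would emit a warning through the file's logging facility (wpa_printf, if that is what this file uses), e.g. `if (conn->cred && !conn->cred->ca_cert_verify) wpa_printf(MSG_INFO, "TLSv1: No CA certificate configured - skipping server certificate chain validation");`, so the weakened configuration is visible in operation rather than only in wpa_supplicant.conf. The `conn->cred == NULL` case already skipped validation before this change and is not altered here. tls_process_certificate starts before the hunk and continues after it.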
index 1ea6827b898ec16f95514eb1e89226ae1bd88e78..fbac96511d31d92a5babdc11ee890c79f1b4295c 100644 (file)
@@ -190,6 +190,8 @@ int tlsv1_set_ca_cert(struct tlsv1_credentials *cred, const char *cert,
                      const u8 *cert_blob, size_t cert_blob_len,
                      const char *path)
 {
+       cred->ca_cert_verify = cert || cert_blob || path;
+
        if (tlsv1_set_cert_chain(&cred->trusted_certs, cert,
                                 cert_blob, cert_blob_len) < 0)
                return -1;
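Review bot: `cred->ca_cert_verify = cert || cert_blob || path;` is assigned before any loading is attempted, so when tlsv1_set_cert_chain fails the function returns -1 with the flag still set and a later handshake would still run chain validation — fail-closed, which is the right outcome but not obvious from the line itself. A comment would pin that intent: `/* Verify whenever any CA source was requested; a load failure below leaves the flag set, so a bad ca_cert fails closed instead of silently disabling verification. */`. Note that the flag is also set when only `path` is given while only `cert`/`cert_blob` are handed to tlsv1_set_cert_chain here; how `path` populates trusted_certs is outside the hunk, and if it does not, a path-only configuration verifies against an empty trust store and rejects every server, which is again fail-closed but worth confirming. tlsv1_set_ca_cert continues past the end of the hunk.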
index 68fbdc9230084791b0a5b71e952553d948edbe95..b1e3e00bdf0a42e5b2e50c3de2d79aebcc44f102 100644 (file)
@@ -14,6 +14,8 @@ struct tlsv1_credentials {
        struct x509_certificate *cert;
        struct crypto_private_key *key;
 
+       unsigned int ca_cert_verify:1;
+
        /* Diffie-Hellman parameters */
        u8 *dh_p; /* prime */
        size_t dh_p_len;
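Review bot: The new `ca_cert_verify` bitfield carries no comment, and nothing in the header says what value a freshly allocated credential starts with; from the two .c hunks, verification is off unless tlsv1_set_ca_cert() is called with a CA source, which presumably relies on the credential allocation zeroing the struct (not visible here) — worth confirming, since a non-zeroed allocation would make the default indeterminate. I would document the contract at the field: `/* Validate the server certificate chain against trusted_certs. Set by tlsv1_set_ca_cert() when a ca_cert, blob or path was given; when clear, the peer's chain is accepted without validation. */`. struct tlsv1_credentials starts before the hunk and continues after it.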