From: Jouni Malinen
Date: Sun, 11 Jan 2015 16:13:17 +0000 (+0200)
Subject: GnuTLS: Fix tls_disable_time_checks=1 processing
X-Git-Tag: hostap_2_4~432
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4d1f5cb3347d1c3b75138f981290731cf3a09cb;p=thirdparty%2Fhostap.git

GnuTLS: Fix tls_disable_time_checks=1 processing

Certificate expiration is checked both within GnuTLS and in the tls_gnutls.c implementation. The former was configured to use the request to ignore time checks while the latter was not. Complete support for this parameter by ignoring the internal expiration checks if requested.

Signed-off-by: Jouni Malinen
---
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index 173788921..3245bfd45 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -44,6 +44,7 @@ struct tls_connection {
 size_t pre_shared_secret_len;
 int established;
 int verify_peer;
+ unsigned int disable_time_checks:1;
 struct wpabuf *push_buf;
 struct wpabuf *pull_buf;
@@ -412,6 +413,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 return -1;
 }
+ conn->disable_time_checks = 0;
 if (params->ca_cert || params->ca_cert_blob) {
 conn->verify_peer = 1;
 gnutls_certificate_set_verify_function(
@@ -423,6 +425,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 }
 if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+ conn->disable_time_checks = 1;
 gnutls_certificate_set_verify_flags(
 conn->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
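Review bot: The new `disable_time_checks` bit in struct tls_connection has no comment stating what its default means, and the only writes to it in this patch are inside tls_connection_set_params(); a connection whose verify callback runs without set_params() having been called first would rely on the struct being zero-filled at allocation, which this hunk does not show. Suggest documenting the contract on the field: `unsigned int disable_time_checks:1; /* 1 = skip the validity-period check in tls_connection_verify_peer(); set from TLS_CONN_DISABLE_TIME_CHECKS, 0 by default */`. struct tls_connection starts and ends outside the hunk.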
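Review bot: The unconditional `conn->disable_time_checks = 0;` in the second hunk and the conditional `conn->disable_time_checks = 1;` in the third hunk are two halves of one setting separated by the ca_cert block, which makes it easy for a later edit to leave the local flag and the GNUTLS_VERIFY_DISABLE_TIME_CHECKS flag disagreeing. A single assignment next to the existing gnutls_certificate_set_verify_flags() call keeps them together: `conn->disable_time_checks = !!(params->flags & TLS_CONN_DISABLE_TIME_CHECKS);`. Note also that the reset sits after the `return -1;` path visible at the top of the second hunk, so if set_params() can be invoked more than once on the same connection (not visible here), a failed call would leave the previous value in place. tls_connection_set_params() starts and ends outside these hunks.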
@@ -903,8 +906,9 @@ static int tls_connection_verify_peer(gnutls_session_t session)
 * tls_connection_set_params() */
 }
- if (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
- gnutls_x509_crt_get_activation_time(cert) > now.sec) {
+ if (!conn->disable_time_checks &&
+ (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
+ gnutls_x509_crt_get_activation_time(cert) > now.sec)) {
 wpa_printf(MSG_INFO, "TLS: Peer certificate %d/%d is "
 "not valid at this time", i + 1, num_certs);
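Review bot: When `conn->disable_time_checks` is set, the rewritten condition skips the validity-period comparison silently, so a peer certificate that is expired or not yet valid is accepted with nothing in the log to show that the check was bypassed; an operator reviewing a deployment that still carries tls_disable_time_checks=1 would want that visible. Suggest logging it at debug level before the `if`: `if (conn->disable_time_checks) wpa_printf(MSG_DEBUG, "TLS: Skipping validity period check for peer certificate %d/%d (time checks disabled)", i + 1, num_certs);`. The `conn` pointer and `now` used here are obtained outside the hunk, and tls_connection_verify_peer() starts and ends outside it as well.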