From d4d1f5cb3347d1c3b75138f981290731cf3a09cb Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 11 Jan 2015 18:13:17 +0200
Subject: [PATCH] GnuTLS: Fix tls_disable_time_checks=1 processing

Certificate expiration is checked both within GnuTLS and in the tls_gnutls.c implementation. The former was configured to use the request to ignore time checks while the latter was not. Complete support for this parameter by ignoring the internal expiration checks if requested.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_gnutls.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index 173788921..3245bfd45 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -44,6 +44,7 @@ struct tls_connection {
 size_t pre_shared_secret_len;
 int established;
 int verify_peer;
+ unsigned int disable_time_checks:1;
 struct wpabuf *push_buf;
 struct wpabuf *pull_buf;
@@ -412,6 +413,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 return -1;
 }
+ conn->disable_time_checks = 0;
 if (params->ca_cert || params->ca_cert_blob) {
 conn->verify_peer = 1;
 gnutls_certificate_set_verify_function(
@@ -423,6 +425,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 }
 if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+ conn->disable_time_checks = 1;
 gnutls_certificate_set_verify_flags(
 conn->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
@@ -903,8 +906,9 @@ static int tls_connection_verify_peer(gnutls_session_t session)
 * tls_connection_set_params() */
 }
- if (gnutls_x509_crt_get_expiration_time(cert) < now.sec || gnutls_x509_crt_get_activation_time(cert) > now.sec) {
+ if (!conn->disable_time_checks &&
+ (gnutls_x509_crt_get_expiration_time(cert) < now.sec ||
+ gnutls_x509_crt_get_activation_time(cert) > now.sec)) {
 wpa_printf(MSG_INFO, "TLS: Peer certificate %d/%d is "
 "not valid at this time", i + 1, num_certs);
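Review bot: The new `unsigned int disable_time_checks:1;` member of struct tls_connection has no comment, yet it is the switch that lets tls_connection_verify_peer() accept an expired or not-yet-valid peer certificate, which is the kind of deliberate verification weakening a later maintainer needs to recognise at the declaration. A one-line comment above the field would do, e.g. `/* Set from TLS_CONN_DISABLE_TIME_CHECKS; skips the local expiration/activation check in tls_connection_verify_peer() */`. The struct begins before this hunk and its remaining fields continue past it.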
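Review bot: The added `conn->disable_time_checks = 0;` resets only the new local flag; the GnuTLS-side GNUTLS_VERIFY_DISABLE_TIME_CHECKS that the same function installs on conn->xcred is not cleared alongside it, so if tls_connection_set_params() is invoked again on the same connection without TLS_CONN_DISABLE_TIME_CHECKS, this code would enforce the validity period while GnuTLS may still skip it. Whether that is reachable depends on conn->xcred surviving across calls, which this hunk does not show; if it does, pair the reset with `gnutls_certificate_set_verify_flags(conn->xcred, 0);` at the same point (nothing has been set on xcred yet in this call), or document that set_params is expected to run once per connection. Placing the reset ahead of the `if (params->ca_cert || params->ca_cert_blob)` block is correct, since the flag must be clean even when no CA is configured. tls_connection_set_params() begins before this hunk and continues past it.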
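Review bot: With `conn->disable_time_checks` set, the rewritten condition accepts a certificate outside its validity period without any log line recording that the check was skipped; since the MSG_INFO message is only emitted on rejection, an operator reviewing a successful connection cannot tell that an expired certificate was accepted under tls_disable_time_checks=1. Consider an `else if (conn->disable_time_checks)` branch after this block (or a single MSG_DEBUG before the certificate loop) along the lines of `wpa_printf(MSG_DEBUG, "TLS: Skipping validity period check for peer certificate %d/%d (tls_disable_time_checks=1)", i + 1, num_certs);`. Note that this local check and the GNUTLS_VERIFY_DISABLE_TIME_CHECKS verify flag set in tls_connection_set_params() are two independent gates and must stay in sync. tls_connection_verify_peer() starts before this hunk and its body, including the close of this if block, continues past it.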