authorJouni Malinen <j@w1.fi>2009-12-20 17:28:47 (GMT)
committerJouni Malinen <j@w1.fi>2010-01-09 19:01:51 (GMT)
commit8d89f41d8f2ac883805c90124e6f6a9bbf1b299b (patch)
tree337a8c3e797008d5901be5421c6539e00d8978f2
parent7bd9007b3c0cfedad951a070c922826675fc1074 (diff)
Allow TLS flags to be configured (allow MD5, disable time checks)
Undocumented (at least for the time being) TLS parameters can now be provided in the wpa_supplicant configuration to enable some workarounds for connecting insecurely to some networks. The phase1 and phase2 network parameters can use the following options: tls_allow_md5=1 - allow MD5 signature to be used (disabled by default with GnuTLS) tls_disable_time_checks=1 - ignore certificate expiration time For now, only the GnuTLS TLS wrapper implements support for these. (cherry picked from commit 29446569253c689356e7519feacddb7c923015cf)
-rw-r--r--src/crypto/tls.h6
-rw-r--r--src/crypto/tls_gnutls.c23
-rw-r--r--src/eap_peer/eap_tls_common.c14
3 files changed, 43 insertions, 0 deletions
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index dafe8bb..aafb799 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -34,6 +34,9 @@ struct tls_config {
const char *pkcs11_module_path;
};
+#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
+#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
+
/**
* struct tls_connection_params - Parameters for TLS connection
* @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
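Review bot: The two new `#define TLS_CONN_*` bits carry no comment, yet each one weakens certificate verification (MD5 signatures accepted, expiry ignored), so a reader of tls.h cannot tell they are insecure workarounds rather than ordinary tuning knobs. I would put a short block comment above them, e.g. `/* tls_connection_params::flags - workarounds that weaken certificate verification; set only when the user explicitly asks for them via phase1/phase2 (tls_allow_md5=1, tls_disable_time_checks=1) */`. The `@flags: Parameter options (TLS_CONN_*)` line in the next hunk of this file could carry the same warning in one phrase, e.g. `@flags: Parameter options (TLS_CONN_*); these relax certificate verification`.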
@@ -68,6 +71,7 @@ struct tls_config {
* @cert_id: the certificate's id when using engine
* @ca_cert_id: the CA certificate's id when using engine
* @tls_ia: Whether to enable TLS/IA (for EAP-TTLSv1)
+ * @flags: Parameter options (TLS_CONN_*)
*
* TLS connection parameters to be configured with tls_connection_set_params()
* and tls_global_set_params().
@@ -103,6 +107,8 @@ struct tls_connection_params {
const char *key_id;
const char *cert_id;
const char *ca_cert_id;
+
+ unsigned int flags;
};
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index 5015585..2c5c5a2 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -595,6 +595,17 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
return -1;
}
}
+
+ if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
+ gnutls_certificate_set_verify_flags(
+ conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+ }
+
+ if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+ gnutls_certificate_set_verify_flags(
+ conn->xcred,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
+ }
}
if (params->client_cert && params->private_key) {
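Review bot: The two added `gnutls_certificate_set_verify_flags()` calls each pass a single flag, and as far as I know that GnuTLS function assigns the credential's verify-flag word rather than OR-ing into it, so when both TLS_CONN_ALLOW_SIGN_RSA_MD5 and TLS_CONN_DISABLE_TIME_CHECKS are set the second call drops GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 again; the same pattern is in the tls_global_set_params hunk below (`global->xcred`). Building one combined flag word and making a single call fixes both places, and logging it at MSG_INFO makes a deliberately weakened verification visible in the supplicant log instead of silent. Note that `params->flags` is read here without this file initializing it, so the change relies on every caller zeroing `struct tls_connection_params` first; tls_connection_set_params continues outside this hunk.
```c
	/* … unchanged: CA certificate / ca_path loading … */
	unsigned int verify_flags = 0;
	if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5)
		verify_flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
	if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS)
		verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
	if (verify_flags) {
		/* Single call: set_verify_flags() replaces, it does not OR */
		wpa_printf(MSG_INFO, "TLS: Relaxing certificate verification "
			   "(GnuTLS verify flags 0x%x)", verify_flags);
		gnutls_certificate_set_verify_flags(conn->xcred, verify_flags);
	}
```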
@@ -715,6 +726,18 @@ int tls_global_set_params(void *tls_ctx,
goto fail;
}
}
+
+ if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
+ gnutls_certificate_set_verify_flags(
+ global->xcred,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+ }
+
+ if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+ gnutls_certificate_set_verify_flags(
+ global->xcred,
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
+ }
}
if (params->client_cert && params->private_key) {
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index 19afb90..186feaa 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -45,6 +45,18 @@ static int eap_tls_check_blob(struct eap_sm *sm, const char **name,
}
+static void eap_tls_params_flags(struct tls_connection_params *params,
+ const char *txt)
+{
+ if (txt == NULL)
+ return;
+ if (os_strstr(txt, "tls_allow_md5=1"))
+ params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
+ if (os_strstr(txt, "tls_disable_time_checks=1"))
+ params->flags |= TLS_CONN_DISABLE_TIME_CHECKS;
+}
+
+
static void eap_tls_params_from_conf1(struct tls_connection_params *params,
struct eap_peer_config *config)
{
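Review bot: `eap_tls_params_flags()` is added without a comment, and since it only ORs into `params->flags` it silently depends on the caller having zeroed `struct tls_connection_params` before eap_tls_params_from_conf1/2 run (the memset, if there is one, is outside the hunks at L112 and L118), so I would state that contract: `/* Parse the undocumented phase1/phase2 TLS workarounds into params->flags; these weaken certificate verification and are ORed into flags, so the caller must have zeroed *params. */`. The `os_strstr(txt, "tls_allow_md5=1")` match is a plain substring test, so it also fires for inputs such as `tls_allow_md5=10`; if that is the convention the file uses for the other phase1 options it is fine, but a one-line comment saying so would save the next reader a check. eap_tls_params_from_conf1 starts in this hunk and continues past it.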
@@ -62,6 +74,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
params->key_id = config->key_id;
params->cert_id = config->cert_id;
params->ca_cert_id = config->ca_cert_id;
+ eap_tls_params_flags(params, config->phase1);
}
@@ -82,6 +95,7 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
params->key_id = config->key2_id;
params->cert_id = config->cert2_id;
params->ca_cert_id = config->ca_cert2_id;
+ eap_tls_params_flags(params, config->phase2);
}