authorDmitry Shmidt <dimitrysh@google.com>2015-03-10 11:21:43 -0700
committerDmitry Shmidt <dimitrysh@google.com>2015-03-10 11:23:54 -0700
commit4dd28dc25895165566a1c8a9cac7bcd755ff8fe3 (patch)
treed7a99dcc7114a2848063c9bef6b5c94dd97babb4 /src/crypto
parent203eadb9eda41a1dde4a583edb4684319e3f399e (diff)
Cumulative patch from commit 00033a0903f69b2f0e0c048840bff059f5a3eab9
00033a0 OpenSSL: Always accept pinned certificates b2329e4 Add QCA vendor subcmd for Data Offload 1d246a1 Make rate-not-supported debug print more useful 761396e Reject Group Key message 1/2 prior to completion of 4-way handshake 3f0e6ec nl80211: Extend NL80211_CMD_TDLS_OPER to support discovery c10ca2a TDLS: Allow driver to request TDLS Discovery Request initiation 41312fc mesh: Leave mesh in driver setup if initialization fails ac8e074 Clear RSN timers for preauth and PTK rekeying on disassociation f2f65dd Reserve QCA vendor specific nl80211 commands 61..90 088a210 HS 2.0: Add NULL check before dereferencing in hs20-osu-client bea8d9a nl80211: Use the new bridge port option proxyarp_wifi Change-Id: I1ef819ab4efa554f059787e02570f48be39819a6 Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/tls_openssl.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 46c4a461..52db8fc0 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1516,7 +1516,11 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
err_str = X509_verify_cert_error_string(err);
#ifdef CONFIG_SHA256
- if (preverify_ok && depth == 0 && conn->server_cert_only) {
+ /*
+ * Do not require preverify_ok so we can explicity allow otherwise
+ * invalid pinned server certificates.
+ */
+ if (depth == 0 && conn->server_cert_only) {
struct wpabuf *cert;
cert = get_x509_cert(err_cert);
if (!cert) {
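Review bot: The new comment above the `depth == 0 && conn->server_cert_only` test has a typo (`explicity`) and does not say what the decision now rests on. With `preverify_ok` dropped from the condition, acceptance of the leaf certificate appears to depend only on the pinned-certificate comparison that follows, so expiry and the other OpenSSL verification results no longer count for it. I would reword it to `/* Do not require preverify_ok so that we can explicitly allow otherwise invalid pinned server certificates; trust then rests solely on the pinned-certificate match below. */`. The comparison itself and the rest of tls_verify_cb lie outside this hunk.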
@@ -1534,6 +1538,14 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
err_str = "Server certificate mismatch";
err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
preverify_ok = 0;
+ } else if (!preverify_ok) {
+ /*
+ * Certificate matches pinned certificate, allow
+ * regardless of other problems.
+ */
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: Ignore validation issues for a pinned server certificate");
+ preverify_ok = 1;
}
wpabuf_free(cert);
}
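Review bot: The debug message in the new `else if (!preverify_ok)` branch does not record which validation error is being overridden, although `err` and `err_str` are already set at this point. This branch accepts a certificate that OpenSSL rejected, so the log line is the only trace of that decision. I would write `wpa_printf(MSG_DEBUG, "OpenSSL: Ignore validation issues for a pinned server certificate (err=%d: %s)", err, err_str);`. The branch also changes only the local `preverify_ok`, so if later code consults the error stored in `x509_ctx` (not visible here), the original error would presumably still be there, which is worth confirming. tls_verify_cb continues outside the hunk.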