From patchwork Tue Jul 24 21:10:15 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: wpa_supplicant: ca_cert_verify for TPM
Date: Tue, 24 Jul 2012 11:10:15 -0000
From: Christopher Wiley
X-Patchwork-Id: 173058
Message-Id: <20120724221118.E25A77428BB@wiley.mtv.corp.google.com>
To: hostap@lists.shmoo.com
This bit is set in the code path that handles keys and certs from places other than openssl authentication engines. Setting this bit causes authentication to fail when the server provides certificates that don't match the client certificate authority.
---
 src/crypto/tls_openssl.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 3bbd457..19fa3fb 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1922,6 +1922,8 @@ static int tls_connection_engine_ca_cert(void *_ssl_ctx,
 wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
 "to certificate store", __func__);
 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
+ conn->ca_cert_verify = 1;
+
 return 0;
 
 #else /* OPENSSL_NO_ENGINE */
@@ -2085,7 +2087,7 @@ static int tls_connection_private_key(void *_ssl_ctx,
 ERR_clear_error();
 SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
 os_free(passwd);
-
+
 if (!SSL_check_private_key(conn->ssl)) {
 tls_show_errors(MSG_INFO, __func__, "Private key failed "
 "verification");
@@ -2131,7 +2133,7 @@ static int tls_global_private_key(SSL_CTX *ssl_ctx, const char *private_key,
 os_free(passwd);
 ERR_clear_error();
 SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
-
+
 if (!SSL_CTX_check_private_key(ssl_ctx)) {
 tls_show_errors(MSG_INFO, __func__,
 "Private key failed verification");
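Review bot: The added `conn->ca_cert_verify = 1;` in tls_connection_engine_ca_cert carries no comment saying why it is needed next to `SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);`, and that is the whole security content of the patch: per the description, the engine path installed the CA and the verify mode but, without this flag, a server chain that did not validate against that CA was presumably still accepted by tls_verify_cb. Suggest `/* Needed in addition to SSL_VERIFY_PEER: tls_verify_cb only fails the handshake on a chain that does not validate against the loaded CA when ca_cert_verify is set (matches the non-engine CA path) */` above the assignment. The enclosing function starts outside the hunk; it is worth confirming that each earlier error return in it leaves the connection rejected rather than continuing to an unverified handshake with the flag still 0, since that is the same class of bypass this patch closes.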