
[v2] Pinned certificates are always accepted

Message ID 1425482658-6799-1-git-send-email-rohit.agrawal.mn@gmail.com
State Accepted

Commit Message

Rohit Agrawal March 4, 2015, 3:24 p.m. UTC
If OpenSSL reports that a presented leaf certificate is invalid
but it has been explicitly pinned, accept it anyway.

Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
---
 src/crypto/tls_openssl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Jouni Malinen March 7, 2015, 8:11 p.m. UTC | #1
On Wed, Mar 04, 2015 at 09:24:18AM -0600, Rohit Agrawal wrote:
> If OpenSSL reports that a presented leaf certificate is invalid
> but it has been explicitly pinned, accept it anyway.

Thanks, applied.

Patch

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 46c4a46..36869e5 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1516,7 +1516,9 @@  static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 	err_str = X509_verify_cert_error_string(err);
 
 #ifdef CONFIG_SHA256
-	if (preverify_ok && depth == 0 && conn->server_cert_only) {
+	/* don't require preverify_ok so we can explicity allow otherwise
+	 * invalid pinned certs */
+	if (depth == 0 && conn->server_cert_only) {
 		struct wpabuf *cert;
 		cert = get_x509_cert(err_cert);
 		if (!cert) {
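Review bot: the added comment in this hunk misspells "explicitly" ("explicity") and should say why preverify_ok can be dropped rather than just that it is: with server_cert_only the pin is a hash of the whole leaf certificate, so a pin match is meant to stand in for chain validation, which is the behaviour the commit message describes. Something like "/* Do not require preverify_ok here: with server_cert_only a matching pinned leaf replaces chain validation, so explicitly allow otherwise invalid pinned certs */" would make that clear to the next reader. Note also that this block sits under #ifdef CONFIG_SHA256, so the relaxed acceptance only applies to builds with that option; worth a mention in the commit message.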
@@ -1534,6 +1536,10 @@  static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 				err_str = "Server certificate mismatch";
 				err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
 				preverify_ok = 0;
+			} else {
+				/* certificate matches pinned certificate, allow
+				 * regardless of other problems */
+				preverify_ok = 1;
 			}
 			wpabuf_free(cert);
 		}
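Review bot: the new else branch sets preverify_ok = 1 but leaves err and err_str holding the error OpenSSL reported for the leaf (err_str was derived from err at the top of the callback), whereas the mismatch branch just above updates err, err_str and preverify_ok together. Either set err = X509_V_OK (and err_str accordingly) in the else branch for consistency, or at least emit a debug message there saying that a pinned certificate was accepted despite a verification error, so the override is visible in the log instead of silently masking an expired or otherwise rejected certificate.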