wpa_supplicant: ca_cert_verify for TPM

Message ID	20120724221118.E25A77428BB@wiley.mtv.corp.google.com
State	Accepted
Commit	d8858cadeb6159105c25348e3476ea9d7781a23d
Headers	show Return-Path: <hostap-bounces@lists.shmoo.com> From: Christopher Wiley <wiley@chromium.org> Date: Tue, 24 Jul 2012 14:10:15 -0700 Subject: [PATCH] wpa_supplicant: ca_cert_verify for TPM To: hostap@lists.shmoo.com Message-Id: <20120724221118.E25A77428BB@wiley.mtv.corp.google.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: hostap-bounces@lists.shmoo.com Errors-To: hostap-bounces@lists.shmoo.com

Message ID

20120724221118.E25A77428BB@wiley.mtv.corp.google.com

State

Accepted

Commit

d8858cadeb6159105c25348e3476ea9d7781a23d

Headers

From: Christopher Wiley <wiley@chromium.org>
Date: Tue, 24 Jul 2012 14:10:15 -0700
Subject: [PATCH] wpa_supplicant: ca_cert_verify for TPM
To: hostap@lists.shmoo.com
Message-Id: <20120724221118.E25A77428BB@wiley.mtv.corp.google.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: hostap-bounces@lists.shmoo.com
Errors-To: hostap-bounces@lists.shmoo.com

Commit Message

Christopher Wiley July 24, 2012, 9:10 p.m. UTC

This bit is set in the code path that handles keys and certs from places
other than openssl authentication engines.  Setting this bit causes
authentication to fail when the server provides certificates that don't
match the client certificate authority.
---
 src/crypto/tls_openssl.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

Comments

Jouni Malinen Aug. 4, 2012, 9:37 p.m. UTC | #1

On Tue, Jul 24, 2012 at 02:10:15PM -0700, Christopher Wiley wrote:
> This bit is set in the code path that handles keys and certs from places
> other than openssl authentication engines.  Setting this bit causes
> authentication to fail when the server provides certificates that don't
> match the client certificate authority.

Thanks! Applied.

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 3bbd457..19fa3fb 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1922,6 +1922,8 @@  static int tls_connection_engine_ca_cert(void *_ssl_ctx,
 	wpa_printf(MSG_DEBUG, "OpenSSL: %s - added CA certificate from engine "
 		   "to certificate store", __func__);
 	SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
+	conn->ca_cert_verify = 1;
+
 	return 0;
 
 #else /* OPENSSL_NO_ENGINE */
@@ -2085,7 +2087,7 @@  static int tls_connection_private_key(void *_ssl_ctx,
 	ERR_clear_error();
 	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
 	os_free(passwd);
-	
+
 	if (!SSL_check_private_key(conn->ssl)) {
 		tls_show_errors(MSG_INFO, __func__, "Private key failed "
 				"verification");
@@ -2131,7 +2133,7 @@  static int tls_global_private_key(SSL_CTX *ssl_ctx, const char *private_key,
 	os_free(passwd);
 	ERR_clear_error();
 	SSL_CTX_set_default_passwd_cb(ssl_ctx, NULL);
-	
+
 	if (!SSL_CTX_check_private_key(ssl_ctx)) {
 		tls_show_errors(MSG_INFO, __func__,
 				"Private key failed verification");

wpa_supplicant: ca_cert_verify for TPM

Commit Message

Comments

Patch