[PATCH] Pinned certificates are always accepted

Rohit Agrawal rohit.agrawal.mn
Tue Mar 3 17:44:52 PST 2015


If OpenSSL reports that a presented leaf certificate is invalid
but it has been explicitly pinned, accept it anyway.

Signed-off-by: Rohit Agrawal <rohit.agrawal.mn at gmail.com>
---
 src/crypto/tls_openssl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 46c4a46..f4b7620 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1516,7 +1516,9 @@ static int tls_verify_cb(int preverify_ok,
X509_STORE_CTX *x509_ctx)
  err_str = X509_verify_cert_error_string(err);

 #ifdef CONFIG_SHA256
- if (preverify_ok && depth == 0 && conn->server_cert_only) {
+ // don't require preverify_ok so we can explicity allow otherwise
+ // invalid pinned certs
+ if (depth == 0 && conn->server_cert_only) {
  struct wpabuf *cert;
  cert = get_x509_cert(err_cert);
  if (!cert) {
@@ -1534,6 +1536,10 @@ static int tls_verify_cb(int preverify_ok,
X509_STORE_CTX *x509_ctx)
  err_str = "Server certificate mismatch";
  err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
  preverify_ok = 0;
+ } else {
+ // certificate matches pinned certificate, allow
+ // regardless of other problems
+ preverify_ok = 1;
  }
  wpabuf_free(cert);
  }
-- 
2.3.1



More information about the Hostap mailing list