diff options
author | Matt Housh <jaeger@crux.nu> | 2014-05-14 08:30:29 -0500 |
---|---|---|
committer | Matt Housh <jaeger@crux.nu> | 2014-05-14 08:30:29 -0500 |
commit | 5da07b6fa1e4abdc7ebc17f3f3f1b2eef9028035 (patch) | |
tree | 816494126b5680058137e0e40c0294bf8864b7f6 /wpa_supplicant | |
parent | 0aba3c7852e89ae9a023ea5c4b499137f1675f0b (diff) | |
download | opt-5da07b6fa1e4abdc7ebc17f3f3f1b2eef9028035.tar.gz opt-5da07b6fa1e4abdc7ebc17f3f3f1b2eef9028035.tar.xz |
wpa_supplicant: revert 'OpenSSL: Do not accept SSL Client certificate for server'
Diffstat (limited to 'wpa_supplicant')
-rw-r--r-- | wpa_supplicant/.md5sum | 1 | ||||
-rw-r--r-- | wpa_supplicant/Pkgfile | 7 | ||||
-rw-r--r-- | wpa_supplicant/revert-51e3eaf.patch | 68 |
3 files changed, 74 insertions, 2 deletions
diff --git a/wpa_supplicant/.md5sum b/wpa_supplicant/.md5sum index bf23d3eac..a00a43c70 100644 --- a/wpa_supplicant/.md5sum +++ b/wpa_supplicant/.md5sum @@ -1 +1,2 @@ +ba6674b926dc30cfca46cf9a6bdacd23 revert-51e3eaf.patch e96b8db5a8171cd17a5b2012d6ad7cc7 wpa_supplicant-2.1.tar.gz diff --git a/wpa_supplicant/Pkgfile b/wpa_supplicant/Pkgfile index b99bbf927..fb3d96845 100644 --- a/wpa_supplicant/Pkgfile +++ b/wpa_supplicant/Pkgfile @@ -5,10 +5,13 @@ name=wpa_supplicant version=2.1 -release=1 -source=(http://hostap.epitest.fi/releases/$name-$version.tar.gz) +release=2 +source=(http://hostap.epitest.fi/releases/$name-$version.tar.gz \ + revert-51e3eaf.patch) build () { + patch -d $name-$version -p1 -i $SRC/revert-51e3eaf.patch + cd $name-$version/$name cp defconfig .config diff --git a/wpa_supplicant/revert-51e3eaf.patch b/wpa_supplicant/revert-51e3eaf.patch new file mode 100644 index 000000000..e3141b0ea --- /dev/null +++ b/wpa_supplicant/revert-51e3eaf.patch @@ -0,0 +1,68 @@ +From b62d5b5450101676a0c05691b4bcd94e11426397 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Wed, 19 Feb 2014 09:56:02 +0000 +Subject: Revert "OpenSSL: Do not accept SSL Client certificate for server" + +This reverts commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304. There are +too many deployed AAA servers that include both id-kp-clientAuth and +id-kp-serverAuth EKUs for this change to be acceptable as a generic rule +for AAA authentication server validation. OpenSSL enforces the policy of +not connecting if only id-kp-clientAuth is included. If a valid EKU is +listed with it, the connection needs to be accepted. + +Signed-off-by: Jouni Malinen <j@w1.fi> +--- +diff --git a/src/crypto/tls.h b/src/crypto/tls.h +index 287fd33..feba13f 100644 +--- a/src/crypto/tls.h ++++ b/src/crypto/tls.h +@@ -41,8 +41,7 @@ enum tls_fail_reason { + TLS_FAIL_ALTSUBJECT_MISMATCH = 6, + TLS_FAIL_BAD_CERTIFICATE = 7, + TLS_FAIL_SERVER_CHAIN_PROBE = 8, +- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, +- TLS_FAIL_SERVER_USED_CLIENT_CERT = 10 ++ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9 + }; + + union tls_event_data { +diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c +index a13fa38..8cf1de8 100644 +--- a/src/crypto/tls_openssl.c ++++ b/src/crypto/tls_openssl.c +@@ -105,7 +105,6 @@ struct tls_connection { + unsigned int ca_cert_verify:1; + unsigned int cert_probe:1; + unsigned int server_cert_only:1; +- unsigned int server:1; + + u8 srv_cert_hash[32]; + +@@ -1480,16 +1479,6 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) + TLS_FAIL_SERVER_CHAIN_PROBE); + } + +- if (!conn->server && err_cert && preverify_ok && depth == 0 && +- (err_cert->ex_flags & EXFLAG_XKUSAGE) && +- (err_cert->ex_xkusage & XKU_SSL_CLIENT)) { +- wpa_printf(MSG_WARNING, "TLS: Server used client certificate"); +- openssl_tls_fail_event(conn, err_cert, err, depth, buf, +- "Server used client certificate", +- TLS_FAIL_SERVER_USED_CLIENT_CERT); +- preverify_ok = 0; +- } +- + if (preverify_ok && context->event_cb != NULL) + context->event_cb(context->cb_ctx, + TLS_CERT_CHAIN_SUCCESS, NULL); +@@ -2541,8 +2530,6 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data, + int res; + struct wpabuf *out_data; + +- conn->server = !!server; +- + /* + * Give TLS handshake data from the server (if available) to OpenSSL + * for processing. +-- +cgit v0.9.2 |