projects / mech_eap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0184c4f)
Ensure that we call the server_cert_cb, if present, for server certificates
authorDan Breslau <dbreslau@painless-security.com>
Wed, 5 Oct 2016 17:30:52 +0000 (13:30 -0400)
committerDan Breslau <dbreslau@painless-security.com>
Wed, 5 Oct 2016 17:30:52 +0000 (13:30 -0400)
libeap/src/crypto/tls_openssl.c patch | blob | history
mech_eap/init_sec_context.c patch | blob | history

diff --git a/libeap/src/crypto/tls_openssl.c b/libeap/src/crypto/tls_openssl.c
index 491182b..fab1865 100644 (file)
--- a/libeap/src/crypto/tls_openssl.c
+++ b/libeap/src/crypto/tls_openssl.c
@@ -1627,12 +1627,12 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
        err_str = X509_verify_cert_error_string(err);
 
 #ifdef CONFIG_SHA256
-       if (depth == 0 && conn->server_cert_only) {
-        if (depth == 0 && conn->server_cert_cb) {
+       if (depth == 0) {
+        if (conn->server_cert_cb) {
             preverify_ok = conn->server_cert_cb(preverify_ok, err_cert, conn->server_cert_ctx);
             wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb: server_cert_cb returned %d", preverify_ok);
         }
-        else {
+        if (conn->server_cert_only) {
             /*
              * Do not require preverify_ok so we can explicity allow otherwise
              * invalid pinned server certificates.
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index c4769d7..2a1d3e0 100644 (file)
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -419,7 +419,7 @@ static int sha256(unsigned char *bytes, int len, unsigned char *hash)
 }
 
 
-static int peerValidateCA(int ok_so_far, X509* cert, void *ca_ctx)
+static int peerValidateServer(int ok_so_far, X509* cert, void *ca_ctx)
 {
     const char           *realm = NULL;
     unsigned char        *cert_bytes = NULL;
@@ -441,7 +441,7 @@ static int peerValidateCA(int ok_so_far, X509* cert, void *ca_ctx)
     GSSEAP_FREE(cert_bytes);
     
     if (hash_len != 32) {
-        printf("peerValidateCA: Error: hash_len=%d, not 32!\n", hash_len);
+        printf("peerValidateServer: Error: hash_len=%d, not 32!\n", hash_len);
         return FALSE;
     }
 
@@ -453,7 +453,7 @@ static int peerValidateCA(int ok_so_far, X509* cert, void *ca_ctx)
     ok_so_far = moonshot_confirm_ca_certificate(identity, realm, hash, 32, &error);
     free(identity);
 
-    printf("peerValidateCA: Returning %d\n", ok_so_far);
+    printf("peerValidateServer: Returning %d\n", ok_so_far);
     return ok_so_far;
 }
 
@@ -566,7 +566,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
         eapPeerConfig->private_key_passwd = (char *)cred->password.value;
     }
 
-    eapPeerConfig->server_cert_cb = peerValidateCA;
+    eapPeerConfig->server_cert_cb = peerValidateServer;
     eapPeerConfig->server_cert_ctx = eapPeerConfig;
 
     *minor = 0;
Moonshot GSS-API mechanism