From cd961180d47d76e55de1c09e3ec6d7448f4e3359 Mon Sep 17 00:00:00 2001
From: Dan Breslau
Date: Wed, 5 Oct 2016 13:30:52 -0400
Subject: [PATCH] Ensure that we call the server_cert_cb, if present, for server certificates
---
 libeap/src/crypto/tls_openssl.c | 6 +++---
 mech_eap/init_sec_context.c | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/libeap/src/crypto/tls_openssl.c b/libeap/src/crypto/tls_openssl.c
index 491182b..fab1865 100644
--- a/libeap/src/crypto/tls_openssl.c
+++ b/libeap/src/crypto/tls_openssl.c
@@ -1627,12 +1627,12 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 err_str = X509_verify_cert_error_string(err);
 #ifdef CONFIG_SHA256
- if (depth == 0 && conn->server_cert_only) {
- if (depth == 0 && conn->server_cert_cb) {
+ if (depth == 0) {
+ if (conn->server_cert_cb) {
 preverify_ok = conn->server_cert_cb(preverify_ok, err_cert, conn->server_cert_ctx);
 wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb: server_cert_cb returned %d", preverify_ok);
 }
- else {
+ if (conn->server_cert_only) {
 /*
 * Do not require preverify_ok so we can explicity allow otherwise
 * invalid pinned server certificates.
diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index c4769d7..2a1d3e0 100644
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -419,7 +419,7 @@ static int sha256(unsigned char *bytes, int len, unsigned char *hash)
 }
-static int peerValidateCA(int ok_so_far, X509* cert, void *ca_ctx)
+static int peerValidateServer(int ok_so_far, X509* cert, void *ca_ctx)
 {
 const char *realm = NULL;
 unsigned char *cert_bytes = NULL;
@@ -441,7 +441,7 @@ static int peerValidateCA(int ok_so_far, X509* cert, void *ca_ctx)
 GSSEAP_FREE(cert_bytes);
 if (hash_len != 32) {
- printf("peerValidateCA: Error: hash_len=%d, not 32!\n", hash_len);
+ printf("peerValidateServer: Error: hash_len=%d, not 32!\n", hash_len);
 return FALSE;
 }
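Review bot: In the new `if (conn->server_cert_cb)` branch the callback's return value replaces preverify_ok outright and the debug line logs only the returned value, so when the callback upgrades a failed chain verification to 1 there is no record of OpenSSL's original verdict even though err/err_str were just computed at the top of the hunk. Suggest keeping the incoming value and logging both, e.g. `int chain_ok = preverify_ok;` before the call and `wpa_printf(MSG_DEBUG, "TLS: tls_verify_cb: server_cert_cb(%d) returned %d (%s)", chain_ok, preverify_ok, err_str);`. The following `if (conn->server_cert_only)` branch, whose body and "Do not require preverify_ok" comment continue past the hunk, can presumably override the callback's verdict a second time now that both run on the same depth-0 certificate, so the precedence between pinning and the callback deserves a one-line comment at the top of the `depth == 0` block. tls_verify_cb begins and ends outside this hunk.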
@@ -453,7 +453,7 @@ static int peerValidateCA(int ok_so_far, X509* cert, void *ca_ctx)
 ok_so_far = moonshot_confirm_ca_certificate(identity, realm, hash, 32, &error);
 free(identity);
- printf("peerValidateCA: Returning %d\n", ok_so_far);
+ printf("peerValidateServer: Returning %d\n", ok_so_far);
 return ok_so_far;
 }
@@ -566,7 +566,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
 eapPeerConfig->private_key_passwd = (char *)cred->password.value;
 }
- eapPeerConfig->server_cert_cb = peerValidateCA;
+ eapPeerConfig->server_cert_cb = peerValidateServer;
 eapPeerConfig->server_cert_ctx = eapPeerConfig;
 *minor = 0;
-- 
2.1.4