eap-tls-common: Relax certificate chain check

Relax the pre-check for local user certificate. Before we used to check that the CA provided (if any) was used to verify both the peer identity and the local certificate chain. However, there seem to be networks that use different CAs to sign AP/Radius certificates and certificates issued to users. Drop the ca_certs argument from l_certchain_verify, but keep the call there to make sure the certificate chain is indeed a chain as a sanity check.
2019-10-23 09:51:29 -05:00 · 2019-10-23 09:51:29 -05:00 · 45bd459711
parent cdc9eb13aa
commit 45bd459711
1 changed files with 9 additions and 10 deletions
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@ -900,16 +900,15 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 			goto done;
 		}

-		if (!l_certchain_verify(cert, cacerts, &error_str)) {
-			if (cacerts)
-				l_error("Certificate chain %s is not trusted "
-					"by any CA in %s or fails verification"
-					": %s", client_cert, value, error_str);
-			else
-				l_error("Certificate chain %s fails "
-					"verification: %s",
-					client_cert, error_str);
-
+		/*
+		 * Sanity check that certchain provided is valid.  We do not
+		 * verify the certchain against the provided CA, since the
+		 * CA that issued user certificates might be different from
+		 * the one that is used to verify the peer
+		 */
+		if (!l_certchain_verify(cert, NULL, &error_str)) {
+			l_error("Certificate chain %s fails verification: %s",
+				client_cert, error_str);
 			ret = -EINVAL;
 			goto done;
 		}