3
0
mirror of https://git.kernel.org/pub/scm/network/wireless/iwd.git synced 2024-12-22 13:02:44 +01:00

eap-tls-common: Relax certificate chain check

Relax the pre-check for local user certificate.  Before we used to check
that the CA provided (if any) was used to verify both the peer identity
and the local certificate chain.  However, there seem to be networks
that use different CAs to sign AP/Radius certificates and certificates
issued to users.

Drop the ca_certs argument from l_certchain_verify, but keep the call
there to make sure the certificate chain is indeed a chain as a sanity
check.
This commit is contained in:
Denis Kenzior 2019-10-23 09:51:29 -05:00
parent cdc9eb13aa
commit 45bd459711

View File

@ -900,16 +900,15 @@ int eap_tls_common_settings_check(struct l_settings *settings,
goto done;
}
if (!l_certchain_verify(cert, cacerts, &error_str)) {
if (cacerts)
l_error("Certificate chain %s is not trusted "
"by any CA in %s or fails verification"
": %s", client_cert, value, error_str);
else
l_error("Certificate chain %s fails "
"verification: %s",
client_cert, error_str);
/*
* Sanity check that certchain provided is valid. We do not
* verify the certchain against the provided CA, since the
* CA that issued user certificates might be different from
* the one that is used to verify the peer
*/
if (!l_certchain_verify(cert, NULL, &error_str)) {
l_error("Certificate chain %s fails verification: %s",
client_cert, error_str);
ret = -EINVAL;
goto done;
}