From 45bd459711c4aa754142eb02069497716fcbe9dc Mon Sep 17 00:00:00 2001
From: Denis Kenzior
Date: Wed, 23 Oct 2019 09:51:29 -0500
Subject: [PATCH] eap-tls-common: Relax certificate chain check

Relax the pre-check for local user certificate. Before we used to check that the CA provided (if any) was used to verify both the peer identity and the local certificate chain. However, there seem to be networks that use different CAs to sign AP/Radius certificates and certificates issued to users. Drop the ca_certs argument from l_certchain_verify, but keep the call there to make sure the certificate chain is indeed a chain as a sanity check.
---
 src/eap-tls-common.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/eap-tls-common.c b/src/eap-tls-common.c
index b76770ce..174da91d 100644
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@@ -900,16 +900,15 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 			goto done;
 		}
 
-	if (!l_certchain_verify(cert, cacerts, &error_str)) {
-		if (cacerts)
-			l_error("Certificate chain %s is not trusted "
-				"by any CA in %s or fails verification"
-				": %s", client_cert, value, error_str);
-		else
-			l_error("Certificate chain %s fails "
-				"verification: %s",
-				client_cert, error_str);
-
+	/*
+	 * Sanity check that certchain provided is valid. We do not
+	 * verify the certchain against the provided CA, since the
+	 * CA that issued user certificates might be different from
+	 * the one that is used to verify the peer
+	 */
+	if (!l_certchain_verify(cert, NULL, &error_str)) {
+		l_error("Certificate chain %s fails verification: %s",
+			client_cert, error_str);
 		ret = -EINVAL;
 		goto done;
 	}
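Review bot: The new comment above `l_certchain_verify(cert, NULL, &error_str)` explains why the CA list is no longer applied, but it does not say what the check still guarantees, which is the security-relevant part now that no trust anchor is involved: a chain that passes here is only internally consistent, and its acceptability is decided by the EAP server, not by this client-side pre-check. Suggest extending the comment with `This only confirms the chain is well-formed; it establishes no trust in it. The CA list (if given) is still applied to the peer's certificate during the TLS handshake.` — the second sentence is drawn from the commit description, so it is worth confirming against the peer-verification code outside this hunk. Since the removed `l_error` branch was a use of `value` and `cacerts`, check that both are still referenced elsewhere in the function, otherwise the build may now warn about unused variables. The enclosing function `eap_tls_common_settings_check` starts and ends outside the hunk.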