commit 00033a0903f69b2f0e0c048840bff059f5a3eab9
author Rohit Agrawal <rohit.agrawal.mn@gmail.com> Wed Mar 04 09:24:18 2015 -0600
committer Jouni Malinen <j@w1.fi> Sat Mar 07 21:26:26 2015 +0200
tree 43566f9dacf8f6eafe3b0ed7c2b563c107b48722
parent b2329e4ad5da46114acc2b1bf4640d14014aa196

OpenSSL: Always accept pinned certificates

If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.

Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>

src/crypto/tls_openssl.c

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 46c4a46..52db8fc 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1516,7 +1516,11 @@
 	err_str = X509_verify_cert_error_string(err);
 
 #ifdef CONFIG_SHA256
-	if (preverify_ok && depth == 0 && conn->server_cert_only) {
+	/*
+	 * Do not require preverify_ok so we can explicity allow otherwise
+	 * invalid pinned server certificates.
+	 */
+	if (depth == 0 && conn->server_cert_only) {
 		struct wpabuf *cert;
 		cert = get_x509_cert(err_cert);
 		if (!cert) {
@@ -1534,6 +1538,14 @@
 				err_str = "Server certificate mismatch";
 				err = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
 				preverify_ok = 0;
+			} else if (!preverify_ok) {
+				/*
+				 * Certificate matches pinned certificate, allow
+				 * regardless of other problems.
+				 */
+				wpa_printf(MSG_DEBUG,
+					   "OpenSSL: Ignore validation issues for a pinned server certificate");
+				preverify_ok = 1;
 			}
 			wpabuf_free(cert);
 		}