author | Joel Sing <jsing@cvs.openbsd.org> | 2015-09-14 16:16:39 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2015-09-14 16:16:39 +0000 |
commit | ab5d8644fcbd41416b2e383ee1587bb1bdfb86f3 (patch) | |
tree | f5e1a9f0ab2b6b6afc615c10a7f238948cef3109 /lib | |
parent | 193b3829419007863a6dd7267c2a1c82c447da24 (diff) |
Provide tls_config_insecure_noverifytime() in order to be able to disable
certificate validity checking.
ok beck@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libtls/Makefile | 3 | ||||
-rw-r--r-- | lib/libtls/tls.c | 7 | ||||
-rw-r--r-- | lib/libtls/tls.h | 3 | ||||
-rw-r--r-- | lib/libtls/tls_config.c | 9 | ||||
-rw-r--r-- | lib/libtls/tls_init.3 | 10 | ||||
-rw-r--r-- | lib/libtls/tls_internal.h | 3 |
6 files changed, 29 insertions, 6 deletions
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index 2e6c48716cd..679aabb9eda 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.20 2015/09/14 14:29:30 jmc Exp $
+# $OpenBSD: Makefile,v 1.21 2015/09/14 16:16:38 jsing Exp $
 
 CFLAGS+= -Wall -Werror -Wimplicit
 CFLAGS+= -DLIBRESSL_INTERNAL
@@ -44,6 +44,7 @@ MLINKS+=tls_init.3 tls_config_prefer_ciphers_server.3
 MLINKS+=tls_init.3 tls_config_clear_keys.3
 MLINKS+=tls_init.3 tls_config_insecure_noverifycert.3
 MLINKS+=tls_init.3 tls_config_insecure_noverifyname.3
+MLINKS+=tls_init.3 tls_config_insecure_noverifytime.3
 MLINKS+=tls_init.3 tls_config_verify.3
 MLINKS+=tls_init.3 tls_config_verify_client.3
 MLINKS+=tls_init.3 tls_config_verify_client_optional.3
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 236ed9185b8..ac9262a4fcb 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.31 2015/09/14 12:29:16 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.32 2015/09/14 16:16:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -257,6 +257,11 @@ tls_configure_ssl(struct tls *ctx)
 		}
 	}
 
+	if (ctx->config->verify_time == 0) {
+		X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param,
+		    X509_V_FLAG_NO_CHECK_TIME);
+	}
+
 	return (0);
 
 err:
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 442fe350649..670ad0d7114 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.23 2015/09/13 10:32:46 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.24 2015/09/14 16:16:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
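Review bot: In the tls_configure_ssl hunk of tls.c, verify_time == 0 is the value that switches off certificate validity-period checking, so a tls_config whose new verify_time field is merely zero-initialised is fail-open, and the only place this commit sets the field to 1 is tls_config_verify() in the tls_config.c hunk. tls_config_new() is outside the diff, so it cannot be confirmed here whether it calls tls_config_verify() or otherwise initialises the field; if it does not, every default configuration would silently skip the notBefore/notAfter checks. The default-construction path should set `config->verify_time = 1;` explicitly next to the other verify_* defaults, so the secure setting does not depend on a zero-fill convention. A short comment on the new block would also help readers, e.g. `/* Caller opted out of validity-period checks via tls_config_insecure_noverifytime(). */`. tls_configure_ssl begins and ends outside the hunk.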
@@ -71,6 +71,7 @@ void tls_config_prefer_ciphers_server(struct tls_config *_config);
 
 void tls_config_insecure_noverifycert(struct tls_config *_config);
 void tls_config_insecure_noverifyname(struct tls_config *_config);
+void tls_config_insecure_noverifytime(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
 
 void tls_config_verify_client(struct tls_config *_config);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 4d536853c81..d5beb38f3ef 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.12 2015/09/10 09:10:42 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.13 2015/09/14 16:16:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -309,10 +309,17 @@ tls_config_insecure_noverifyname(struct tls_config *config)
 }
 
 void
+tls_config_insecure_noverifytime(struct tls_config *config)
+{
+	config->verify_time = 0;
+}
+
+void
 tls_config_verify(struct tls_config *config)
 {
 	config->verify_cert = 1;
 	config->verify_name = 1;
+	config->verify_time = 1;
 }
 
 void
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index feef85dcb66..12a8e4bcf74 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.47 2015/09/14 15:14:55 schwarze Exp $
+.\" $OpenBSD: tls_init.3,v 1.48 2015/09/14 16:16:38 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -40,6 +40,7 @@
 .Nm tls_config_clear_keys ,
 .Nm tls_config_insecure_noverifycert ,
 .Nm tls_config_insecure_noverifyname ,
+.Nm tls_config_insecure_noverifytime ,
 .Nm tls_config_verify ,
 .Nm tls_config_verify_client ,
 .Nm tls_config_verify_client_optional ,
@@ -114,6 +115,8 @@
 .Ft "void"
 .Fn tls_config_insecure_noverifyname "struct tls_config *config"
 .Ft "void"
+.Fn tls_config_insecure_noverifytime "struct tls_config *config"
+.Ft "void"
 .Fn tls_config_verify "struct tls_config *config"
 .Ft "void"
 .Fn tls_config_verify_client "struct tls_config *config"
@@ -365,6 +368,11 @@ disables server name verification.
 Be careful when using this option.
 .Em (Client)
 .It
+.Fn tls_config_insecure_noverifytime
+disables validity checking of certificate.
+Be careful when using this option.
+.Em (Client and server)
+.It
 .Fn tls_config_verify
 reenables server name and certificate verification.
 .Em (Client)
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 320f1fbfaa0..8128c05dfce 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.23 2015/09/14 12:29:16 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.24 2015/09/14 16:16:38 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -46,6 +46,7 @@ struct tls_config {
 	int verify_client;
 	int verify_depth;
 	int verify_name;
+	int verify_time;
 };
 
 struct tls_conninfo {