DigitalBrains1/wpa_supplicant-dont-fail-client-cert.patch

## wpa_supplicant-dont-fail-client-cert.patch
diff -Npru wpa_supplicant-2.1.orig/hostap/src/crypto/tls.h wpa_supplicant-2.1/hostap/src/crypto/tls.h
--- wpa_supplicant-2.1.orig/hostap/src/crypto/tls.h     2014-03-13 08:53:26.000000000 +0100
+++ wpa_supplicant-2.1/hostap/src/crypto/tls.h  2014-04-11 21:50:52.159397490 +0200
@@ -41,8 +41,7 @@ enum tls_fail_reason {
        TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
        TLS_FAIL_BAD_CERTIFICATE = 7,
        TLS_FAIL_SERVER_CHAIN_PROBE = 8,
-       TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
-       TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
+       TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
 };

 union tls_event_data {
diff -Npru wpa_supplicant-2.1.orig/hostap/src/crypto/tls_openssl.c wpa_supplicant-2.1/hostap/src/crypto/tls_openssl.c
--- wpa_supplicant-2.1.orig/hostap/src/crypto/tls_openssl.c     2014-04-11 21:44:13.163639000 +0200
+++ wpa_supplicant-2.1/hostap/src/crypto/tls_openssl.c  2014-04-11 21:50:52.179418854 +0200
@@ -105,7 +105,6 @@ struct tls_connection {
        unsigned int ca_cert_verify:1;
        unsigned int cert_probe:1;
        unsigned int server_cert_only:1;
-       unsigned int server:1;

        u8 srv_cert_hash[32];

@@ -1482,16 +1481,6 @@ static int tls_verify_cb(int preverify_o
                                       TLS_FAIL_SERVER_CHAIN_PROBE);
        }

-       if (!conn->server && err_cert && preverify_ok && depth == 0 &&
-           (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
-           (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
-               wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
-               openssl_tls_fail_event(conn, err_cert, err, depth, buf,
-                                      "Server used client certificate",
-                                      TLS_FAIL_SERVER_USED_CLIENT_CERT);
-               preverify_ok = 0;
-       }
-
        if (preverify_ok && context->event_cb != NULL)
                context->event_cb(context->cb_ctx,
                                  TLS_CERT_CHAIN_SUCCESS, NULL);
@@ -2543,8 +2532,6 @@ openssl_handshake(struct tls_connection
        int res;
        struct wpabuf *out_data;

-       conn->server = !!server;
-
        /*
         * Give TLS handshake data from the server (if available) to OpenSSL
         * for processing.
	diff -Npru wpa_supplicant-2.1.orig/hostap/src/crypto/tls.h wpa_supplicant-2.1/hostap/src/crypto/tls.h
	--- wpa_supplicant-2.1.orig/hostap/src/crypto/tls.h 2014-03-13 08:53:26.000000000 +0100
	+++ wpa_supplicant-2.1/hostap/src/crypto/tls.h 2014-04-11 21:50:52.159397490 +0200
	@@ -41,8 +41,7 @@ enum tls_fail_reason {
	TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
	TLS_FAIL_BAD_CERTIFICATE = 7,
	TLS_FAIL_SERVER_CHAIN_PROBE = 8,
	- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
	- TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
	+ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
	};

	union tls_event_data {
	diff -Npru wpa_supplicant-2.1.orig/hostap/src/crypto/tls_openssl.c wpa_supplicant-2.1/hostap/src/crypto/tls_openssl.c
	--- wpa_supplicant-2.1.orig/hostap/src/crypto/tls_openssl.c 2014-04-11 21:44:13.163639000 +0200
	+++ wpa_supplicant-2.1/hostap/src/crypto/tls_openssl.c 2014-04-11 21:50:52.179418854 +0200
	@@ -105,7 +105,6 @@ struct tls_connection {
	unsigned int ca_cert_verify:1;
	unsigned int cert_probe:1;
	unsigned int server_cert_only:1;
	- unsigned int server:1;

	u8 srv_cert_hash[32];

	@@ -1482,16 +1481,6 @@ static int tls_verify_cb(int preverify_o
	TLS_FAIL_SERVER_CHAIN_PROBE);
	}

	- if (!conn->server && err_cert && preverify_ok && depth == 0 &&
	- (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
	- (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
	- wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
	- openssl_tls_fail_event(conn, err_cert, err, depth, buf,
	- "Server used client certificate",
	- TLS_FAIL_SERVER_USED_CLIENT_CERT);
	- preverify_ok = 0;
	- }
	-
	if (preverify_ok && context->event_cb != NULL)
	context->event_cb(context->cb_ctx,
	TLS_CERT_CHAIN_SUCCESS, NULL);
	@@ -2543,8 +2532,6 @@ openssl_handshake(struct tls_connection
	int res;
	struct wpabuf *out_data;

	- conn->server = !!server;
	-
	/*
	* Give TLS handshake data from the server (if available) to OpenSSL
	* for processing.