From patchwork Mon Aug 7 16:26:33 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sam Voss X-Patchwork-Id: 798779 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=65.50.211.133; helo=bombadil.infradead.org; envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="BHQQ2AT4"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3xR2y40tv2z9s83 for ; Tue, 8 Aug 2017 02:27:54 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=Rp84+dk+6GO1bTMOyTOy9cck3LmticCeiGyN+4GgLtU=; b=BHQ Q2AT4BtZO2/0vBE7cs0P6k0A+KMFvLi7lRUh0F6aTgmqxhZr8CjNRBkB+3OIEJbkPB1LEbj8x9HYo wuP9LB7PrwqRQXt1MEGd+iR2Ky3vW8i6s2H0P1Z5fbptkpw0m7caGJt3Xp1tz9V+5u6QtQUCmT0A4 nneu7DYqsMSO6LtmPkbD2MQUIqTQm51/3GhkJiG6f54R0Z/otrCDZyYiqWVPUBl9ITNcdeJsc+z92 ZpdQRz6Ix8wQALFfMlUsoHBIJPddalSy1bLjhvKrEx1opU9/33XDo2HsBFCcB4Q9Ozs5cW5vOxmag kKXKcdZxySJLuRXPsXv8ZBSF+oLU/EQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1deksI-0005J4-7N; Mon, 07 Aug 2017 16:27:26 +0000 Received: from da1vs02.rockwellcollins.com ([205.175.227.29]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1dekrs-0005DI-RH for hostap@lists.infradead.org; Mon, 07 Aug 2017 16:27:02 +0000 Received: from ofwda1n02.rockwellcollins.com (HELO ciulimr01.rockwellcollins.com) ([205.175.227.14]) by da1vs02.rockwellcollins.com with ESMTP; 07 Aug 2017 11:26:39 -0500 X-Received: from largo.rockwellcollins.com (unknown [192.168.140.76]) by ciulimr01.rockwellcollins.com (Postfix) with ESMTP id 405786010D; Mon, 7 Aug 2017 11:26:38 -0500 (CDT) From: Sam Voss To: hostap@lists.infradead.org Subject: [PATCH 1/1] hostapd: Add option "check_crl_strict" Date: Mon, 7 Aug 2017 11:26:33 -0500 Message-Id: <1502123193-30049-1-git-send-email-sam.voss@rockwellcollins.com> X-Mailer: git-send-email 1.9.1 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20170807_092701_000141_D9C38A89 X-CRM114-Status: GOOD ( 15.23 ) X-Spam-Score: -6.9 (------) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-6.9 points) pts rule name description ---- ---------------------- -------------------------------------------------- -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/, high trust [205.175.227.29 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-BeenThere: hostap@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Sam Voss , David.Graziano@rockwellcollins.com MIME-Version: 1.0 Sender: "Hostap" Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org Add the ability to ignore time-based errors from openssl by specifying a new configuration parameter, "check_crl_strict". This causes the following: - This setting does nothing when CRL checking is not enabled. - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does. - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections. By default, check_crl_strict is set to 1, or strict mode, to keep current functionality. Signed-off-by: Sam Voss --- hostapd/config_file.c | 2 ++ hostapd/hostapd.conf | 8 ++++++++ src/ap/ap_config.c | 4 ++++ src/ap/ap_config.h | 1 + src/ap/authsrv.c | 3 ++- src/crypto/tls.h | 3 ++- src/crypto/tls_openssl.c | 21 ++++++++++++++++++++- 7 files changed, 39 insertions(+), 3 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index a398bb1..a0b5b5d 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2210,6 +2210,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->private_key_passwd = os_strdup(pos); } else if (os_strcmp(buf, "check_crl") == 0) { bss->check_crl = atoi(pos); + } else if (os_strcmp(buf, "check_crl_strict") == 0) { + bss->check_crl_strict = atoi(pos); } else if (os_strcmp(buf, "tls_session_lifetime") == 0) { bss->tls_session_lifetime = atoi(pos); } else if (os_strcmp(buf, "ocsp_stapling_response") == 0) { diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 7ad3206..0102226 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -891,6 +891,14 @@ eap_server=0 # 2 = check all CRLs in the certificate path #check_crl=1 +# Specifiy whether or not to ignore certificate validity time missmatches with +# errors X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID +# +# 0 = ignore errors +# 1 = do not ignore errors (default) +#check_crl_strict=0 + + # TLS Session Lifetime in seconds # This can be used to allow TLS sessions to be cached and resumed with an # abbreviated handshake when using EAP-TLS/TTLS/PEAP. diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 07a13f8..e46cfcd 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -117,6 +117,10 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) #ifdef CONFIG_MBO bss->mbo_cell_data_conn_pref = -1; #endif /* CONFIG_MBO */ + + /* Default to strict crl checking. */ + bss->check_crl_strict = 1; + } diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 8e5ff52..15a6f53 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -366,6 +366,7 @@ struct hostapd_bss_config { char *private_key; char *private_key_passwd; int check_crl; + int check_crl_strict; unsigned int tls_session_lifetime; char *ocsp_stapling_response; char *ocsp_stapling_response_multi; diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c index 8a65824..eb3c650 100644 --- a/src/ap/authsrv.c +++ b/src/ap/authsrv.c @@ -182,7 +182,8 @@ int authsrv_init(struct hostapd_data *hapd) } if (tls_global_set_verify(hapd->ssl_ctx, - hapd->conf->check_crl)) { + hapd->conf->check_crl, + hapd->conf->check_crl_strict)) { wpa_printf(MSG_ERROR, "Failed to enable check_crl"); authsrv_deinit(hapd); return -1; diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 11d504a..bb497ce 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -303,9 +303,10 @@ int __must_check tls_global_set_params( * @tls_ctx: TLS context data from tls_init() * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate, * 2 = verify CRL for all certificates + * @strict: 0 = allow time errors, 1 = do not allow time errors * Returns: 0 on success, -1 on failure */ -int __must_check tls_global_set_verify(void *tls_ctx, int check_crl); +int __must_check tls_global_set_verify(void *tls_ctx, int check_crl, int strict); /** * tls_connection_set_verify - Set certificate verification options diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 903c38c..63d0eae 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -188,6 +188,7 @@ struct tls_context { void *cb_ctx; int cert_in_cb; char *ocsp_stapling_response; + int check_crl_strict; }; static struct tls_context *tls_global = NULL; @@ -227,6 +228,7 @@ struct tls_connection { unsigned int flags; + X509 *peer_cert; X509 *peer_issuer; X509 *peer_issuer_issuer; @@ -1828,6 +1830,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) "time mismatch"); preverify_ok = 1; } + if (!preverify_ok && (!tls_global->check_crl_strict) && + (err == X509_V_ERR_CRL_HAS_EXPIRED || + err == X509_V_ERR_CRL_NOT_YET_VALID)) { + wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity " + "crl time mismatch"); + preverify_ok = 1; + } err_str = X509_verify_cert_error_string(err); @@ -2193,9 +2202,11 @@ static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert) } -int tls_global_set_verify(void *ssl_ctx, int check_crl) +int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict) { int flags; + SSL *ssl; + struct tls_connection *conn; if (check_crl) { struct tls_data *data = ssl_ctx; @@ -2210,6 +2221,14 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl) if (check_crl == 2) flags |= X509_V_FLAG_CRL_CHECK_ALL; X509_STORE_set_flags(cs, flags); + + if (NULL == tls_global) { + tls_show_errors(MSG_INFO, __func__, "Failed setting " + "strict mode in tls_global context."); + } else { + tls_global->check_crl_strict = strict; + } + } return 0; }