From patchwork Mon Oct 1 18:12:53 2018
X-Patchwork-Submitter: Jared Bents
X-Patchwork-Id: 977362
From: Jared Bents
To: hostap@lists.infradead.org
Subject: [PATCH v1 1/3] HostAPD: Add option 'check_crl_strict'
Date: Mon, 1 Oct 2018 13:12:53 -0500
Message-Id: <1538417575-35315-1-git-send-email-jared.bents@rockwellcollins.com>
Cc: Sam Voss, Jared Bents

Add the ability to ignore time-based errors from openssl by specifying a
new configuration parameter, "check_crl_strict". This causes the
following:

- This setting does nothing when CRL checking is not enabled.
- When CRL is enabled, "strict mode" will cause CRL time errors to not be
  ignored and will continue behaving as it currently does.
- When CRL is enabled, disabling strict mode will cause CRL time errors
  to be ignored and will allow connections.

By default, check_crl_strict is set to 1, or strict mode, to keep current
functionality.

Signed-off-by: Sam Voss
Signed-off-by: Jared Bents --- hostapd/config_file.c | 2 ++ hostapd/hostapd.conf | 8 ++++++++ src/ap/ap_config.c | 3 +++ src/ap/ap_config.h | 1 + src/ap/authsrv.c | 3 ++- src/crypto/tls.h | 3 ++- src/crypto/tls_openssl.c | 21 ++++++++++++++++++++- 7 files changed, 38 insertions(+), 3 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index 5079f69..7b7b33f 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2131,6 +2131,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->private_key_passwd = os_strdup(pos); } else if (os_strcmp(buf, "check_crl") == 0) { bss->check_crl = atoi(pos); + } else if (os_strcmp(buf, "check_crl_strict") == 0) { + bss->check_crl_strict = atoi(pos); } else if (os_strcmp(buf, "tls_session_lifetime") == 0) { bss->tls_session_lifetime = atoi(pos); } else if (os_strcmp(buf, "ocsp_stapling_response") == 0) { diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index fa9a855..bc56f8d 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -795,6 +795,14 @@ eap_server=0 # 2 = check all CRLs in the certificate path #check_crl=1 +# Specifiy whether or not to ignore certificate validity time missmatches with +# errors X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID +# +# 0 = ignore errors +# 1 = do not ignore errors (default) +#check_crl_strict=0 + + # TLS Session Lifetime in seconds # This can be used to allow TLS sessions to be cached and resumed with an # abbreviated handshake when using EAP-TLS/TTLS/PEAP. diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 228de2b..2e3797b 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -95,6 +95,9 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) bss->radius_das_time_window = 300; bss->sae_anti_clogging_threshold = 5; + + /* Default to strict crl checking. */ + bss->check_crl_strict = 1; } diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 8c8f7e2..6220185 100644 --- a/src/ap/ap_config.h 
+++ b/src/ap/ap_config.h @@ -352,6 +352,7 @@ struct hostapd_bss_config { char *private_key; char *private_key_passwd; int check_crl; + int check_crl_strict; unsigned int tls_session_lifetime; char *ocsp_stapling_response; char *ocsp_stapling_response_multi; diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c index cdb49cd..62ddc87 100644 --- a/src/ap/authsrv.c +++ b/src/ap/authsrv.c @@ -183,7 +183,8 @@ int authsrv_init(struct hostapd_data *hapd) } if (tls_global_set_verify(hapd->ssl_ctx, - hapd->conf->check_crl)) { + hapd->conf->check_crl, + hapd->conf->check_crl_strict)) { wpa_printf(MSG_ERROR, "Failed to enable check_crl"); authsrv_deinit(hapd); return -1; diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 11d504a..bb497ce 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -303,9 +303,10 @@ int __must_check tls_global_set_params( * @tls_ctx: TLS context data from tls_init() * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate, * 2 = verify CRL for all certificates + * @strict: 0 = allow time errors, 1 = do not allow time errors * Returns: 0 on success, -1 on failure */ -int __must_check tls_global_set_verify(void *tls_ctx, int check_crl); +int __must_check tls_global_set_verify(void *tls_ctx, int check_crl, int strict); /** * tls_connection_set_verify - Set certificate verification options diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 23ac64b..990c938 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -188,6 +188,7 @@ struct tls_context { void *cb_ctx; int cert_in_cb; char *ocsp_stapling_response; + int check_crl_strict; }; static struct tls_context *tls_global = NULL; @@ -227,6 +228,7 @@ struct tls_connection { unsigned int flags; + X509 *peer_cert; X509 *peer_issuer; X509 *peer_issuer_issuer; 
@@ -1820,6 +1822,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) "time mismatch"); preverify_ok = 1; } + if (!preverify_ok && (!tls_global->check_crl_strict) && + (err == X509_V_ERR_CRL_HAS_EXPIRED || + err == X509_V_ERR_CRL_NOT_YET_VALID)) { + wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity " + "crl time mismatch"); + preverify_ok = 1; + } err_str = X509_verify_cert_error_string(err); @@ -2185,9 +2194,11 @@ static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert) } -int tls_global_set_verify(void *ssl_ctx, int check_crl) +int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict) { int flags; + SSL *ssl; + struct tls_connection *conn; if (check_crl) { struct tls_data *data = ssl_ctx; @@ -2202,6 +2213,14 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl) if (check_crl == 2) flags |= X509_V_FLAG_CRL_CHECK_ALL; X509_STORE_set_flags(cs, flags); + + if (NULL == tls_global) { + tls_show_errors(MSG_INFO, __func__, "Failed setting " + "strict mode in tls_global context."); + } else { + tls_global->check_crl_strict = strict; + } + } return 0; }
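Review bot: in the hostapd/hostapd.conf hunk the new comment documents the wrong errors. It says check_crl_strict controls X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID, but the tls_verify_cb() change in this same patch only relaxes X509_V_ERR_CRL_HAS_EXPIRED and X509_V_ERR_CRL_NOT_YET_VALID; certificate validity errors are not affected. Name the CRL errors, state that the option has no effect unless check_crl is set (the commit message says so, the config text does not), and fix "Specifiy" and "missmatches". The commented example "#check_crl_strict=0" also contradicts the "(default)" marker two lines above it; showing "#check_crl_strict=1" avoids an operator copying the relaxed value out of habit. Finally, the hunk adds two blank lines before the "# TLS Session Lifetime" block where the file otherwise uses one.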
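Review bot: the src/crypto/tls.h hunk changes the prototype of tls_global_set_verify() to take a third argument, but the diffstat shows only src/crypto/tls_openssl.c being updated to match. Any other TLS backend in src/crypto that defines this function keeps the two-argument definition and will fail to compile against the new declaration; each needs the extra parameter (ignoring it is acceptable where there is no CRL time check to relax). Separately, the new declaration is 81 columns and should be wrapped, and "@strict: 0 = allow time errors" should say CRL time errors, since that is all the OpenSSL implementation relaxes.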
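Review bot: the src/crypto/tls_openssl.c hunk at struct tls_connection adds nothing but an empty line (the lone "+" before "X509 *peer_cert;"); it is an unrelated whitespace change and should be dropped from this patch.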
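Review bot: in the tls_verify_cb() hunk the new block reads the flag from tls_global, a single static pointer (see "static struct tls_context *tls_global = NULL;" in the struct tls_context hunk). With more than one BSS, each authsrv_init() calls tls_global_set_verify() with its own hapd->conf->check_crl_strict, and with this code the last caller decides for every SSL_CTX, so relaxing CRL time checks on one BSS silently relaxes them on all. Store the flag in the struct tls_context that belongs to the SSL_CTX being configured (tls_global_set_verify() already has that context's struct tls_data in hand) and read it from the connection's context here. Also, "Ignore certificate validity crl time mismatch" is misleading: it is the CRL's validity window, not the certificate's, that is being ignored; and because a CRL past its nextUpdate means any revocation the CA has published since then is invisible, this should log at MSG_INFO rather than MSG_DEBUG so the operator can see when the relaxation actually fires.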
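Review bot: in the tls_global_set_verify() hunk, "SSL *ssl;" and "struct tls_connection *conn;" are declared and never used; they will warn under -Wunused-variable and should go. The "NULL == tls_global" branch calls tls_show_errors(), which reports the OpenSSL error queue, but no OpenSSL call has failed at that point, so a plain wpa_printf() is the right tool; more importantly the function then returns 0, so authsrv_init() believes the verify options were applied when the strict flag was not stored. Return -1 there so the existing "Failed to enable check_crl" path runs.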
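An added example, not part of this patch or of hostapd: the shell script below uses only the openssl command-line tool to reproduce the condition the patch is about (a CRL past its nextUpdate, which OpenSSL reports as X509_V_ERR_CRL_HAS_EXPIRED, "CRL has expired") and to show what accepting such a CRL costs: a revocation the CA published in a newer CRL is never seen. The CA name, subject names and file names are made up and everything is generated in a temporary directory. openssl verify's -no_check_time is used as the closest CLI stand-in for check_crl_strict=0; it is an approximation, because it also disables certificate validity checks, which the patch does not do. It needs an openssl binary (1.1.0 or newer for -no_check_time).

```shell
#!/bin/sh
# Added example, not hostapd code: reproduce the CRL time error that
# check_crl_strict=0 would let hostapd ignore, using only the openssl CLI.
# Names (demo-ca, leaf) and files are made up; work happens under mktemp -d.
set -eu

# Build a throwaway CA, one leaf certificate and a CRL (nextUpdate = now+1d)
# that does not list the leaf. Prints the working directory.
build_pki() {
    work=$(mktemp -d)
    (
        cd "$work"
        touch index.txt          # empty database for 'openssl ca'
        echo 1000 > crlnumber
        cat > ca.cnf <<'EOF'
[ ca ]
default_ca         = demo
[ demo ]
database           = index.txt
crlnumber          = crlnumber
certificate        = ca.pem
private_key        = ca.key
default_md         = sha256
default_crl_days   = 1
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
EOF
        openssl req -x509 -config ca.cnf -newkey ec \
            -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout ca.key -out ca.pem -subj /CN=demo-ca -days 3650
        openssl req -config ca.cnf -newkey ec \
            -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout leaf.key -out leaf.csr -subj /CN=leaf
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 3650 -out leaf.pem
        openssl ca -config ca.cnf -gencrl -crldays 1 -out crl.pem
        cat ca.pem crl.pem > ca_with_crl.pem   # the copy an AP has on disk
    ) >/dev/null 2>&1
    echo "$work"
}

# Strict behaviour (hostapd today): verify as if the clock were skew_secs
# ahead. Once past the CRL's nextUpdate, OpenSSL reports error 12,
# X509_V_ERR_CRL_HAS_EXPIRED ("CRL has expired"), and the handshake fails.
verify_at_skew() {          # args: dir bundle skew_secs
    at=$(( $(date +%s) + $3 ))
    ( cd "$1" && openssl verify -crl_check -attime "$at" \
        -CAfile "$2" leaf.pem 2>&1 ) || true
}

# Closest CLI stand-in for check_crl_strict=0: -no_check_time makes OpenSSL
# skip validity-period checks (for the CRL, but also for certificates, which
# the hostapd patch does not do), so whatever CRL is on disk gets used.
verify_ignoring_time() {    # args: dir bundle
    ( cd "$1" && openssl verify -crl_check -no_check_time \
        -CAfile "$2" leaf.pem 2>&1 ) || true
}

# The CA revokes the leaf and publishes a new CRL. The old bundle is left in
# place, standing in for an AP that never refreshed its copy.
revoke_leaf_and_refresh_crl() {    # arg: dir
    ( cd "$1" && openssl ca -config ca.cnf -revoke leaf.pem \
        && openssl ca -config ca.cnf -gencrl -crldays 1 -out crl2.pem \
        && cat ca.pem crl2.pem > ca_with_fresh_crl.pem ) >/dev/null 2>&1
}

demo() {
    d=$(build_pki)
    echo "== strict, clock 2 days ahead (CRL past nextUpdate):"
    verify_at_skew "$d" ca_with_crl.pem 172800
    revoke_leaf_and_refresh_crl "$d"
    echo "== time checks off, AP still holding the old CRL:"
    verify_ignoring_time "$d" ca_with_crl.pem
    echo "== same relaxed check against the CA's current CRL:"
    verify_ignoring_time "$d" ca_with_fresh_crl.pem
    rm -rf "$d"
}

demo
```

The second and third checks are the point for an operator weighing check_crl_strict=0: with time checks relaxed the stale CRL yields "OK" for a certificate the CA has already revoked, and only the refreshed CRL yields "certificate revoked". Relaxing the check buys availability when CRL distribution is unreliable, but the CRL still has to be refreshed on its own schedule or revocation stops working in practice.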