From: Anders Kaseorg
To: Jouni Malinen
Cc: hostap@shmoo.com
Date: Sat, 15 Feb 2014 00:21:32 -0500 (EST)
Subject: [PATCH] OpenSSL: Accept certificates marked for both server and client use

Commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304 was too strict in forbidding certificates marked for client use. For example, this broke the MIT SECURE wireless network. The extended key usage is a _list_ of allowed uses, and rather than checking that client use is not in the list, we should check that server use is in the list.

Signed-off-by: Anders Kaseorg
--- src/crypto/tls.h | 2 +- src/crypto/tls_openssl.c | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 287fd33..3f07600 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h 
@@ -42,7 +42,7 @@ enum tls_fail_reason { TLS_FAIL_BAD_CERTIFICATE = 7, TLS_FAIL_SERVER_CHAIN_PROBE = 8, TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, - TLS_FAIL_SERVER_USED_CLIENT_CERT = 10 + TLS_FAIL_NON_SERVER_KEY_USAGE = 10, }; union tls_event_data { diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index d025ae0..485a21e 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -1479,11 +1479,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) if (!conn->server && err_cert && preverify_ok && depth == 0 && (err_cert->ex_flags & EXFLAG_XKUSAGE) && - (err_cert->ex_xkusage & XKU_SSL_CLIENT)) { - wpa_printf(MSG_WARNING, "TLS: Server used client certificate"); + !(err_cert->ex_xkusage & XKU_SSL_SERVER)) { + wpa_printf(MSG_WARNING, "TLS: Server certificate marked for " + "non-server key usage"); openssl_tls_fail_event(conn, err_cert, err, depth, buf, - "Server used client certificate", - TLS_FAIL_SERVER_USED_CLIENT_CERT); + "Server certificate marked for " + "non-server key usage", + TLS_FAIL_NON_SERVER_KEY_USAGE); preverify_ok = 0; }
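Review bot: Renaming the enumerator from TLS_FAIL_SERVER_USED_CLIENT_CERT to TLS_FAIL_NON_SERVER_KEY_USAGE in the tls_fail_reason hunk changes an identifier that other code may reference, and the diffstat touches only tls.h and tls_openssl.c; please confirm with a grep that no other file (for example code that reports the failure reason over a control interface) still uses the old name, or the build will break. Keeping the numeric value at 10 is the right call, since any consumer that exposes the reason as a number stays stable, and the trailing comma added in `+ TLS_FAIL_NON_SERVER_KEY_USAGE = 10,` makes future additions a one-line change.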
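Review bot: The new condition in the tls_verify_cb hunk, `!(err_cert->ex_xkusage & XKU_SSL_SERVER)`, implements exactly the rule the commit message gives (reject only when server use is absent from the list), and because it remains guarded by `(err_cert->ex_flags & EXFLAG_XKUSAGE)` and `depth == 0`, a server certificate with no extendedKeyUsage extension at all is still accepted; that "no EKU means unrestricted" behaviour is intended but deserves a one-line comment above the `if`, since the new reason name could be read as requiring the extension. Minor: the warning would be more useful when diagnosing a rejected deployment if it included the usage bits that were present, e.g. `wpa_printf(MSG_WARNING, "TLS: Server certificate marked for non-server key usage (xkusage 0x%lx)", (unsigned long) err_cert->ex_xkusage);`.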
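As an added illustration of the rule in the commit message (this is not code from the hostap project or from the patch author), the following Python decodes a DER extendedKeyUsage value into its list of key-purpose OIDs and applies both the pre-patch policy (reject if clientAuth is listed) and the patched policy (reject unless serverAuth is listed). The function names and the sample DER bytes are constructed for this example.

```python
"""Decode X.509 extendedKeyUsage (RFC 5280 4.2.1.12) and apply the old and
new server-certificate policies from the patch. Example code, constructed."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth

def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for one DER TLV (short or long length)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode OID content octets to dotted form (base-128 sub-identifiers)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids

def server_cert_ok_old(eku):
    """Pre-patch rule: reject if clientAuth is listed (None = no EKU ext)."""
    return eku is None or CLIENT_AUTH not in eku

def server_cert_ok_new(eku):
    """Patched rule: reject unless serverAuth is listed (None = no EKU ext)."""
    return eku is None or SERVER_AUTH in eku

# Constructed sample: EKU listing serverAuth and then clientAuth, the shape of
# certificate the commit message says the old check wrongly rejected.
BOTH_USES_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
```

Running `parse_eku(BOTH_USES_DER)` yields both OIDs; the old policy rejects that certificate while the new one accepts it, and a clientAuth-only certificate is still rejected by the new rule.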