From patchwork Sat Feb 15 10:28:27 2014
X-Patchwork-Submitter: Anders Kaseorg
X-Patchwork-Id: 320623
Date: Sat, 15 Feb 2014 05:28:27 -0500 (EST)
From: Anders Kaseorg
To: Jouni Malinen
Cc: hostap@lists.shmoo.com
Subject: [PATCH v2] OpenSSL: Accept certificates marked for both server and client use
In-Reply-To: <52FF4066.8090104@mit.edu>
References: <20140215074831.GA4045@w1.fi> <52FF4066.8090104@mit.edu>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)

Commit 51e3eafb68e15e78e98ca955704be8a6c3a7b304 was too strict in forbidding certificates marked for client use. For example, this broke the MIT SECURE wireless network.

The extended key usage is a _list_ of allowed uses, and rather than checking that client use is not in the list, we should check that server use is in the list.
Signed-off-by: Anders Kaseorg --- (Change from v1: accept XKU_ANYEKU.) src/crypto/tls.h | 2 +- src/crypto/tls_openssl.c | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 287fd33..3f07600 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -42,7 +42,7 @@ enum tls_fail_reason { TLS_FAIL_BAD_CERTIFICATE = 7, TLS_FAIL_SERVER_CHAIN_PROBE = 8, TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9, - TLS_FAIL_SERVER_USED_CLIENT_CERT = 10 + TLS_FAIL_NON_SERVER_KEY_USAGE = 10, }; union tls_event_data { diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index d025ae0..a935e4b 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -1479,11 +1479,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) if (!conn->server && err_cert && preverify_ok && depth == 0 && (err_cert->ex_flags & EXFLAG_XKUSAGE) && - (err_cert->ex_xkusage & XKU_SSL_CLIENT)) { - wpa_printf(MSG_WARNING, "TLS: Server used client certificate"); + !(err_cert->ex_xkusage & (XKU_SSL_SERVER | XKU_ANYEKU))) { + wpa_printf(MSG_WARNING, "TLS: Server certificate marked for " + "non-server key usage"); openssl_tls_fail_event(conn, err_cert, err, depth, buf, - "Server used client certificate", - TLS_FAIL_SERVER_USED_CLIENT_CERT); + "Server certificate marked for " + "non-server key usage", + TLS_FAIL_NON_SERVER_KEY_USAGE); preverify_ok = 0; }
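Review bot: the tls.h hunk renames a public enumerator (TLS_FAIL_SERVER_USED_CLIENT_CERT becomes TLS_FAIL_NON_SERVER_KEY_USAGE) and the diffstat shows only tls.h and tls_openssl.c touched, so please confirm that no other file in the tree still refers to the old name, or keep the old enumerator as an alias for the same value 10 so that anything consuming the tls_fail_reason code keeps compiling and keeps its meaning. The trailing comma added after `TLS_FAIL_NON_SERVER_KEY_USAGE = 10,` is fine in C99 and makes later additions to the enum cleaner.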
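Review bot: in the tls_openssl.c hunk the new condition `!(err_cert->ex_xkusage & (XKU_SSL_SERVER | XKU_ANYEKU))` rejects the certificate only when an EKU extension is present and lists neither serverAuth nor anyExtendedKeyUsage, which is exactly what the commit message asks for; since the test stays behind `(err_cert->ex_flags & EXFLAG_XKUSAGE)`, a certificate with no EKU extension at all is still accepted, and a one-line comment saying that this is deliberate (no EKU means unrestricted use under RFC 5280) would stop a later reader from "tightening" it. The new warning text "Server certificate marked for non-server key usage" suggests the certificate is marked for something specific, whereas the actual condition is that serverAuth is missing; "Server certificate lacks serverAuth extended key usage" would describe the check more precisely.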
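The commit message's point, that extendedKeyUsage is a list and the right test is "serverAuth (or anyExtendedKeyUsage) is present" rather than "clientAuth is absent", worked through as an added example in Python; this is not code from the patch or from the hostap project. It contains a minimal DER encoder/decoder for the EKU extension value (SEQUENCE OF OBJECT IDENTIFIER) and places the decision rule of commit 51e3eafb (reject if clientAuth is listed) next to the rule this patch introduces (reject if neither serverAuth nor anyExtendedKeyUsage is listed). The OIDs are the standard RFC 5280 values; the EKU byte strings built by `encode_eku` are constructed for the demonstration, not taken from any real certificate, and the policy functions use OID strings where OpenSSL uses the XKU_* bit flags.

```python
"""EKU decoding and the two server-certificate checks, side by side (added example)."""

# Standard extended key usage OIDs (RFC 5280 section 4.2.1.12).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage


def _encode_base128(n):
    """Encode one OID arc as DER base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _encode_length(n):
    """DER definite-form length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _encode_length(len(body)) + body


def encode_eku(oids):
    """Build the DER value of an extendedKeyUsage extension (constructed input)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, next position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID arc")
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(der):
    """Parse an EKU extension value; returns the list of key-purpose OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, obody, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE contains a non-OID element")
        oids.append(decode_oid(obody))
    return oids


def server_cert_ok_before(eku):
    """Rule of commit 51e3eafb: reject when the EKU list mentions clientAuth.
    A certificate with no EKU extension (eku is None) is accepted."""
    if eku is None:
        return True
    return CLIENT_AUTH not in eku


def server_cert_ok_after(eku):
    """Rule of this patch: reject when an EKU list is present but names neither
    serverAuth nor anyExtendedKeyUsage. No EKU extension still means accept."""
    if eku is None:
        return True
    return SERVER_AUTH in eku or ANY_EKU in eku


def evaluate(eku_der):
    """Decode a DER EKU value (or None for 'no extension') and return
    (before_rule_accepts, after_rule_accepts)."""
    eku = None if eku_der is None else decode_eku(eku_der)
    return server_cert_ok_before(eku), server_cert_ok_after(eku)


if __name__ == "__main__":
    cases = {
        "serverAuth only": encode_eku([SERVER_AUTH]),
        "serverAuth + clientAuth (MIT SECURE style)": encode_eku([SERVER_AUTH, CLIENT_AUTH]),
        "clientAuth only": encode_eku([CLIENT_AUTH]),
        "anyExtendedKeyUsage": encode_eku([ANY_EKU]),
        "no EKU extension": None,
    }
    for name, der in cases.items():
        before, after = evaluate(der)
        print(f"{name:45s} before={before!s:5s} after={after!s:5s}")
```

The second row is the case the commit message describes: a certificate carrying both serverAuth and clientAuth is rejected by the old rule and accepted by the new one, while a clientAuth-only certificate is rejected by both, and a certificate without any EKU extension passes both because neither rule is consulted when the extension is absent.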