Add the ability to ignore time-based errors from openssl by specifying a new configuration parameter, "check_crl_strict". This causes the following: - This setting does nothing when CRL checking is not enabled. - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does. - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections. By default, check_crl_strict is set to 1, or strict mode, to keep current functionality. Signed-off-by: Sam Voss <sam.voss@xxxxxxxxxxxxxxxxxxx> --- hostapd/config_file.c | 2 ++ hostapd/hostapd.conf | 8 ++++++++ src/ap/ap_config.c | 4 ++++ src/ap/ap_config.h | 1 + src/ap/authsrv.c | 3 ++- src/crypto/tls.h | 3 ++- src/crypto/tls_openssl.c | 21 ++++++++++++++++++++- 7 files changed, 39 insertions(+), 3 deletions(-) diff --git a/hostapd/config_file.c b/hostapd/config_file.c index a398bb1..a0b5b5d 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -2210,6 +2210,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->private_key_passwd = os_strdup(pos); } else if (os_strcmp(buf, "check_crl") == 0) { bss->check_crl = atoi(pos); + } else if (os_strcmp(buf, "check_crl_strict") == 0) { + bss->check_crl_strict = atoi(pos); } else if (os_strcmp(buf, "tls_session_lifetime") == 0) { bss->tls_session_lifetime = atoi(pos); } else if (os_strcmp(buf, "ocsp_stapling_response") == 0) { diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index 7ad3206..0102226 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -891,6 +891,14 @@ eap_server=0 # 2 = check all CRLs in the certificate path #check_crl=1 +# Specifiy whether or not to ignore certificate validity time missmatches with +# errors X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID +# +# 0 = ignore errors +# 1 = do not ignore errors (default) +#check_crl_strict=0 + + # TLS Session Lifetime in seconds # This can be used to allow TLS sessions to be cached and resumed with an # abbreviated handshake when using EAP-TLS/TTLS/PEAP. diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c index 07a13f8..e46cfcd 100644 --- a/src/ap/ap_config.c +++ b/src/ap/ap_config.c @@ -117,6 +117,10 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) #ifdef CONFIG_MBO bss->mbo_cell_data_conn_pref = -1; #endif /* CONFIG_MBO */ + + /* Default to strict crl checking. */ + bss->check_crl_strict = 1; + } diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h index 8e5ff52..15a6f53 100644 --- a/src/ap/ap_config.h +++ b/src/ap/ap_config.h @@ -366,6 +366,7 @@ struct hostapd_bss_config { char *private_key; char *private_key_passwd; int check_crl; + int check_crl_strict; unsigned int tls_session_lifetime; char *ocsp_stapling_response; char *ocsp_stapling_response_multi; diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c index 8a65824..eb3c650 100644 --- a/src/ap/authsrv.c +++ b/src/ap/authsrv.c @@ -182,7 +182,8 @@ int authsrv_init(struct hostapd_data *hapd) } if (tls_global_set_verify(hapd->ssl_ctx, - hapd->conf->check_crl)) { + hapd->conf->check_crl, + hapd->conf->check_crl_strict)) { wpa_printf(MSG_ERROR, "Failed to enable check_crl"); authsrv_deinit(hapd); return -1; diff --git a/src/crypto/tls.h b/src/crypto/tls.h index 11d504a..bb497ce 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -303,9 +303,10 @@ int __must_check tls_global_set_params( * @tls_ctx: TLS context data from tls_init() * @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate, * 2 = verify CRL for all certificates + * @strict: 0 = allow time errors, 1 = do not allow time errors * Returns: 0 on success, -1 on failure */ -int __must_check tls_global_set_verify(void *tls_ctx, int check_crl); +int __must_check tls_global_set_verify(void *tls_ctx, int check_crl, int strict); /** * tls_connection_set_verify - Set certificate verification options diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 903c38c..63d0eae 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -188,6 +188,7 @@ struct tls_context { void *cb_ctx; int cert_in_cb; char *ocsp_stapling_response; + int check_crl_strict; }; static struct tls_context *tls_global = NULL; @@ -227,6 +228,7 @@ struct tls_connection { unsigned int flags; + X509 *peer_cert; X509 *peer_issuer; X509 *peer_issuer_issuer; @@ -1828,6 +1830,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx) "time mismatch"); preverify_ok = 1; } + if (!preverify_ok && (!tls_global->check_crl_strict) && + (err == X509_V_ERR_CRL_HAS_EXPIRED || + err == X509_V_ERR_CRL_NOT_YET_VALID)) { + wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity " + "crl time mismatch"); + preverify_ok = 1; + } err_str = X509_verify_cert_error_string(err); @@ -2193,9 +2202,11 @@ static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert) } -int tls_global_set_verify(void *ssl_ctx, int check_crl) +int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict) { int flags; + SSL *ssl; + struct tls_connection *conn; if (check_crl) { struct tls_data *data = ssl_ctx; @@ -2210,6 +2221,14 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl) if (check_crl == 2) flags |= X509_V_FLAG_CRL_CHECK_ALL; X509_STORE_set_flags(cs, flags); + + if (NULL == tls_global) { + tls_show_errors(MSG_INFO, __func__, "Failed setting " + "strict mode in tls_global context."); + } else { + tls_global->check_crl_strict = strict; + } + } return 0; } -- 1.9.1 _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap