OpenSSL: Do not accept SSL Client certificate for server
If the extended key usage of the AAA server certificate indicates that the certificate is for client use, reject the TLS handshake. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
6bf61fb288
commit
51e3eafb68
2 changed files with 15 additions and 1 deletions
|
@ -41,7 +41,8 @@ enum tls_fail_reason {
|
||||||
TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
|
TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
|
||||||
TLS_FAIL_BAD_CERTIFICATE = 7,
|
TLS_FAIL_BAD_CERTIFICATE = 7,
|
||||||
TLS_FAIL_SERVER_CHAIN_PROBE = 8,
|
TLS_FAIL_SERVER_CHAIN_PROBE = 8,
|
||||||
TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
|
TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
|
||||||
|
TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
|
||||||
};
|
};
|
||||||
|
|
||||||
union tls_event_data {
|
union tls_event_data {
|
||||||
|
|
|
@ -105,6 +105,7 @@ struct tls_connection {
|
||||||
unsigned int ca_cert_verify:1;
|
unsigned int ca_cert_verify:1;
|
||||||
unsigned int cert_probe:1;
|
unsigned int cert_probe:1;
|
||||||
unsigned int server_cert_only:1;
|
unsigned int server_cert_only:1;
|
||||||
|
unsigned int server:1;
|
||||||
|
|
||||||
u8 srv_cert_hash[32];
|
u8 srv_cert_hash[32];
|
||||||
|
|
||||||
|
@ -1476,6 +1477,16 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
|
||||||
TLS_FAIL_SERVER_CHAIN_PROBE);
|
TLS_FAIL_SERVER_CHAIN_PROBE);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!conn->server && err_cert && preverify_ok && depth == 0 &&
|
||||||
|
(err_cert->ex_flags & EXFLAG_XKUSAGE) &&
|
||||||
|
(err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
|
||||||
|
wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
|
||||||
|
openssl_tls_fail_event(conn, err_cert, err, depth, buf,
|
||||||
|
"Server used client certificate",
|
||||||
|
TLS_FAIL_SERVER_USED_CLIENT_CERT);
|
||||||
|
preverify_ok = 0;
|
||||||
|
}
|
||||||
|
|
||||||
if (preverify_ok && context->event_cb != NULL)
|
if (preverify_ok && context->event_cb != NULL)
|
||||||
context->event_cb(context->cb_ctx,
|
context->event_cb(context->cb_ctx,
|
||||||
TLS_CERT_CHAIN_SUCCESS, NULL);
|
TLS_CERT_CHAIN_SUCCESS, NULL);
|
||||||
|
@ -2527,6 +2538,8 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
|
||||||
int res;
|
int res;
|
||||||
struct wpabuf *out_data;
|
struct wpabuf *out_data;
|
||||||
|
|
||||||
|
conn->server = !!server;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Give TLS handshake data from the server (if available) to OpenSSL
|
* Give TLS handshake data from the server (if available) to OpenSSL
|
||||||
* for processing.
|
* for processing.
|
||||||
|
|
Loading…
Reference in a new issue