hostapd: Add configuration option check_crl_strict

Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.

This causes the following:

- This setting does nothing when CRL checking is not enabled.

- When CRL checking is enabled, "strict mode" causes CRL time errors not
  to be ignored, i.e. behavior is unchanged from what it is today.

- When CRL is enabled, disabling strict mode will cause CRL time
  errors to be ignored and will allow connections.

By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Sam Voss 2017-08-07 11:26:33 -05:00 committed by Jouni Malinen
parent 3518e3623f
commit dd5d325b0a
12 changed files with 36 additions and 8 deletions


@ -324,9 +324,11 @@ int __must_check tls_global_set_params(
* @tls_ctx: TLS context data from tls_init()
* @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
* 2 = verify CRL for all certificates
* @strict: 0 = allow CRL time errors, 1 = do not allow CRL time errors
* Returns: 0 on success, -1 on failure
*/
int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
int __must_check tls_global_set_verify(void *tls_ctx, int check_crl,
int strict);
/**
* tls_connection_set_verify - Set certificate verification options


@ -848,7 +848,7 @@ fail:
}
int tls_global_set_verify(void *ssl_ctx, int check_crl)
int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
{
/* TODO */
return 0;


@ -359,7 +359,7 @@ int tls_global_set_params(void *tls_ctx,
}
int tls_global_set_verify(void *tls_ctx, int check_crl)
int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
{
struct tls_global *global = tls_ctx;
global->check_crl = check_crl;
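Review bot: The new `strict` parameter is accepted here but, as far as the hunk shows, never stored or read, while check_crl is copied into the global on the last visible line. If this backend performs no time-based CRL validation, a one-line comment would stop the unused parameter from reading as an omission, e.g. `/* strict: unused here, no time-based CRL checks in this backend */`; if it does, the value needs to be kept alongside check_crl. The function body continues past the hunk.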


@ -72,7 +72,7 @@ int tls_global_set_params(void *tls_ctx,
}
int tls_global_set_verify(void *tls_ctx, int check_crl)
int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
{
return -1;
}


@ -214,10 +214,12 @@ static struct tls_context *tls_global = NULL;
struct tls_data {
SSL_CTX *ssl;
unsigned int tls_session_lifetime;
int check_crl_strict;
};
struct tls_connection {
struct tls_context *context;
struct tls_data *data;
SSL_CTX *ssl_ctx;
SSL *ssl;
BIO *ssl_in, *ssl_out;
@ -1474,6 +1476,7 @@ struct tls_connection * tls_connection_init(void *ssl_ctx)
conn = os_zalloc(sizeof(*conn));
if (conn == NULL)
return NULL;
conn->data = data;
conn->ssl_ctx = ssl;
conn->ssl = SSL_new(ssl);
if (conn->ssl == NULL) {
@ -1993,6 +1996,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
"time mismatch");
preverify_ok = 1;
}
if (!preverify_ok && !conn->data->check_crl_strict &&
(err == X509_V_ERR_CRL_HAS_EXPIRED ||
err == X509_V_ERR_CRL_NOT_YET_VALID)) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Ignore certificate validity CRL time mismatch");
preverify_ok = 1;
}
err_str = X509_verify_cert_error_string(err);
@ -2389,7 +2399,7 @@ static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
}
int tls_global_set_verify(void *ssl_ctx, int check_crl)
int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
{
int flags;
@ -2406,6 +2416,8 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl)
if (check_crl == 2)
flags |= X509_V_FLAG_CRL_CHECK_ALL;
X509_STORE_set_flags(cs, flags);
data->check_crl_strict = strict;
}
return 0;
}
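Review bot: The non-strict branch added to tls_verify_cb turns X509_V_ERR_CRL_HAS_EXPIRED and X509_V_ERR_CRL_NOT_YET_VALID into a pass with only a debug message, and that message, `Ignore certificate validity CRL time mismatch`, reads as if the certificate's validity period were at issue rather than the CRL's. A CRL past its nextUpdate may no longer list certificates revoked since it was issued, so the relaxation deserves a why-comment and a message naming what is being accepted, e.g. `/* check_crl_strict=0: accept a CRL outside its validity window; revocations published after its nextUpdate are not visible here */` above the if, and `"OpenSSL: Ignore CRL time mismatch (check_crl_strict=0)"` as the text. From the hunks, data->check_crl_strict is assigned only inside the check_crl block of tls_global_set_verify, which matches the commit message's claim that the option has no effect when CRL checking is off. Both tls_verify_cb and tls_global_set_verify start and end outside their hunks.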


@ -1549,7 +1549,7 @@ int tls_global_set_params(void *tls_ctx,
}
int tls_global_set_verify(void *tls_ctx, int check_crl)
int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
{
wpa_printf(MSG_DEBUG, "SSL: global set verify: %d", check_crl);