[PATCH 1/1] hostapd: Add option "check_crl_strict"
Sam Voss
sam.voss at rockwellcollins.com
Mon Aug 7 09:26:33 PDT 2017
Add the ability to ignore time-based errors from openssl by specifying a
new configuration parameter, "check_crl_strict".
This causes the following:
- This setting does nothing when CRL checking is not enabled.
- When CRL is enabled, "strict mode" leaves CRL time errors fatal, i.e. the
current behavior is kept.
- When CRL is enabled, disabling strict mode will cause CRL time
errors to be ignored and will allow connections.
By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.
Signed-off-by: Sam Voss <sam.voss at rockwellcollins.com>
---
hostapd/config_file.c | 2 ++
hostapd/hostapd.conf | 8 ++++++++
src/ap/ap_config.c | 4 ++++
src/ap/ap_config.h | 1 +
src/ap/authsrv.c | 3 ++-
src/crypto/tls.h | 3 ++-
src/crypto/tls_openssl.c | 21 ++++++++++++++++++++-
7 files changed, 39 insertions(+), 3 deletions(-)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index a398bb1..a0b5b5d 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2210,6 +2210,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->private_key_passwd = os_strdup(pos);
} else if (os_strcmp(buf, "check_crl") == 0) {
bss->check_crl = atoi(pos);
+ } else if (os_strcmp(buf, "check_crl_strict") == 0) {
+ bss->check_crl_strict = atoi(pos);
} else if (os_strcmp(buf, "tls_session_lifetime") == 0) {
bss->tls_session_lifetime = atoi(pos);
} else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
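Review bot: `atoi(pos)` on the new check_crl_strict line turns any non-numeric or malformed value into 0, which silently selects the relaxed mode that accepts expired CRLs, so a typo in the config weakens revocation checking without any warning. Since the documented values are only 0 and 1, parse with strtol and reject anything else the way other options in this function report bad values, e.g. `int v = atoi(pos); if (v != 0 && v != 1) { wpa_printf(MSG_ERROR, "Line %d: invalid check_crl_strict %s", line, pos); return 1; }` adapted to the local error convention; this inference about the surrounding error style is from the file, not the hunk. The existing check_crl line has the same weakness, but there 0 merely disables CRL checking rather than accepting stale CRLs. hostapd_config_fill continues outside the hunk.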
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 7ad3206..0102226 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -891,6 +891,14 @@ eap_server=0
# 2 = check all CRLs in the certificate path
#check_crl=1
+# Specifiy whether or not to ignore certificate validity time missmatches with
+# errors X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID
+#
+# 0 = ignore errors
+# 1 = do not ignore errors (default)
+#check_crl_strict=0
+
+
# TLS Session Lifetime in seconds
# This can be used to allow TLS sessions to be cached and resumed with an
# abbreviated handshake when using EAP-TLS/TTLS/PEAP.
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 07a13f8..e46cfcd 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -117,6 +117,10 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
#ifdef CONFIG_MBO
bss->mbo_cell_data_conn_pref = -1;
#endif /* CONFIG_MBO */
+
+ /* Default to strict crl checking. */
+ bss->check_crl_strict = 1;
+
}
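Review bot: The added block ends with a blank line directly before the closing brace of hostapd_config_defaults_bss, and is wrapped in two blank lines, which does not match the surrounding layout of this function. Drop the trailing blank line and keep the comment precise about which errors it covers, e.g. `/* Default to strict CRL checking (CRL time errors are fatal). */` followed immediately by `bss->check_crl_strict = 1;`.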
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index 8e5ff52..15a6f53 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -366,6 +366,7 @@ struct hostapd_bss_config {
char *private_key;
char *private_key_passwd;
int check_crl;
+ int check_crl_strict;
unsigned int tls_session_lifetime;
char *ocsp_stapling_response;
char *ocsp_stapling_response_multi;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index 8a65824..eb3c650 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -182,7 +182,8 @@ int authsrv_init(struct hostapd_data *hapd)
}
if (tls_global_set_verify(hapd->ssl_ctx,
- hapd->conf->check_crl)) {
+ hapd->conf->check_crl,
+ hapd->conf->check_crl_strict)) {
wpa_printf(MSG_ERROR, "Failed to enable check_crl");
authsrv_deinit(hapd);
return -1;
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index 11d504a..bb497ce 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -303,9 +303,10 @@ int __must_check tls_global_set_params(
* @tls_ctx: TLS context data from tls_init()
* @check_crl: 0 = do not verify CRLs, 1 = verify CRL for the user certificate,
* 2 = verify CRL for all certificates
+ * @strict: 0 = allow time errors, 1 = do not allow time errors
* Returns: 0 on success, -1 on failure
*/
-int __must_check tls_global_set_verify(void *tls_ctx, int check_crl);
+int __must_check tls_global_set_verify(void *tls_ctx, int check_crl, int strict);
/**
* tls_connection_set_verify - Set certificate verification options
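Review bot: The prototype of tls_global_set_verify gains a third parameter, but the diffstat shows only tls_openssl.c being updated; every other TLS backend in src/crypto that defines this function (tls_none.c, tls_internal.c, tls_gnutls.c, and any other backend built from this header) must receive the same signature change or those builds fail to compile. The `@strict` line is also too broad: the value only affects CRL validity-time errors (the certificate's own time errors are governed by TLS_CONN_DISABLE_TIME_CHECKS in the verify callback), so document it as `* @strict: 0 = ignore CRL validity time errors (expired / not yet valid CRL), 1 = treat them as verification failures`. It is worth stating in the same comment that ignoring an expired CRL means revocations published after it are not seen, so that configuring 0 is an informed choice.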
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 903c38c..63d0eae 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -188,6 +188,7 @@ struct tls_context {
void *cb_ctx;
int cert_in_cb;
char *ocsp_stapling_response;
+ int check_crl_strict;
};
static struct tls_context *tls_global = NULL;
@@ -227,6 +228,7 @@ struct tls_connection {
unsigned int flags;
+
X509 *peer_cert;
X509 *peer_issuer;
X509 *peer_issuer_issuer;
@@ -1828,6 +1830,13 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
"time mismatch");
preverify_ok = 1;
}
+ if (!preverify_ok && (!tls_global->check_crl_strict) &&
+ (err == X509_V_ERR_CRL_HAS_EXPIRED ||
+ err == X509_V_ERR_CRL_NOT_YET_VALID)) {
+ wpa_printf(MSG_DEBUG, "OpenSSL: Ignore certificate validity "
+ "crl time mismatch");
+ preverify_ok = 1;
+ }
err_str = X509_verify_cert_error_string(err);
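Review bot: The new branch checks X509_V_ERR_CRL_HAS_EXPIRED and X509_V_ERR_CRL_NOT_YET_VALID, but the hostapd.conf text added in this same patch documents check_crl_strict as affecting X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID, which the preceding "time mismatch" branch already handles through a different setting; the conf description should name the CRL_* errors. Accepting an expired CRL means any revocation published after that CRL's nextUpdate is invisible to this verification, so logging the override at MSG_DEBUG hides a security-relevant decision; prefer `wpa_printf(MSG_INFO, "OpenSSL: Ignoring CRL validity time mismatch (check_crl_strict=0)");` so it appears in normal logs. The check reads `tls_global` rather than the context reachable from the connection the callback is verifying; if each TLS context created by tls_init() can carry its own settings, the per-connection context would be the consistent place to read the flag — this is inferred from the file, not visible in the hunk. tls_verify_cb begins and ends outside the hunk.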
@@ -2193,9 +2202,11 @@ static int tls_global_ca_cert(struct tls_data *data, const char *ca_cert)
}
-int tls_global_set_verify(void *ssl_ctx, int check_crl)
+int tls_global_set_verify(void *ssl_ctx, int check_crl, int strict)
{
int flags;
+ SSL *ssl;
+ struct tls_connection *conn;
if (check_crl) {
struct tls_data *data = ssl_ctx;
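Review bot: The two added locals `SSL *ssl;` and `struct tls_connection *conn;` are never used anywhere in the visible hunks of tls_global_set_verify and produce -Wunused-variable warnings; remove both declarations. The function body continues in the next hunk.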
@@ -2210,6 +2221,14 @@ int tls_global_set_verify(void *ssl_ctx, int check_crl)
if (check_crl == 2)
flags |= X509_V_FLAG_CRL_CHECK_ALL;
X509_STORE_set_flags(cs, flags);
+
+ if (NULL == tls_global) {
+ tls_show_errors(MSG_INFO, __func__, "Failed setting "
+ "strict mode in tls_global context.");
+ } else {
+ tls_global->check_crl_strict = strict;
+ }
+
}
return 0;
}
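Review bot: When `tls_global` is NULL the new code calls tls_show_errors(), which dumps the OpenSSL error queue even though no OpenSSL call failed here, and then still falls through to `return 0;`, so the caller in authsrv_init reports success while the strict flag was never stored. Treat it as a hard failure so the server does not start with an unknown CRL policy: `if (tls_global == NULL) { wpa_printf(MSG_ERROR, "OpenSSL: tls_global not initialized; cannot set check_crl_strict"); return -1; }` followed by the plain assignment. The flag is written to the process-wide `tls_global` rather than the context belonging to the `ssl_ctx` passed in; if several contexts can exist (one per tls_init() call), the last caller silently wins — this is inferred from the file, not visible in the hunk. The `NULL == tls_global` ordering also differs from the `== NULL` style used elsewhere in this file. The start of tls_global_set_verify is in the previous hunk.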
--
1.9.1