Allow TLS flags to be configured (allow MD5, disable time checks)
authorJouni Malinen <j@w1.fi>
Sun, 20 Dec 2009 17:28:47 +0000 (19:28 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 20 Dec 2009 17:28:47 +0000 (19:28 +0200)
Undocumented (at least for the time being) TLS parameters can now
be provided in wpa_supplicant configuration to enable some workarounds
for being able to connect insecurely to some networks. phase1 and
phase2 network parameters can use the following options:
tls_allow_md5=1
- allow MD5 signature to be used (disabled by default with GnuTLS)
tls_disable_time_checks=1
- ignore certificate expiration time

For now, only the GnuTLS TLS wrapper implements support for these.

src/crypto/tls.h
src/crypto/tls_gnutls.c
src/eap_peer/eap_tls_common.c

index 89dea3aa325c80f70224fc2b84dd8c4b64454440..b1d8ca5c8ca84d213834be2279976056b3b1b2db 100644 (file)
@@ -35,6 +35,9 @@ struct tls_config {
        int fips_mode;
 };
 
+#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0)
+#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1)
+
 /**
  * struct tls_connection_params - Parameters for TLS connection
  * @ca_cert: File or reference name for CA X.509 certificate in PEM or DER
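Review bot: The two new TLS_CONN_* defines are added without any comment saying what each one gives up, even though both lower the bar for certificate verification, and the `@flags` line in the next hunk only says "Parameter options". I would annotate them as `#define TLS_CONN_ALLOW_SIGN_RSA_MD5 BIT(0) /* accept RSA-MD5 certificate signatures (weak; workaround only) */` and `#define TLS_CONN_DISABLE_TIME_CHECKS BIT(1) /* skip certificate validity-period checks (workaround only) */`, and extend the kernel-doc entry to `@flags: Bitfield of TLS_CONN_* options; 0 keeps default (strict) verification`. The BIT() macro is presumably provided by an include tls.h already has (it is not visible in this hunk) — worth confirming rather than relying on include order in the .c files.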
@@ -69,6 +72,7 @@ struct tls_config {
  * @cert_id: the certificate's id when using engine
  * @ca_cert_id: the CA certificate's id when using engine
  * @tls_ia: Whether to enable TLS/IA (for EAP-TTLSv1)
+ * @flags: Parameter options (TLS_CONN_*)
  *
  * TLS connection parameters to be configured with tls_connection_set_params()
  * and tls_global_set_params().
@@ -104,6 +108,8 @@ struct tls_connection_params {
        const char *key_id;
        const char *cert_id;
        const char *ca_cert_id;
+
+       unsigned int flags;
 };
 
 
index 8dbbc1161d6dcc289179252acb24efb310cd15a3..ed85d15c0fea28cbaf9fcea9ec0e14b0e94cdc70 100644 (file)
@@ -591,6 +591,17 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
                                return -1;
                        }
                }
+
+               if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
+                       gnutls_certificate_set_verify_flags(
+                               conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+               }
+
+               if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+                       gnutls_certificate_set_verify_flags(
+                               conn->xcred,
+                               GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
+               }
        }
 
        if (params->client_cert && params->private_key) {
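Review bot: When both flags are set, the second gnutls_certificate_set_verify_flags() call overwrites the first, because that GnuTLS function replaces the credential's verify flags rather than OR-ing into them; a configuration with `tls_allow_md5=1 tls_disable_time_checks=1` therefore ends up with only GNUTLS_VERIFY_DISABLE_TIME_CHECKS and still rejects MD5-signed chains. The same pattern is repeated for global->xcred in the tls_global_set_params() hunk below and should get the same treatment. Accumulating the GnuTLS flags into a local and making a single call fixes it, and logging when verification is relaxed makes the downgrade visible in the debug log instead of silent. tls_connection_set_params() starts and ends outside this hunk, so the local would be declared inside the enclosing `if` block shown here or at the top of the function.
```c
		unsigned int verify_flags = 0;

		if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5)
			verify_flags |= GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5;
		if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS)
			verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
		if (verify_flags) {
			/* Both bits weaken certificate verification; make that visible. */
			wpa_printf(MSG_INFO, "TLS: Relaxing certificate verification (flags 0x%x)",
				   verify_flags);
			gnutls_certificate_set_verify_flags(conn->xcred, verify_flags);
		}
		/* ... unchanged: client_cert/private_key handling ... */
```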
@@ -711,6 +722,18 @@ int tls_global_set_params(void *tls_ctx,
                                goto fail;
                        }
                }
+
+               if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
+                       gnutls_certificate_set_verify_flags(
+                               global->xcred,
+                               GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+               }
+
+               if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
+                       gnutls_certificate_set_verify_flags(
+                               global->xcred,
+                               GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
+               }
        }
 
        if (params->client_cert && params->private_key) {
index 956dda2b0a6e42774a2e605b2fa3d5a3e7d9bac3..49f61b364b170715060ec66ff24ea61da14465d3 100644 (file)
@@ -45,6 +45,18 @@ static int eap_tls_check_blob(struct eap_sm *sm, const char **name,
 }
 
 
+static void eap_tls_params_flags(struct tls_connection_params *params,
+                                const char *txt)
+{
+       if (txt == NULL)
+               return;
+       if (os_strstr(txt, "tls_allow_md5=1"))
+               params->flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
+       if (os_strstr(txt, "tls_disable_time_checks=1"))
+               params->flags |= TLS_CONN_DISABLE_TIME_CHECKS;
+}
+
+
 static void eap_tls_params_from_conf1(struct tls_connection_params *params,
                                      struct eap_peer_config *config)
 {
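Review bot: eap_tls_params_flags() only ORs into params->flags and never clears it, so it silently depends on the caller having zero-initialised the params struct before eap_tls_params_from_conf1()/conf2() run; that precondition is not visible in this file section and deserves a comment on the new function, e.g. `/* Parse tls_* workaround options from a phase1/phase2 string; OR-s into params->flags, which the caller must have zeroed. */`. The os_strstr() match is a plain substring test, so `tls_allow_md5=10` or a token embedded in another option name would also enable the flag; this mirrors how other phase1 options appear to be parsed in the EAP peer code, so it is a style consistency point rather than a blocker, but the comment should state that the match is substring-based. Because each hit relaxes certificate verification, adding `wpa_printf(MSG_INFO, "EAP-TLS: Relaxed TLS verification enabled via phase config");` next to the `params->flags |=` lines would leave a trace in the log whenever a network uses these workarounds.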
@@ -62,6 +74,7 @@ static void eap_tls_params_from_conf1(struct tls_connection_params *params,
        params->key_id = config->key_id;
        params->cert_id = config->cert_id;
        params->ca_cert_id = config->ca_cert_id;
+       eap_tls_params_flags(params, config->phase1);
 }
 
 
@@ -82,6 +95,7 @@ static void eap_tls_params_from_conf2(struct tls_connection_params *params,
        params->key_id = config->key2_id;
        params->cert_id = config->cert2_id;
        params->ca_cert_id = config->ca_cert2_id;
+       eap_tls_params_flags(params, config->phase2);
 }