From: Youfu Zhang <1315097+zhangyoufu@users.noreply.github.com>
Date: Thu, 21 Oct 2021 14:13:32 +0000 (+0800)
Subject: tls/verify: implement allow_not_yet_valid_crl (#4181)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09b5df5d771048f6113d571c3d9254702e53b5a8;p=thirdparty%2Ffreeradius-server.git
tls/verify: implement allow_not_yet_valid_crl (#4181)
---
diff --git a/doc/antora/modules/raddb/pages/mods-available/eap.adoc b/doc/antora/modules/raddb/pages/mods-available/eap.adoc
index 4ce6f856d27..4888d809d6e 100644
--- a/doc/antora/modules/raddb/pages/mods-available/eap.adoc
+++ b/doc/antora/modules/raddb/pages/mods-available/eap.adoc
@@ -617,6 +617,11 @@ Will check CRLs for all certificates in the certificate chain. allow_expired_crl:: Accept an expired Certificate Revocation List. + +allow_not_yet_valid_crl:: Accept a not-yet-valid Certificate Revocation List. + + + ### TLS Session resumption Once authentication has completed the TLS client may be
@@ -1345,6 +1350,7 @@ eap { # attribute_mode = client-and-issuer # check_crl = yes # allow_expired_crl = no
+# allow_not_yet_valid_crl = no } cache { # mode = auto
diff --git a/doc/antora/modules/raddb/pages/mods-available/eap_inner.adoc b/doc/antora/modules/raddb/pages/mods-available/eap_inner.adoc
index bb8c7122d8c..c42a589fef1 100644
--- a/doc/antora/modules/raddb/pages/mods-available/eap_inner.adoc
+++ b/doc/antora/modules/raddb/pages/mods-available/eap_inner.adoc
@@ -111,6 +111,10 @@ allow_expired_crl:: See the `eap` module for common configuration explanation. +allow_not_yet_valid_crl:: See the `eap` module for common configuration explanation. + + + ## tls { ... } You SHOULD use different certificates than are used
@@ -161,6 +165,7 @@ eap inner-eap { # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} # allow_expired_crl = no
+# allow_not_yet_valid_crl = no } tls { tls = tls-peer 
diff --git a/doc/antora/modules/raddb/pages/sites-available/tls.adoc b/doc/antora/modules/raddb/pages/sites-available/tls.adoc
index 179ffa5fbab..a8a4602e666 100644
--- a/doc/antora/modules/raddb/pages/sites-available/tls.adoc
+++ b/doc/antora/modules/raddb/pages/sites-available/tls.adoc
@@ -111,6 +111,10 @@ Accept an expired Certificate Revocation List allow_expired_crl = no +Accept a not-yet-valid Certificate Revocation List + +allow_not_yet_valid_crl = no + If check_cert_issuer is set, the value will be checked against the DN of the issuer in
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index ba3538497b6..b40f5f85381 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -695,6 +695,11 @@ eap { # allow_expired_crl:: Accept an expired Certificate Revocation List. # # allow_expired_crl = no + + # + # allow_not_yet_valid_crl:: Accept a not-yet-valid Certificate Revocation List. + # +# allow_not_yet_valid_crl = no } # # ### TLS Session resumption
diff --git a/raddb/mods-available/eap_inner b/raddb/mods-available/eap_inner
index aeb40682b4a..f604c117d5e 100644
--- a/raddb/mods-available/eap_inner
+++ b/raddb/mods-available/eap_inner
@@ -144,6 +144,11 @@ eap inner-eap { # allow_expired_crl:: See the `eap` module for common configuration explanation. # # allow_expired_crl = no + + # + # allow_not_yet_valid_crl:: See the `eap` module for common configuration explanation. + # +# allow_not_yet_valid_crl = no } #
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index 003a7f5849a..3e519c8dc61 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -133,6 +133,10 @@ server radsec { # # allow_expired_crl = no + # Accept a not-yet-valid Certificate Revocation List + # + # allow_not_yet_valid_crl = no + # # If check_cert_issuer is set, the value will # be checked against the DN of the issuer in
diff --git a/src/lib/tls/conf-h b/src/lib/tls/conf-h
index a1176c2c6be..f52a32b6540 100644 
--- a/src/lib/tls/conf-h
+++ b/src/lib/tls/conf-h
@@ -122,6 +122,7 @@ typedef struct {
 bool check_crl; //!< Check certificate revocation lists.
 bool allow_expired_crl; //!< Don't error out if CRL is expired.
+ bool allow_not_yet_valid_crl; //!< Don't error out if CRL is not-yet-valid.
 } fr_tls_verify_conf_t;
 /* configured values goes right here */
diff --git a/src/lib/tls/conf.c b/src/lib/tls/conf.c
index 56c3cf093c5..c78a0516834 100644
--- a/src/lib/tls/conf.c
+++ b/src/lib/tls/conf.c
@@ -146,6 +146,7 @@ static CONF_PARSER tls_verify_config[] = {
 .dflt = "client-and-issuer" },
 { FR_CONF_OFFSET("check_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, check_crl), .dflt = "no" },
 { FR_CONF_OFFSET("allow_expired_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, allow_expired_crl) },
+ { FR_CONF_OFFSET("allow_not_yet_valid_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, allow_not_yet_valid_crl) },
 CONF_PARSER_TERMINATOR
 };
diff --git a/src/lib/tls/verify.c b/src/lib/tls/verify.c
index 55174b0698b..e37f3d379e9 100644
--- a/src/lib/tls/verify.c
+++ b/src/lib/tls/verify.c
@@ -196,7 +196,8 @@ int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *x509_ctx)
 if (!my_ok) {
 char const *p = X509_verify_cert_error_string(err);
 if (!verify_applies(conf->verify.mode, depth, untrusted) ||
- ((conf->verify.allow_expired_crl) && (err == X509_V_ERR_CRL_HAS_EXPIRED))) {
+ ((conf->verify.allow_expired_crl) && (err == X509_V_ERR_CRL_HAS_EXPIRED)) ||
+ ((conf->verify.allow_not_yet_valid_crl) && (err == X509_V_ERR_CRL_NOT_YET_VALID))) {
 RDEBUG2("Ignoring verification error - %s (%i)", p, err);
 tls_verify_error_detail(request, ssl_ctx, err);
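Review bot: The new `allow_not_yet_valid_crl` entry in tls_verify_config[] carries no `.dflt`, while `check_crl` two lines above spells out `.dflt = "no"`; the field presumably ends up false only because the parsed conf struct is zeroed, yet the documentation added in this same commit advertises `allow_not_yet_valid_crl = no` as the default. Stating the default in the parser table keeps the documented value and the effective value in one place: `{ FR_CONF_OFFSET("allow_not_yet_valid_crl", FR_TYPE_BOOL, fr_tls_verify_conf_t, allow_not_yet_valid_crl), .dflt = "no" },`. The existing `allow_expired_crl` entry has the same omission, but it is context here rather than part of the change.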
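Review bot: Accepting `X509_V_ERR_CRL_NOT_YET_VALID` in the new condition routes it through the same `RDEBUG2("Ignoring verification error - %s (%i)", p, err)` path as an expired CRL, so a CRL whose thisUpdate lies in the future is accepted with only a debug-level trace. A not-yet-valid CRL almost always means the server clock is behind the CA's, which is worth surfacing at warning level when the operator has opted into this relaxation; consider `RWARN("Accepting not-yet-valid CRL - %s (%i)", p, err);` for the two allow_* cases and keeping RDEBUG2 for the `!verify_applies(...)` case. Whether OpenSSL still consults the accepted CRL's revocation entries once the callback has cleared this error is not visible in the hunk and should be confirmed, since a clock problem large enough to trip this check also affects certificate validity-period checks. The body of fr_tls_verify_cert_cb continues beyond the hunk.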