- TLS: fixed - certificate not validated when allow only allowed certificate is selected and certificate is matching (LIB61850-473)

- TLS: Added option to ignore validity times in certificates and CRLs (LIB61850-474)
9 months ago · 6dbdb1636c
parent 4724658ade
commit 6dbdb1636c
3 changed files with 104 additions and 2 deletions
--- a/hal/inc/tls_config.h
+++ b/hal/inc/tls_config.h
@ -92,6 +92,10 @@ typedef enum {
 #define TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED 14
 #define TLS_EVENT_CODE_ALM_NO_CIPHER 15
 #define TLS_EVENT_CODE_INF_SESSION_ESTABLISHED 16
+#define TLS_EVENT_CODE_WRN_CERT_EXPIRED 17
+#define TLS_EVENT_CODE_WRN_CERT_NOT_YET_VALID 18
+#define TLS_EVENT_CODE_WRN_CRL_EXPIRED 19
+#define TLS_EVENT_CODE_WRN_CRL_NOT_YET_VALID 20

 typedef struct sTLSConnection* TLSConnection;

@ -165,6 +169,14 @@ TLSConfiguration_setSessionResumptionInterval(TLSConfiguration self, int interva
 PAL_API void
 TLSConfiguration_setChainValidation(TLSConfiguration self, bool value);

+/**
+ * \brief Enabled or disables the verification of validity times for certificates and CRLs
+ *
+ * \param value true to enable time validation, false to disable (enabled by default)
+ */
+PAL_API void
+TLSConfiguration_setTimeValidation(TLSConfiguration self, bool value);
+
 /**
 * \brief Set if only known certificates are accepted.
 *
--- a/hal/tls/mbedtls/tls_mbedtls.c
+++ b/hal/tls/mbedtls/tls_mbedtls.c
@ -65,6 +65,7 @@ struct sTLSConfiguration {

    bool chainValidation;
    bool allowOnlyKnownCertificates;
+    bool timeValidation;

    /* TLS session renegotiation interval in milliseconds */
    int renegotiationTimeInMs;
@ -179,7 +180,10 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
            }

            if (certMatches)
-                *flags = 0;
+            {
+                if (self->tlsConfig->chainValidation == false)
+                    *flags = 0;
+            }
            else
            {
                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Alarm: certificate validation: trusted individual certificate not available", self);
@ -189,6 +193,37 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
            }
        }

+        if (self->tlsConfig->timeValidation == false)
+        {
+            if (*flags & MBEDTLS_X509_BADCERT_EXPIRED)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCERT_EXPIRED;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_EXPIRED, "Warning: certificate validation: using expired certificate", self);
+            }
+
+            if (*flags & MBEDTLS_X509_BADCRL_EXPIRED)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCRL_EXPIRED;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_EXPIRED, "Warning: certificate validation: using expired CRL", self);
+            }
+
+            if (*flags & MBEDTLS_X509_BADCERT_FUTURE)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCERT_FUTURE;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_NOT_YET_VALID, "Warning: certificate validation: using certificate with validity in future", self);
+            }
+
+            if (*flags & MBEDTLS_X509_BADCRL_FUTURE)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCRL_FUTURE;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_NOT_YET_VALID, "Warning: certificate validation: using CRL with validity in future", self);
+            }
+        }
+
        if (self->storePeerCert)
        {
            if (*flags == 0)
@ -205,6 +240,8 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
        }
    }

+    printf(" flags: %u\n", *flags);
+
    return 0;
 }

@ -341,6 +378,9 @@ TLSConfiguration_create()
        /* default behavior is to allow all certificates that are signed by the CA */
        self->chainValidation = true;
        self->allowOnlyKnownCertificates = false;
+
+        /* default behaviour is to check for valid-from and expiration times */
+        self->timeValidation = true;
        self->setupComplete = false;

        self->eventHandler = NULL;
@ -423,6 +463,12 @@ TLSConfiguration_setChainValidation(TLSConfiguration self, bool value)
    self->chainValidation = value;
 }

+void
+TLSConfiguration_setTimeValidation(TLSConfiguration self, bool value)
+{
+    self->timeValidation = value;
+}
+
 void
 TLSConfiguration_setAllowOnlyKnownCertificates(TLSConfiguration self, bool value)
 {
--- a/hal/tls/mbedtls3/tls_mbedtls.c
+++ b/hal/tls/mbedtls3/tls_mbedtls.c
@ -68,6 +68,7 @@ struct sTLSConfiguration {

    bool chainValidation;
    bool allowOnlyKnownCertificates;
+    bool timeValidation;

    /* TLS session renegotiation interval in milliseconds */
    int renegotiationTimeInMs;
@ -181,7 +182,10 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
            }

            if (certMatches)
-                *flags = 0;
+            {
+                if (self->tlsConfig->chainValidation == false)
+                    *flags = 0;
+            }
            else
            {
                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_INCIDENT, TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED, "Alarm: certificate validation: trusted individual certificate not available", self);
@ -191,6 +195,37 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
            }
        }

+        if (self->tlsConfig->timeValidation == false)
+        {
+            if (*flags & MBEDTLS_X509_BADCERT_EXPIRED)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCERT_EXPIRED;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_EXPIRED, "Warning: certificate validation: using expired certificate", self);
+            }
+
+            if (*flags & MBEDTLS_X509_BADCRL_EXPIRED)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCRL_EXPIRED;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_EXPIRED, "Warning: certificate validation: using expired CRL", self);
+            }
+
+            if (*flags & MBEDTLS_X509_BADCERT_FUTURE)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCERT_FUTURE;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CERT_NOT_YET_VALID, "Warning: certificate validation: using certificate with validity in future", self);
+            }
+
+            if (*flags & MBEDTLS_X509_BADCRL_FUTURE)
+            {
+                *flags = *flags - MBEDTLS_X509_BADCRL_FUTURE;
+
+                raiseSecurityEvent(self->tlsConfig, TLS_SEC_EVT_WARNING, TLS_EVENT_CODE_WRN_CRL_NOT_YET_VALID, "Warning: certificate validation: using CRL with validity in future", self);
+            }
+        }
+
        if (self->storePeerCert)
        {
            if (*flags == 0)
@ -349,6 +384,9 @@ TLSConfiguration_create()
        /* default behavior is to allow all certificates that are signed by the CA */
        self->chainValidation = true;
        self->allowOnlyKnownCertificates = false;
+
+        /* default behaviour is to check for valid-from and expiration times */
+        self->timeValidation = true;
        self->setupComplete = false;

        self->eventHandler = NULL;
@ -441,6 +479,12 @@ TLSConfiguration_setChainValidation(TLSConfiguration self, bool value)
    self->chainValidation = value;
 }

+void
+TLSConfiguration_setTimeValidation(TLSConfiguration self, bool value)
+{
+    self->timeValidation = value;
+}
+
 void
 TLSConfiguration_setAllowOnlyKnownCertificates(TLSConfiguration self, bool value)
 {