EAP peer config: Move ocsp param to phase1/phase2

OCSP configuration is applicable to each instance of TLS-based authentication and as such, the configuration might need to be different for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and add a separate ocsp2 network profile parameter to set this for Phase 2. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 16:07:58 +03:00 · 2019-09-01 16:07:58 +03:00 · 043de65f1c
parent e0ee87c706
commit 043de65f1c
6 changed files with 21 additions and 18 deletions
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@ -284,6 +284,15 @@ struct eap_peer_cert_config {
 	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
 	 */
 	char *ca_cert_id;
+
+	/**
+	 * ocsp - Whether to use/require OCSP to check server certificate
+	 *
+	 * 0 = do not use OCSP stapling (TLS certificate status extension)
+	 * 1 = try to use OCSP stapling, but not require response
+	 * 2 = require valid OCSP stapling response
+	 */
+	int ocsp;
 };

 /**
@ -633,15 +642,6 @@ struct eap_peer_config {
 	 */
 	u32 flags;

-	/**
-	 * ocsp - Whether to use/require OCSP to check server certificate
-	 *
-	 * 0 = do not use OCSP stapling (TLS certificate status extension)
-	 * 1 = try to use OCSP stapling, but not require response
-	 * 2 = require valid OCSP stapling response
-	 */
-	int ocsp;
-
 	/**
 	 * external_sim_resp - Response from external SIM processing
 	 *
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@ -125,6 +125,12 @@ static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,
 	params->key_id = config->key_id;
 	params->cert_id = config->cert_id;
 	params->ca_cert_id = config->ca_cert_id;
+	if (config->ocsp)
+		params->flags |= TLS_CONN_REQUEST_OCSP;
+	if (config->ocsp >= 2)
+		params->flags |= TLS_CONN_REQUIRE_OCSP;
+	if (config->ocsp == 3)
+		params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
 }


@ -233,12 +239,6 @@ static int eap_tls_init_connection(struct eap_sm *sm,
 {
 	int res;

-	if (config->ocsp)
-		params->flags |= TLS_CONN_REQUEST_OCSP;
-	if (config->ocsp >= 2)
-		params->flags |= TLS_CONN_REQUIRE_OCSP;
-	if (config->ocsp == 3)
-		params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
 	data->conn = tls_connection_init(data->ssl_ctx);
 	if (data->conn == NULL) {
 		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@ -2443,7 +2443,8 @@ static const struct parse_data ssid_fields[] = {
 	{ INT(eap_workaround) },
 	{ STRe(pac_file, pac_file) },
 	{ INTe(fragment_size, fragment_size) },
-	{ INTe(ocsp, ocsp) },
+	{ INTe(ocsp, cert.ocsp) },
+	{ INTe(ocsp2, phase2_cert.ocsp) },
 #endif /* IEEE8021X_EAPOL */
 #ifdef CONFIG_MESH
 	{ INT_RANGE(mode, 0, 5) },
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@ -826,7 +826,8 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND);
 	STR(pac_file);
 	INT_DEFe(fragment_size, fragment_size, DEFAULT_FRAGMENT_SIZE);
-	INTe(ocsp, ocsp);
+	INTe(ocsp, cert.ocsp);
+	INTe(ocsp2, phase2_cert.ocsp);
 	INT_DEFe(sim_num, sim_num, DEFAULT_USER_SELECTED_SIM);
 #endif /* IEEE8021X_EAPOL */
 	INT(mode);
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@ -1554,7 +1554,7 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
 				  cred->domain_suffix_match) < 0)
 		return -1;

-	ssid->eap.ocsp = cred->ocsp;
+	ssid->eap.cert.ocsp = cred->ocsp;

 	return 0;
 }
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@ -1323,6 +1323,7 @@ fast_reauth=1
 #	certificate. See altsubject_match documentation for more details.
 # domain_suffix_match2: Constraint for server domain name. See
 #	domain_suffix_match for more details.
+# ocsp2: See ocsp for more details.
 #
 # fragment_size: Maximum EAP fragment size in bytes (default 1398).
 #	This value limits the fragment size for EAP methods that support