diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h index feb130118..ae1de914a 100644 --- a/src/eap_peer/eap_config.h +++ b/src/eap_peer/eap_config.h @@ -284,6 +284,15 @@ struct eap_peer_cert_config { * This is used if the CA certificate for EAP-TLS is on a smartcard. */ char *ca_cert_id; + + /** + * ocsp - Whether to use/require OCSP to check server certificate + * + * 0 = do not use OCSP stapling (TLS certificate status extension) + * 1 = try to use OCSP stapling, but not require response + * 2 = require valid OCSP stapling response + */ + int ocsp; }; /** @@ -633,15 +642,6 @@ struct eap_peer_config { */ u32 flags; - /** - * ocsp - Whether to use/require OCSP to check server certificate - * - * 0 = do not use OCSP stapling (TLS certificate status extension) - * 1 = try to use OCSP stapling, but not require response - * 2 = require valid OCSP stapling response - */ - int ocsp; - /** * external_sim_resp - Response from external SIM processing * diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index ce8a1c780..a59c3a0ee 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -125,6 +125,12 @@ static void eap_tls_cert_params_from_conf(struct tls_connection_params *params, params->key_id = config->key_id; params->cert_id = config->cert_id; params->ca_cert_id = config->ca_cert_id; + if (config->ocsp) + params->flags |= TLS_CONN_REQUEST_OCSP; + if (config->ocsp >= 2) + params->flags |= TLS_CONN_REQUIRE_OCSP; + if (config->ocsp == 3) + params->flags |= TLS_CONN_REQUIRE_OCSP_ALL; } @@ -233,12 +239,6 @@ static int eap_tls_init_connection(struct eap_sm *sm, { int res; - if (config->ocsp) - params->flags |= TLS_CONN_REQUEST_OCSP; - if (config->ocsp >= 2) - params->flags |= TLS_CONN_REQUIRE_OCSP; - if (config->ocsp == 3) - params->flags |= TLS_CONN_REQUIRE_OCSP_ALL; data->conn = tls_connection_init(data->ssl_ctx); if (data->conn == NULL) { wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS " 
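Review bot: The comment moved onto `struct eap_peer_cert_config::ocsp` still lists only values 0, 1 and 2, while eap_tls_cert_params_from_conf in this same commit also acts on `config->ocsp == 3` (TLS_CONN_REQUIRE_OCSP_ALL), so the header under-documents the strictest setting of a security knob. Add a fourth line after the `2 =` entry, e.g. `* 3 = require valid OCSP stapling response for all not-trusted certificates in the server certificate chain` (wording to match what TLS_CONN_REQUIRE_OCSP_ALL actually enforces; the flag name suggests the whole chain). It would also help to state that, now that the field lives in the per-certificate config, it is evaluated separately for the phase 1 and phase 2 TLS server certificates.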
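Review bot: Moving the OCSP flag selection into eap_tls_cert_params_from_conf presumably means a phase 2 TLS connection now reads `phase2_cert.ocsp`, which defaults to 0 unless `ocsp2` is set, whereas the removed code in eap_tls_init_connection applied the single `ocsp` value to both phases; an existing network block with only `ocsp=2` would thus silently lose OCSP enforcement on an inner TLS server certificate. If that narrowing is intended it deserves a comment here and a note in the conf documentation; otherwise the caller should fall back to `cert.ocsp` when `phase2_cert.ocsp` is unset. Separately, the three `if` tests fold any out-of-range value (e.g. 20 behaves as 2, -1 as 1) rather than rejecting it; a comment `/* values outside 0..3 are not rejected here; see config parser */` or a range check at parse time would make that explicit. eap_tls_cert_params_from_conf begins before this hunk.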
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c index 00d829be1..067585b81 100644 --- a/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c @@ -2443,7 +2443,8 @@ static const struct parse_data ssid_fields[] = { { INT(eap_workaround) }, { STRe(pac_file, pac_file) }, { INTe(fragment_size, fragment_size) }, - { INTe(ocsp, ocsp) }, + { INTe(ocsp, cert.ocsp) }, + { INTe(ocsp2, phase2_cert.ocsp) }, #endif /* IEEE8021X_EAPOL */ #ifdef CONFIG_MESH { INT_RANGE(mode, 0, 5) }, diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c index 7dd7b1786..c47300b1a 100644 --- a/wpa_supplicant/config_file.c +++ b/wpa_supplicant/config_file.c @@ -826,7 +826,8 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND); STR(pac_file); INT_DEFe(fragment_size, fragment_size, DEFAULT_FRAGMENT_SIZE); - INTe(ocsp, ocsp); + INTe(ocsp, cert.ocsp); + INTe(ocsp2, phase2_cert.ocsp); INT_DEFe(sim_num, sim_num, DEFAULT_USER_SELECTED_SIM); #endif /* IEEE8021X_EAPOL */ INT(mode); diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c index 2c2ff9ccb..0261bb7b8 100644 --- a/wpa_supplicant/interworking.c +++ b/wpa_supplicant/interworking.c @@ -1554,7 +1554,7 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid, cred->domain_suffix_match) < 0) return -1; - ssid->eap.ocsp = cred->ocsp; + ssid->eap.cert.ocsp = cred->ocsp; return 0; } diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf index 1159bdcdc..f7a365267 100644 --- a/wpa_supplicant/wpa_supplicant.conf +++ b/wpa_supplicant/wpa_supplicant.conf 
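Review bot: `ocsp` and `ocsp2` are parsed with INTe, which accepts any integer, yet eap_tls_common.c in this commit interprets the value only as nonzero, `>= 2` and `== 3`; a typo such as `ocsp=20` is silently treated as 2 and a negative value as 1, on a setting that decides whether revocation is checked at all. The same table already uses `INT_RANGE(mode, 0, 5)` a few lines down, so if a ranged variant of INTe exists or can be added, parse both fields with range 0..3 so that an unsupported value fails at load time instead of being folded. The ssid_fields table continues outside this hunk.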
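Review bot: Only `cert.ocsp` is populated from the credential here and `phase2_cert.ocsp` is left at its default, so for a credential whose inner method is TLS-based the OCSP policy presumably no longer reaches the phase 2 server certificate, whereas the previous single field was applied to both phases. If that is intended, a one-line comment such as `/* cred->ocsp applies to the phase 1 server certificate only */` above the assignment would prevent the next reader from hunting for the phase 2 path; if not, mirror it with `ssid->eap.phase2_cert.ocsp = cred->ocsp;`. interworking_set_eap_params starts before this hunk.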
@@ -1323,6 +1323,7 @@ fast_reauth=1 # certificate. See altsubject_match documentation for more details. # domain_suffix_match2: Constraint for server domain name. See # domain_suffix_match for more details. +# ocsp2: See ocsp for more details. # # fragment_size: Maximum EAP fragment size in bytes (default 1398). # This value limits the fragment size for EAP methods that support