HS 2.0R2: Do not mandate OCSP response for EST operations
OCSP validation is required only for the OSU operations and since the EST server may use a different server certificate, it may not necessarily support OCSP. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
8f60293d3f
commit
48408fce2f
2 changed files with 12 additions and 0 deletions
@ -109,8 +109,11 @@ int est_load_cacerts(struct hs20_osu_client *ctx, const char *url)
wpa_printf(MSG_INFO, "Download EST cacerts from %s", buf);
wpa_printf(MSG_INFO, "Download EST cacerts from %s", buf);
write_summary(ctx, "Download EST cacerts from %s", buf);
write_summary(ctx, "Download EST cacerts from %s", buf);
ctx->no_osu_cert_validation = 1;
ctx->no_osu_cert_validation = 1;
http_ocsp_set(ctx->http, 1);
res = http_download_file(ctx->http, buf, "Cert/est-cacerts.txt",
res = http_download_file(ctx->http, buf, "Cert/est-cacerts.txt",
ctx->ca_fname);
ctx->ca_fname);
http_ocsp_set(ctx->http,
(ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
ctx->no_osu_cert_validation = 0;
if (res < 0) {
if (res < 0) {
wpa_printf(MSG_INFO, "Failed to download EST cacerts from %s",
wpa_printf(MSG_INFO, "Failed to download EST cacerts from %s",
@ -553,8 +556,11 @@ int est_build_csr(struct hs20_osu_client *ctx, const char *url)
wpa_printf(MSG_INFO, "Download csrattrs from %s", buf);
wpa_printf(MSG_INFO, "Download csrattrs from %s", buf);
write_summary(ctx, "Download EST csrattrs from %s", buf);
write_summary(ctx, "Download EST csrattrs from %s", buf);
ctx->no_osu_cert_validation = 1;
ctx->no_osu_cert_validation = 1;
http_ocsp_set(ctx->http, 1);
res = http_download_file(ctx->http, buf, "Cert/est-csrattrs.txt",
res = http_download_file(ctx->http, buf, "Cert/est-csrattrs.txt",
ctx->ca_fname);
ctx->ca_fname);
http_ocsp_set(ctx->http,
(ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
ctx->no_osu_cert_validation = 0;
os_free(buf);
os_free(buf);
if (res < 0) {
if (res < 0) {
@ -652,10 +658,13 @@ int est_simple_enroll(struct hs20_osu_client *ctx, const char *url,
wpa_printf(MSG_INFO, "EST simpleenroll URL: %s", buf);
wpa_printf(MSG_INFO, "EST simpleenroll URL: %s", buf);
write_summary(ctx, "EST simpleenroll URL: %s", buf);
write_summary(ctx, "EST simpleenroll URL: %s", buf);
ctx->no_osu_cert_validation = 1;
ctx->no_osu_cert_validation = 1;
http_ocsp_set(ctx->http, 1);
resp = http_post(ctx->http, buf, req, "application/pkcs10",
resp = http_post(ctx->http, buf, req, "application/pkcs10",
"Content-Transfer-Encoding: base64",
"Content-Transfer-Encoding: base64",
ctx->ca_fname, user, pw, client_cert, client_key,
ctx->ca_fname, user, pw, client_cert, client_key,
&resp_len);
&resp_len);
http_ocsp_set(ctx->http,
(ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
ctx->no_osu_cert_validation = 0;
os_free(buf);
os_free(buf);
if (resp == NULL) {
if (resp == NULL) {
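Review bot: In the est_load_cacerts hunk, `http_ocsp_set(ctx->http, 1);` relaxes revocation checking for the very request that fetches the CA certificates the client will trust for the rest of the enrollment, so a revoked-but-unexpired EST server certificate would now be accepted for that download; the commit message explains why mandatory OCSP is dropped, but the code should say so where the value is set, since `1` and `2` carry no meaning on their own: `/* OCSP is mandated only for the OSU server; the EST server may use a different certificate without OCSP stapling support */`. The same set/restore pair is repeated verbatim in est_build_csr and est_simple_enroll, and each restore recomputes `(ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2` rather than putting back whatever mode was in effect before the call, so any caller that had selected a different mode silently loses it; a small `static` helper in this file that performs the restore would keep the three copies in step, and restoring a saved value (if the http layer can report the current mode) would make it exact. Whether mode 1 still verifies a stapled OCSP response when one is present is not visible in these hunks and is worth confirming, since that is what keeps the relaxation from becoming a full revocation bypass. The bodies of all three functions continue outside the hunks.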
@ -303,7 +303,10 @@ static int download_cert(struct hs20_osu_client *ctx, xml_node_t *params,
write_summary(ctx, "Download certificate from %s", url);
write_summary(ctx, "Download certificate from %s", url);
ctx->no_osu_cert_validation = 1;
ctx->no_osu_cert_validation = 1;
http_ocsp_set(ctx->http, 1);
res = http_download_file(ctx->http, url, TMP_CERT_DL_FILE, NULL);
res = http_download_file(ctx->http, url, TMP_CERT_DL_FILE, NULL);
http_ocsp_set(ctx->http,
(ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
ctx->no_osu_cert_validation = 0;
xml_node_get_text_free(ctx->xml, url);
xml_node_get_text_free(ctx->xml, url);
if (res < 0)
if (res < 0)
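Review bot: The relaxed mode set by `http_ocsp_set(ctx->http, 1);` in download_cert is restored by recomputing the workaround-derived default rather than the value that was in effect before the download, which mirrors the `no_osu_cert_validation` toggle around the same call but means this function assumes it is the only place choosing the OCSP mode; a comment on the first line would make the intent explicit, e.g. `/* The certificate may be served by a non-OSU server without OCSP stapling; OSU requirements are restored below */`. Unlike the EST hunks, this call passes `NULL` as the CA-file argument of http_download_file, so it is not clear from the hunk which trust anchors apply to this connection, and relaxing OCSP on top of that deserves confirmation that the server chain is still validated against something. download_cert's body continues outside the hunk.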