diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index f2163b83f..503d47979 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2132,6 +2132,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 } else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
 os_free(bss->ocsp_stapling_response);
 bss->ocsp_stapling_response = os_strdup(pos);
+ } else if (os_strcmp(buf, "ocsp_stapling_response_multi") == 0) {
+ os_free(bss->ocsp_stapling_response_multi);
+ bss->ocsp_stapling_response_multi = os_strdup(pos);
 } else if (os_strcmp(buf, "dh_file") == 0) {
 os_free(bss->dh_file);
 bss->dh_file = os_strdup(pos);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 4f51140b5..ecd4328ca 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -795,6 +795,11 @@ eap_server=0
 # -respout /tmp/ocsp-cache.der
 #ocsp_stapling_response=/tmp/ocsp-cache.der
 
+# Cached OCSP stapling response list (DER encoded OCSPResponseList)
+# This is similar to ocsp_stapling_response, but the extended version defined in
+# RFC 6961 to allow multiple OCSP responses to be provided.
+#ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der
+
 # dh_file: File path to DH/DSA parameters file (in PEM format)
 # This is an optional configuration file for setting parameters for an
 # ephemeral DH key exchange. In most cases, the default RSA authentication does
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index cf9b2ceba..88074f2e6 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -471,6 +471,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 os_free(conf->private_key);
 os_free(conf->private_key_passwd);
 os_free(conf->ocsp_stapling_response);
+ os_free(conf->ocsp_stapling_response_multi);
 os_free(conf->dh_file);
 os_free(conf->openssl_ciphers);
 os_free(conf->pac_opaque_encr_key);
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index ff9dcb05d..44bccccb8 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
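Review bot: The added `ocsp_stapling_response_multi` branch stores the value with an unchecked `os_strdup(pos)`, so an allocation failure leaves the field NULL and the option silently off instead of failing the config load, and a line with an empty value (if the parser lets `pos` reach here as `""`) stores an empty string where tls.h promises `%NULL` for "not enabled". The sibling `ocsp_stapling_response` branch directly above behaves the same way, so the new code is at least consistent with it; if the backend treats any non-NULL path as enabled, normalising at parse time with `bss->ocsp_stapling_response_multi = *pos ? os_strdup(pos) : NULL;` keeps the documented NULL contract. hostapd_config_fill() starts and ends outside the hunk.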
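Review bot: The new commentary for ocsp_stapling_response_multi omits the scope and freshness caveats an operator needs before enabling it: the RFC 6961 ocsp_multi mechanism (status_request_v2) is not carried in TLS 1.3, which defines only the per-certificate status_request form (RFC 8446, Section 4.4.2.1), so this file is served to TLS 1.2 and earlier peers only; and, like ocsp_stapling_response, it is a static cache, so the list must be regenerated before the nextUpdate of its responses passes or validating clients will see a stale staple. Suggest adding after the RFC 6961 sentence `# Only used with TLS 1.2 and earlier (TLS 1.3 has no ocsp_multi); the list is a` and `# cached file that must be refreshed before the contained responses expire.`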
@@ -341,6 +341,7 @@ struct hostapd_bss_config { int check_crl; unsigned int tls_session_lifetime; char *ocsp_stapling_response; + char *ocsp_stapling_response_multi; char *dh_file; char *openssl_ciphers; u8 *pac_opaque_encr_key; diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c index c9111f6ca..cdb49cdd9 100644 --- a/src/ap/authsrv.c +++ b/src/ap/authsrv.c @@ -173,6 +173,8 @@ int authsrv_init(struct hostapd_data *hapd) params.openssl_ciphers = hapd->conf->openssl_ciphers; params.ocsp_stapling_response = hapd->conf->ocsp_stapling_response; + params.ocsp_stapling_response_multi = + hapd->conf->ocsp_stapling_response_multi; if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) { wpa_printf(MSG_ERROR, "Failed to set TLS parameters"); diff --git a/src/crypto/tls.h b/src/crypto/tls.h index bca94d67d..aa90a55cc 100644 --- a/src/crypto/tls.h +++ b/src/crypto/tls.h @@ -140,6 +140,9 @@ struct tls_config { * @flags: Parameter options (TLS_CONN_*) * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response * or %NULL if OCSP is not enabled + * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling + * response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if + * ocsp_multi is not enabled * * TLS connection parameters to be configured with tls_connection_set_params() * and tls_global_set_params(). @@ -180,6 +183,7 @@ struct tls_connection_params { unsigned int flags; const char *ocsp_stapling_response; + const char *ocsp_stapling_response_multi; };
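Review bot: `params.ocsp_stapling_response_multi` is now handed to tls_global_set_params(), but no TLS backend change that reads the field is visible in this diff, so on a backend that ignores it the option is a silent no-op: the operator configures a file, hostapd starts cleanly, and TLS 1.2 clients requesting ocsp_multi receive nothing. If the consuming backend code lands in a separate commit that is fine, but a configured-yet-unsupported value should not pass quietly; tls_global_set_params() should return an error (as it already does for other parameters, judging by the `"Failed to set TLS parameters"` path here) when the field is non-NULL and the backend cannot serve it. The `¶ms` in the context line appears to be an extraction artefact of `&params`, not a code issue. authsrv_init() starts and ends outside the hunk.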
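Review bot: The new @ocsp_stapling_response_multi description gives the file's encoding but not the ordering constraint that makes a hand-built OCSPResponseList usable: in RFC 6961 each OCSPResponse in the list corresponds positionally to the certificate at the same index of the server's Certificate message, with an empty entry where no response is available, so a list built for a different chain order is accepted yet wrong. Suggest appending `* Entries must follow the order of the certificate chain as sent, with an empty` and `* entry for any certificate that has no response (RFC 6961).` to the comment. struct tls_connection_params continues outside the hunk.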