HTTP (curl): OCSP with BoringSSL

This adds experimental support for using OCSP with libcurl that is built
against BoringSSL. This needs small modifications to libcurl to allow
CURLOPT_SSL_VERIFYSTATUS to be used to call
SSL_enable_ocsp_stapling(connssl->handle) in ossl_connect_step1().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2015-12-04 14:06:53 +02:00 committed by Jouni Malinen
parent 213e158ca8
commit 8d27efa814
3 changed files with 35 additions and 0 deletions

View file

@ -55,6 +55,7 @@ OBJS += ../../src/crypto/crypto_internal.c
OBJS += ../../src/crypto/md5-internal.c OBJS += ../../src/crypto/md5-internal.c
OBJS += ../../src/crypto/sha1-internal.c OBJS += ../../src/crypto/sha1-internal.c
OBJS += ../../src/crypto/sha256-internal.c OBJS += ../../src/crypto/sha256-internal.c
OBJS += ../../src/crypto/tls_openssl_ocsp.c
L_CFLAGS += -DEAP_TLS_OPENSSL L_CFLAGS += -DEAP_TLS_OPENSSL

View file

@ -76,6 +76,7 @@ LIBS += -lcurl
endif endif
CFLAGS += -DEAP_TLS_OPENSSL CFLAGS += -DEAP_TLS_OPENSSL
OBJS += ../../src/crypto/tls_openssl_ocsp.o
LIBS += -lssl -lcrypto LIBS += -lssl -lcrypto
hs20-osu-client: $(OBJS) hs20-osu-client: $(OBJS)

View file

@ -26,6 +26,9 @@
#include "common.h" #include "common.h"
#include "xml-utils.h" #include "xml-utils.h"
#include "http-utils.h" #include "http-utils.h"
#ifdef EAP_TLS_OPENSSL
#include "crypto/tls_openssl.h"
#endif /* EAP_TLS_OPENSSL */
struct http_ctx { struct http_ctx {
@ -1004,6 +1007,26 @@ static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0) if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
return 0; return 0;
#ifdef OPENSSL_IS_BORINGSSL
if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
enum ocsp_result res;
res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
ctx->peer_issuer_issuer);
if (res == OCSP_REVOKED) {
preverify_ok = 0;
wpa_printf(MSG_INFO, "OCSP: certificate revoked");
if (err == X509_V_OK)
X509_STORE_CTX_set_error(
x509_ctx, X509_V_ERR_CERT_REVOKED);
} else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
preverify_ok = 0;
wpa_printf(MSG_INFO,
"OCSP: bad certificate status response");
}
}
#endif /* OPENSSL_IS_BORINGSSL */
if (!preverify_ok) if (!preverify_ok)
ctx->last_err = "TLS validation failed"; ctx->last_err = "TLS validation failed";
@ -1296,6 +1319,16 @@ static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
#ifdef EAP_TLS_OPENSSL #ifdef EAP_TLS_OPENSSL
curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl); curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx); curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
#ifdef OPENSSL_IS_BORINGSSL
/* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
* with BoringSSL since the OpenSSL specific callback hack to
* enable OCSP is not available with BoringSSL. The OCSP
* implementation within libcurl is not sufficient for the
* Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
*/
if (ctx->ocsp != NO_OCSP)
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
#endif /* OPENSSL_IS_BORINGSSL */
#endif /* EAP_TLS_OPENSSL */ #endif /* EAP_TLS_OPENSSL */
} else { } else {
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);