GnuTLS: OCSP stapling on the server side
This adds support for hostapd-as-authentication-server to be built against GnuTLS with OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
parent
6241766709
commit
9532bd2b44
1 changed files with 52 additions and 0 deletions
|
@ -37,6 +37,8 @@ struct tls_global {
|
|||
union tls_event_data *data);
|
||||
void *cb_ctx;
|
||||
int cert_in_cb;
|
||||
|
||||
char *ocsp_stapling_response;
|
||||
};
|
||||
|
||||
struct tls_connection {
|
||||
|
@ -133,6 +135,7 @@ void tls_deinit(void *ssl_ctx)
|
|||
if (global->params_set)
|
||||
gnutls_certificate_free_credentials(global->xcred);
|
||||
os_free(global->session_data);
|
||||
os_free(global->ocsp_stapling_response);
|
||||
os_free(global);
|
||||
}
|
||||
|
||||
|
@ -602,6 +605,44 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
}
|
||||
|
||||
|
||||
#if GNUTLS_VERSION_NUMBER >= 0x030103
|
||||
static int server_ocsp_status_req(gnutls_session_t session, void *ptr,
|
||||
gnutls_datum_t *resp)
|
||||
{
|
||||
struct tls_global *global = ptr;
|
||||
char *cached;
|
||||
size_t len;
|
||||
|
||||
if (!global->ocsp_stapling_response) {
|
||||
wpa_printf(MSG_DEBUG, "GnuTLS: OCSP status callback - no response configured");
|
||||
return GNUTLS_E_NO_CERTIFICATE_STATUS;
|
||||
}
|
||||
|
||||
cached = os_readfile(global->ocsp_stapling_response, &len);
|
||||
if (!cached) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"GnuTLS: OCSP status callback - could not read response file (%s)",
|
||||
global->ocsp_stapling_response);
|
||||
return GNUTLS_E_NO_CERTIFICATE_STATUS;
|
||||
}
|
||||
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"GnuTLS: OCSP status callback - send cached response");
|
||||
resp->data = gnutls_malloc(len);
|
||||
if (!resp->data) {
|
||||
os_free(resp);
|
||||
return GNUTLS_E_MEMORY_ERROR;
|
||||
}
|
||||
|
||||
os_memcpy(resp->data, cached, len);
|
||||
resp->size = len;
|
||||
os_free(cached);
|
||||
|
||||
return GNUTLS_E_SUCCESS;
|
||||
}
|
||||
#endif /* 3.1.3 */
|
||||
|
||||
|
||||
int tls_global_set_params(void *tls_ctx,
|
||||
const struct tls_connection_params *params)
|
||||
{
|
||||
|
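Review bot: The allocation-failure path in server_ocsp_status_req frees the wrong object at `os_free(resp);`: `resp` is the `gnutls_datum_t *` output parameter handed in by GnuTLS, not memory this function allocated, while the buffer the function does own, `cached` from os_readfile(), leaks on that path. The two lines in that branch should read `os_free(cached);` and `return GNUTLS_E_MEMORY_ERROR;`. Separately, `resp->size = len;` assigns a `size_t` into the datum's size field, which is presumably narrower; a response file that large is implausible, but a check such as `if (len > UINT_MAX) { os_free(cached); return GNUTLS_E_NO_CERTIFICATE_STATUS; }` before the copy would make the truncation impossible rather than silent. tls_global_set_params begins at the end of this hunk and its body continues outside it.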
@ -696,6 +737,17 @@ int tls_global_set_params(void *tls_ctx,
|
|||
}
|
||||
}
|
||||
|
||||
#if GNUTLS_VERSION_NUMBER >= 0x030103
|
||||
os_free(global->ocsp_stapling_response);
|
||||
if (params->ocsp_stapling_response)
|
||||
global->ocsp_stapling_response =
|
||||
os_strdup(params->ocsp_stapling_response);
|
||||
else
|
||||
global->ocsp_stapling_response = NULL;
|
||||
gnutls_certificate_set_ocsp_status_request_function(
|
||||
global->xcred, server_ocsp_status_req, global);
|
||||
#endif /* 3.1.3 */
|
||||
|
||||
global->params_set = 1;
|
||||
|
||||
return 0;
|
||||
|
|
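Review bot: The result of `os_strdup(params->ocsp_stapling_response)` is not checked, so an allocation failure leaves `global->ocsp_stapling_response` NULL and the server silently stops stapling even though the operator configured a response file; server_ocsp_status_req would then answer with no status instead of the configured response. Since the function presumably reports configuration failures through its return code (only the final `return 0;` is visible here), consider adding `if (params->ocsp_stapling_response && !global->ocsp_stapling_response) return -1;` after the assignment. Registering the callback unconditionally is fine, because the callback itself handles the NULL case. tls_global_set_params starts and ends outside this hunk.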