Interworking: Add OCSP parameter to the cred block

This new parameter can be used to configure credentials to mandate use of OCSP stapling for AAA server authentication. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-12-08 17:30:01 -08:00 · 2013-12-08 17:30:01 -08:00 · cf6d08a63f
commit cf6d08a63f
parent 6402f2fe40
6 changed files with 29 additions and 0 deletions
--- a/wpa_supplicant/README-HS20
+++ b/wpa_supplicant/README-HS20
@ -265,6 +265,11 @@ Credentials can be pre-configured for automatic network selection:
 #	req_conn_capab=17:500
 #	req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+#	0 = do not use OCSP stapling (TLS certificate status extension)
+#	1 = try to use OCSP stapling, but not require response
+#	2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@ -2556,6 +2556,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
 	if (os_strcmp(var, "req_conn_capab") == 0)
 		return wpa_config_set_cred_req_conn_capab(cred, value);

+	if (os_strcmp(var, "ocsp") == 0) {
+		cred->ocsp = atoi(value);
+		return 0;
+	}
+
 	val = wpa_config_parse_string(value, &len);
 	if (val == NULL) {
 		wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@ -279,6 +279,15 @@ struct wpa_cred {
 	unsigned int num_req_conn_capab;
 	u8 *req_conn_capab_proto;
 	int **req_conn_capab_port;
+
+	/**
+	 * ocsp - Whether to use/require OCSP to check server certificate
+	 *
+	 * 0 = do not use OCSP stapling (TLS certificate status extension)
+	 * 1 = try to use OCSP stapling, but not require response
+	 * 2 = require valid OCSP stapling response
+	 */
+	int ocsp;
 };


--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@ -828,6 +828,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
 	if (cred->max_bss_load)
 		fprintf(f, "\tmax_bss_load=%u\n",
 			cred->max_bss_load);
+
+	if (cred->ocsp)
+		fprintf(f, "\tocsp=%d\n", cred->ocsp);
 }


--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@ -1420,6 +1420,8 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
 				  cred->domain_suffix_match) < 0)
 		return -1;

+	ssid->eap.ocsp = cred->ocsp;
+
 	return 0;
 }

--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@ -478,6 +478,11 @@ fast_reauth=1
 #	req_conn_capab=17:500
 #	req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+#	0 = do not use OCSP stapling (TLS certificate status extension)
+#	1 = try to use OCSP stapling, but not require response
+#	2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={