From cf6d08a63f095b1fe19ba8ca71072b7cffd738ff Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 8 Dec 2013 17:30:01 -0800
Subject: [PATCH] Interworking: Add OCSP parameter to the cred block

This new parameter can be used to configure credentials to mandate use of OCSP stapling for AAA server authentication.

Signed-hostap: Jouni Malinen
---
 wpa_supplicant/README-HS20 | 5 +++++
 wpa_supplicant/config.c | 5 +++++
 wpa_supplicant/config.h | 9 +++++++++
 wpa_supplicant/config_file.c | 3 +++
 wpa_supplicant/interworking.c | 2 ++
 wpa_supplicant/wpa_supplicant.conf | 5 +++++
 6 files changed, 29 insertions(+)

diff --git a/wpa_supplicant/README-HS20 b/wpa_supplicant/README-HS20
index c8a00e284..b6f067356 100644
--- a/wpa_supplicant/README-HS20
+++ b/wpa_supplicant/README-HS20
@@ -265,6 +265,11 @@ Credentials can be pre-configured for automatic network selection:
 # req_conn_capab=17:500
 # req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+# 0 = do not use OCSP stapling (TLS certificate status extension)
+# 1 = try to use OCSP stapling, but not require response
+# 2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 9394a9c11..da9580e94 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2556,6 +2556,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
 if (os_strcmp(var, "req_conn_capab") == 0)
 return wpa_config_set_cred_req_conn_capab(cred, value);
 
+ if (os_strcmp(var, "ocsp") == 0) {
+ cred->ocsp = atoi(value);
+ return 0;
+ }
+
 val = wpa_config_parse_string(value, &len);
 if (val == NULL) {
 wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index a981ca942..de4397060 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
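Review bot: The new `ocsp` branch in wpa_config_set_cred stores `atoi(value)` without any range check, although the documented domain of the setting is 0, 1 or 2. atoi reports no parse failure, so a typo such as `ocsp=two` silently becomes 0 (stapling off) and `ocsp=5` is stored as-is and then copied into ssid->eap.ocsp by the interworking.c hunk; for a setting whose purpose is to mandate a revocation check, a malformed value should fail the configuration load rather than quietly weaken it. I would validate after parsing, `cred->ocsp = atoi(value); if (cred->ocsp < 0 || cred->ocsp > 2) return -1;`, preceded by a `wpa_printf(MSG_ERROR, "Line %d: invalid ocsp value", ...)` in the style of the existing invalid-field message. wpa_config_set_cred starts before this hunk and continues after it.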
@@ -279,6 +279,15 @@ struct wpa_cred {
 unsigned int num_req_conn_capab;
 u8 *req_conn_capab_proto;
 int **req_conn_capab_port;
+
+ /**
+ * ocsp - Whether to use/require OCSP to check server certificate
+ *
+ * 0 = do not use OCSP stapling (TLS certificate status extension)
+ * 1 = try to use OCSP stapling, but not require response
+ * 2 = require valid OCSP stapling response
+ */
+ int ocsp;
 };
 
 
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 436204be4..850a6cf9d 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -828,6 +828,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
 
 if (cred->max_bss_load)
 fprintf(f, "\tmax_bss_load=%u\n", cred->max_bss_load);
+
+ if (cred->ocsp)
+ fprintf(f, "\tocsp=%d\n", cred->ocsp);
 }
 
 
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index b5d1b7111..fcfa63970 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -1420,6 +1420,8 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
 cred->domain_suffix_match) < 0)
 return -1;
 
+ ssid->eap.ocsp = cred->ocsp;
+
 return 0;
 }
 
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 78dbd0939..442b44cbb 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -478,6 +478,11 @@ fast_reauth=1
 # req_conn_capab=17:500
 # req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+# 0 = do not use OCSP stapling (TLS certificate status extension)
+# 1 = try to use OCSP stapling, but not require response
+# 2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={