Add ocsp=3 configuration parameter for multi-OCSP
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the server certificate chain to receive a good OCSP status. This requires support for ocsp_multi (RFC 6961). This commit is only adding the configuration value, but all the currently included TLS library wrappers are rejecting this as unsupported for now. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
02683830b5
commit
d6b536f7e5
|
|
@ -96,6 +96,7 @@ struct tls_config {
|
|||
#define TLS_CONN_EAP_FAST BIT(7)
|
||||
#define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
|
||||
#define TLS_CONN_EXT_CERT_CHECK BIT(9)
|
||||
#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
|
||||
|
||||
/**
|
||||
* struct tls_connection_params - Parameters for TLS connection
|
||||
|
|
|
|||
|
|
@ -350,6 +350,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
if (conn == NULL || params == NULL)
|
||||
return -1;
|
||||
|
||||
if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"GnuTLS: ocsp=3 not supported");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"GnuTLS: tls_ext_cert_check=1 not supported");
|
||||
|
|
|
|||
|
|
@ -200,6 +200,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
if (conn->client == NULL)
|
||||
return -1;
|
||||
|
||||
if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"TLS: ocsp=3 not supported");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"TLS: tls_ext_cert_check=1 not supported");
|
||||
|
|
|
|||
|
|
@ -3890,6 +3890,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
|||
if (conn == NULL)
|
||||
return -1;
|
||||
|
||||
if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
|
||||
wpa_printf(MSG_INFO,
|
||||
"OpenSSL: ocsp=3 not supported");
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* If the engine isn't explicitly configured, and any of the
|
||||
* cert/key fields are actually PKCS#11 URIs, then automatically
|
||||
|
|
|
|||
|
|
@ -196,8 +196,10 @@ static int eap_tls_init_connection(struct eap_sm *sm,
|
|||
|
||||
if (config->ocsp)
|
||||
params->flags |= TLS_CONN_REQUEST_OCSP;
|
||||
if (config->ocsp == 2)
|
||||
if (config->ocsp >= 2)
|
||||
params->flags |= TLS_CONN_REQUIRE_OCSP;
|
||||
if (config->ocsp == 3)
|
||||
params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
|
||||
data->conn = tls_connection_init(data->ssl_ctx);
|
||||
if (data->conn == NULL) {
|
||||
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
|
||||
|
|
|
|||
|
|
@ -586,6 +586,8 @@ fast_reauth=1
|
|||
# 0 = do not use OCSP stapling (TLS certificate status extension)
|
||||
# 1 = try to use OCSP stapling, but not require response
|
||||
# 2 = require valid OCSP stapling response
|
||||
# 3 = require valid OCSP stapling response for all not-trusted
|
||||
# certificates in the server certificate chain
|
||||
#
|
||||
# sim_num: Identifier for which SIM to use in multi-SIM devices
|
||||
#
|
||||
|
|
@ -1084,6 +1086,8 @@ fast_reauth=1
|
|||
# 0 = do not use OCSP stapling (TLS certificate status extension)
|
||||
# 1 = try to use OCSP stapling, but not require response
|
||||
# 2 = require valid OCSP stapling response
|
||||
# 3 = require valid OCSP stapling response for all not-trusted
|
||||
# certificates in the server certificate chain
|
||||
#
|
||||
# openssl_ciphers: OpenSSL specific cipher configuration
|
||||
# This can be used to override the global openssl_ciphers configuration
|
||||
|
|
|
|||
Loading…
Reference in New Issue