Add ocsp=3 configuration parameter for multi-OCSP

ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

src/crypto/tls.h

@@ -96,6 +96,7 @@ struct tls_config {
 #define TLS_CONN_EAP_FAST BIT(7)
 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
+#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection

src/crypto/tls_gnutls.c

@@ -350,6 +350,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 	if (conn == NULL || params == NULL)
 		return -1;
 
+	if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+		wpa_printf(MSG_INFO,
+			   "GnuTLS: ocsp=3 not supported");
+		return -1;
+	}
+
 	if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
 		wpa_printf(MSG_INFO,
 			   "GnuTLS: tls_ext_cert_check=1 not supported");

src/crypto/tls_internal.c

@@ -200,6 +200,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 	if (conn->client == NULL)
 		return -1;
 
+	if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+		wpa_printf(MSG_INFO,
+			   "TLS: ocsp=3 not supported");
+		return -1;
+	}
+
 	if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
 		wpa_printf(MSG_INFO,
 			   "TLS: tls_ext_cert_check=1 not supported");

src/crypto/tls_openssl.c

@@ -3890,6 +3890,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 	if (conn == NULL)
 		return -1;
 
+	if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+		wpa_printf(MSG_INFO,
+			   "OpenSSL: ocsp=3 not supported");
+		return -1;
+	}
+
 	/*
 	 * If the engine isn't explicitly configured, and any of the
 	 * cert/key fields are actually PKCS#11 URIs, then automatically

src/eap_peer/eap_tls_common.c

@@ -196,8 +196,10 @@ static int eap_tls_init_connection(struct eap_sm *sm,
 
 	if (config->ocsp)
 		params->flags |= TLS_CONN_REQUEST_OCSP;
-	if (config->ocsp == 2)
+	if (config->ocsp >= 2)
 		params->flags |= TLS_CONN_REQUIRE_OCSP;
+	if (config->ocsp == 3)
+		params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
 	data->conn = tls_connection_init(data->ssl_ctx);
 	if (data->conn == NULL) {
 		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "

wpa_supplicant/wpa_supplicant.conf

@@ -586,6 +586,8 @@ fast_reauth=1
 #	0 = do not use OCSP stapling (TLS certificate status extension)
 #	1 = try to use OCSP stapling, but not require response
 #	2 = require valid OCSP stapling response
+#	3 = require valid OCSP stapling response for all not-trusted
+#	    certificates in the server certificate chain
 #
 # sim_num: Identifier for which SIM to use in multi-SIM devices
 #
@@ -1084,6 +1086,8 @@ fast_reauth=1
 #	0 = do not use OCSP stapling (TLS certificate status extension)
 #	1 = try to use OCSP stapling, but not require response
 #	2 = require valid OCSP stapling response
+#	3 = require valid OCSP stapling response for all not-trusted
+#	    certificates in the server certificate chain
 #
 # openssl_ciphers: OpenSSL specific cipher configuration
 #	This can be used to override the global openssl_ciphers configuration