authorJouni Malinen <j@w1.fi>2019-09-01 13:07:58 (GMT)
committerJouni Malinen <j@w1.fi>2019-09-01 14:19:35 (GMT)
commit043de65f1c42658d72fa6edce7b31891d255140a (patch)
treed6876534746b49b55ed5ddc4f0ec1607305ff9ac
parente0ee87c70614b4d0d0bbe55bfae57297b1530b97 (diff)
EAP peer config: Move ocsp param to phase1/phase2
OCSP configuration is applicable to each instance of TLS-based authentication and as such, the configuration might need to be different for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and add a separate ocsp2 network profile parameter to set this for Phase 2. Signed-off-by: Jouni Malinen <j@w1.fi>
-rw-r--r--src/eap_peer/eap_config.h18
-rw-r--r--src/eap_peer/eap_tls_common.c12
-rw-r--r--wpa_supplicant/config.c3
-rw-r--r--wpa_supplicant/config_file.c3
-rw-r--r--wpa_supplicant/interworking.c2
-rw-r--r--wpa_supplicant/wpa_supplicant.conf1
6 files changed, 21 insertions, 18 deletions
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index feb1301..ae1de91 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -284,6 +284,15 @@ struct eap_peer_cert_config {
* This is used if the CA certificate for EAP-TLS is on a smartcard.
*/
char *ca_cert_id;
+
+ /**
+ * ocsp - Whether to use/require OCSP to check server certificate
+ *
+ * 0 = do not use OCSP stapling (TLS certificate status extension)
+ * 1 = try to use OCSP stapling, but not require response
+ * 2 = require valid OCSP stapling response
+ */
+ int ocsp;
};
/**
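Review bot: The value list in the relocated `ocsp` doc comment on struct eap_peer_cert_config stops at 2, but eap_tls_cert_params_from_conf in this same commit also maps `config->ocsp == 3` to TLS_CONN_REQUIRE_OCSP_ALL, so the header documents fewer modes than the code acts on. The gap predates the commit because the comment is moved verbatim, but this is the natural point to close it since the field now lives next to the code that consumes it. Add a fourth line such as `* 3 = require valid OCSP stapling response for all certificates in the chain (TLS_CONN_REQUIRE_OCSP_ALL)`, reusing the wording of the existing ocsp description in wpa_supplicant.conf if it already covers value 3 — confirm the exact semantics there before committing to the phrasing. The struct definition starts before this hunk.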
@@ -634,15 +643,6 @@ struct eap_peer_config {
u32 flags;
/**
- * ocsp - Whether to use/require OCSP to check server certificate
- *
- * 0 = do not use OCSP stapling (TLS certificate status extension)
- * 1 = try to use OCSP stapling, but not require response
- * 2 = require valid OCSP stapling response
- */
- int ocsp;
-
- /**
* external_sim_resp - Response from external SIM processing
*
* This field should not be set in configuration step. It is only used
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index ce8a1c7..a59c3a0 100644
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -125,6 +125,12 @@ static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,
params->key_id = config->key_id;
params->cert_id = config->cert_id;
params->ca_cert_id = config->ca_cert_id;
+ if (config->ocsp)
+ params->flags |= TLS_CONN_REQUEST_OCSP;
+ if (config->ocsp >= 2)
+ params->flags |= TLS_CONN_REQUIRE_OCSP;
+ if (config->ocsp == 3)
+ params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
}
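Review bot: Moving the three `if (config->ocsp ...)` checks from eap_tls_init_connection into eap_tls_cert_params_from_conf makes the Phase 2 TLS connection take its OCSP policy from phase2_cert.ocsp, which is populated only by the new ocsp2 parameter (config.c and config_file.c hunks), and interworking.c likewise copies cred->ocsp into cert.ocsp alone. A profile that today sets ocsp=2 and relies on that applying to an inner EAP-TLS in Phase 2 will presumably fall back to no OCSP request for the tunnelled connection after this commit unless ocsp2 is also set, which is a silent weakening of an existing certificate-validation setting. Either have the Phase 2 config inherit the Phase 1 value when ocsp2 is not given, or state the new default explicitly next to the `# ocsp2:` line added in wpa_supplicant.conf so that operators know to set it. eap_tls_cert_params_from_conf begins before this hunk, so the `config` parameter's type is inferred here from the field accesses.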
@@ -233,12 +239,6 @@ static int eap_tls_init_connection(struct eap_sm *sm,
{
int res;
- if (config->ocsp)
- params->flags |= TLS_CONN_REQUEST_OCSP;
- if (config->ocsp >= 2)
- params->flags |= TLS_CONN_REQUIRE_OCSP;
- if (config->ocsp == 3)
- params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
data->conn = tls_connection_init(data->ssl_ctx);
if (data->conn == NULL) {
wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 00d829b..067585b 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2443,7 +2443,8 @@ static const struct parse_data ssid_fields[] = {
{ INT(eap_workaround) },
{ STRe(pac_file, pac_file) },
{ INTe(fragment_size, fragment_size) },
- { INTe(ocsp, ocsp) },
+ { INTe(ocsp, cert.ocsp) },
+ { INTe(ocsp2, phase2_cert.ocsp) },
#endif /* IEEE8021X_EAPOL */
#ifdef CONFIG_MESH
{ INT_RANGE(mode, 0, 5) },
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 7dd7b17..c47300b 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -826,7 +826,8 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND);
STR(pac_file);
INT_DEFe(fragment_size, fragment_size, DEFAULT_FRAGMENT_SIZE);
- INTe(ocsp, ocsp);
+ INTe(ocsp, cert.ocsp);
+ INTe(ocsp2, phase2_cert.ocsp);
INT_DEFe(sim_num, sim_num, DEFAULT_USER_SELECTED_SIM);
#endif /* IEEE8021X_EAPOL */
INT(mode);
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index 2c2ff9c..0261bb7 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -1554,7 +1554,7 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
cred->domain_suffix_match) < 0)
return -1;
- ssid->eap.ocsp = cred->ocsp;
+ ssid->eap.cert.ocsp = cred->ocsp;
return 0;
}
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 1159bdc..f7a3652 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1323,6 +1323,7 @@ fast_reauth=1
# certificate. See altsubject_match documentation for more details.
# domain_suffix_match2: Constraint for server domain name. See
# domain_suffix_match for more details.
+# ocsp2: See ocsp for more details.
#
# fragment_size: Maximum EAP fragment size in bytes (default 1398).
# This value limits the fragment size for EAP methods that support