authorJouni Malinen <j@w1.fi>2015-12-17 09:45:48 (GMT)
committerJouni Malinen <j@w1.fi>2015-12-17 09:47:38 (GMT)
commit8ba8c01d0cec3847c48c58e18c5bda5def8993b3 (patch)
treece78a6c7656f8cd6e60a0b1cf43f050fffc95637 /src/tls
parentf163ed8bae4668bb088bd7a339fd9c948ac02b99 (diff)
TLS: Report OCSP rejection cases when no valid response if found
This adds CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS messages with 'bad certificate status response' for cases where no valid OCSP response was received, but the network profile requires OCSP to be used. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/tlsv1_client_read.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index b1fa15f..ff12452 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -889,11 +889,21 @@ static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
goto skip;
tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
+ if (conn->server_cert)
+ tls_cert_chain_failure_event(
+ conn, 0, conn->server_cert,
+ TLS_FAIL_UNSPECIFIED,
+ "bad certificate status response");
return -1;
case TLS_OCSP_INVALID:
if (!(conn->flags & TLS_CONN_REQUIRE_OCSP))
goto skip; /* ignore - process as if no response */
tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
+ if (conn->server_cert)
+ tls_cert_chain_failure_event(
+ conn, 0, conn->server_cert,
+ TLS_FAIL_UNSPECIFIED,
+ "bad certificate status response");
return -1;
case TLS_OCSP_GOOD:
wpa_printf(MSG_DEBUG, "TLSv1: OCSP response good");
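Review bot: When `conn->server_cert` is NULL, both added blocks (after the `TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE` alert and in the `TLS_OCSP_INVALID` case) skip `tls_cert_chain_failure_event()` without any trace, so a required-OCSP rejection still fails the handshake but produces none of the events the commit sets out to report. Whether `server_cert` can be unset at this point is not visible in the hunk; if it can, add a fallback such as `else wpa_printf(MSG_DEBUG, "TLSv1: OCSP rejection without server certificate - no event reported");`. The two blocks are also identical, and they give the same reason text for both rejection paths, so anyone monitoring the events cannot tell an undecodable response from the other rejection case. A small static helper with a comment like `/* Report a required-OCSP rejection to upper layers; the caller fails the handshake */` would keep them in sync. The first case label and the start of tls_process_certificate_status() lie above the hunk.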