aboutsummaryrefslogtreecommitdiffstats
path: root/hs20
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2014-03-17 22:03:59 (GMT)
committerJouni Malinen <j@w1.fi>2014-03-17 22:39:58 (GMT)
commit48408fce2f3d94f5cab08d46cec7e5306db12c14 (patch)
treebaee25dcb0043412b56906b0177f7712958689dc /hs20
parent8f60293d3f1f19f65cd88da126e9ea266285bcf4 (diff)
downloadhostap-48408fce2f3d94f5cab08d46cec7e5306db12c14.zip
hostap-48408fce2f3d94f5cab08d46cec7e5306db12c14.tar.gz
hostap-48408fce2f3d94f5cab08d46cec7e5306db12c14.tar.bz2
HS 2.0R2: Do not mandate OCSP response for EST operations
OCSP validation is required only for the OSU operations and since the EST server may use a different server certificate, it may not necessarily support OCSP. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'hs20')
-rw-r--r--hs20/client/est.c9
-rw-r--r--hs20/client/osu_client.c3
2 files changed, 12 insertions, 0 deletions
diff --git a/hs20/client/est.c b/hs20/client/est.c
index 5346c09..ec05bc4 100644
--- a/hs20/client/est.c
+++ b/hs20/client/est.c
@@ -109,8 +109,11 @@ int est_load_cacerts(struct hs20_osu_client *ctx, const char *url)
wpa_printf(MSG_INFO, "Download EST cacerts from %s", buf);
write_summary(ctx, "Download EST cacerts from %s", buf);
ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
res = http_download_file(ctx->http, buf, "Cert/est-cacerts.txt",
ctx->ca_fname);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
if (res < 0) {
wpa_printf(MSG_INFO, "Failed to download EST cacerts from %s",
@@ -553,8 +556,11 @@ int est_build_csr(struct hs20_osu_client *ctx, const char *url)
wpa_printf(MSG_INFO, "Download csrattrs from %s", buf);
write_summary(ctx, "Download EST csrattrs from %s", buf);
ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
res = http_download_file(ctx->http, buf, "Cert/est-csrattrs.txt",
ctx->ca_fname);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
os_free(buf);
if (res < 0) {
@@ -652,10 +658,13 @@ int est_simple_enroll(struct hs20_osu_client *ctx, const char *url,
wpa_printf(MSG_INFO, "EST simpleenroll URL: %s", buf);
write_summary(ctx, "EST simpleenroll URL: %s", buf);
ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
resp = http_post(ctx->http, buf, req, "application/pkcs10",
"Content-Transfer-Encoding: base64",
ctx->ca_fname, user, pw, client_cert, client_key,
&resp_len);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
os_free(buf);
if (resp == NULL) {
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index 33e641f..7d1617a 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@@ -303,7 +303,10 @@ static int download_cert(struct hs20_osu_client *ctx, xml_node_t *params,
write_summary(ctx, "Download certificate from %s", url);
ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
res = http_download_file(ctx->http, url, TMP_CERT_DL_FILE, NULL);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
ctx->no_osu_cert_validation = 0;
xml_node_get_text_free(ctx->xml, url);
if (res < 0)