aboutsummaryrefslogtreecommitdiffstats
path: root/src/crypto
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2015-12-22 14:47:29 (GMT)
committerJouni Malinen <j@w1.fi>2015-12-22 14:47:29 (GMT)
commit9532bd2b449b71fda33a8ebc1869bea1dd8bc591 (patch)
tree63f71d305b660d5ee4bc08aeb4258daacd334385 /src/crypto
parent62417667096eeff02af5d429cdda05dfab4f518d (diff)
downloadhostap-9532bd2b449b71fda33a8ebc1869bea1dd8bc591.zip
hostap-9532bd2b449b71fda33a8ebc1869bea1dd8bc591.tar.gz
hostap-9532bd2b449b71fda33a8ebc1869bea1dd8bc591.tar.bz2
GnuTLS: OCSP stapling on the server side
This adds support for hostapd-as-authentication-server to be build against GnuTLS with OCSP stapling server side support. This is more or less identical to the design used with OpenSSL, i.e., the cached response is read from the ocsp_stapling_response=<file> and sent as a response if the client requests it during the TLS handshake. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/tls_gnutls.c52
1 files changed, 52 insertions, 0 deletions
diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index b1bec4a..fbb1348 100644
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -37,6 +37,8 @@ struct tls_global {
union tls_event_data *data);
void *cb_ctx;
int cert_in_cb;
+
+ char *ocsp_stapling_response;
};
struct tls_connection {
@@ -133,6 +135,7 @@ void tls_deinit(void *ssl_ctx)
if (global->params_set)
gnutls_certificate_free_credentials(global->xcred);
os_free(global->session_data);
+ os_free(global->ocsp_stapling_response);
os_free(global);
}
@@ -602,6 +605,44 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
}
+#if GNUTLS_VERSION_NUMBER >= 0x030103
+static int server_ocsp_status_req(gnutls_session_t session, void *ptr,
+ gnutls_datum_t *resp)
+{
+ struct tls_global *global = ptr;
+ char *cached;
+ size_t len;
+
+ if (!global->ocsp_stapling_response) {
+ wpa_printf(MSG_DEBUG, "GnuTLS: OCSP status callback - no response configured");
+ return GNUTLS_E_NO_CERTIFICATE_STATUS;
+ }
+
+ cached = os_readfile(global->ocsp_stapling_response, &len);
+ if (!cached) {
+ wpa_printf(MSG_DEBUG,
+ "GnuTLS: OCSP status callback - could not read response file (%s)",
+ global->ocsp_stapling_response);
+ return GNUTLS_E_NO_CERTIFICATE_STATUS;
+ }
+
+ wpa_printf(MSG_DEBUG,
+ "GnuTLS: OCSP status callback - send cached response");
+ resp->data = gnutls_malloc(len);
+ if (!resp->data) {
+ os_free(resp);
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ os_memcpy(resp->data, cached, len);
+ resp->size = len;
+ os_free(cached);
+
+ return GNUTLS_E_SUCCESS;
+}
+#endif /* 3.1.3 */
+
+
int tls_global_set_params(void *tls_ctx,
const struct tls_connection_params *params)
{
@@ -696,6 +737,17 @@ int tls_global_set_params(void *tls_ctx,
}
}
+#if GNUTLS_VERSION_NUMBER >= 0x030103
+ os_free(global->ocsp_stapling_response);
+ if (params->ocsp_stapling_response)
+ global->ocsp_stapling_response =
+ os_strdup(params->ocsp_stapling_response);
+ else
+ global->ocsp_stapling_response = NULL;
+ gnutls_certificate_set_ocsp_status_request_function(
+ global->xcred, server_ocsp_status_req, global);
+#endif /* 3.1.3 */
+
global->params_set = 1;
return 0;