aboutsummaryrefslogtreecommitdiffstats
path: root/src/tls
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-12-13 20:46:25 (GMT)
committerJouni Malinen <j@w1.fi>2015-12-14 13:49:01 (GMT)
commiteeba1684532f95a9d1f2b4a6379cf77b9a924df7 (patch)
treee5145326b1eabe13026a181652f25519a9fb8b76 /src/tls
parent4303d531a86ee04153d1ddafc1ca13f1fe151473 (diff)
downloadhostap-eeba1684532f95a9d1f2b4a6379cf77b9a924df7.zip
hostap-eeba1684532f95a9d1f2b4a6379cf77b9a924df7.tar.gz
hostap-eeba1684532f95a9d1f2b4a6379cf77b9a924df7.tar.bz2
TLS: Add status_request ClientHello extension if OCSP is requested
This allows the internal TLS implementation to request server certificate status using OCSP stapling. This commit is only adding code to add the request. The response is not yet used. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/tls')
-rw-r--r--src/tls/tlsv1_client_write.c40
1 files changed, 39 insertions, 1 deletions
diff --git a/src/tls/tlsv1_client_write.c b/src/tls/tlsv1_client_write.c
index b1906b2..8e8cb5e 100644
--- a/src/tls/tlsv1_client_write.c
+++ b/src/tls/tlsv1_client_write.c
@@ -1,6 +1,6 @@
/*
* TLSv1 client - write handshake message
- * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@@ -156,6 +156,44 @@ u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
pos += conn->client_hello_ext_len;
}
+ if (conn->flags & TLS_CONN_REQUEST_OCSP) {
+ wpa_printf(MSG_DEBUG,
+ "TLSv1: Add status_request extension for OCSP stapling");
+ /* ExtensionsType extension_type = status_request(5) */
+ WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
+ pos += 2;
+ /* opaque extension_data<0..2^16-1> length */
+ WPA_PUT_BE16(pos, 5);
+ pos += 2;
+
+ /*
+ * RFC 6066, 8:
+ * struct {
+ * CertificateStatusType status_type;
+ * select (status_type) {
+ * case ocsp: OCSPStatusRequest;
+ * } request;
+ * } CertificateStatusRequest;
+ *
+ * enum { ocsp(1), (255) } CertificateStatusType;
+ */
+ *pos++ = 1; /* status_type = ocsp(1) */
+
+ /*
+ * struct {
+ * ResponderID responder_id_list<0..2^16-1>;
+ * Extensions request_extensions;
+ * } OCSPStatusRequest;
+ *
+ * opaque ResponderID<1..2^16-1>;
+ * opaque Extensions<0..2^16-1>;
+ */
+ WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
+ pos += 2;
+ WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
+ pos += 2;
+ }
+
if (pos == ext_start + 2)
pos -= 2; /* no extensions */
else