HTTP (curl): OCSP with BoringSSL
authorJouni Malinen <jouni@qca.qualcomm.com>
Fri, 4 Dec 2015 12:06:53 +0000 (14:06 +0200)
committerJouni Malinen <j@w1.fi>
Fri, 4 Dec 2015 18:08:31 +0000 (20:08 +0200)
This adds experimental support for using OCSP with libcurl that is built
against BoringSSL. This needs small modifications to libcurl to allow
CURLOPT_SSL_VERIFYSTATUS to be used to call
SSL_enable_ocsp_stapling(connssl->handle) in ossl_connect_step1().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hs20/client/Android.mk
hs20/client/Makefile
src/utils/http_curl.c

index b23ac17b4b6230abbdfc117aed9908d2feee3c7c..2ae2d6a0829023ae0b9b223cb4cbf2fffc2c67a5 100644 (file)
@@ -55,6 +55,7 @@ OBJS += ../../src/crypto/crypto_internal.c
 OBJS += ../../src/crypto/md5-internal.c
 OBJS += ../../src/crypto/sha1-internal.c
 OBJS += ../../src/crypto/sha256-internal.c
+OBJS += ../../src/crypto/tls_openssl_ocsp.c
 
 L_CFLAGS += -DEAP_TLS_OPENSSL
 
index 94cd5f14df1443cc15ba8197ea34357127c4222d..fc9b61940c4f0155f2b7a6f3a3bf3e3a96cbc4c4 100644 (file)
@@ -76,6 +76,7 @@ LIBS += -lcurl
 endif
 
 CFLAGS += -DEAP_TLS_OPENSSL
+OBJS += ../../src/crypto/tls_openssl_ocsp.o
 LIBS += -lssl -lcrypto
 
 hs20-osu-client: $(OBJS)
index df2ce833e21d20eb0d7007d53c570aadf4fcda42..9c49680c1dd84cfc77fd011cc4df08b8a7c330b4 100644 (file)
@@ -26,6 +26,9 @@
 #include "common.h"
 #include "xml-utils.h"
 #include "http-utils.h"
+#ifdef EAP_TLS_OPENSSL
+#include "crypto/tls_openssl.h"
+#endif /* EAP_TLS_OPENSSL */
 
 
 struct http_ctx {
@@ -1004,6 +1007,26 @@ static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
        if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
                return 0;
 
+#ifdef OPENSSL_IS_BORINGSSL
+       if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
+               enum ocsp_result res;
+
+               res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
+                                     ctx->peer_issuer_issuer);
+               if (res == OCSP_REVOKED) {
+                       preverify_ok = 0;
+                       wpa_printf(MSG_INFO, "OCSP: certificate revoked");
+                       if (err == X509_V_OK)
+                               X509_STORE_CTX_set_error(
+                                       x509_ctx, X509_V_ERR_CERT_REVOKED);
+               } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
+                       preverify_ok = 0;
+                       wpa_printf(MSG_INFO,
+                                  "OCSP: bad certificate status response");
+               }
+       }
+#endif /* OPENSSL_IS_BORINGSSL */
+
        if (!preverify_ok)
                ctx->last_err = "TLS validation failed";
 
@@ -1296,6 +1319,16 @@ static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
 #ifdef EAP_TLS_OPENSSL
                curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
                curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
+#ifdef OPENSSL_IS_BORINGSSL
+               /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
+                * with BoringSSL since the OpenSSL specific callback hack to
+                * enable OCSP is not available with BoringSSL. The OCSP
+                * implementation within libcurl is not sufficient for the
+                * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
+                */
+               if (ctx->ocsp != NO_OCSP)
+                       curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
+#endif /* OPENSSL_IS_BORINGSSL */
 #endif /* EAP_TLS_OPENSSL */
        } else {
                curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
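Review bot: The mandatory-OCSP branch (`res != OCSP_GOOD && ctx->ocsp == MANDATORY_OCSP`) in curl_cb_ssl_verify clears preverify_ok but, unlike the revoked branch directly above it, records no error in x509_ctx, so the verify result libcurl and SSL_get_verify_result() see for this rejection stays at whatever `err` already held (typically X509_V_OK) and only the wpa_printf line explains why the connection was refused. Mirroring the revoked branch with `if (err == X509_V_OK) X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);` keeps the failed status check visible in the caller's diagnostics. curl_cb_ssl_verify starts and ends outside the hunk, and `ssl_ctx`, `ssl`, `ctx->peer_issuer` and `ctx->peer_issuer_issuer` are presumably populated earlier in the callback (by the depth > 0 invocations) — worth confirming they are set before check_ocsp_resp() is called with them. In the setup_curl_post hunk the return value of the new `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L)` is ignored; a libcurl without the modification described in the commit message may reject the option (CURLE_NOT_BUILT_IN, if I recall correctly), in which case MANDATORY_OCSP still fails closed in the callback but nothing tells the operator that the stapling request was never enabled, so logging a non-CURLE_OK return there would help.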