TLS: Add status_request ClientHello extension if OCSP is requested
authorJouni Malinen <j@w1.fi>
Sun, 13 Dec 2015 20:46:25 +0000 (22:46 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 14 Dec 2015 13:49:01 +0000 (15:49 +0200)
This allows the internal TLS implementation to request the server
certificate status using OCSP stapling. This commit only adds the code
that sends the request; the response is not yet used.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/tls/tlsv1_client_write.c

index b1906b21a50f40e065bf0cb7cf963c11be8b7194..8e8cb5e4902f3cdb5b8a7e66f798f2529c817d5b 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * TLSv1 client - write handshake message
- * Copyright (c) 2006-2014, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2015, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -156,6 +156,44 @@ u8 * tls_send_client_hello(struct tlsv1_client *conn, size_t *out_len)
                pos += conn->client_hello_ext_len;
        }
 
+       if (conn->flags & TLS_CONN_REQUEST_OCSP) {
+               wpa_printf(MSG_DEBUG,
+                          "TLSv1: Add status_request extension for OCSP stapling");
+               /* ExtensionsType extension_type = status_request(5) */
+               WPA_PUT_BE16(pos, TLS_EXT_STATUS_REQUEST);
+               pos += 2;
+               /* opaque extension_data<0..2^16-1> length */
+               WPA_PUT_BE16(pos, 5);
+               pos += 2;
+
+               /*
+                * RFC 6066, 8:
+                * struct {
+                *     CertificateStatusType status_type;
+                *     select (status_type) {
+                *         case ocsp: OCSPStatusRequest;
+                *     } request;
+                * } CertificateStatusRequest;
+                *
+                * enum { ocsp(1), (255) } CertificateStatusType;
+                */
+               *pos++ = 1; /* status_type = ocsp(1) */
+
+               /*
+                * struct {
+                *     ResponderID responder_id_list<0..2^16-1>;
+                *     Extensions  request_extensions;
+                * } OCSPStatusRequest;
+                *
+                * opaque ResponderID<1..2^16-1>;
+                * opaque Extensions<0..2^16-1>;
+                */
+               WPA_PUT_BE16(pos, 0); /* responder_id_list(empty) */
+               pos += 2;
+               WPA_PUT_BE16(pos, 0); /* request_extensions(empty) */
+               pos += 2;
+       }
+
        if (pos == ext_start + 2)
                pos -= 2; /* no extensions */
        else
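Review bot: The added block advances `pos` by 9 bytes (2 extension type + 2 length + 1 status_type + 2 + 2) with no check against the end of the ClientHello buffer; the buffer length is computed earlier in tls_send_client_hello, outside this hunk, so confirm that computation reserves room for the status_request extension, since otherwise the writes run past the allocation whenever TLS_CONN_REQUEST_OCSP is set. The extension_data length at `WPA_PUT_BE16(pos, 5);` is a bare constant; a comment such as `WPA_PUT_BE16(pos, 5); /* status_type(1) + responder_id_list len(2) + request_extensions len(2) */` would tie it to the fields written below. Both the start and the end of tls_send_client_hello lie outside the hunk.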