From: Jouni Malinen
Date: Thu, 17 Dec 2015 09:45:48 +0000 (+0200)
Subject: TLS: Report OCSP rejection cases when no valid response if found
X-Git-Tag: hostap_2_6~1189
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ba8c01d0cec3847c48c58e18c5bda5def8993b3;p=thirdparty%2Fhostap.git
TLS: Report OCSP rejection cases when no valid response if found
This adds a CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS messages with 'bad certificate status response' for cases where no valid OCSP response was received, but the network profile requires OCSP to be used.
Signed-off-by: Jouni Malinen
---
diff --git a/src/tls/tlsv1_client_read.c b/src/tls/tlsv1_client_read.c
index b1fa15f41..ff1245204 100644
--- a/src/tls/tlsv1_client_read.c
+++ b/src/tls/tlsv1_client_read.c
@@ -889,11 +889,21 @@ static int tls_process_certificate_status(struct tlsv1_client *conn, u8 ct,
 goto skip;
 tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
 TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
+ if (conn->server_cert)
+ tls_cert_chain_failure_event(
+ conn, 0, conn->server_cert,
+ TLS_FAIL_UNSPECIFIED,
+ "bad certificate status response");
 return -1;
 case TLS_OCSP_INVALID:
 if (!(conn->flags & TLS_CONN_REQUIRE_OCSP))
 goto skip; /* ignore - process as if no response */
 tls_alert(conn, TLS_ALERT_LEVEL_FATAL, TLS_ALERT_DECODE_ERROR);
+ if (conn->server_cert)
+ tls_cert_chain_failure_event(
+ conn, 0, conn->server_cert,
+ TLS_FAIL_UNSPECIFIED,
+ "bad certificate status response");
 return -1;
 case TLS_OCSP_GOOD:
 wpa_printf(MSG_DEBUG, "TLSv1: OCSP response good");
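Review bot: The five-line `if (conn->server_cert) tls_cert_chain_failure_event(...)` block is pasted verbatim after both fatal alerts in this hunk (the first rejected case and `case TLS_OCSP_INVALID`), with the same reason code and the same reason string, so the two required-OCSP rejection paths can drift apart the next time one of them is touched; a small static helper taking `conn` keeps the event in one place and makes a third OCSP failure case a one-line addition. The `conn->server_cert` guard also means the control-interface event is silently skipped while the fatal alert still fires whenever the server certificate has not been recorded; nothing in the hunk shows where `server_cert` is set, so if that ordering is possible it deserves a short comment on the guard, e.g. `/* server_cert may be unset if CertificateStatus is processed before Certificate; the event is best-effort, the alert is not */`. tls_process_certificate_status starts before the hunk and its switch continues after it.
```c
/* Emit the CERT-ERROR/EAP-STATUS event for a missing or unusable OCSP
 * response when the profile requires OCSP; a no-op until the server
 * certificate has been recorded on the connection. */
static void tls_ocsp_status_failure_event(struct tlsv1_client *conn)
{
	if (conn->server_cert)
		tls_cert_chain_failure_event(conn, 0, conn->server_cert,
					     TLS_FAIL_UNSPECIFIED,
					     "bad certificate status response");
}

/* … unchanged: tls_process_certificate_status up to the first rejected case … */
		tls_alert(conn, TLS_ALERT_LEVEL_FATAL,
			  TLS_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE);
		tls_ocsp_status_failure_event(conn);
		return -1;
	case TLS_OCSP_INVALID:
/* … unchanged: TLS_CONN_REQUIRE_OCSP check and DECODE_ERROR alert … */
		tls_ocsp_status_failure_event(conn);
		return -1;
```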