EAP peer config: Move ocsp param to phase1/phase2

author Jouni Malinen <j@w1.fi>

Sun, 1 Sep 2019 13:07:58 +0000 (16:07 +0300)

committer Jouni Malinen <j@w1.fi>

Sun, 1 Sep 2019 14:19:35 +0000 (17:19 +0300)
author Jouni Malinen <j@w1.fi>
Sun, 1 Sep 2019 13:07:58 +0000 (16:07 +0300)
committer Jouni Malinen <j@w1.fi>
Sun, 1 Sep 2019 14:19:35 +0000 (17:19 +0300)
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h

index feb130118effebfd7d133f092d5305b84cb7b1b8..ae1de914a014d7e4ca9161d55c64c842b80e0383 100644 (file)
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -284,6 +284,15 @@ struct eap_peer_cert_config {
          * This is used if the CA certificate for EAP-TLS is on a smartcard.
          */
         char *ca_cert_id;
+
+       /**
+        * ocsp - Whether to use/require OCSP to check server certificate
+        *
+        * 0 = do not use OCSP stapling (TLS certificate status extension)
+        * 1 = try to use OCSP stapling, but not require response
+        * 2 = require valid OCSP stapling response
+        */
+       int ocsp;
  };
  
  /**
@@ -633,15 +642,6 @@ struct eap_peer_config {
          */
         u32 flags;
  
-       /**
-        * ocsp - Whether to use/require OCSP to check server certificate
-        *
-        * 0 = do not use OCSP stapling (TLS certificate status extension)
-        * 1 = try to use OCSP stapling, but not require response
-        * 2 = require valid OCSP stapling response
-        */
-       int ocsp;
-
         /**
          * external_sim_resp - Response from external SIM processing
          *
diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c

index ce8a1c7805633691b15f9bfef254ec8e1340163a..a59c3a0eebf5763d4655e0aed9ac95ea57f8f0a4 100644 (file)
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -125,6 +125,12 @@ static void eap_tls_cert_params_from_conf(struct tls_connection_params *params,
         params->key_id = config->key_id;
         params->cert_id = config->cert_id;
         params->ca_cert_id = config->ca_cert_id;
+       if (config->ocsp)
+               params->flags |= TLS_CONN_REQUEST_OCSP;
+       if (config->ocsp >= 2)
+               params->flags |= TLS_CONN_REQUIRE_OCSP;
+       if (config->ocsp == 3)
+               params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
  }
  
  
@@ -233,12 +239,6 @@ static int eap_tls_init_connection(struct eap_sm *sm,
  {
         int res;
  
-       if (config->ocsp)
-               params->flags |= TLS_CONN_REQUEST_OCSP;
-       if (config->ocsp >= 2)
-               params->flags |= TLS_CONN_REQUIRE_OCSP;
-       if (config->ocsp == 3)
-               params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
         data->conn = tls_connection_init(data->ssl_ctx);
         if (data->conn == NULL) {
                 wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c

index 00d829be15e3bfa1eff6ab3d4a77d6dec4f47a92..067585b81a3345a92461e22aa9f8ec67d63f3e2a 100644 (file)
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2443,7 +2443,8 @@ static const struct parse_data ssid_fields[] = {
         { INT(eap_workaround) },
         { STRe(pac_file, pac_file) },
         { INTe(fragment_size, fragment_size) },
-       { INTe(ocsp, ocsp) },
+       { INTe(ocsp, cert.ocsp) },
+       { INTe(ocsp2, phase2_cert.ocsp) },
  #endif /* IEEE8021X_EAPOL */
  #ifdef CONFIG_MESH
         { INT_RANGE(mode, 0, 5) },
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c

index 7dd7b1786722410e53cb466000b597640c547bd8..c47300b1ac6d6a53ff8e4657d14d0eebc9583d9f 100644 (file)
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -826,7 +826,8 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
         INT_DEF(eap_workaround, DEFAULT_EAP_WORKAROUND);
         STR(pac_file);
         INT_DEFe(fragment_size, fragment_size, DEFAULT_FRAGMENT_SIZE);
-       INTe(ocsp, ocsp);
+       INTe(ocsp, cert.ocsp);
+       INTe(ocsp2, phase2_cert.ocsp);
         INT_DEFe(sim_num, sim_num, DEFAULT_USER_SELECTED_SIM);
  #endif /* IEEE8021X_EAPOL */
         INT(mode);
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c

index 2c2ff9ccbd96531e0251264720d21241d8e1f1d0..0261bb7b8fd761b27d67c84d2bd6cd76cc4cddb7 100644 (file)
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -1554,7 +1554,7 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
                                   cred->domain_suffix_match) < 0)
                 return -1;
  
-       ssid->eap.ocsp = cred->ocsp;
+       ssid->eap.cert.ocsp = cred->ocsp;
  
         return 0;
  }
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf

index 1159bdcdc59bb2fcab6beed4278731a0453681a2..f7a365267a97ea2f8eb6675ccc5139462b3f5bad 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1323,6 +1323,7 @@ fast_reauth=1
  #      certificate. See altsubject_match documentation for more details.
  # domain_suffix_match2: Constraint for server domain name. See
  #      domain_suffix_match for more details.
+# ocsp2: See ocsp for more details.
  #
  # fragment_size: Maximum EAP fragment size in bytes (default 1398).
  #      This value limits the fragment size for EAP methods that support
author	Jouni Malinen <j@w1.fi>
	Sun, 1 Sep 2019 13:07:58 +0000 (16:07 +0300)
committer	Jouni Malinen <j@w1.fi>
	Sun, 1 Sep 2019 14:19:35 +0000 (17:19 +0300)
src/eap_peer/eap_config.h		patch \| blob \| blame \| history
src/eap_peer/eap_tls_common.c		patch \| blob \| blame \| history
wpa_supplicant/config.c		patch \| blob \| blame \| history
wpa_supplicant/config_file.c		patch \| blob \| blame \| history
wpa_supplicant/interworking.c		patch \| blob \| blame \| history
wpa_supplicant/wpa_supplicant.conf		patch \| blob \| blame \| history