Server configuration for OCSP stapling with ocsp_multi (RFC 6961)
authorJouni Malinen <jouni@qca.qualcomm.com>
Tue, 22 Dec 2015 17:34:36 +0000 (19:34 +0200)
committerJouni Malinen <j@w1.fi>
Tue, 22 Dec 2015 17:42:07 +0000 (19:42 +0200)
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd/config_file.c
hostapd/hostapd.conf
src/ap/ap_config.c
src/ap/ap_config.h
src/ap/authsrv.c
src/crypto/tls.h

index f2163b83f51c64e1c860ebe962337624e2fdbabe..503d47979764a1b5f2bbda220ef9870a0f225e49 100644 (file)
@@ -2132,6 +2132,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
        } else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
                os_free(bss->ocsp_stapling_response);
                bss->ocsp_stapling_response = os_strdup(pos);
+       } else if (os_strcmp(buf, "ocsp_stapling_response_multi") == 0) {
+               os_free(bss->ocsp_stapling_response_multi);
+               bss->ocsp_stapling_response_multi = os_strdup(pos);
        } else if (os_strcmp(buf, "dh_file") == 0) {
                os_free(bss->dh_file);
                bss->dh_file = os_strdup(pos);
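Review bot: The os_strdup() result on the new ocsp_stapling_response_multi line is not checked, so on allocation failure the option is silently dropped and hostapd continues without the configured response list. The neighbouring ocsp_stapling_response and dh_file branches have the same shape, so this is consistent with the file rather than a regression; if the parser has a failure path for out-of-memory elsewhere, the new branch could use it. The enclosing hostapd_config_fill() starts and ends outside the hunk.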
index 4f51140b567059354a28d778788f2978285cf75b..ecd4328ca6af14338a8244028dc871b9e75694dc 100644 (file)
@@ -795,6 +795,11 @@ eap_server=0
 #      -respout /tmp/ocsp-cache.der
 #ocsp_stapling_response=/tmp/ocsp-cache.der
 
+# Cached OCSP stapling response list (DER encoded OCSPResponseList)
+# This is similar to ocsp_stapling_response, but the extended version defined in
+# RFC 6961 to allow multiple OCSP responses to be provided.
+#ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der
+
 # dh_file: File path to DH/DSA parameters file (in PEM format)
 # This is an optional configuration file for setting parameters for an
 # ephemeral DH key exchange. In most cases, the default RSA authentication does
index cf9b2ceba9ca1b2a476cef85f6c7088ff25f630e..88074f2e69a8f4601579535ae5b046c627dcc855 100644 (file)
@@ -471,6 +471,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
        os_free(conf->private_key);
        os_free(conf->private_key_passwd);
        os_free(conf->ocsp_stapling_response);
+       os_free(conf->ocsp_stapling_response_multi);
        os_free(conf->dh_file);
        os_free(conf->openssl_ciphers);
        os_free(conf->pac_opaque_encr_key);
index ff9dcb05dc50dc5ff4bb5232ee5fe1c8fb481a9d..44bccccb817fa7b3df0f2467a8d6b5a6cb2728f5 100644 (file)
@@ -341,6 +341,7 @@ struct hostapd_bss_config {
        int check_crl;
        unsigned int tls_session_lifetime;
        char *ocsp_stapling_response;
+       char *ocsp_stapling_response_multi;
        char *dh_file;
        char *openssl_ciphers;
        u8 *pac_opaque_encr_key;
index c9111f6cae35096cf1ac7c4d3b14c76ad85207ac..cdb49cdd9d32f72d2c0b5e4d18752254d2f91b4e 100644 (file)
@@ -173,6 +173,8 @@ int authsrv_init(struct hostapd_data *hapd)
                params.openssl_ciphers = hapd->conf->openssl_ciphers;
                params.ocsp_stapling_response =
                        hapd->conf->ocsp_stapling_response;
+               params.ocsp_stapling_response_multi =
+                       hapd->conf->ocsp_stapling_response_multi;
 
                if (tls_global_set_params(hapd->ssl_ctx, &params)) {
                        wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
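Review bot: The new params.ocsp_stapling_response_multi assignment hands the path to tls_global_set_params(), but per the commit message no TLS backend consumes it yet, so a configured ocsp_stapling_response_multi is accepted and then silently has no effect. An operator who sets it expecting RFC 6961 stapling gets no indication that it is inactive; until a backend implements it, a message after the assignment such as `if (params.ocsp_stapling_response_multi) wpa_printf(MSG_INFO, "TLS: ocsp_stapling_response_multi configured but not supported by this TLS library");` would make the gap visible in the log. Whether tls_global_set_params() in any wrapper already reports unused parameters is not visible here. authsrv_init() continues outside the hunk.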
index bca94d67dd87910644d8fd4eb5824126e5a35cca..aa90a55ccb97480b4691d5d5c209563e5f3235c6 100644 (file)
@@ -140,6 +140,9 @@ struct tls_config {
  * @flags: Parameter options (TLS_CONN_*)
  * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
  *     or %NULL if OCSP is not enabled
+ * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
+ *     response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
+ *     ocsp_multi is not enabled
  *
  * TLS connection parameters to be configured with tls_connection_set_params()
  * and tls_global_set_params().
@@ -180,6 +183,7 @@ struct tls_connection_params {
 
        unsigned int flags;
        const char *ocsp_stapling_response;
+       const char *ocsp_stapling_response_multi;
 };