GnuTLS: OCSP stapling on the server side

This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index b1bec4a5388f19ebf2d676ef7093c73fa168e61f..fbb1348c73b81c76ed056c9e64d5c59805568c0d 100644 (file)
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -37,6 +37,8 @@ struct tls_global {
                         union tls_event_data *data);
        void *cb_ctx;
        int cert_in_cb;
+
+       char *ocsp_stapling_response;
 };
 
 struct tls_connection {
@@ -133,6 +135,7 @@ void tls_deinit(void *ssl_ctx)
                if (global->params_set)
                        gnutls_certificate_free_credentials(global->xcred);
                os_free(global->session_data);
+               os_free(global->ocsp_stapling_response);
                os_free(global);
        }
 
@@ -602,6 +605,44 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 }
 
 
+#if GNUTLS_VERSION_NUMBER >= 0x030103
+static int server_ocsp_status_req(gnutls_session_t session, void *ptr,
+                                 gnutls_datum_t *resp)
+{
+       struct tls_global *global = ptr;
+       char *cached;
+       size_t len;
+
+       if (!global->ocsp_stapling_response) {
+               wpa_printf(MSG_DEBUG, "GnuTLS: OCSP status callback - no response configured");
+               return GNUTLS_E_NO_CERTIFICATE_STATUS;
+       }
+
+       cached = os_readfile(global->ocsp_stapling_response, &len);
+       if (!cached) {
+               wpa_printf(MSG_DEBUG,
+                          "GnuTLS: OCSP status callback - could not read response file (%s)",
+                          global->ocsp_stapling_response);
+               return GNUTLS_E_NO_CERTIFICATE_STATUS;
+       }
+
+       wpa_printf(MSG_DEBUG,
+                  "GnuTLS: OCSP status callback - send cached response");
+       resp->data = gnutls_malloc(len);
+       if (!resp->data) {
+               os_free(resp);
+               return GNUTLS_E_MEMORY_ERROR;
+       }
+
+       os_memcpy(resp->data, cached, len);
+       resp->size = len;
+       os_free(cached);
+
+       return GNUTLS_E_SUCCESS;
+}
+#endif /* 3.1.3 */
+
+
 int tls_global_set_params(void *tls_ctx,
                          const struct tls_connection_params *params)
 {
@@ -696,6 +737,17 @@ int tls_global_set_params(void *tls_ctx,
                }
        }
 
+#if GNUTLS_VERSION_NUMBER >= 0x030103
+       os_free(global->ocsp_stapling_response);
+       if (params->ocsp_stapling_response)
+               global->ocsp_stapling_response =
+                       os_strdup(params->ocsp_stapling_response);
+       else
+               global->ocsp_stapling_response = NULL;
+       gnutls_certificate_set_ocsp_status_request_function(
+               global->xcred, server_ocsp_status_req, global);
+#endif /* 3.1.3 */
+
        global->params_set = 1;
 
        return 0;