Add ocsp=3 configuration parameter for multi-OCSP
authorJouni Malinen <jouni@qca.qualcomm.com>
Tue, 22 Dec 2015 22:28:13 +0000 (00:28 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 23 Dec 2015 22:54:30 +0000 (00:54 +0200)
ocsp=3 extends ocsp=2 by requiring all not-trusted certificates in the
server certificate chain to have a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/crypto/tls.h
src/crypto/tls_gnutls.c
src/crypto/tls_internal.c
src/crypto/tls_openssl.c
src/eap_peer/eap_tls_common.c
wpa_supplicant/wpa_supplicant.conf

index aa90a55ccb97480b4691d5d5c209563e5f3235c6..453b4deb5e35c09097db1426d21d74278810def9 100644 (file)
@@ -96,6 +96,7 @@ struct tls_config {
 #define TLS_CONN_EAP_FAST BIT(7)
 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
+#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection
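Review bot: The new TLS_CONN_REQUIRE_OCSP_ALL bit is added without a comment, so a backend author reading tls.h cannot see how it relates to TLS_CONN_REQUIRE_OCSP or that every shipped wrapper currently rejects it. The only place the relation is visible is eap_tls_common.c, where ocsp=3 sets both TLS_CONN_REQUIRE_OCSP and this new bit. A one-line comment next to the define would capture that, e.g. `/* ocsp=3: require a good OCSP status (RFC 6961 multi-OCSP) for every not-trusted certificate in the server chain; set together with TLS_CONN_REQUIRE_OCSP */`. The surrounding context named in the hunk header starts outside the hunk.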
index fbb1348c73b81c76ed056c9e64d5c59805568c0d..c4cd3c1a5f0f4caf24a9efe035458ebf195075d5 100644 (file)
@@ -350,6 +350,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
        if (conn == NULL || params == NULL)
                return -1;
 
+       if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+               wpa_printf(MSG_INFO,
+                          "GnuTLS: ocsp=3 not supported");
+               return -1;
+       }
+
        if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
                wpa_printf(MSG_INFO,
                           "GnuTLS: tls_ext_cert_check=1 not supported");
index 01a7c97de3e611c15cbe8ec24cb51603a045815f..0d8f1db647685b3db38606bdbb967f9513541a41 100644 (file)
@@ -200,6 +200,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
        if (conn->client == NULL)
                return -1;
 
+       if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+               wpa_printf(MSG_INFO,
+                          "TLS: ocsp=3 not supported");
+               return -1;
+       }
+
        if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
                wpa_printf(MSG_INFO,
                           "TLS: tls_ext_cert_check=1 not supported");
index 1d75ba7af97dc792d535abd31116f1f7b967e89d..62277c46fdc7f93bdfcb57c5d58811469c0ebea2 100644 (file)
@@ -3890,6 +3890,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
        if (conn == NULL)
                return -1;
 
+       if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+               wpa_printf(MSG_INFO,
+                          "OpenSSL: ocsp=3 not supported");
+               return -1;
+       }
+
        /*
         * If the engine isn't explicitly configured, and any of the
         * cert/key fields are actually PKCS#11 URIs, then automatically
index c270832b790980a90b16de1cdd5b54204030c465..406c1624de36a098097db274baebaad98838d84a 100644 (file)
@@ -196,8 +196,10 @@ static int eap_tls_init_connection(struct eap_sm *sm,
 
        if (config->ocsp)
                params->flags |= TLS_CONN_REQUEST_OCSP;
-       if (config->ocsp == 2)
+       if (config->ocsp >= 2)
                params->flags |= TLS_CONN_REQUIRE_OCSP;
+       if (config->ocsp == 3)
+               params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
        data->conn = tls_connection_init(data->ssl_ctx);
        if (data->conn == NULL) {
                wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
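Review bot: The changed condition `if (config->ocsp >= 2)` means any value above 3 (for example a typo such as `ocsp=4`) silently receives the ocsp=2 flags instead of being rejected, unless the config parser already bounds ocsp to 0..3; that parser is not part of this commit, so I cannot tell from here. A policy value the code does not understand should fail closed, as the three TLS wrappers do for ocsp=3, rather than quietly downgrade to a weaker OCSP check. If the parser does not enforce the range, add a guard before the flag mapping, such as `if (config->ocsp < 0 || config->ocsp > 3) { wpa_printf(MSG_INFO, "SSL: Unsupported ocsp=%d", config->ocsp); return -1; }`, matching whatever the failure path after this hunk returns. eap_tls_init_connection begins before and continues past the hunk.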
index d8c3849baea79d511ea97c7b6952de3c9989b328..e204061f70262434c0b9a9bc6cebb33ff138c5ae 100644 (file)
@@ -586,6 +586,8 @@ fast_reauth=1
 #      0 = do not use OCSP stapling (TLS certificate status extension)
 #      1 = try to use OCSP stapling, but not require response
 #      2 = require valid OCSP stapling response
+#      3 = require valid OCSP stapling response for all not-trusted
+#          certificates in the server certificate chain
 #
 # sim_num: Identifier for which SIM to use in multi-SIM devices
 #
@@ -1084,6 +1086,8 @@ fast_reauth=1
 #      0 = do not use OCSP stapling (TLS certificate status extension)
 #      1 = try to use OCSP stapling, but not require response
 #      2 = require valid OCSP stapling response
+#      3 = require valid OCSP stapling response for all not-trusted
+#          certificates in the server certificate chain
 #
 # openssl_ciphers: OpenSSL specific cipher configuration
 #      This can be used to override the global openssl_ciphers configuration