From: Jouni Malinen
Date: Fri, 4 Dec 2015 12:06:53 +0000 (+0200)
Subject: HTTP (curl): OCSP with BoringSSL
X-Git-Tag: hostap_2_6~1242
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8d27efa814e8f2c8bb4e26c1389a0cb60f8c6991;p=thirdparty%2Fhostap.git

HTTP (curl): OCSP with BoringSSL

This adds experimental support for using OCSP with libcurl that is built against BoringSSL. This needs small modifications to libcurl to allow CURLOPT_SSL_VERIFYSTATUS to be used to call SSL_enable_ocsp_stapling(connssl->handle) in ossl_connect_step1().

Signed-off-by: Jouni Malinen
---

diff --git a/hs20/client/Android.mk b/hs20/client/Android.mk
index b23ac17b4..2ae2d6a08 100644
--- a/hs20/client/Android.mk
+++ b/hs20/client/Android.mk
@@ -55,6 +55,7 @@ OBJS += ../../src/crypto/crypto_internal.c
 OBJS += ../../src/crypto/md5-internal.c
 OBJS += ../../src/crypto/sha1-internal.c
 OBJS += ../../src/crypto/sha256-internal.c
+OBJS += ../../src/crypto/tls_openssl_ocsp.c
 L_CFLAGS += -DEAP_TLS_OPENSSL
diff --git a/hs20/client/Makefile b/hs20/client/Makefile
index 94cd5f14d..fc9b61940 100644
--- a/hs20/client/Makefile
+++ b/hs20/client/Makefile
@@ -76,6 +76,7 @@ LIBS += -lcurl
 endif
 CFLAGS += -DEAP_TLS_OPENSSL
+OBJS += ../../src/crypto/tls_openssl_ocsp.o
 LIBS += -lssl -lcrypto
 hs20-osu-client: $(OBJS)
diff --git a/src/utils/http_curl.c b/src/utils/http_curl.c
index df2ce833e..9c49680c1 100644
--- a/src/utils/http_curl.c
+++ b/src/utils/http_curl.c
@@ -26,6 +26,9 @@
 #include "common.h"
 #include "xml-utils.h"
 #include "http-utils.h"
+#ifdef EAP_TLS_OPENSSL
+#include "crypto/tls_openssl.h"
+#endif /* EAP_TLS_OPENSSL */
 struct http_ctx {
@@ -1004,6 +1007,26 @@ static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
 if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
 return 0;
+#ifdef OPENSSL_IS_BORINGSSL
+ if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
+ enum ocsp_result res;
+
+ res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
+ ctx->peer_issuer_issuer);
+ if (res == OCSP_REVOKED) {
+ preverify_ok = 0;
+ wpa_printf(MSG_INFO, "OCSP: certificate revoked");
+ if (err == X509_V_OK)
+ X509_STORE_CTX_set_error(
+ x509_ctx, X509_V_ERR_CERT_REVOKED);
+ } else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
+ preverify_ok = 0;
+ wpa_printf(MSG_INFO,
+ "OCSP: bad certificate status response");
+ }
+ }
+#endif /* OPENSSL_IS_BORINGSSL */
+
 if (!preverify_ok)
 ctx->last_err = "TLS validation failed";
@@ -1296,6 +1319,16 @@ static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
 #ifdef EAP_TLS_OPENSSL
 curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
 curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
+#ifdef OPENSSL_IS_BORINGSSL
+ /* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
+ * with BoringSSL since the OpenSSL specific callback hack to
+ * enable OCSP is not available with BoringSSL. The OCSP
+ * implementation within libcurl is not sufficient for the
+ * Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
+ */
+ if (ctx->ocsp != NO_OCSP)
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
+#endif /* OPENSSL_IS_BORINGSSL */
 #endif /* EAP_TLS_OPENSSL */
 } else {
 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
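Review bot: In the `else if (res != OCSP_GOOD && ctx->ocsp == MANDATORY_OCSP)` branch the callback rejects the certificate but, unlike the revoked branch just above it, leaves the X509_STORE_CTX error untouched, so when `err` is still `X509_V_OK` the verify result handed back to libcurl carries no error code for the failure and the only trace is the wpa_printf line. I would mirror the revoked branch there: `if (err == X509_V_OK) X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_UNABLE_TO_GET_CRL);` (or an OCSP-specific code if the BoringSSL headers in use provide one), so that a missing or unverifiable stapled response under mandatory policy is distinguishable from a generic TLS failure when the verify result is inspected. `ssl_ctx`, `ssl`, `cert`, `err` and the issuer pointers come from earlier in curl_cb_ssl_verify, which starts before the hunk and ends after it; whether `ctx->peer_issuer` can still be NULL at depth 0 here depends on that earlier code and is worth confirming, since check_ocsp_resp is given it unconditionally.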
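Review bot: The return value of `curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L)` is discarded, yet the commit message says the option only does what is wanted with a locally modified libcurl; against an unmodified build the call may fail or be a no-op, stapling would never be requested, and nothing in the log would explain a later MANDATORY_OCSP rejection or, under a non-mandatory policy, the silent absence of any OCSP check. I would check it: `if (ctx->ocsp != NO_OCSP && curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L) != CURLE_OK) wpa_printf(MSG_INFO, "OCSP: could not enable CURLOPT_SSL_VERIFYSTATUS");` and, when `ctx->ocsp == MANDATORY_OCSP`, treat that failure as fatal for the request rather than continuing. The comment above the call is also hard to follow, since it first says the callback hack is unavailable with BoringSSL and then that libcurl's OCSP is unusable with OpenSSL; a shorter form such as `/* BoringSSL: request stapling via CURLOPT_SSL_VERIFYSTATUS (needs the patched libcurl described in the commit message); OpenSSL keeps using the SSL_CTX callback path instead */` states the two paths directly. setup_curl_post starts before the hunk and continues after it.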