Interworking: Add OCSP parameter to the cred block
authorJouni Malinen <jouni@qca.qualcomm.com>
Mon, 9 Dec 2013 01:30:01 +0000 (17:30 -0800)
committerJouni Malinen <j@w1.fi>
Tue, 25 Feb 2014 23:24:24 +0000 (01:24 +0200)
This new parameter can be used to configure credentials to mandate use
of OCSP stapling for AAA server authentication.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

wpa_supplicant/README-HS20
wpa_supplicant/config.c
wpa_supplicant/config.h
wpa_supplicant/config_file.c
wpa_supplicant/interworking.c
wpa_supplicant/wpa_supplicant.conf

index c8a00e28427a76c8d4a71025e6a3355db1042567..b6f06735647e064144734700dfed717624ebbc79 100644 (file)
@@ -265,6 +265,11 @@ Credentials can be pre-configured for automatic network selection:
 #      req_conn_capab=17:500
 #      req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+#      0 = do not use OCSP stapling (TLS certificate status extension)
+#      1 = try to use OCSP stapling, but not require response
+#      2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={
index 9394a9c11cd047b62edc4d3bdce4b7565f928128..da9580e9400cd6fcdcb580f49547154111bf45c6 100644 (file)
@@ -2556,6 +2556,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
        if (os_strcmp(var, "req_conn_capab") == 0)
                return wpa_config_set_cred_req_conn_capab(cred, value);
 
+       if (os_strcmp(var, "ocsp") == 0) {
+               cred->ocsp = atoi(value);
+               return 0;
+       }
+
        val = wpa_config_parse_string(value, &len);
        if (val == NULL) {
                wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
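Review bot: The new setter stores `cred->ocsp = atoi(value);` without any range check, so any integer in the configuration file is accepted even though the README and the struct comment define only the modes 0, 1 and 2, and atoi() also silently maps unparsable text to 0 (the "do not use OCSP" mode) instead of reporting a config error. The interworking.c hunk then copies that value verbatim with `ssid->eap.ocsp = cred->ocsp;`, so an out-of-range mode is left for the TLS layer to interpret; for a knob that decides whether certificate revocation status is enforced, rejecting it at parse time is the safer behaviour. The error-reporting style visible in the context below suggests the setter could follow the same pattern, e.g. `cred->ocsp = atoi(value); if (cred->ocsp < 0 || cred->ocsp > 2) { wpa_printf(MSG_ERROR, "Line %d: invalid ocsp value", line); return -1; }` (assuming the line-number parameter used by the existing "Line %d" message is named `line`). wpa_config_set_cred's body continues outside the hunk on both sides.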
index a981ca9429693792673e0df1d03e386fc6ff0e1d..de43970606f13ae2014afee9d8c7dd71cf0ea6b1 100644 (file)
@@ -279,6 +279,15 @@ struct wpa_cred {
        unsigned int num_req_conn_capab;
        u8 *req_conn_capab_proto;
        int **req_conn_capab_port;
+
+       /**
+        * ocsp - Whether to use/require OCSP to check server certificate
+        *
+        * 0 = do not use OCSP stapling (TLS certificate status extension)
+        * 1 = try to use OCSP stapling, but not require response
+        * 2 = require valid OCSP stapling response
+        */
+       int ocsp;
 };
 
 
index 436204be4816d39ad2ce445a700d83bada4343fb..850a6cf9d986dff0c35c785422e000f3f64e381e 100644 (file)
@@ -828,6 +828,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
        if (cred->max_bss_load)
                fprintf(f, "\tmax_bss_load=%u\n",
                        cred->max_bss_load);
+
+       if (cred->ocsp)
+               fprintf(f, "\tocsp=%d\n", cred->ocsp);
 }
 
 
index b5d1b7111fc25b3447dfc0e33b2fe9395f64766c..fcfa63970e8a9aebdfda8698c8b288a1a0d06261 100644 (file)
@@ -1420,6 +1420,8 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
                                  cred->domain_suffix_match) < 0)
                return -1;
 
+       ssid->eap.ocsp = cred->ocsp;
+
        return 0;
 }
 
index 78dbd093942d789deacc1c7f4f0d60609165b67e..442b44cbbdb814282d883b61008222d26fc68ec8 100644 (file)
@@ -478,6 +478,11 @@ fast_reauth=1
 #      req_conn_capab=17:500
 #      req_conn_capab=50
 #
+# ocsp: Whether to use/require OCSP to check server certificate
+#      0 = do not use OCSP stapling (TLS certificate status extension)
+#      1 = try to use OCSP stapling, but not require response
+#      2 = require valid OCSP stapling response
+#
 # for example:
 #
 #cred={