From: Jouni Malinen Date: Mon, 17 Aug 2015 23:24:06 +0000 (+0300) Subject: OpenSSL: Reject OCSP-required configuration if no OCSP support X-Git-Tag: hostap_2_5~137 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=355a5c8ec55434858ee9158298a2e984c2abde5c;p=mech_eap.git OpenSSL: Reject OCSP-required configuration if no OCSP support This is needed at least with BoringSSL to avoid accepting OCSP-required configuration with a TLS library that does not support OCSP stapling. Signed-off-by: Jouni Malinen
---
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 8c2df22..de1b2c7 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3788,6 +3788,16 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
 SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
 }
+#else /* HAVE_OCSP */
+ if (params->flags & TLS_CONN_REQUIRE_OCSP) {
+ wpa_printf(MSG_INFO,
+ "OpenSSL: No OCSP support included - reject configuration");
+ return -1;
+ }
+ if (params->flags & TLS_CONN_REQUEST_OCSP) {
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
+ }
 #endif /* HAVE_OCSP */
 conn->flags = params->flags;
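Review bot: The new `return -1` for TLS_CONN_REQUIRE_OCSP sits at the tail of tls_connection_set_params, just before `conn->flags = params->flags;`, so a configuration this build can never honour is refused only after whatever the earlier part of the function (which starts outside this hunk) has presumably already applied to conn, leaving it partially configured; a `#ifndef HAVE_OCSP` guard at the top of the function that rejects TLS_CONN_REQUIRE_OCSP before any other parameter is processed would fail fast and make the compile-time limitation obvious to the reader. The optional TLS_CONN_REQUEST_OCSP case is logged only at MSG_DEBUG, which keeps out of normal logs the fact that a request-OCSP setting is silently a no-op with this library; `wpa_printf(MSG_INFO, "OpenSSL: No OCSP support included - allow optional OCSP case to continue");` would make the degraded verification visible to an operator. Returning before the `conn->flags` assignment is the right order, since it keeps the unsupported flag from being recorded on the rejected path.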