From 5addb0df596d50c7b00f5b2acee4611124b60f89 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 22 Dec 2015 19:34:36 +0200
Subject: [PATCH 1/1] Server configuration for OCSP stapling with ocsp_multi (RFC 6961)

This adds a new hostapd configuration parameter ocsp_stapling_response_multi that can be used similarly to the existing ocsp_stapling_response, but for the purpose of providing multiple cached OCSP responses.

This commit adds only the configuration parameter, but does not yet add support for this mechanism with any of the supported TLS implementations.

Signed-off-by: Jouni Malinen
---
 hostapd/config_file.c | 3 +++
 hostapd/hostapd.conf | 5 +++++
 src/ap/ap_config.c | 1 +
 src/ap/ap_config.h | 1 +
 src/ap/authsrv.c | 2 ++
 src/crypto/tls.h | 4 ++++
 6 files changed, 16 insertions(+)

diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index f2163b8..503d479 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2132,6 +2132,9 @@ static int hostapd_config_fill(struct hostapd_config *conf,
 } else if (os_strcmp(buf, "ocsp_stapling_response") == 0) {
 os_free(bss->ocsp_stapling_response);
 bss->ocsp_stapling_response = os_strdup(pos);
+ } else if (os_strcmp(buf, "ocsp_stapling_response_multi") == 0) {
+ os_free(bss->ocsp_stapling_response_multi);
+ bss->ocsp_stapling_response_multi = os_strdup(pos);
 } else if (os_strcmp(buf, "dh_file") == 0) {
 os_free(bss->dh_file);
 bss->dh_file = os_strdup(pos);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 4f51140..ecd4328 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
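Review bot: The os_strdup() result on the new `bss->ocsp_stapling_response_multi = os_strdup(pos);` line is not checked, so an allocation failure while the configuration is being parsed silently leaves the multi-response file unset and hostapd starts without it instead of failing the load. The adjacent ocsp_stapling_response and dh_file branches in this hunk have the same gap, so if it is closed it should be closed for all three, e.g. `if (!bss->ocsp_stapling_response_multi) return 1;` — assuming `return 1` is the error-return convention the rest of hostapd_config_fill() uses, which cannot be confirmed from the hunk. hostapd_config_fill() begins and ends outside the hunk.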
@@ -795,6 +795,11 @@ eap_server=0
 # -respout /tmp/ocsp-cache.der
 #ocsp_stapling_response=/tmp/ocsp-cache.der
 
+# Cached OCSP stapling response list (DER encoded OCSPResponseList)
+# This is similar to ocsp_stapling_response, but the extended version defined in
+# RFC 6961 to allow multiple OCSP responses to be provided.
+#ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der
+
 # dh_file: File path to DH/DSA parameters file (in PEM format)
 # This is an optional configuration file for setting parameters for an
 # ephemeral DH key exchange. In most cases, the default RSA authentication does
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index cf9b2ce..88074f2 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -471,6 +471,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
 os_free(conf->private_key);
 os_free(conf->private_key_passwd);
 os_free(conf->ocsp_stapling_response);
+ os_free(conf->ocsp_stapling_response_multi);
 os_free(conf->dh_file);
 os_free(conf->openssl_ciphers);
 os_free(conf->pac_opaque_encr_key);
diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
index ff9dcb0..44bcccc 100644
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
@@ -341,6 +341,7 @@ struct hostapd_bss_config {
 int check_crl;
 unsigned int tls_session_lifetime;
 char *ocsp_stapling_response;
+ char *ocsp_stapling_response_multi;
 char *dh_file;
 char *openssl_ciphers;
 u8 *pac_opaque_encr_key;
diff --git a/src/ap/authsrv.c b/src/ap/authsrv.c
index c9111f6..cdb49cd 100644
--- a/src/ap/authsrv.c
+++ b/src/ap/authsrv.c
@@ -173,6 +173,8 @@ int authsrv_init(struct hostapd_data *hapd)
 params.openssl_ciphers = hapd->conf->openssl_ciphers;
 params.ocsp_stapling_response =
 hapd->conf->ocsp_stapling_response;
+ params.ocsp_stapling_response_multi =
+ hapd->conf->ocsp_stapling_response_multi;
 
 if (tls_global_set_params(hapd->ssl_ctx, ¶ms)) {
 wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index bca94d6..aa90a55 100644
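Review bot: The new assignment in authsrv.c hands hapd->conf->ocsp_stapling_response_multi to tls_global_set_params() without any feedback, and since the commit message states that no TLS implementation consumes the field yet, a configured ocsp_stapling_response_multi is accepted silently and the server runs without the multi-response stapling the operator believes is enabled. Until backend support lands, logging when the value is set would make that gap visible, e.g. `if (params.ocsp_stapling_response_multi) wpa_printf(MSG_INFO, "ocsp_stapling_response_multi is configured but not yet supported by the TLS library");` placed before the tls_global_set_params() call, and the hostapd.conf comment in this commit could state the same limitation next to the parameter. The `¶ms` in the context line appears to be the page's rendering of `&params` rather than part of the code. authsrv_init() continues outside the hunk on both sides.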
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -140,6 +140,9 @@ struct tls_config {
 * @flags: Parameter options (TLS_CONN_*)
 * @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
 * or %NULL if OCSP is not enabled
+ * @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
+ * response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
+ * ocsp_multi is not enabled
 *
 * TLS connection parameters to be configured with tls_connection_set_params()
 * and tls_global_set_params().
@@ -180,6 +183,7 @@ struct tls_connection_params {
 
 unsigned int flags;
 const char *ocsp_stapling_response;
+ const char *ocsp_stapling_response_multi;
 };
 
 
-- 
2.1.4
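Review bot: The new @ocsp_stapling_response_multi description in the first tls.h hunk does not say how the field relates to @ocsp_stapling_response when both are configured, which every TLS backend implementing this will have to decide once a client offers both the status_request extension and the RFC 6961 status_request_v2 extension. Suggest extending the added comment with a sentence such as ` * (when both files are configured, which one is sent is expected to depend on the status extension the client requested)` — or, if a different precedence is intended, stating that explicitly so the backends stay consistent. The doc block and the struct in the second hunk both start outside the hunk shown.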