Add ocsp=3 configuration parameter for multi-OCSP

ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index aa90a55..453b4de 100644 (file)
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -96,6 +96,7 @@ struct tls_config {
 #define TLS_CONN_EAP_FAST BIT(7)
 #define TLS_CONN_DISABLE_TLSv1_0 BIT(8)
 #define TLS_CONN_EXT_CERT_CHECK BIT(9)
+#define TLS_CONN_REQUIRE_OCSP_ALL BIT(10)
 
 /**
  * struct tls_connection_params - Parameters for TLS connection

diff --git a/src/crypto/tls_gnutls.c b/src/crypto/tls_gnutls.c
index fbb1348..c4cd3c1 100644 (file)
--- a/src/crypto/tls_gnutls.c
+++ b/src/crypto/tls_gnutls.c
@@ -350,6 +350,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
        if (conn == NULL || params == NULL)
                return -1;
 
+       if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+               wpa_printf(MSG_INFO,
+                          "GnuTLS: ocsp=3 not supported");
+               return -1;
+       }
+
        if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
                wpa_printf(MSG_INFO,
                           "GnuTLS: tls_ext_cert_check=1 not supported");

diff --git a/src/crypto/tls_internal.c b/src/crypto/tls_internal.c
index 01a7c97..0d8f1db 100644 (file)
--- a/src/crypto/tls_internal.c
+++ b/src/crypto/tls_internal.c
@@ -200,6 +200,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
        if (conn->client == NULL)
                return -1;
 
+       if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+               wpa_printf(MSG_INFO,
+                          "TLS: ocsp=3 not supported");
+               return -1;
+       }
+
        if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
                wpa_printf(MSG_INFO,
                           "TLS: tls_ext_cert_check=1 not supported");

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1d75ba7..62277c4 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3890,6 +3890,12 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
        if (conn == NULL)
                return -1;
 
+       if (params->flags & TLS_CONN_REQUIRE_OCSP_ALL) {
+               wpa_printf(MSG_INFO,
+                          "OpenSSL: ocsp=3 not supported");
+               return -1;
+       }
+
        /*
         * If the engine isn't explicitly configured, and any of the
         * cert/key fields are actually PKCS#11 URIs, then automatically

diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
index c270832..406c162 100644 (file)
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@@ -196,8 +196,10 @@ static int eap_tls_init_connection(struct eap_sm *sm,
 
        if (config->ocsp)
                params->flags |= TLS_CONN_REQUEST_OCSP;
-       if (config->ocsp == 2)
+       if (config->ocsp >= 2)
                params->flags |= TLS_CONN_REQUIRE_OCSP;
+       if (config->ocsp == 3)
+               params->flags |= TLS_CONN_REQUIRE_OCSP_ALL;
        data->conn = tls_connection_init(data->ssl_ctx);
        if (data->conn == NULL) {
                wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index d8c3849..e204061 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -586,6 +586,8 @@ fast_reauth=1
 #      0 = do not use OCSP stapling (TLS certificate status extension)
 #      1 = try to use OCSP stapling, but not require response
 #      2 = require valid OCSP stapling response
+#      3 = require valid OCSP stapling response for all not-trusted
+#          certificates in the server certificate chain
 #
 # sim_num: Identifier for which SIM to use in multi-SIM devices
 #
@@ -1084,6 +1086,8 @@ fast_reauth=1
 #      0 = do not use OCSP stapling (TLS certificate status extension)
 #      1 = try to use OCSP stapling, but not require response
 #      2 = require valid OCSP stapling response
+#      3 = require valid OCSP stapling response for all not-trusted
+#          certificates in the server certificate chain
 #
 # openssl_ciphers: OpenSSL specific cipher configuration
 #      This can be used to override the global openssl_ciphers configuration