Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

OpenSSL: Reject OCSP-required configuration if no OCSP support

This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 9 years ago
parent
c07e7b43e9
commit
355a5c8ec5
1 changed files with 10 additions and 0 deletions
Split View Show Diff Stats
  1. 10 0
      src/crypto/tls_openssl.c

+ 10 - 0
src/crypto/tls_openssl.c
View File 

@@ -3788,6 +3788,16 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 
 		SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
 
 		SSL_CTX_set_tlsext_status_arg(ssl_ctx, conn);
 
 	}
 
+#else /* HAVE_OCSP */
 
+	if (params->flags & TLS_CONN_REQUIRE_OCSP) {
 
+		wpa_printf(MSG_INFO,
 
+			   "OpenSSL: No OCSP support included - reject configuration");
 
+		return -1;
 
+	}
 
+	if (params->flags & TLS_CONN_REQUEST_OCSP) {
 
+		wpa_printf(MSG_DEBUG,
 
+			   "OpenSSL: No OCSP support included - allow optional OCSP case to continue");
 
+	}
 
 #endif /* HAVE_OCSP */
 
 
 	conn->flags = params->flags;