Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

OpenSSL: Use certificates from TLS authentication in OCSP stapling

OCSP response may not include all the needed CA certificates, so use the
ones received during TLS handshake.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 11 years ago
parent
c9629476f3
commit
6bf61fb288
1 changed files with 40 additions and 2 deletions
Split View Show Diff Stats
  1. 40 2
      src/crypto/tls_openssl.c

+ 40 - 2
src/crypto/tls_openssl.c
View File 

@@ -112,6 +112,7 @@ struct tls_connection {
 
 
 	X509 *peer_cert;
 
 	X509 *peer_issuer;
 
+	X509 *peer_issuer_issuer;
 
 };
 
 
 
@@ -1380,6 +1381,8 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
 
 		conn->peer_cert = err_cert;
 
 	else if (depth == 1)
 
 		conn->peer_issuer = err_cert;
 
+	else if (depth == 2)
 
+		conn->peer_issuer_issuer = err_cert;
 
 
 	context = conn->context;
 
 	match = conn->subject_match;
 
@@ -2926,6 +2929,8 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 
 	OCSP_BASICRESP *basic;
 
 	OCSP_CERTID *id;
 
 	ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
 
+	X509_STORE *store;
 
+	STACK_OF(X509) *certs = NULL;
 
 
 	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
 
 	if (!p) {
 
@@ -2956,8 +2961,41 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 
 		return 0;
 
 	}
 
 
-	status = OCSP_basic_verify(basic, NULL, SSL_CTX_get_cert_store(s->ctx),
 
-				   0);
 
+	store = SSL_CTX_get_cert_store(s->ctx);
 
+	if (conn->peer_issuer) {
 
+		wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
 
+		X509_print_fp(stdout, conn->peer_issuer);
 
+
 
+		if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
 
+			tls_show_errors(MSG_INFO, __func__,
 
+					"OpenSSL: Could not add issuer to certificate store\n");
 
+		}
 
+		certs = sk_X509_new_null();
 
+		if (certs) {
 
+			X509 *cert;
 
+			cert = X509_dup(conn->peer_issuer);
 
+			if (cert && !sk_X509_push(certs, cert)) {
 
+				tls_show_errors(
 
+					MSG_INFO, __func__,
 
+					"OpenSSL: Could not add issuer to OCSP responder trust store\n");
 
+				X509_free(cert);
 
+				sk_X509_free(certs);
 
+				certs = NULL;
 
+			}
 
+			if (conn->peer_issuer_issuer) {
 
+				cert = X509_dup(conn->peer_issuer_issuer);
 
+				if (cert && !sk_X509_push(certs, cert)) {
 
+					tls_show_errors(
 
+						MSG_INFO, __func__,
 
+						"OpenSSL: Could not add issuer to OCSP responder trust store\n");
 
+					X509_free(cert);
 
+				}
 
+			}
 
+		}
 
+	}
 
+
 
+	status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
 
+	sk_X509_pop_free(certs, X509_free);
 
 	if (status <= 0) {
 
 		tls_show_errors(MSG_INFO, __func__,
 
 				"OpenSSL: OCSP response failed verification");