Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

GnuTLS: OCSP stapling on the server side

This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 9 years ago
parent
6241766709
commit
9532bd2b44
1 changed files with 52 additions and 0 deletions
Split View Show Diff Stats
  1. 52 0
      src/crypto/tls_gnutls.c

+ 52 - 0
src/crypto/tls_gnutls.c
View File 

@@ -37,6 +37,8 @@ struct tls_global {
 
 			 union tls_event_data *data);
 
 	void *cb_ctx;
 
 	int cert_in_cb;
 
+
 
+	char *ocsp_stapling_response;
 
 };
 
 
 struct tls_connection {
 
@@ -133,6 +135,7 @@ void tls_deinit(void *ssl_ctx)
 
 		if (global->params_set)
 
 			gnutls_certificate_free_credentials(global->xcred);
 
 		os_free(global->session_data);
 
+		os_free(global->ocsp_stapling_response);
 
 		os_free(global);
 
 	}
 
 
@@ -602,6 +605,44 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 
 }
 
 
 
+#if GNUTLS_VERSION_NUMBER >= 0x030103
 
+static int server_ocsp_status_req(gnutls_session_t session, void *ptr,
 
+				  gnutls_datum_t *resp)
 
+{
 
+	struct tls_global *global = ptr;
 
+	char *cached;
 
+	size_t len;
 
+
 
+	if (!global->ocsp_stapling_response) {
 
+		wpa_printf(MSG_DEBUG, "GnuTLS: OCSP status callback - no response configured");
 
+		return GNUTLS_E_NO_CERTIFICATE_STATUS;
 
+	}
 
+
 
+	cached = os_readfile(global->ocsp_stapling_response, &len);
 
+	if (!cached) {
 
+		wpa_printf(MSG_DEBUG,
 
+			   "GnuTLS: OCSP status callback - could not read response file (%s)",
 
+			   global->ocsp_stapling_response);
 
+		return GNUTLS_E_NO_CERTIFICATE_STATUS;
 
+	}
 
+
 
+	wpa_printf(MSG_DEBUG,
 
+		   "GnuTLS: OCSP status callback - send cached response");
 
+	resp->data = gnutls_malloc(len);
 
+	if (!resp->data) {
 
+		os_free(resp);
 
+		return GNUTLS_E_MEMORY_ERROR;
 
+	}
 
+
 
+	os_memcpy(resp->data, cached, len);
 
+	resp->size = len;
 
+	os_free(cached);
 
+
 
+	return GNUTLS_E_SUCCESS;
 
+}
 
+#endif /* 3.1.3 */
 
+
 
+
 
 int tls_global_set_params(void *tls_ctx,
 
 			  const struct tls_connection_params *params)
 
 {
 
@@ -696,6 +737,17 @@ int tls_global_set_params(void *tls_ctx,
 
 		}
 
 	}
 
 
+#if GNUTLS_VERSION_NUMBER >= 0x030103
 
+	os_free(global->ocsp_stapling_response);
 
+	if (params->ocsp_stapling_response)
 
+		global->ocsp_stapling_response =
 
+			os_strdup(params->ocsp_stapling_response);
 
+	else
 
+		global->ocsp_stapling_response = NULL;
 
+	gnutls_certificate_set_ocsp_status_request_function(
 
+		global->xcred, server_ocsp_status_req, global);
 
+#endif /* 3.1.3 */
 
+
 
 	global->params_set = 1;
 
 
 	return 0;