Accueil Explorer Aide
S'inscrire Connexion
wareck
/
krackattacks
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

Interworking: Add OCSP parameter to the cred block

This new parameter can be used to configure credentials to mandate use
of OCSP stapling for AAA server authentication.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen il y a 11 ans
Parent
6402f2fe40
commit
cf6d08a63f
6 fichiers modifiés avec 29 ajouts et 0 suppressions
Vue séparée Afficher les stats Diff
  1. 5 0
      wpa_supplicant/README-HS20
  2. 5 0
      wpa_supplicant/config.c
  3. 9 0
      wpa_supplicant/config.h
  4. 3 0
      wpa_supplicant/config_file.c
  5. 2 0
      wpa_supplicant/interworking.c
  6. 5 0
      wpa_supplicant/wpa_supplicant.conf

+ 5 - 0
wpa_supplicant/README-HS20
Voir le fichier 

@@ -265,6 +265,11 @@ Credentials can be pre-configured for automatic network selection:
 
 #	req_conn_capab=17:500
 
 #	req_conn_capab=50
 
 #
 
+# ocsp: Whether to use/require OCSP to check server certificate
 
+#	0 = do not use OCSP stapling (TLS certificate status extension)
 
+#	1 = try to use OCSP stapling, but not require response
 
+#	2 = require valid OCSP stapling response
 
+#
 
 # for example:
 
 #
 
 #cred={

+ 5 - 0
wpa_supplicant/config.c
Voir le fichier 

@@ -2556,6 +2556,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
 
 	if (os_strcmp(var, "req_conn_capab") == 0)
 
 		return wpa_config_set_cred_req_conn_capab(cred, value);
 
 
+	if (os_strcmp(var, "ocsp") == 0) {
 
+		cred->ocsp = atoi(value);
 
+		return 0;
 
+	}
 
+
 
 	val = wpa_config_parse_string(value, &len);
 
 	if (val == NULL) {
 
 		wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "

+ 9 - 0
wpa_supplicant/config.h
Voir le fichier 

@@ -279,6 +279,15 @@ struct wpa_cred {
 
 	unsigned int num_req_conn_capab;
 
 	u8 *req_conn_capab_proto;
 
 	int **req_conn_capab_port;
 
+
 
+	/**
 
+	 * ocsp - Whether to use/require OCSP to check server certificate
 
+	 *
 
+	 * 0 = do not use OCSP stapling (TLS certificate status extension)
 
+	 * 1 = try to use OCSP stapling, but not require response
 
+	 * 2 = require valid OCSP stapling response
 
+	 */
 
+	int ocsp;
 
 };

+ 3 - 0
wpa_supplicant/config_file.c
Voir le fichier 

@@ -828,6 +828,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
 
 	if (cred->max_bss_load)
 
 		fprintf(f, "\tmax_bss_load=%u\n",
 
 			cred->max_bss_load);
 
+
 
+	if (cred->ocsp)
 
+		fprintf(f, "\tocsp=%d\n", cred->ocsp);
 
 }

+ 2 - 0
wpa_supplicant/interworking.c
Voir le fichier 

@@ -1420,6 +1420,8 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
 
 				  cred->domain_suffix_match) < 0)
 
 		return -1;
 
 
+	ssid->eap.ocsp = cred->ocsp;
 
+
 
 	return 0;
 
 }

+ 5 - 0
wpa_supplicant/wpa_supplicant.conf
Voir le fichier 

@@ -478,6 +478,11 @@ fast_reauth=1
 
 #	req_conn_capab=17:500
 
 #	req_conn_capab=50
 
 #
 
+# ocsp: Whether to use/require OCSP to check server certificate
 
+#	0 = do not use OCSP stapling (TLS certificate status extension)
 
+#	1 = try to use OCSP stapling, but not require response
 
+#	2 = require valid OCSP stapling response
 
+#
 
 # for example:
 
 #
 
 #cred={