DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Server configuration for OCSP stapling with ocsp_multi (RFC 6961)

Browse source 
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2015-12-22 19:34:36 +02:00 committed by Jouni Malinen
parent bca0872dd5
commit 5addb0df59
6 changed files with 16 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/ap/ap_config.c
View file

@ -471,6 +471,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
os_free(conf->private_key);
os_free(conf->private_key_passwd);
os_free(conf->ocsp_stapling_response);
os_free(conf->ocsp_stapling_response_multi);
os_free(conf->dh_file);
os_free(conf->openssl_ciphers);
os_free(conf->pac_opaque_encr_key);

1
src/ap/ap_config.h
View file

@ -341,6 +341,7 @@ struct hostapd_bss_config {
int check_crl;
unsigned int tls_session_lifetime;
char *ocsp_stapling_response;
char *ocsp_stapling_response_multi;
char *dh_file;
char *openssl_ciphers;
u8 *pac_opaque_encr_key;

2
src/ap/authsrv.c
View file

@ -173,6 +173,8 @@ int authsrv_init(struct hostapd_data *hapd)
params.openssl_ciphers = hapd->conf->openssl_ciphers;
params.ocsp_stapling_response =
hapd->conf->ocsp_stapling_response;
params.ocsp_stapling_response_multi =
hapd->conf->ocsp_stapling_response_multi;
if (tls_global_set_params(hapd->ssl_ctx, &params)) {
wpa_printf(MSG_ERROR, "Failed to set TLS parameters");

4
src/crypto/tls.h
View file

@ -140,6 +140,9 @@ struct tls_config {
* @flags: Parameter options (TLS_CONN_*)
* @ocsp_stapling_response: DER encoded file with cached OCSP stapling response
* or %NULL if OCSP is not enabled
* @ocsp_stapling_response_multi: DER encoded file with cached OCSP stapling
* response list (OCSPResponseList for ocsp_multi in RFC 6961) or %NULL if
* ocsp_multi is not enabled
*
* TLS connection parameters to be configured with tls_connection_set_params()
* and tls_global_set_params().
@ -180,6 +183,7 @@ struct tls_connection_params {
unsigned int flags;
const char *ocsp_stapling_response;
const char *ocsp_stapling_response_multi;
};