OpenSSL: Use certificates from TLS authentication in OCSP stapling
OCSP response may not include all the needed CA certificates, so use the ones received during TLS handshake. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
c9629476f3
commit
6bf61fb288
1 changed files with 40 additions and 2 deletions
|
@ -112,6 +112,7 @@ struct tls_connection {
|
||||||
|
|
||||||
X509 *peer_cert;
|
X509 *peer_cert;
|
||||||
X509 *peer_issuer;
|
X509 *peer_issuer;
|
||||||
|
X509 *peer_issuer_issuer;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -1380,6 +1381,8 @@ static int tls_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx)
|
||||||
conn->peer_cert = err_cert;
|
conn->peer_cert = err_cert;
|
||||||
else if (depth == 1)
|
else if (depth == 1)
|
||||||
conn->peer_issuer = err_cert;
|
conn->peer_issuer = err_cert;
|
||||||
|
else if (depth == 2)
|
||||||
|
conn->peer_issuer_issuer = err_cert;
|
||||||
|
|
||||||
context = conn->context;
|
context = conn->context;
|
||||||
match = conn->subject_match;
|
match = conn->subject_match;
|
||||||
|
@ -2926,6 +2929,8 @@ static int ocsp_resp_cb(SSL *s, void *arg)
|
||||||
OCSP_BASICRESP *basic;
|
OCSP_BASICRESP *basic;
|
||||||
OCSP_CERTID *id;
|
OCSP_CERTID *id;
|
||||||
ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
|
ASN1_GENERALIZEDTIME *produced_at, *this_update, *next_update;
|
||||||
|
X509_STORE *store;
|
||||||
|
STACK_OF(X509) *certs = NULL;
|
||||||
|
|
||||||
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
|
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
|
||||||
if (!p) {
|
if (!p) {
|
||||||
|
@ -2956,8 +2961,41 @@ static int ocsp_resp_cb(SSL *s, void *arg)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
status = OCSP_basic_verify(basic, NULL, SSL_CTX_get_cert_store(s->ctx),
|
store = SSL_CTX_get_cert_store(s->ctx);
|
||||||
0);
|
if (conn->peer_issuer) {
|
||||||
|
wpa_printf(MSG_DEBUG, "OpenSSL: Add issuer");
|
||||||
|
X509_print_fp(stdout, conn->peer_issuer);
|
||||||
|
|
||||||
|
if (X509_STORE_add_cert(store, conn->peer_issuer) != 1) {
|
||||||
|
tls_show_errors(MSG_INFO, __func__,
|
||||||
|
"OpenSSL: Could not add issuer to certificate store\n");
|
||||||
|
}
|
||||||
|
certs = sk_X509_new_null();
|
||||||
|
if (certs) {
|
||||||
|
X509 *cert;
|
||||||
|
cert = X509_dup(conn->peer_issuer);
|
||||||
|
if (cert && !sk_X509_push(certs, cert)) {
|
||||||
|
tls_show_errors(
|
||||||
|
MSG_INFO, __func__,
|
||||||
|
"OpenSSL: Could not add issuer to OCSP responder trust store\n");
|
||||||
|
X509_free(cert);
|
||||||
|
sk_X509_free(certs);
|
||||||
|
certs = NULL;
|
||||||
|
}
|
||||||
|
if (conn->peer_issuer_issuer) {
|
||||||
|
cert = X509_dup(conn->peer_issuer_issuer);
|
||||||
|
if (cert && !sk_X509_push(certs, cert)) {
|
||||||
|
tls_show_errors(
|
||||||
|
MSG_INFO, __func__,
|
||||||
|
"OpenSSL: Could not add issuer to OCSP responder trust store\n");
|
||||||
|
X509_free(cert);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
status = OCSP_basic_verify(basic, certs, store, OCSP_TRUSTOTHER);
|
||||||
|
sk_X509_pop_free(certs, X509_free);
|
||||||
if (status <= 0) {
|
if (status <= 0) {
|
||||||
tls_show_errors(MSG_INFO, __func__,
|
tls_show_errors(MSG_INFO, __func__,
|
||||||
"OpenSSL: OCSP response failed verification");
|
"OpenSSL: OCSP response failed verification");
|
||||||
|
|
Loading…
Reference in a new issue