Interworking: Add OCSP parameter to the cred block
This new parameter can be used to configure credentials to mandate use of OCSP stapling for AAA server authentication. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
6402f2fe40
commit
cf6d08a63f
6 changed files with 29 additions and 0 deletions
@ -265,6 +265,11 @@ Credentials can be pre-configured for automatic network selection:
# req_conn_capab=17:500
# req_conn_capab=17:500
# req_conn_capab=50
# req_conn_capab=50
#
#
# ocsp: Whether to use/require OCSP to check server certificate
# 0 = do not use OCSP stapling (TLS certificate status extension)
# 1 = try to use OCSP stapling, but not require response
# 2 = require valid OCSP stapling response
#
# for example:
# for example:
#
#
#cred={
#cred={
@ -2556,6 +2556,11 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
if (os_strcmp(var, "req_conn_capab") == 0)
if (os_strcmp(var, "req_conn_capab") == 0)
return wpa_config_set_cred_req_conn_capab(cred, value);
return wpa_config_set_cred_req_conn_capab(cred, value);
if (os_strcmp(var, "ocsp") == 0) {
cred->ocsp = atoi(value);
return 0;
}
val = wpa_config_parse_string(value, &len);
val = wpa_config_parse_string(value, &len);
if (val == NULL) {
if (val == NULL) {
wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
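Review bot: The new `ocsp` branch stores `atoi(value)` with no range check, so any integer outside the three documented values (0, 1, 2) is accepted silently, and a non-numeric typo such as `ocsp=two` collapses to 0 — which quietly disables the stapling requirement the operator intended to mandate, a fail-open misconfiguration for a security setting. The neighbouring branches appear to report bad input with `wpa_printf(MSG_ERROR, "Line %d: ...")`, so this one should do the same and return -1 for anything but 0..2; the `line` argument used there is presumably in scope, as wpa_config_set_cred's signature and body both extend outside the hunk. A possible replacement for the added lines:

```c
	if (os_strcmp(var, "ocsp") == 0) {
		int ocsp = atoi(value);

		/* Only 0 (off), 1 (optional) and 2 (required) are defined;
		 * refuse anything else so a typo cannot silently disable a
		 * stapling requirement. */
		if (ocsp < 0 || ocsp > 2) {
			wpa_printf(MSG_ERROR, "Line %d: invalid ocsp value '%s'",
				   line, value);
			return -1;
		}
		cred->ocsp = ocsp;
		return 0;
	}
```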
@ -279,6 +279,15 @@ struct wpa_cred {
unsigned int num_req_conn_capab;
unsigned int num_req_conn_capab;
u8 *req_conn_capab_proto;
u8 *req_conn_capab_proto;
int **req_conn_capab_port;
int **req_conn_capab_port;
/**
* ocsp - Whether to use/require OCSP to check server certificate
*
* 0 = do not use OCSP stapling (TLS certificate status extension)
* 1 = try to use OCSP stapling, but not require response
* 2 = require valid OCSP stapling response
*/
int ocsp;
};
};
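Review bot: The documentation added for `int ocsp` should make the security meaning of value 1 explicit: "try to use OCSP stapling, but not require response" is soft-fail, so a server that simply omits the stapled response is still accepted and a holder of a revoked certificate can avoid detection by not stapling at all; only 2 actually enforces revocation checking. I would reword the two lines as `* 1 = try to use OCSP stapling, but not require response (soft-fail: a missing response is accepted, so this gives no revocation guarantee)` and `* 2 = require valid OCSP stapling response (the only value that enforces revocation checking)`. It would also help to state the default — presumably 0 if struct wpa_cred is zero-initialized on allocation, which is not visible in this hunk.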
@ -828,6 +828,9 @@ static void wpa_config_write_cred(FILE *f, struct wpa_cred *cred)
if (cred->max_bss_load)
if (cred->max_bss_load)
fprintf(f, "\tmax_bss_load=%u\n",
fprintf(f, "\tmax_bss_load=%u\n",
cred->max_bss_load);
cred->max_bss_load);
if (cred->ocsp)
fprintf(f, "\tocsp=%d\n", cred->ocsp);
}
}
@ -1420,6 +1420,8 @@ static int interworking_set_eap_params(struct wpa_ssid *ssid,
cred->domain_suffix_match) < 0)
cred->domain_suffix_match) < 0)
return -1;
return -1;
ssid->eap.ocsp = cred->ocsp;
return 0;
return 0;
}
}
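Review bot: `ssid->eap.ocsp = cred->ocsp;` copies the credential's value verbatim with no comment, and a reader of interworking_set_eap_params (whose body starts outside the hunk) cannot tell from this line that 0 means "stapling not used" rather than "not configured", nor that the value is a policy the TLS layer is expected to enforce. I would add `/* Propagate the credential's OCSP stapling policy (0 = off, 1 = optional, 2 = required) to the generated EAP configuration */` above the assignment. Note also that because the parser side stores whatever atoi() returned, an out-of-range value would be forwarded here unchanged; if the copy is kept as is, the range check belongs in wpa_config_set_cred rather than here.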
@ -478,6 +478,11 @@ fast_reauth=1
# req_conn_capab=17:500
# req_conn_capab=17:500
# req_conn_capab=50
# req_conn_capab=50
#
#
# ocsp: Whether to use/require OCSP to check server certificate
# 0 = do not use OCSP stapling (TLS certificate status extension)
# 1 = try to use OCSP stapling, but not require response
# 2 = require valid OCSP stapling response
#
# for example:
# for example:
#
#
#cred={
#cred={