From 48408fce2f3d94f5cab08d46cec7e5306db12c14 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 18 Mar 2014 00:03:59 +0200
Subject: [PATCH] HS 2.0R2: Do not mandate OCSP response for EST operations

OCSP validation is required only for the OSU operations and since the EST server may use a different server certificate, it may not necessarily support OCSP.

Signed-off-by: Jouni Malinen
---
 hs20/client/est.c | 9 +++++++++
 hs20/client/osu_client.c | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/hs20/client/est.c b/hs20/client/est.c
index 5346c0993..ec05bc4e0 100644
--- a/hs20/client/est.c
+++ b/hs20/client/est.c
@@ -109,8 +109,11 @@ int est_load_cacerts(struct hs20_osu_client *ctx, const char *url)
 wpa_printf(MSG_INFO, "Download EST cacerts from %s", buf);
 write_summary(ctx, "Download EST cacerts from %s", buf);
 ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
 res = http_download_file(ctx->http, buf, "Cert/est-cacerts.txt", ctx->ca_fname);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
 ctx->no_osu_cert_validation = 0;
 if (res < 0) {
 wpa_printf(MSG_INFO, "Failed to download EST cacerts from %s",
@@ -553,8 +556,11 @@ int est_build_csr(struct hs20_osu_client *ctx, const char *url)
 wpa_printf(MSG_INFO, "Download csrattrs from %s", buf);
 write_summary(ctx, "Download EST csrattrs from %s", buf);
 ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
 res = http_download_file(ctx->http, buf, "Cert/est-csrattrs.txt", ctx->ca_fname);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
 ctx->no_osu_cert_validation = 0;
 os_free(buf);
 if (res < 0) {
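Review bot: The restore expression `(ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2` after the http_download_file call re-derives the client's default OCSP mode instead of restoring whatever was in effect before, and this patch copies the same expression to four sites; if the default is ever computed differently, one copy will drift. A single helper such as `static void http_ocsp_restore_default(struct hs20_osu_client *ctx)` holding that line, and named constants in place of the bare 1 and 2 (which from the workaround ternary appear to mean optional and required), would keep the policy in one place. The server certificate is still checked against `ctx->ca_fname` on this call, so the relaxation looks limited to revocation checking; a comment at the `http_ocsp_set(ctx->http, 1)` line such as `/* EST server cert may differ from the OSU cert and need not support OCSP */` would spare the next reader a trip to the git log. est_load_cacerts starts and ends outside this hunk.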
@@ -652,10 +658,13 @@ int est_simple_enroll(struct hs20_osu_client *ctx, const char *url,
 wpa_printf(MSG_INFO, "EST simpleenroll URL: %s", buf);
 write_summary(ctx, "EST simpleenroll URL: %s", buf);
 ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
 resp = http_post(ctx->http, buf, req, "application/pkcs10", "Content-Transfer-Encoding: base64", ctx->ca_fname, user, pw, client_cert, client_key, &resp_len);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
 ctx->no_osu_cert_validation = 0;
 os_free(buf);
 if (resp == NULL) {
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index 33e641f0c..7d1617a3f 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@@ -303,7 +303,10 @@ static int download_cert(struct hs20_osu_client *ctx, xml_node_t *params,
 write_summary(ctx, "Download certificate from %s", url);
 ctx->no_osu_cert_validation = 1;
+ http_ocsp_set(ctx->http, 1);
 res = http_download_file(ctx->http, url, TMP_CERT_DL_FILE, NULL);
+ http_ocsp_set(ctx->http,
+ (ctx->workarounds & WORKAROUND_OCSP_OPTIONAL) ? 1 : 2);
 ctx->no_osu_cert_validation = 0;
 xml_node_get_text_free(ctx->xml, url);
 if (res < 0)
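Review bot: Tolerating a missing OCSP response on this http_post call, which carries `user`, `pw`, `client_cert` and `client_key` to the EST server, means a server presenting a revoked-but-unexpired certificate is accepted whenever no response is obtained, and the enrollment credentials are sent to it; the trade-off may be intended, but it deserves a comment at the `http_ocsp_set(ctx->http, 1)` line, e.g. `/* OCSP is best-effort for EST; the credentials below still go only over a connection validated against ctx->ca_fname */`. I am reading mode 1 as "optional" from the workaround ternary; if mode 1 also ignores an explicit revoked status, that is a stronger relaxation and should be spelled out instead. est_simple_enroll starts and ends outside this hunk.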
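Review bot: The commit message attributes the relaxation to the EST server's certificate, but download_cert in osu_client.c is not an EST operation and, unlike the est.c sites, passes NULL rather than `ctx->ca_fname` as the CA file to http_download_file, so it is not clear from this hunk what validation is left on this download once OCSP is optional as well. The `url` appears to come from the XML params (it is freed with xml_node_get_text_free), so if it originates in provisioning data the reason for optional OCSP here should be stated in the commit message or in a comment at the `http_ocsp_set(ctx->http, 1)` line, together with how the downloaded certificate is verified before it is trusted (a fingerprint check, if one exists, would be the natural place to point at). download_cert starts and ends outside this hunk.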