mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 10:18:21 -05:00
HTTP (curl): OCSP with BoringSSL
This adds experimental support for using OCSP with libcurl that is built against BoringSSL. This needs small modifications to libcurl to allow CURLOPT_SSL_VERIFYSTATUS to be used to call SSL_enable_ocsp_stapling(connssl->handle) in ossl_connect_step1(). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
213e158ca8
commit
8d27efa814
@ -55,6 +55,7 @@ OBJS += ../../src/crypto/crypto_internal.c
|
||||
OBJS += ../../src/crypto/md5-internal.c
|
||||
OBJS += ../../src/crypto/sha1-internal.c
|
||||
OBJS += ../../src/crypto/sha256-internal.c
|
||||
OBJS += ../../src/crypto/tls_openssl_ocsp.c
|
||||
|
||||
L_CFLAGS += -DEAP_TLS_OPENSSL
|
||||
|
||||
|
@ -76,6 +76,7 @@ LIBS += -lcurl
|
||||
endif
|
||||
|
||||
CFLAGS += -DEAP_TLS_OPENSSL
|
||||
OBJS += ../../src/crypto/tls_openssl_ocsp.o
|
||||
LIBS += -lssl -lcrypto
|
||||
|
||||
hs20-osu-client: $(OBJS)
|
||||
|
@ -26,6 +26,9 @@
|
||||
#include "common.h"
|
||||
#include "xml-utils.h"
|
||||
#include "http-utils.h"
|
||||
#ifdef EAP_TLS_OPENSSL
|
||||
#include "crypto/tls_openssl.h"
|
||||
#endif /* EAP_TLS_OPENSSL */
|
||||
|
||||
|
||||
struct http_ctx {
|
||||
@ -1004,6 +1007,26 @@ static int curl_cb_ssl_verify(int preverify_ok, X509_STORE_CTX *x509_ctx)
|
||||
if (depth == 0 && preverify_ok && validate_server_cert(ctx, cert) < 0)
|
||||
return 0;
|
||||
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
if (depth == 0 && ctx->ocsp != NO_OCSP && preverify_ok) {
|
||||
enum ocsp_result res;
|
||||
|
||||
res = check_ocsp_resp(ssl_ctx, ssl, cert, ctx->peer_issuer,
|
||||
ctx->peer_issuer_issuer);
|
||||
if (res == OCSP_REVOKED) {
|
||||
preverify_ok = 0;
|
||||
wpa_printf(MSG_INFO, "OCSP: certificate revoked");
|
||||
if (err == X509_V_OK)
|
||||
X509_STORE_CTX_set_error(
|
||||
x509_ctx, X509_V_ERR_CERT_REVOKED);
|
||||
} else if (res != OCSP_GOOD && (ctx->ocsp == MANDATORY_OCSP)) {
|
||||
preverify_ok = 0;
|
||||
wpa_printf(MSG_INFO,
|
||||
"OCSP: bad certificate status response");
|
||||
}
|
||||
}
|
||||
#endif /* OPENSSL_IS_BORINGSSL */
|
||||
|
||||
if (!preverify_ok)
|
||||
ctx->last_err = "TLS validation failed";
|
||||
|
||||
@ -1296,6 +1319,16 @@ static CURL * setup_curl_post(struct http_ctx *ctx, const char *address,
|
||||
#ifdef EAP_TLS_OPENSSL
|
||||
curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, curl_cb_ssl);
|
||||
curl_easy_setopt(curl, CURLOPT_SSL_CTX_DATA, ctx);
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
/* For now, using the CURLOPT_SSL_VERIFYSTATUS option only
|
||||
* with BoringSSL since the OpenSSL specific callback hack to
|
||||
* enable OCSP is not available with BoringSSL. The OCSP
|
||||
* implementation within libcurl is not sufficient for the
|
||||
* Hotspot 2.0 OSU needs, so cannot use this with OpenSSL.
|
||||
*/
|
||||
if (ctx->ocsp != NO_OCSP)
|
||||
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYSTATUS, 1L);
|
||||
#endif /* OPENSSL_IS_BORINGSSL */
|
||||
#endif /* EAP_TLS_OPENSSL */
|
||||
} else {
|
||||
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
|
||||
|
Loading…
Reference in New Issue
Block a user