From 3d7e86f08d52a9d70e713dd42434c390267b6fee Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 17 Oct 2017 13:52:05 -0700
Subject: [PATCH] Added missing API's for disabling OCSP stapling. Added OCSP stapling enable/disable for WOLFSSL.
---
 examples/server/server.c | 4 ++
 src/ssl.c | 93 +++++++++++++++++++++++++++++-----------
 wolfssl/ssl.h | 7 ++-
 3 files changed, 79 insertions(+), 25 deletions(-)
diff --git a/examples/server/server.c b/examples/server/server.c
index ffb908cfd..4aba7c9eb 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -1504,6 +1504,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 }
 } /* while(1) */
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ wolfSSL_CTX_DisableOCSPStapling(ctx);
+#endif
 CloseSocket(sockfd);
 SSL_CTX_free(ctx);
diff --git a/src/ssl.c b/src/ssl.c
index b9179de10..9f67fa948 100755
--- a/src/ssl.c
+++ b/src/ssl.c
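Review bot: The new `wolfSSL_CTX_DisableOCSPStapling(ctx)` call is placed immediately before `SSL_CTX_free(ctx)`, so at this point it can only serve to exercise the API; the flag it clears (the ssl.c hunk shows it sets `cm->ocspStaplingEnabled = 0` and nothing else) presumably goes away with the context on the next lines. Its return value is dropped too, and under this guard the `NOT_COMPILED_IN` branch cannot be taken, so a reader will wonder why the call is here at all. A one-line comment would settle it, e.g. `/* exercise the disable API before teardown; ctx is released below */`. server_test() begins well before this hunk.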
@@ -5759,38 +5759,57 @@ int wolfSSL_CertManagerEnableOCSPStapling(WOLFSSL_CERT_MANAGER* cm)
 int ret = WOLFSSL_SUCCESS;
 WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSPStapling");
+
 if (cm == NULL)
 return BAD_FUNC_ARG;
- #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
- || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
- if (cm->ocsp_stapling == NULL) {
- cm->ocsp_stapling = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP),
- cm->heap, DYNAMIC_TYPE_OCSP);
- if (cm->ocsp_stapling == NULL)
- return MEMORY_E;
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ if (cm->ocsp_stapling == NULL) {
+ cm->ocsp_stapling = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP),
+ cm->heap, DYNAMIC_TYPE_OCSP);
+ if (cm->ocsp_stapling == NULL)
+ return MEMORY_E;
- if (InitOCSP(cm->ocsp_stapling, cm) != 0) {
- WOLFSSL_MSG("Init OCSP failed");
- FreeOCSP(cm->ocsp_stapling, 1);
- cm->ocsp_stapling = NULL;
- return WOLFSSL_FAILURE;
- }
+ if (InitOCSP(cm->ocsp_stapling, cm) != 0) {
+ WOLFSSL_MSG("Init OCSP failed");
+ FreeOCSP(cm->ocsp_stapling, 1);
+ cm->ocsp_stapling = NULL;
+ return WOLFSSL_FAILURE;
 }
- cm->ocspStaplingEnabled = 1;
+ }
+ cm->ocspStaplingEnabled = 1;
- #ifndef WOLFSSL_USER_IO
- cm->ocspIOCb = EmbedOcspLookup;
- cm->ocspRespFreeCb = EmbedOcspRespFree;
- cm->ocspIOCtx = cm->heap;
- #endif /* WOLFSSL_USER_IO */
- #else
- ret = NOT_COMPILED_IN;
- #endif
+ #ifndef WOLFSSL_USER_IO
+ cm->ocspIOCb = EmbedOcspLookup;
+ cm->ocspRespFreeCb = EmbedOcspRespFree;
+ cm->ocspIOCtx = cm->heap;
+ #endif /* WOLFSSL_USER_IO */
+#else
+ ret = NOT_COMPILED_IN;
+#endif
 return ret;
 }
+int wolfSSL_CertManagerDisableOCSPStapling(WOLFSSL_CERT_MANAGER* cm)
+{
+ int ret = WOLFSSL_SUCCESS;
+
+ WOLFSSL_ENTER("wolfSSL_CertManagerDisableOCSPStapling");
+
+ if (cm == NULL)
+ return BAD_FUNC_ARG;
+
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ cm->ocspStaplingEnabled = 0;
+#else
+ ret = NOT_COMPILED_IN;
+#endif
+ return ret;
+}
+
 #ifdef HAVE_OCSP
@@ -5885,7 +5904,6 @@ int wolfSSL_EnableOCSP(WOLFSSL* ssl, int options)
 return BAD_FUNC_ARG;
 }
-
 int wolfSSL_DisableOCSP(WOLFSSL* ssl)
 {
 WOLFSSL_ENTER("wolfSSL_DisableOCSP");
@@ -5896,6 +5914,24 @@ int wolfSSL_DisableOCSP(WOLFSSL* ssl)
 }
+int wolfSSL_EnableOCSPStapling(WOLFSSL* ssl)
+{
+ WOLFSSL_ENTER("wolfSSL_EnableOCSPStapling");
+ if (ssl)
+ return wolfSSL_CertManagerEnableOCSPStapling(ssl->ctx->cm);
+ else
+ return BAD_FUNC_ARG;
+}
+
+int wolfSSL_DisableOCSPStapling(WOLFSSL* ssl)
+{
+ WOLFSSL_ENTER("wolfSSL_DisableOCSPStapling");
+ if (ssl)
+ return wolfSSL_CertManagerDisableOCSPStapling(ssl->ctx->cm);
+ else
+ return BAD_FUNC_ARG;
+}
+
 int wolfSSL_SetOCSP_OverrideURL(WOLFSSL* ssl, const char* url)
 {
 WOLFSSL_ENTER("wolfSSL_SetOCSP_OverrideURL");
@@ -5971,7 +6007,16 @@ int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX* ctx)
 else
 return BAD_FUNC_ARG;
 }
-#endif
+
+int wolfSSL_CTX_DisableOCSPStapling(WOLFSSL_CTX* ctx)
+{
+ WOLFSSL_ENTER("wolfSSL_CTX_DisableOCSPStapling");
+ if (ctx)
+ return wolfSSL_CertManagerDisableOCSPStapling(ctx->cm);
+ else
+ return BAD_FUNC_ARG;
+}
+#endif /* HAVE_CERTIFICATE_STATUS_REQUEST || HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
 #endif /* HAVE_OCSP */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 08f508e84..2119d4932 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1789,6 +1789,8 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_CertManagerEnableOCSPStapling(
 WOLFSSL_CERT_MANAGER* cm);
+ WOLFSSL_API int wolfSSL_CertManagerDisableOCSPStapling(
+ WOLFSSL_CERT_MANAGER* cm);
 WOLFSSL_API int wolfSSL_EnableCRL(WOLFSSL* ssl, int options);
 WOLFSSL_API int wolfSSL_DisableCRL(WOLFSSL* ssl);
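Review bot: `wolfSSL_CertManagerDisableOCSPStapling` clears only `cm->ocspStaplingEnabled`; the `WOLFSSL_OCSP` object the enable path allocates and the `ocspIOCb`/`ocspRespFreeCb`/`ocspIOCtx` callbacks it installs are left in place, which reads as intentional (the enable path allocates only while `cm->ocsp_stapling == NULL`, so a later re-enable reuses the object) but is stated nowhere. A short header comment on the new function would keep someone from "fixing" it with a free here, e.g. `/* Clears the enabled flag only; cm->ocsp_stapling is kept so that re-enabling does not reallocate. */` — whether the cert-manager teardown releases it is not visible in this hunk and should be confirmed before writing that down. Separately, the re-indented enable body now has `#if`/`#else`/`#endif` at column 0 while the nested `+ #ifndef WOLFSSL_USER_IO` ... `+ #endif /* WOLFSSL_USER_IO */` block keeps the old indented form; the new function follows the column-0 style, so the inner block should too.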
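Review bot: `wolfSSL_EnableOCSPStapling` and `wolfSSL_DisableOCSPStapling` take a `WOLFSSL*` but act on `ssl->ctx->cm`, the same cert manager the CTX-level pair in the next hunk reaches through `ctx->cm`, so a caller will read them as per-connection toggles while they presumably change stapling for every session that shares that context. If that is the intended semantics both functions need a comment saying so, e.g. `/* Note: toggles stapling on the shared ssl->ctx->cm, i.e. for every session of this context. */`; if a per-session toggle is wanted, the flag would have to live on the WOLFSSL object rather than on the cert manager. `ssl->ctx` is dereferenced without a NULL check on both new lines; whether that matches the existing `wolfSSL_EnableOCSP` body cannot be seen from this hunk.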
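Review bot: The `wolfSSL_CTX_DisableOCSPStapling` definition added here is declared by the wolfssl/ssl.h hunk at 1813, but that hunk as rendered reads as `- WOLFSSL_API int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX*);` followed by `+ WOLFSSL_API int wolfSSL_CTX_DisableOCSPStapling(WOLFSSL_CTX*);`, i.e. the Enable prototype replaced rather than joined by the Disable one. That may simply be a removed blank line fused with the following context line by the rendering, but if the Enable declaration really goes, the `wolfSSL_CTX_EnableOCSPStapling` definition this hunk starts from is left without a prototype; worth a look at the header before merging. Replacing the bare `-#endif` with `+#endif /* HAVE_CERTIFICATE_STATUS_REQUEST || HAVE_CERTIFICATE_STATUS_REQUEST_V2 */` is a welcome clarification of the nested guards.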
@@ -1803,6 +1805,8 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_DisableOCSP(WOLFSSL*);
 WOLFSSL_API int wolfSSL_SetOCSP_OverrideURL(WOLFSSL*, const char*);
 WOLFSSL_API int wolfSSL_SetOCSP_Cb(WOLFSSL*, CbOCSPIO, CbOCSPRespFree, void*);
+ WOLFSSL_API int wolfSSL_EnableOCSPStapling(WOLFSSL*);
+ WOLFSSL_API int wolfSSL_DisableOCSPStapling(WOLFSSL*);
 WOLFSSL_API int wolfSSL_CTX_EnableCRL(WOLFSSL_CTX* ctx, int options);
 WOLFSSL_API int wolfSSL_CTX_DisableCRL(WOLFSSL_CTX* ctx);
@@ -1813,13 +1817,14 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
 #ifdef HAVE_CRL_IO
 WOLFSSL_API int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX*, CbCrlIO);
 #endif
+ WOLFSSL_API int wolfSSL_CTX_EnableOCSP(WOLFSSL_CTX*, int options);
 WOLFSSL_API int wolfSSL_CTX_DisableOCSP(WOLFSSL_CTX*);
 WOLFSSL_API int wolfSSL_CTX_SetOCSP_OverrideURL(WOLFSSL_CTX*, const char*);
 WOLFSSL_API int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX*, CbOCSPIO, CbOCSPRespFree, void*);
- WOLFSSL_API int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX*);
+ WOLFSSL_API int wolfSSL_CTX_DisableOCSPStapling(WOLFSSL_CTX*);
 #endif /* !NO_CERTS */