diff --git a/cyassl/ssl.h b/cyassl/ssl.h
index de5593178..2fced9224 100644
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
@@ -575,6 +575,7 @@
 #define CYASSL_CRL_START_MON WOLFSSL_CRL_START_MON /**/
 #define CYASSL_OCSP_NO_NONCE WOLFSSL_OCSP_NO_NONCE /**/
 #define CYASSL_OCSP_URL_OVERRIDE WOLFSSL_OCSP_URL_OVERRIDE
+#define CYASSL_OCSP_CHECKALL WOLFSSL_OCSP_CHECKALL
 #define CyaSSL_CTX_EnableOCSP wolfSSL_CTX_EnableOCSP
 #define CyaSSL_CTX_OCSP_set_options wolfSSL_CTX_OCSP_set_options
 /**/
diff --git a/src/internal.c b/src/internal.c
index d79c24373..2da4d91f6 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3986,16 +3986,34 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 WOLFSSL_MSG("Verified CA from chain and already had it");
             }
 
-#ifdef HAVE_CRL
-            if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
-                WOLFSSL_MSG("Doing Non Leaf CRL check");
-                ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
-
-                if (ret != 0) {
-                    WOLFSSL_MSG("\tCRL check not ok");
+#if defined(HAVE_OCSP) || defined(HAVE_CRL)
+            if (ret == 0) {
+                int doCrlLookup = 1;
+#ifdef HAVE_OCSP
+                if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) {
+                    WOLFSSL_MSG("Doing Non Leaf OCSP check");
+                    ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
+                    doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
+                    if (ret != 0) {
+                        doCrlLookup = 0;
+                        WOLFSSL_MSG("\tOCSP Lookup not ok");
+                    }
+                }
+#endif /* HAVE_OCSP */
+
+#ifdef HAVE_CRL
+                if (doCrlLookup && ssl->ctx->cm->crlEnabled
+                                && ssl->ctx->cm->crlCheckAll) {
+                    WOLFSSL_MSG("Doing Non Leaf CRL check");
+                    ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
+
+                    if (ret != 0) {
+                        WOLFSSL_MSG("\tCRL check not ok");
+                    }
                 }
-            }
 #endif /* HAVE_CRL */
+            }
+#endif /* HAVE_OCSP || HAVE_CRL */
 
             if (ret != 0 && anyError == 0)
                 anyError = ret;   /* save error from last time */
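Review bot: In the new non-leaf OCSP block, `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);` is immediately overridden by the following `if (ret != 0) { doCrlLookup = 0; ... }`, since OCSP_CERT_UNKNOWN is a non-zero return (presumably a negative error code like the rest of the library — confirm), so the CRL fallback for an intermediate with unknown OCSP status never runs and the first assignment is dead. The leaf path in the next hunk keeps that fallback (it does not zero doCrlLookup), so the two paths now disagree on how an unknown OCSP status is handled. If the fallback is intended here too, drop the `doCrlLookup = 0;` line and let CheckCertCRL overwrite ret; if an unknown status for an intermediate is meant to stay an error, delete the `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);` line and say so in a comment, e.g. `/* unknown status on a CA cert is treated as a failure; no CRL fallback */`. DoCertificate begins and ends outside this hunk.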
@@ -4057,38 +4075,32 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             }
 #endif
 
+#if defined(HAVE_OCSP) || defined(HAVE_CRL)
+        if (fatal == 0) {
+            int doCrlLookup = 1;
 #ifdef HAVE_OCSP
-        if (fatal == 0 && ssl->ctx->cm->ocspEnabled) {
-            ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
-            if (ret != 0) {
-                WOLFSSL_MSG("\tOCSP Lookup not ok");
-                fatal = 0;
+            if (ssl->ctx->cm->ocspEnabled) {
+                ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
+                doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
+                if (ret != 0) {
+                    WOLFSSL_MSG("\tOCSP Lookup not ok");
+                    fatal = 0;
+                }
             }
-        }
-#endif
+#endif /* HAVE_OCSP */
 
 
 #ifdef HAVE_CRL
-        if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
-            int doCrlLookup = 1;
-
-            #ifdef HAVE_OCSP
-            if (ssl->ctx->cm->ocspEnabled) {
-                doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
-            }
-            #endif /* HAVE_OCSP */
-
-            if (doCrlLookup) {
+            if (doCrlLookup && ssl->ctx->cm->crlEnabled) {
                 WOLFSSL_MSG("Doing Leaf CRL check");
                 ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
-
                 if (ret != 0) {
                     WOLFSSL_MSG("\tCRL check not ok");
                     fatal = 0;
                 }
             }
-        }
-        #endif /* HAVE_CRL */
+        }
+#endif /* HAVE_OCSP || HAVE_CRL */
 
 #ifdef KEEP_PEER_CERT
         {
diff --git a/src/ssl.c b/src/ssl.c
index 1cf5d7e74..69d34055b 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -2815,6 +2815,8 @@ int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
         cm->ocspSendNonce = 0;
     else
         cm->ocspSendNonce = 1;
+    if (options & WOLFSSL_OCSP_CHECKALL)
+        cm->ocspCheckAll = 1;
 #ifndef WOLFSSL_USER_IO
     cm->ocspIOCb = EmbedOcspLookup;
     cm->ocspRespFreeCb = EmbedOcspRespFree;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 5666f5097..a18858247 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
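Review bot: In wolfSSL_CertManagerEnableOCSP the new `ocspCheckAll` is only ever set, never cleared, whereas `ocspSendNonce` directly above is assigned in both branches from the same `options` word; a second call without WOLFSSL_OCSP_CHECKALL therefore leaves check-all enabled, and the field's initial value depends on the certificate manager being zeroed at creation, which this hunk does not show. Writing it the same way as the nonce flag makes the option word authoritative and removes the dependence on prior state: `cm->ocspCheckAll = (options & WOLFSSL_OCSP_CHECKALL) ? 1 : 0;`. The function starts and ends outside the hunk.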
@@ -1185,6 +1185,7 @@ struct WOLFSSL_CERT_MANAGER {
     byte            crlEnabled;         /* is CRL on ? */
     byte            crlCheckAll;        /* always leaf, but all ? */
     byte            ocspEnabled;        /* is OCSP on ? */
+    byte            ocspCheckAll;       /* always leaf, but all ? */
     byte            ocspSendNonce;      /* send the OCSP nonce ? */
     byte            ocspUseOverrideURL; /* ignore cert's responder, override */
 };
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index fda5a9522..2f090a20f 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -569,6 +569,7 @@ enum {
     WOLFSSL_OCSP_URL_OVERRIDE = 1,
     WOLFSSL_OCSP_NO_NONCE = 2,
+    WOLFSSL_OCSP_CHECKALL = 4,
     WOLFSSL_CRL_CHECKALL = 1,