refactor CRL/OCSP lookup for peer cert. add option to allow checking all certs in peer cert chain.
@@ -575,6 +575,7 @@
|
|||||||
#define CYASSL_CRL_START_MON WOLFSSL_CRL_START_MON /**/
|
#define CYASSL_CRL_START_MON WOLFSSL_CRL_START_MON /**/
|
||||||
#define CYASSL_OCSP_NO_NONCE WOLFSSL_OCSP_NO_NONCE /**/
|
#define CYASSL_OCSP_NO_NONCE WOLFSSL_OCSP_NO_NONCE /**/
|
||||||
#define CYASSL_OCSP_URL_OVERRIDE WOLFSSL_OCSP_URL_OVERRIDE
|
#define CYASSL_OCSP_URL_OVERRIDE WOLFSSL_OCSP_URL_OVERRIDE
|
||||||
|
#define CYASSL_OCSP_CHECKALL WOLFSSL_OCSP_CHECKALL
|
||||||
|
|
||||||
#define CyaSSL_CTX_EnableOCSP wolfSSL_CTX_EnableOCSP
|
#define CyaSSL_CTX_EnableOCSP wolfSSL_CTX_EnableOCSP
|
||||||
#define CyaSSL_CTX_OCSP_set_options wolfSSL_CTX_OCSP_set_options /**/
|
#define CyaSSL_CTX_OCSP_set_options wolfSSL_CTX_OCSP_set_options /**/
|
||||||
|
@@ -3986,8 +3986,24 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
WOLFSSL_MSG("Verified CA from chain and already had it");
|
WOLFSSL_MSG("Verified CA from chain and already had it");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
||||||
|
if (ret == 0) {
|
||||||
|
int doCrlLookup = 1;
|
||||||
|
#ifdef HAVE_OCSP
|
||||||
|
if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) {
|
||||||
|
WOLFSSL_MSG("Doing Non Leaf OCSP check");
|
||||||
|
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
|
||||||
|
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||||
|
if (ret != 0) {
|
||||||
|
doCrlLookup = 0;
|
||||||
|
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* HAVE_OCSP */
|
||||||
|
|
||||||
#ifdef HAVE_CRL
|
#ifdef HAVE_CRL
|
||||||
if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
|
if (doCrlLookup && ssl->ctx->cm->crlEnabled
|
||||||
|
&& ssl->ctx->cm->crlCheckAll) {
|
||||||
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
||||||
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
||||||
|
|
||||||
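Review bot: In the new non-leaf OCSP branch, `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);` is immediately overridden by the following `if (ret != 0) { doCrlLookup = 0; ... }`, so — assuming OCSP_CERT_UNKNOWN is a non-zero error code like the other wolfSSL error codes — a chain certificate with unknown OCSP status never falls back to the CRL check here, whereas the leaf path later in this commit does fall back. If fail-closed is intended for chain certificates, drop the first assignment and state it with a comment such as `/* chain certs: any OCSP failure, including unknown status, is final; no CRL fallback */`; if the same fallback as for the leaf is intended, drop `doCrlLookup = 0;` so the unknown-status result reaches the CRL lookup. As written the code does fail closed, since ret keeps the OCSP error and is captured by anyError below when no CRL lookup runs. When HAVE_OCSP is defined without HAVE_CRL, doCrlLookup is assigned but never read, which a `(void)doCrlLookup;` under the CRL block avoids. DoCertificate's body extends beyond this hunk.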
@@ -3996,6 +4012,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* HAVE_CRL */
|
#endif /* HAVE_CRL */
|
||||||
|
}
|
||||||
|
#endif /* HAVE_OCSP || HAVE_CRL */
|
||||||
|
|
||||||
if (ret != 0 && anyError == 0)
|
if (ret != 0 && anyError == 0)
|
||||||
anyError = ret; /* save error from last time */
|
anyError = ret; /* save error from last time */
|
||||||
@@ -4057,38 +4075,32 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
||||||
|
if (fatal == 0) {
|
||||||
|
int doCrlLookup = 1;
|
||||||
#ifdef HAVE_OCSP
|
#ifdef HAVE_OCSP
|
||||||
if (fatal == 0 && ssl->ctx->cm->ocspEnabled) {
|
if (ssl->ctx->cm->ocspEnabled) {
|
||||||
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
|
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
|
||||||
|
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||||
fatal = 0;
|
fatal = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef HAVE_CRL
|
|
||||||
if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
|
|
||||||
int doCrlLookup = 1;
|
|
||||||
|
|
||||||
#ifdef HAVE_OCSP
|
|
||||||
if (ssl->ctx->cm->ocspEnabled) {
|
|
||||||
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
|
||||||
}
|
|
||||||
#endif /* HAVE_OCSP */
|
#endif /* HAVE_OCSP */
|
||||||
|
|
||||||
if (doCrlLookup) {
|
#ifdef HAVE_CRL
|
||||||
|
if (doCrlLookup && ssl->ctx->cm->crlEnabled) {
|
||||||
WOLFSSL_MSG("Doing Leaf CRL check");
|
WOLFSSL_MSG("Doing Leaf CRL check");
|
||||||
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
||||||
|
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
WOLFSSL_MSG("\tCRL check not ok");
|
WOLFSSL_MSG("\tCRL check not ok");
|
||||||
fatal = 0;
|
fatal = 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
#endif /* HAVE_CRL */
|
#endif /* HAVE_CRL */
|
||||||
|
}
|
||||||
|
#endif /* HAVE_OCSP || HAVE_CRL */
|
||||||
|
|
||||||
#ifdef KEEP_PEER_CERT
|
#ifdef KEEP_PEER_CERT
|
||||||
{
|
{
|
||||||
|
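Review bot: Once doCrlLookup has been set from OCSP_CERT_UNKNOWN, the leaf CRL branch overwrites ret with the CheckCertCRL result, so a clean CRL lookup silently replaces the unknown OCSP status with success; that is presumably the intended fallback, but nothing in the code says so. A comment above the CRL block, such as `/* OCSP gave no answer for this cert: the CRL result decides and replaces ret */`, would make the revocation policy explicit for readers and auditors. As in the chain hunk above, doCrlLookup is set but unused when HAVE_OCSP is defined without HAVE_CRL. DoCertificate continues past this hunk.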
@@ -2815,6 +2815,8 @@ int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
|
|||||||
cm->ocspSendNonce = 0;
|
cm->ocspSendNonce = 0;
|
||||||
else
|
else
|
||||||
cm->ocspSendNonce = 1;
|
cm->ocspSendNonce = 1;
|
||||||
|
if (options & WOLFSSL_OCSP_CHECKALL)
|
||||||
|
cm->ocspCheckAll = 1;
|
||||||
#ifndef WOLFSSL_USER_IO
|
#ifndef WOLFSSL_USER_IO
|
||||||
cm->ocspIOCb = EmbedOcspLookup;
|
cm->ocspIOCb = EmbedOcspLookup;
|
||||||
cm->ocspRespFreeCb = EmbedOcspRespFree;
|
cm->ocspRespFreeCb = EmbedOcspRespFree;
|
||||||
|
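Review bot: `cm->ocspCheckAll = 1;` is only ever set and never cleared, unlike ocspSendNonce just above it which has an else branch, so a second wolfSSL_CertManagerEnableOCSP call without WOLFSSL_OCSP_CHECKALL leaves chain-wide checking switched on. Mirror the nonce handling so the field tracks the flags actually passed: `cm->ocspCheckAll = (options & WOLFSSL_OCSP_CHECKALL) ? 1 : 0;`. The function starts before this hunk, so whether the manager is zeroed at creation cannot be confirmed from here.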
@@ -1185,6 +1185,7 @@ struct WOLFSSL_CERT_MANAGER {
|
|||||||
byte crlEnabled; /* is CRL on ? */
|
byte crlEnabled; /* is CRL on ? */
|
||||||
byte crlCheckAll; /* always leaf, but all ? */
|
byte crlCheckAll; /* always leaf, but all ? */
|
||||||
byte ocspEnabled; /* is OCSP on ? */
|
byte ocspEnabled; /* is OCSP on ? */
|
||||||
|
byte ocspCheckAll; /* always leaf, but all ? */
|
||||||
byte ocspSendNonce; /* send the OCSP nonce ? */
|
byte ocspSendNonce; /* send the OCSP nonce ? */
|
||||||
byte ocspUseOverrideURL; /* ignore cert's responder, override */
|
byte ocspUseOverrideURL; /* ignore cert's responder, override */
|
||||||
};
|
};
|
||||||
|
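Review bot: The comment on the new ocspCheckAll field, `/* always leaf, but all ? */`, is copied from crlCheckAll and does not say what the flag controls. A comment that names the behaviour, e.g. `/* OCSP-check every cert in the peer chain, not only the leaf */`, would help since this field changes which certificates are subject to revocation checking.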
@@ -569,6 +569,7 @@ enum {
|
|||||||
|
|
||||||
WOLFSSL_OCSP_URL_OVERRIDE = 1,
|
WOLFSSL_OCSP_URL_OVERRIDE = 1,
|
||||||
WOLFSSL_OCSP_NO_NONCE = 2,
|
WOLFSSL_OCSP_NO_NONCE = 2,
|
||||||
|
WOLFSSL_OCSP_CHECKALL = 4,
|
||||||
|
|
||||||
WOLFSSL_CRL_CHECKALL = 1,
|
WOLFSSL_CRL_CHECKALL = 1,
|
||||||
|
|
||||||
|