diff --git a/src/ocsp.c b/src/ocsp.c
index 22a72dbe9..30723df45 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -266,9 +266,9 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
 * entry The OCSP entry for this certificate.
 * returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise.
 */
-static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz,
- buffer* responseBuffer, CertStatus* status,
- OcspEntry* entry, OcspRequest* ocspRequest)
+WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
+ WOLFSSL_BUFFER_INFO *responseBuffer, CertStatus *status,
+ OcspEntry *entry, OcspRequest *ocspRequest)
 {
 #ifdef WOLFSSL_SMALL_STACK
 CertStatus* newStatus;
@@ -383,24 +383,6 @@ end:
 return ret;
 }
-WOLFSSL_API int wolfSSL_CertManagerCheckOCSP_Staple(WOLFSSL_CERT_MANAGER *cm,
- byte *response, int responseSz, buffer *responseBuffer,
- CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
-{
- int ret;
-
- WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
- if (cm == NULL || response == NULL)
- return BAD_FUNC_ARG;
- if (cm->ocspEnabled == 0)
- return WOLFSSL_SUCCESS;
-
- ret = CheckResponse(cm->ocsp, response, responseSz, responseBuffer, status,
- entry, ocspRequest);
-
- return ret == 0 ? WOLFSSL_SUCCESS : ret;
-}
-
 /* 0 on success */
 int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 buffer* responseBuffer)
@@ -445,7 +427,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 ret = ocsp->statusCb(ssl, ioCtx);
 if (ret == 0) {
 ret = wolfSSL_get_ocsp_response(ssl, &response);
- ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
+ ret = CheckOcspResponse(ocsp, response, ret, responseBuffer, status,
 entry, NULL);
 if (response != NULL)
 XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
@@ -493,7 +475,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
 if (responseSz >= 0 && response) {
- ret = CheckResponse(ocsp, response, responseSz, responseBuffer, status,
+ ret = CheckOcspResponse(ocsp, response, responseSz, responseBuffer, status,
 entry, ocspRequest);
 }
diff --git a/src/ssl.c b/src/ssl.c
index fc3442a61..4d06681e7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -5656,6 +5656,23 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
 return ret == 0 ? WOLFSSL_SUCCESS : ret;
 }
+WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm,
+ byte *response, int responseSz, buffer *responseBuffer,
+ CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
+{
+ int ret;
+
+ WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
+ if (cm == NULL || response == NULL)
+ return BAD_FUNC_ARG;
+ if (cm->ocspEnabled == 0)
+ return WOLFSSL_SUCCESS;
+
+ ret = CheckOcspResponse(cm->ocsp, response, responseSz, responseBuffer, status,
+ entry, ocspRequest);
+
+ return ret == 0 ? WOLFSSL_SUCCESS : ret;
+}
 int wolfSSL_CertManagerSetOCSPOverrideURL(WOLFSSL_CERT_MANAGER* cm,
 const char* url)
diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h
index 7bc359ec6..33ea8f523 100644
--- a/wolfssl/ocsp.h
+++ b/wolfssl/ocsp.h
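Review bot: The trace label in the new ssl.c function still names the deleted API — `WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");` should be `WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSPResponse");`, otherwise debug logs point at a symbol that no longer exists. The argument check rejects a NULL response but not a non-positive length, even though responseSz is handed straight to CheckOcspResponse as the decode length, so `if (cm == NULL || response == NULL || responseSz <= 0) return BAD_FUNC_ARG;` is a cheap guard (the CheckOcspRequest caller in this file already gates on `responseSz >= 0`). When `cm->ocspEnabled == 0` the function returns WOLFSSL_SUCCESS without looking at the response and leaves `status`/`entry` untouched; that is inherited from the removed _Staple body, but for a public entry point whose caller hands it a response to verify this fail-open result needs a comment so WOLFSSL_SUCCESS is not read as "response validated". The definition also spells the parameter `buffer *responseBuffer` while the ssl.h prototype and CheckOcspResponse use `WOLFSSL_BUFFER_INFO *`; presumably one is a typedef of the other, but it is worth confirming so prototype and definition agree.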
@@ -54,16 +54,16 @@ WOLFSSL_LOCAL int CheckCertOCSP_ex(WOLFSSL_OCSP*, DecodedCert*,
 WOLFSSL_BUFFER_INFO* responseBuffer, WOLFSSL* ssl);
 WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 WOLFSSL_BUFFER_INFO* responseBuffer);
-WOLFSSL_API int wolfSSL_CertManagerCheckOCSP_Staple(WOLFSSL_CERT_MANAGER *,
- byte *response, int responseSz, WOLFSSL_BUFFER_INFO *responseBuffer,
- CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest);
+WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int responseSz,
+ WOLFSSL_BUFFER_INFO *responseBuffer, CertStatus *status,
+ OcspEntry *entry, OcspRequest *ocspRequest);
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
-WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
- WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
- WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
- WOLFSSL_ASN1_TIME** nextupd);
+ WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
+ WOLFSSL_OCSP_CERTID *id, int *status, int *reason,
+ WOLFSSL_ASN1_TIME **revtime, WOLFSSL_ASN1_TIME **thisupd,
+ WOLFSSL_ASN1_TIME **nextupd);
 WOLFSSL_API const char *wolfSSL_OCSP_cert_status_str(long s);
 WOLFSSL_API int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
 WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec);
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 44bc2367b..ef0b8c426 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -100,7 +100,6 @@
 #endif
 #endif
-
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -414,6 +413,11 @@ enum AlertLevel {
 alert_fatal = 2
 };
+#if defined(HAVE_OCSP)
+#include "wolfssl/ocsp.h"
+#include "wolfssl/wolfcrypt/asn.h"
+#endif
+
 /* Maximum master key length (SECRET_LEN) */
 #define WOLFSSL_MAX_MASTER_KEY_LENGTH 48
 /* Maximum number of groups that can be set */
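Review bot: The re-indentation of `wolfSSL_OCSP_resp_find_status` inside the `#if defined(OPENSSL_ALL) ...` block is unrelated to the CheckOcspResponse change and leaves it indented differently from `wolfSSL_OCSP_cert_status_str` and `wolfSSL_OCSP_check_validity` immediately after it in the same block; keep it at column 0 like its neighbours or drop the whitespace churn from this commit. Removing `wolfSSL_CertManagerCheckOCSP_Staple` from this header is a public-API break for anything built against it, and its replacement now lives in ssl.h under a different name behind a `#if defined(HAVE_OCSP)` guard, so that break is worth calling out explicitly rather than leaving it implicit in a rename.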
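Review bot: The new `#include "wolfssl/ocsp.h"` / `#include "wolfssl/wolfcrypt/asn.h"` pair sits in the middle of the public ssl.h, after `enum AlertLevel`, rather than with the file's other includes, and it pulls the internal `CertStatus`/`OcspEntry`/`OcspRequest` definitions into every consumer that enables OCSP solely to type one new prototype. ocsp.h declares its functions in terms of `WOLFSSL_OCSP`, `WOLFSSL*` and `WOLFSSL_BUFFER_INFO`, so it very likely includes ssl.h itself; this include then forms a cycle that only works because of the include guards and because it is placed after those typedefs, which nobody can tell from the bare `#if`. At minimum add a comment, e.g. `/* Brings in CertStatus/OcspEntry/OcspRequest for wolfSSL_CertManagerCheckOCSPResponse(); must stay below the WOLFSSL_* typedefs ocsp.h depends on. */`, so the placement is not "tidied" to the top. Forward-declaring the three structs would avoid exposing the internal headers altogether.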
@@ -2113,6 +2117,11 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
 #ifdef HAVE_CRL_IO
 WOLFSSL_API int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER*, CbCrlIO);
+#endif
+#if defined(HAVE_OCSP)
+ WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *,
+ byte *response, int responseSz, WOLFSSL_BUFFER_INFO *responseBuffer,
+ CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest);
 #endif
 WOLFSSL_API int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER*,
 unsigned char*, int sz);
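Review bot: The new prototype uses `byte *response` while the `wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER*, unsigned char*, int sz)` declaration directly below it uses the public `unsigned char*` spelling; `byte` is a wolfCrypt typedef that a public header should not lean on, so `unsigned char *response` keeps the two neighbours consistent (and the same goes for the `WOLFSSL_LOCAL` declaration in ocsp.h). The declaration carries no documentation although it is now the public entry point; a short comment stating what `status`/`entry` receive, that the wrapper itself does not free `response`, and that the function returns WOLFSSL_SUCCESS without examining the response when OCSP is disabled on the cert manager (as the ssl.c body in this commit does) would stop callers from reading WOLFSSL_SUCCESS as "response validated". The block is guarded with `#if defined(HAVE_OCSP)` and indented by a space where the adjacent `#ifdef HAVE_CRL_IO` block uses `#ifdef` and column 0; matching the existing form reads better.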