refactor CRL/OCSP lookup for peer cert. add option to allow checking all certs in peer cert chain.

This commit is contained in:
John Safranek 2015-03-23 17:35:56 -07:00
parent 66a65f84bd
commit fe303c97c6
5 changed files with 45 additions and 28 deletions


@ -575,6 +575,7 @@
#define CYASSL_CRL_START_MON WOLFSSL_CRL_START_MON /**/
#define CYASSL_OCSP_NO_NONCE WOLFSSL_OCSP_NO_NONCE /**/
#define CYASSL_OCSP_URL_OVERRIDE WOLFSSL_OCSP_URL_OVERRIDE
#define CYASSL_OCSP_CHECKALL WOLFSSL_OCSP_CHECKALL
#define CyaSSL_CTX_EnableOCSP wolfSSL_CTX_EnableOCSP
#define CyaSSL_CTX_OCSP_set_options wolfSSL_CTX_OCSP_set_options /**/


@ -3986,16 +3986,34 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Verified CA from chain and already had it");
}
#ifdef HAVE_CRL
if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok");
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
if (ret == 0) {
int doCrlLookup = 1;
#ifdef HAVE_OCSP
if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) {
WOLFSSL_MSG("Doing Non Leaf OCSP check");
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) {
doCrlLookup = 0;
WOLFSSL_MSG("\tOCSP Lookup not ok");
}
}
#endif /* HAVE_OCSP */
#ifdef HAVE_CRL
if (doCrlLookup && ssl->ctx->cm->crlEnabled
&& ssl->ctx->cm->crlCheckAll) {
WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok");
}
}
}
#endif /* HAVE_CRL */
}
#endif /* HAVE_OCSP || HAVE_CRL */
if (ret != 0 && anyError == 0)
anyError = ret; /* save error from last time */
@ -4057,38 +4075,32 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
#endif
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
if (fatal == 0) {
int doCrlLookup = 1;
#ifdef HAVE_OCSP
if (fatal == 0 && ssl->ctx->cm->ocspEnabled) {
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Lookup not ok");
fatal = 0;
if (ssl->ctx->cm->ocspEnabled) {
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Lookup not ok");
fatal = 0;
}
}
}
#endif
#endif /* HAVE_OCSP */
#ifdef HAVE_CRL
if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
int doCrlLookup = 1;
#ifdef HAVE_OCSP
if (ssl->ctx->cm->ocspEnabled) {
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
}
#endif /* HAVE_OCSP */
if (doCrlLookup) {
if (doCrlLookup && ssl->ctx->cm->crlEnabled) {
WOLFSSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok");
fatal = 0;
}
}
}
#endif /* HAVE_CRL */
}
#endif /* HAVE_OCSP || HAVE_CRL */
#ifdef KEEP_PEER_CERT
{
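Review bot: In both new `#if defined(HAVE_OCSP) || defined(HAVE_CRL)` blocks (the non-leaf check in the first hunk and the leaf check in the second), `doCrlLookup` is declared and assigned but never read when HAVE_OCSP is defined without HAVE_CRL, because its only reader sits under `#ifdef HAVE_CRL`; such builds will warn under -Wunused-but-set-variable. A `(void)doCrlLookup;` placed after the `#endif /* HAVE_CRL */` line in each block silences that without changing behaviour. The two blocks are otherwise near copies, differing only in the `ocspCheckAll`/`crlCheckAll` gating and the `fatal = 0` resets, so a static helper taking the cert manager, `dCert` and a check-all flag would remove the duplication. The fallback rule is worth stating in a comment next to `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);`, e.g. `/* fall back to CRL only when OCSP has no status for the cert; a revoked or failed OCSP result stands and skips the CRL check */`, since that is what keeps a CRL pass from masking an OCSP revocation. DoCertificate starts before and ends after these hunks.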


@ -2815,6 +2815,8 @@ int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
cm->ocspSendNonce = 0;
else
cm->ocspSendNonce = 1;
if (options & WOLFSSL_OCSP_CHECKALL)
cm->ocspCheckAll = 1;
#ifndef WOLFSSL_USER_IO
cm->ocspIOCb = EmbedOcspLookup;
cm->ocspRespFreeCb = EmbedOcspRespFree;
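Review bot: `cm->ocspCheckAll` is only ever set by the new `if (options & WOLFSSL_OCSP_CHECKALL)` line and never cleared, unlike `ocspSendNonce` just above, which is assigned in both branches; a second call to wolfSSL_CertManagerEnableOCSP without the flag would leave chain-wide checking enabled unless the cert manager is re-zeroed elsewhere, which this hunk does not show. Mirroring the nonce handling makes the option idempotent: `cm->ocspCheckAll = (options & WOLFSSL_OCSP_CHECKALL) ? 1 : 0;`. The function continues outside the hunk on both sides.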


@ -1185,6 +1185,7 @@ struct WOLFSSL_CERT_MANAGER {
byte crlEnabled; /* is CRL on ? */
byte crlCheckAll; /* always leaf, but all ? */
byte ocspEnabled; /* is OCSP on ? */
byte ocspCheckAll; /* always leaf, but all ? */
byte ocspSendNonce; /* send the OCSP nonce ? */
byte ocspUseOverrideURL; /* ignore cert's responder, override */
};


@ -569,6 +569,7 @@ enum {
WOLFSSL_OCSP_URL_OVERRIDE = 1,
WOLFSSL_OCSP_NO_NONCE = 2,
WOLFSSL_OCSP_CHECKALL = 4,
WOLFSSL_CRL_CHECKALL = 1,