refactor CRL/OCSP lookup for peer cert. add option to allow checking all certs in peer cert chain.
parent
66a65f84bd
commit
fe303c97c6
|
@ -575,6 +575,7 @@
|
|||
#define CYASSL_CRL_START_MON WOLFSSL_CRL_START_MON /**/
|
||||
#define CYASSL_OCSP_NO_NONCE WOLFSSL_OCSP_NO_NONCE /**/
|
||||
#define CYASSL_OCSP_URL_OVERRIDE WOLFSSL_OCSP_URL_OVERRIDE
|
||||
#define CYASSL_OCSP_CHECKALL WOLFSSL_OCSP_CHECKALL
|
||||
|
||||
#define CyaSSL_CTX_EnableOCSP wolfSSL_CTX_EnableOCSP
|
||||
#define CyaSSL_CTX_OCSP_set_options wolfSSL_CTX_OCSP_set_options /**/
|
||||
|
|
|
@ -3986,16 +3986,34 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||
WOLFSSL_MSG("Verified CA from chain and already had it");
|
||||
}
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
|
||||
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
||||
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
||||
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("\tCRL check not ok");
|
||||
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
||||
if (ret == 0) {
|
||||
int doCrlLookup = 1;
|
||||
#ifdef HAVE_OCSP
|
||||
if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) {
|
||||
WOLFSSL_MSG("Doing Non Leaf OCSP check");
|
||||
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
|
||||
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||
if (ret != 0) {
|
||||
doCrlLookup = 0;
|
||||
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_OCSP */
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
if (doCrlLookup && ssl->ctx->cm->crlEnabled
|
||||
&& ssl->ctx->cm->crlCheckAll) {
|
||||
WOLFSSL_MSG("Doing Non Leaf CRL check");
|
||||
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
||||
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("\tCRL check not ok");
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_CRL */
|
||||
}
|
||||
#endif /* HAVE_OCSP || HAVE_CRL */
|
||||
|
||||
if (ret != 0 && anyError == 0)
|
||||
anyError = ret; /* save error from last time */
|
||||
|
@ -4057,38 +4075,32 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
|
||||
if (fatal == 0) {
|
||||
int doCrlLookup = 1;
|
||||
#ifdef HAVE_OCSP
|
||||
if (fatal == 0 && ssl->ctx->cm->ocspEnabled) {
|
||||
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||
fatal = 0;
|
||||
if (ssl->ctx->cm->ocspEnabled) {
|
||||
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
|
||||
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("\tOCSP Lookup not ok");
|
||||
fatal = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#endif /* HAVE_OCSP */
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
|
||||
int doCrlLookup = 1;
|
||||
|
||||
#ifdef HAVE_OCSP
|
||||
if (ssl->ctx->cm->ocspEnabled) {
|
||||
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
|
||||
}
|
||||
#endif /* HAVE_OCSP */
|
||||
|
||||
if (doCrlLookup) {
|
||||
if (doCrlLookup && ssl->ctx->cm->crlEnabled) {
|
||||
WOLFSSL_MSG("Doing Leaf CRL check");
|
||||
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
|
||||
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("\tCRL check not ok");
|
||||
fatal = 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* HAVE_CRL */
|
||||
}
|
||||
#endif /* HAVE_OCSP || HAVE_CRL */
|
||||
|
||||
#ifdef KEEP_PEER_CERT
|
||||
{
|
||||
|
|
|
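Review bot: In the non-leaf block of the @ -3986 hunk, `doCrlLookup = 0;` inside `if (ret != 0)` makes the preceding `doCrlLookup = (ret == OCSP_CERT_UNKNOWN);` dead: assuming OCSP_CERT_UNKNOWN is a non-zero error code, as its use next to `ret != 0` suggests, the CRL fallback for intermediate certificates can never run once OCSP is enabled, and the intermediate's unknown status is carried into anyError. The leaf path in the @ -4057 hunk omits that reset and does fall back to the CRL, so the two paths answer the same responder result differently. If the fallback is wanted for intermediates too, drop the `doCrlLookup = 0;` line; if it is deliberate, say so with a comment such as `/* no CRL fallback for intermediates: any OCSP failure is final */`. Either way the duplicated OCSP-then-CRL sequence would be easier to keep in step as one static helper taking the checkAll flag. DoCertificate starts and ends outside these hunks.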
@ -2815,6 +2815,8 @@ int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options)
|
|||
cm->ocspSendNonce = 0;
|
||||
else
|
||||
cm->ocspSendNonce = 1;
|
||||
if (options & WOLFSSL_OCSP_CHECKALL)
|
||||
cm->ocspCheckAll = 1;
|
||||
#ifndef WOLFSSL_USER_IO
|
||||
cm->ocspIOCb = EmbedOcspLookup;
|
||||
cm->ocspRespFreeCb = EmbedOcspRespFree;
|
||||
|
|
|
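Review bot: `cm->ocspCheckAll` is only ever set by the new `if (options & WOLFSSL_OCSP_CHECKALL)` and never cleared, so a later call to wolfSSL_CertManagerEnableOCSP without the flag leaves chain-wide checking switched on, unlike the nonce option just above, which is written on both branches. Mirror that with `cm->ocspCheckAll = (options & WOLFSSL_OCSP_CHECKALL) ? 1 : 0;`. The function begins outside the hunk, so whether the manager is zeroed beforehand is not visible here.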
@ -1185,6 +1185,7 @@ struct WOLFSSL_CERT_MANAGER {
|
|||
byte crlEnabled; /* is CRL on ? */
|
||||
byte crlCheckAll; /* always leaf, but all ? */
|
||||
byte ocspEnabled; /* is OCSP on ? */
|
||||
byte ocspCheckAll; /* always leaf, but all ? */
|
||||
byte ocspSendNonce; /* send the OCSP nonce ? */
|
||||
byte ocspUseOverrideURL; /* ignore cert's responder, override */
|
||||
};
|
||||
|
|
|
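Review bot: The comment on the new `ocspCheckAll` field, `/* always leaf, but all ? */`, is copied from crlCheckAll and does not say what the flag controls; a reader has to find DoCertificate to learn that it extends the OCSP lookup from the leaf to every certificate in the chain. Suggest `byte ocspCheckAll; /* OCSP-check every cert in the chain, not only the leaf */`.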
@ -569,6 +569,7 @@ enum {
|
|||
|
||||
WOLFSSL_OCSP_URL_OVERRIDE = 1,
|
||||
WOLFSSL_OCSP_NO_NONCE = 2,
|
||||
WOLFSSL_OCSP_CHECKALL = 4,
|
||||
|
||||
WOLFSSL_CRL_CHECKALL = 1,
|
||||
|
||||
|
|