WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #5086 from elms/cmake/ocsp_crl 

cmake: Add CRL, OCSP, and OCSP stapling options
pull/5092/head
David Garske 2022-04-27 09:31:51 -07:00 committed by GitHub
parent ad68bb9a7a ec38048711
commit 1d64c735ce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 49 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
CMakeLists.txt
View File

@ -1176,10 +1176,7 @@ if(NOT WOLFSSL_INLINE)
list(APPEND WOLFSSL_DEFINITIONS "-DNO_INLINE") list(APPEND WOLFSSL_DEFINITIONS "-DNO_INLINE")
endif() endif()
# TODO: - OCSP # TODO:
# - OCSP stapling
# - OCSP stapling v2
# - CRL
# - CRL monitor # - CRL monitor
# - User crypto # - User crypto
# - Whitewood netRandom client library # - Whitewood netRandom client library
@ -1192,31 +1189,19 @@ endif()
# - Secure renegotiation # - Secure renegotiation
# - Fallback SCSV # - Fallback SCSV
add_option(WOLFSSL_OCSP "Enable OCSP (default: disabled)" "no" "yes;no")
add_option(WOLFSSL_OCSPSTAPLING "Enable OCSP Stapling (default: disabled)" "no" "yes;no")
add_option(WOLFSSL_OCSPSTAPLING_V2 "Enable OCSP Stapling v2 (default: disabled)" "no" "yes;no")
add_option(WOLFSSL_CRL
"Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)"
"no" "yes;no;io")
set(WOLFSSL_SNI_HELP_STRING "Enable SNI (default: disabled)") set(WOLFSSL_SNI_HELP_STRING "Enable SNI (default: disabled)")
add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} "no" "yes;no") add_option(WOLFSSL_SNI ${WOLFSSL_SNI_HELP_STRING} "no" "yes;no")
if (WOLFSSL_SNI)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_TLS_EXTENSIONS" "-DHAVE_SNI")
endif()
set(WOLFSSL_TLSX_HELP_STRING "Enable all TLS Extensions (default: disabled)") set(WOLFSSL_TLSX_HELP_STRING "Enable all TLS Extensions (default: disabled)")
add_option(WOLFSSL_TLSX ${WOLFSSL_TLSX_HELP_STRING} "no" "yes;no") add_option(WOLFSSL_TLSX ${WOLFSSL_TLSX_HELP_STRING} "no" "yes;no")
if (WOLFSSL_TLSX)
list(APPEND WOLFSSL_DEFINITIONS
"-DHAVE_TLS_EXTENSIONS"
"-DHAVE_SNI"
"-DHAVE_MAX_FRAGMENT"
"-DHAVE_TRUNCATED_HMAC"
"-DHAVE_ALPN"
"-DHAVE_TRUSTED_CA")
if (WOLFSSL_ECC OR WOLFSSL_CURVE25519 OR WOLFSSL_CURVE448 OR WOLFSSL_TLS13)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_SUPPORTED_CURVES")
endif()
endif()
# Supported elliptic curves extensions # Supported elliptic curves extensions
add_option("WOLFSSL_SUPPORTED_CURVES" add_option("WOLFSSL_SUPPORTED_CURVES"
"Enable Supported Elliptic Curves (default: enabled)" "Enable Supported Elliptic Curves (default: enabled)"
@ -1646,6 +1631,44 @@ if(WOLFSSL_CRYPTOCB)
list(APPEND WOLFSSL_DEFINITIONS "-DWOLF_CRYPTO_CB") list(APPEND WOLFSSL_DEFINITIONS "-DWOLF_CRYPTO_CB")
endif() endif()
if(WOLFSSL_OCSPSTAPLING)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CERTIFICATE_STATUS_REQUEST" "-DHAVE_TLS_EXTENSIONS")
override_cache(WOLFSSL_OCSP "yes")
endif()
if(WOLFSSL_OCSPSTAPLING_V2)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CERTIFICATE_STATUS_REQUEST_V2" "-DHAVE_TLS_EXTENSIONS")
override_cache(WOLFSSL_OCSP "yes")
endif()
# must be below OCSP stapling options to allow override
if (WOLFSSL_OCSP)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_OCSP")
endif()
if (WOLFSSL_CRL STREQUAL "yes")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CRL")
elseif(WOLFSSL_CRL STREQUAL "io")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CRL" "-DHAVE_CRL_IO")
endif()
if (WOLFSSL_SNI)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_TLS_EXTENSIONS" "-DHAVE_SNI")
endif()
if (WOLFSSL_TLSX)
list(APPEND WOLFSSL_DEFINITIONS
"-DHAVE_TLS_EXTENSIONS"
"-DHAVE_SNI"
"-DHAVE_MAX_FRAGMENT"
"-DHAVE_TRUNCATED_HMAC"
"-DHAVE_ALPN"
"-DHAVE_TRUSTED_CA")
if (WOLFSSL_ECC OR WOLFSSL_CURVE25519 OR WOLFSSL_CURVE448 OR WOLFSSL_TLS13)
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_SUPPORTED_CURVES")
endif()
endif()
# Generates the BUILD_* flags. These control what source files are included in # Generates the BUILD_* flags. These control what source files are included in
# the library. A series of AM_CONDITIONALs handle this in configure.ac. # the library. A series of AM_CONDITIONALs handle this in configure.ac.

4
cmake/functions.cmake
View File

@ -188,8 +188,8 @@ function(generate_build_flags)
if(WOLFSSL_OCSP OR WOLFSSL_USER_SETTINGS) if(WOLFSSL_OCSP OR WOLFSSL_USER_SETTINGS)
set(BUILD_OCSP "yes" PARENT_SCOPE) set(BUILD_OCSP "yes" PARENT_SCOPE)
endif() endif()
set(BUILD_OCSP_STAPLING ${WOLFSSL_CERTIFICATE_STATUS_REQUEST} PARENT_SCOPE) set(BUILD_OCSP_STAPLING ${WOLFSSL_OCSPSTAPLING} PARENT_SCOPE)
set(BUILD_OCSP_STAPLING_V2 ${WOLFSSL_CERTIFICATE_STATUS_REQUEST_V2} PARENT_SCOPE) set(BUILD_OCSP_STAPLING_V2 ${WOLFSSL_OCSPSTAPLING_V2} PARENT_SCOPE)
if(WOLFSSL_CRL OR WOLFSSL_USER_SETTINGS) if(WOLFSSL_CRL OR WOLFSSL_USER_SETTINGS)
set(BUILD_CRL "yes" PARENT_SCOPE) set(BUILD_CRL "yes" PARENT_SCOPE)
endif() endif()

2
tests/api.c
View File

@ -34220,7 +34220,7 @@ static void test_wolfSSL_Tls13_Key_Logging_test(void)
wait_tcp_ready(&server_args); wait_tcp_ready(&server_args);
/* run as a TLS1.2 client */ /* run as a TLS1.3 client */
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
AssertIntEQ(WOLFSSL_SUCCESS, AssertIntEQ(WOLFSSL_SUCCESS,
wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0));