WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

TLS OCSP Stapling: MUST staple option 

Can enable OCSP Must Staple option to mean that if the client sends a
request for an OCSP Staple then it must receive a response.
pull/3392/head
Sean Parkinson 2020-10-15 17:27:58 +10:00
parent 026ba4e750
commit 60b0b0170b
8 changed files with 245 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
examples/client/client.c
View File

@ -1040,65 +1040,66 @@ static const char* client_usage_msg[][66] = {
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
"-W <num> Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */ "-W <num> Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
" With 'm' at end indicates MUST staple\n", /* 42 */
#endif #endif
#if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY) #if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY)
"-U Atomic User Record Layer Callbacks\n", /* 42 */ "-U Atomic User Record Layer Callbacks\n", /* 43 */
#endif #endif
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
"-P Public Key Callbacks\n", /* 43 */ "-P Public Key Callbacks\n", /* 44 */
#endif #endif
#ifdef HAVE_ANON #ifdef HAVE_ANON
"-a Anonymous client\n", /* 44 */ "-a Anonymous client\n", /* 45 */
#endif #endif
#ifdef HAVE_CRL #ifdef HAVE_CRL
"-C Disable CRL\n", /* 45 */ "-C Disable CRL\n", /* 46 */
#endif #endif
#ifdef WOLFSSL_TRUST_PEER_CERT #ifdef WOLFSSL_TRUST_PEER_CERT
"-E <file> Path to load trusted peer cert\n", /* 46 */ "-E <file> Path to load trusted peer cert\n", /* 47 */
#endif #endif
#ifdef HAVE_WNR #ifdef HAVE_WNR
"-q <file> Whitewood config file, defaults\n", /* 47 */ "-q <file> Whitewood config file, defaults\n", /* 48 */
#endif #endif
"-H <arg> Internal tests" "-H <arg> Internal tests"
" [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 48 */ " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 49 */
" loadSSL, disallowETM]\n", /* 49 */ " loadSSL, disallowETM]\n", /* 50 */
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
"-J Use HelloRetryRequest to choose group for KE\n", /* 50 */ "-J Use HelloRetryRequest to choose group for KE\n", /* 51 */
"-K Key Exchange for PSK not using (EC)DHE\n", /* 51 */ "-K Key Exchange for PSK not using (EC)DHE\n", /* 52 */
"-I Update keys and IVs before sending data\n", /* 52 */ "-I Update keys and IVs before sending data\n", /* 53 */
#ifndef NO_DH #ifndef NO_DH
"-y Key Share with FFDHE named groups only\n", /* 53 */ "-y Key Share with FFDHE named groups only\n", /* 54 */
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
"-Y Key Share with ECC named groups only\n", /* 54 */ "-Y Key Share with ECC named groups only\n", /* 55 */
#endif #endif
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
"-t Use X25519 for key exchange\n", /* 55 */ "-t Use X25519 for key exchange\n", /* 56 */
#endif #endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
"-Q Support requesting certificate post-handshake\n", /* 56 */ "-Q Support requesting certificate post-handshake\n", /* 57 */
#endif #endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
"-0 Early data sent to server (0-RTT handshake)\n", /* 57 */ "-0 Early data sent to server (0-RTT handshake)\n", /* 58 */
#endif #endif
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
"-3 <grpid> Multicast, grpid < 256\n", /* 58 */ "-3 <grpid> Multicast, grpid < 256\n", /* 59 */
#endif #endif
"-1 <num> Display a result by specified language.\n" "-1 <num> Display a result by specified language.\n"
" 0: English, 1: Japanese\n", /* 59 */ " 0: English, 1: Japanese\n", /* 60 */
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \ #if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
"-2 Disable DH Prime check\n", /* 60 */ "-2 Disable DH Prime check\n", /* 61 */
#endif #endif
#ifdef HAVE_SECURE_RENEGOTIATION #ifdef HAVE_SECURE_RENEGOTIATION
"-4 Use resumption for renegotiation\n", /* 61 */ "-4 Use resumption for renegotiation\n", /* 62 */
#endif #endif
#ifdef HAVE_TRUSTED_CA #ifdef HAVE_TRUSTED_CA
"-5 Use Trusted CA Key Indication\n", /* 62 */ "-5 Use Trusted CA Key Indication\n", /* 63 */
#endif #endif
#ifdef HAVE_CURVE448 #ifdef HAVE_CURVE448
"-8 Use X448 for key exchange\n", /* 65 */ "-8 Use X448 for key exchange\n", /* 66 */
#endif #endif
#ifdef HAVE_CRL #ifdef HAVE_CRL
"-C Disable CRL\n", "-C Disable CRL\n",
@ -1208,67 +1209,68 @@ static const char* client_usage_msg[][66] = {
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
"-W <num> OCSP Staplingを使用する" "-W <num> OCSP Staplingを使用する"
" (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */ " (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
" With 'm' at end indicates MUST staple\n", /* 42 */
#endif #endif
#if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY) #if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY)
"-U アトミック・ユーザー記録の" "-U アトミック・ユーザー記録の"
"コールバックを利用する\n", /* 42 */ "コールバックを利用する\n", /* 43 */
#endif #endif
#ifdef HAVE_PK_CALLBACKS #ifdef HAVE_PK_CALLBACKS
"-P 公開鍵コールバック\n", /* 43 */ "-P 公開鍵コールバック\n", /* 44 */
#endif #endif
#ifdef HAVE_ANON #ifdef HAVE_ANON
"-a 匿名クライアント\n", /* 44 */ "-a 匿名クライアント\n", /* 45 */
#endif #endif
#ifdef HAVE_CRL #ifdef HAVE_CRL
"-C CRLを無効\n", /* 45 */ "-C CRLを無効\n", /* 46 */
#endif #endif
#ifdef WOLFSSL_TRUST_PEER_CERT #ifdef WOLFSSL_TRUST_PEER_CERT
"-E <file> 信頼出来るピアの証明書ロードの為のパス\n", /* 46 */ "-E <file> 信頼出来るピアの証明書ロードの為のパス\n", /* 47 */
#endif #endif
#ifdef HAVE_WNR #ifdef HAVE_WNR
"-q <file> Whitewood コンフィグファイル, 既定値\n", /* 47 */ "-q <file> Whitewood コンフィグファイル, 既定値\n", /* 48 */
#endif #endif
"-H <arg> 内部テスト" "-H <arg> 内部テスト"
" [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 48 */ " [defCipherList, exitWithRet, verifyFail, useSupCurve,\n", /* 49 */
" loadSSL, disallowETM]\n", /* 49 */ " loadSSL, disallowETM]\n", /* 50 */
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
"-J HelloRetryRequestをKEのグループ選択に使用する\n", /* 50 */ "-J HelloRetryRequestをKEのグループ選択に使用する\n", /* 51 */
"-K 鍵交換にPSKを使用、(EC)DHEは使用しない\n", /* 51 */ "-K 鍵交換にPSKを使用、(EC)DHEは使用しない\n", /* 52 */
"-I データ送信前に、鍵とIVを更新する\n", /* 52 */ "-I データ送信前に、鍵とIVを更新する\n", /* 53 */
#ifndef NO_DH #ifndef NO_DH
"-y FFDHE名前付きグループとの鍵共有のみ\n", /* 53 */ "-y FFDHE名前付きグループとの鍵共有のみ\n", /* 54 */
#endif #endif
#ifdef HAVE_ECC #ifdef HAVE_ECC
"-Y ECC名前付きグループとの鍵共有のみ\n", /* 54 */ "-Y ECC名前付きグループとの鍵共有のみ\n", /* 55 */
#endif #endif
#endif /* WOLFSSL_TLS13 */ #endif /* WOLFSSL_TLS13 */
#ifdef HAVE_CURVE25519 #ifdef HAVE_CURVE25519
"-t X25519を鍵交換に使用する\n", /* 55 */ "-t X25519を鍵交換に使用する\n", /* 56 */
#endif #endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
"-Q ポストハンドシェークの証明要求をサポートする\n", /* 56 */ "-Q ポストハンドシェークの証明要求をサポートする\n", /* 57 */
#endif #endif
#ifdef WOLFSSL_EARLY_DATA #ifdef WOLFSSL_EARLY_DATA
"-0 Early data をサーバーへ送信する" "-0 Early data をサーバーへ送信する"
"0-RTTハンドシェイク\n", /* 57 */ "0-RTTハンドシェイク\n", /* 58 */
#endif #endif
#ifdef WOLFSSL_MULTICAST #ifdef WOLFSSL_MULTICAST
"-3 <grpid> マルチキャスト, grpid < 256\n", /* 58 */ "-3 <grpid> マルチキャスト, grpid < 256\n", /* 59 */
#endif #endif
"-1 <num> 指定された言語で結果を表示します。\n" "-1 <num> 指定された言語で結果を表示します。\n"
" 0: 英語、 1: 日本語\n", /* 59 */ " 0: 英語、 1: 日本語\n", /* 60 */
#if !defined(NO_DH) && !defined(HAVE_FIPS) && \ #if !defined(NO_DH) && !defined(HAVE_FIPS) && \
!defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK) !defined(HAVE_SELFTEST) && !defined(WOLFSSL_OLD_PRIME_CHECK)
"-2 DHプライム番号チェックを無効にする\n", /* 60 */ "-2 DHプライム番号チェックを無効にする\n", /* 61 */
#endif #endif
#ifdef HAVE_SECURE_RENEGOTIATION #ifdef HAVE_SECURE_RENEGOTIATION
"-4 再交渉に再開を使用\n", /* 61 */ "-4 再交渉に再開を使用\n", /* 62 */
#endif #endif
#ifdef HAVE_TRUSTED_CA #ifdef HAVE_TRUSTED_CA
"-5 信頼できる認証局の鍵表示を使用する\n", /* 62 */ "-5 信頼できる認証局の鍵表示を使用する\n", /* 63 */
#endif #endif
#ifdef HAVE_CURVE448 #ifdef HAVE_CURVE448
"-8 Use X448 for key exchange\n", /* 65 */ "-8 Use X448 for key exchange\n", /* 66 */
#endif #endif
NULL, NULL,
}, },
@ -1526,6 +1528,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
byte statusRequest = 0; byte statusRequest = 0;
byte mustStaple = 0;
#endif #endif
#ifdef HAVE_EXTENDED_MASTER #ifdef HAVE_EXTENDED_MASTER
byte disableExtMasterSecret = 0; byte disableExtMasterSecret = 0;
@ -1936,6 +1939,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
Usage(); Usage();
XEXIT_T(MY_EX_USAGE); XEXIT_T(MY_EX_USAGE);
} }
if (myoptarg[XSTRLEN(myoptarg)-1] == 'M' ||
myoptarg[XSTRLEN(myoptarg)-1] == 'm') {
mustStaple = 1;
}
#endif #endif
break; break;
@ -2885,6 +2892,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS) if (wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS)
err_sys("can't enable OCSP Stapling Certificate Manager"); err_sys("can't enable OCSP Stapling Certificate Manager");
if (mustStaple) {
if (wolfSSL_CTX_EnableOCSPMustStaple(ctx) != WOLFSSL_SUCCESS)
err_sys("can't enable OCSP Must Staple");
}
switch (statusRequest) { switch (statusRequest) {
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST #ifdef HAVE_CERTIFICATE_STATUS_REQUEST

52
scripts/ocsp-stapling.test
View File

@ -334,6 +334,58 @@ if [ $? -ne 0 ]; then
printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "Test successfully REVOKED!"
fi fi
# need a unique port since may run the same time as testsuite
generate_port() {
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
}
# Start OpenSSL server that has no OCSP responses to return
generate_port
openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
openssl_pid=$!
sleep 0.1
printf '%s\n\n' "------------- TEST CASE 5 SHOULD PASS ----------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 1
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 5 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 6 SHOULD UNKNOWN -------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 1m
RESULT=$?
[ $RESULT -ne 1 ] && printf '\n\n%s\n' "Client connection 6 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
openssl ciphers -tls1_3
openssl_tls13=$?
./examples/client/client -v 4 2>&1 | grep -- 'Bad SSL version'
wolfssl_not_tls13=$?
if [ "$openssl_tls13" = "0" -a "wolfssl_not_tls13" != "0" ]; then
printf '%s\n\n' "------------- TEST CASE 7 SHOULD PASS --------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 4 -W 1
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 7 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 8 SHOULD UNKNOWN -----------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 4 -W 1m
RESULT=$?
[ $RESULT -ne 1 ] \
&& printf '\n\n%s\n' "Client connection 8 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
fi
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
exit 0 exit 0

29
scripts/ocsp-stapling2.test
View File

@ -423,6 +423,35 @@ if [ $? -ne 1 ]; then
fi fi
printf '%s\n\n' "Test successfully REVOKED!" printf '%s\n\n' "Test successfully REVOKED!"
# need a unique port since may run the same time as testsuite
generate_port() {
port=$(($(od -An -N2 /dev/random) % (65535-49512) + 49512))
}
# Start OpenSSL server that has no OCSP responses to return
generate_port
openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port &
openssl_pid=$!
sleep 0.1
printf '%s\n\n' "------------- TEST CASE 9 SHOULD PASS ----------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 2
RESULT=$?
[ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection 9 failed" && exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------- TEST CASE 10 SHOULD UNKNOWN -------------------"
# client asks for OCSP staple but doesn't fail when none returned
./examples/client/client -p $port -g -v 3 -W 2m
RESULT=$?
[ $RESULT -ne 1 ] \
&& printf '\n\n%s\n' "Client connection 10 succeeded $RESULT" \
&& exit 1
printf '%s\n\n' "Test PASSED!"
printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------" printf '%s\n\n' "------------------- TESTS COMPLETE ---------------------------"
exit 0 exit 0

24
src/internal.c
View File

@ -11136,7 +11136,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
args->fatal = TLSX_CSR_InitRequest(ssl->extensions, args->fatal = TLSX_CSR_InitRequest(ssl->extensions,
args->dCert, ssl->heap); args->dCert, ssl->heap);
doLookup = 0; doLookup = 0;
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_CLIENT)
if (ssl->options.tls1_3) { if (ssl->options.tls1_3) {
TLSX* ext = TLSX_Find(ssl->extensions, TLSX* ext = TLSX_Find(ssl->extensions,
TLSX_STATUS_REQUEST); TLSX_STATUS_REQUEST);
@ -11152,6 +11152,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
#endif #endif
} }
/* Ensure a stapling response was seen */
else if (ssl->options.tls1_3 &&
ssl->ctx->cm->ocspMustStaple) {
ret = OCSP_CERT_UNKNOWN;
goto exit_ppc;
}
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
if (ssl->status_request_v2) { if (ssl->status_request_v2) {
@ -12217,6 +12223,22 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
return ret; return ret;
} }
#endif #endif
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
/* Check that a status request extension was seen as the
* CertificateStatus wasn't when an OCSP staple is required.
*/
if (
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
!ssl->status_request &&
#endif
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
!ssl->status_request_v2 &&
#endif
ssl->ctx->cm->ocspMustStaple) {
return OCSP_CERT_UNKNOWN;
}
#endif
} }
break; break;

60
src/ssl.c
View File

@ -6293,6 +6293,48 @@ int wolfSSL_CertManagerDisableOCSPStapling(WOLFSSL_CERT_MANAGER* cm)
return ret; return ret;
} }
/* require OCSP stapling response */
int wolfSSL_CertManagerEnableOCSPMustStaple(WOLFSSL_CERT_MANAGER* cm)
{
int ret = WOLFSSL_SUCCESS;
WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSPMustStaple");
if (cm == NULL)
return BAD_FUNC_ARG;
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
#ifndef NO_WOLFSSL_CLIENT
cm->ocspMustStaple = 1;
#endif
#else
ret = NOT_COMPILED_IN;
#endif
return ret;
}
int wolfSSL_CertManagerDisableOCSPMustStaple(WOLFSSL_CERT_MANAGER* cm)
{
int ret = WOLFSSL_SUCCESS;
WOLFSSL_ENTER("wolfSSL_CertManagerDisableOCSPMustStaple");
if (cm == NULL)
return BAD_FUNC_ARG;
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
#ifndef NO_WOLFSSL_CLIENT
cm->ocspMustStaple = 0;
#endif
#else
ret = NOT_COMPILED_IN;
#endif
return ret;
}
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
/* check CRL if enabled, WOLFSSL_SUCCESS */ /* check CRL if enabled, WOLFSSL_SUCCESS */
int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
@ -6513,6 +6555,24 @@ int wolfSSL_CTX_DisableOCSPStapling(WOLFSSL_CTX* ctx)
else else
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
int wolfSSL_CTX_EnableOCSPMustStaple(WOLFSSL_CTX* ctx)
{
WOLFSSL_ENTER("wolfSSL_CTX_EnableOCSPMustStaple");
if (ctx)
return wolfSSL_CertManagerEnableOCSPMustStaple(ctx->cm);
else
return BAD_FUNC_ARG;
}
int wolfSSL_CTX_DisableOCSPMustStaple(WOLFSSL_CTX* ctx)
{
WOLFSSL_ENTER("wolfSSL_CTX_DisableOCSPMustStaple");
if (ctx)
return wolfSSL_CertManagerDisableOCSPMustStaple(ctx->cm);
else
return BAD_FUNC_ARG;
}
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST || HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ #endif /* HAVE_CERTIFICATE_STATUS_REQUEST || HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
#endif /* HAVE_OCSP */ #endif /* HAVE_OCSP */

4
tests/api.c
View File

@ -1581,6 +1581,8 @@ static void test_wolfSSL_CTX_enable_disable(void)
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
AssertIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), BAD_FUNC_ARG); AssertIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), BAD_FUNC_ARG);
AssertIntEQ(wolfSSL_CTX_EnableOCSPMustStaple(ctx), BAD_FUNC_ARG);
#endif #endif
#ifndef NO_WOLFSSL_CLIENT #ifndef NO_WOLFSSL_CLIENT
@ -1620,6 +1622,8 @@ static void test_wolfSSL_CTX_enable_disable(void)
defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
AssertIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_DisableOCSPStapling(ctx), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_EnableOCSPStapling(ctx), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_DisableOCSPMustStaple(ctx), WOLFSSL_SUCCESS);
#endif #endif
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
#endif /* NO_CERTS */ #endif /* NO_CERTS */

28
wolfssl/internal.h
View File

@ -1998,18 +1998,22 @@ struct WOLFSSL_CERT_MANAGER {
#ifndef NO_WOLFSSL_CM_VERIFY #ifndef NO_WOLFSSL_CM_VERIFY
VerifyCallback verifyCallback; /* Verify callback */ VerifyCallback verifyCallback; /* Verify callback */
#endif #endif
CallbackCACache caCacheCallback; /* CA cache addition callback */ CallbackCACache caCacheCallback; /* CA cache addition callback */
CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ CbMissingCRL cbMissingCRL; /* notify thru cb of missing crl */
CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */
CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */
wolfSSL_Mutex caLock; /* CA list lock */ wolfSSL_Mutex caLock; /* CA list lock */
byte crlEnabled; /* is CRL on ? */ byte crlEnabled:1; /* is CRL on ? */
byte crlCheckAll; /* always leaf, but all ? */ byte crlCheckAll:1; /* always leaf, but all ? */
byte ocspEnabled; /* is OCSP on ? */ byte ocspEnabled:1; /* is OCSP on ? */
byte ocspCheckAll; /* always leaf, but all ? */ byte ocspCheckAll:1; /* always leaf, but all ? */
byte ocspSendNonce; /* send the OCSP nonce ? */ byte ocspSendNonce:1; /* send the OCSP nonce ? */
byte ocspUseOverrideURL; /* ignore cert's responder, override */ byte ocspUseOverrideURL:1; /* ignore cert responder, override */
byte ocspStaplingEnabled; /* is OCSP Stapling on ? */ byte ocspStaplingEnabled:1; /* is OCSP Stapling on ? */
#if !defined(NO_WOLFSSL_CLIENT) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
|| defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2))
byte ocspMustStaple:1; /* server must respond with staple */
#endif
#ifndef NO_RSA #ifndef NO_RSA
short minRsaKeySz; /* minimum allowed RSA key size */ short minRsaKeySz; /* minimum allowed RSA key size */

6
wolfssl/ssl.h
View File

@ -2772,6 +2772,10 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
WOLFSSL_CERT_MANAGER* cm); WOLFSSL_CERT_MANAGER* cm);
WOLFSSL_API int wolfSSL_CertManagerDisableOCSPStapling( WOLFSSL_API int wolfSSL_CertManagerDisableOCSPStapling(
WOLFSSL_CERT_MANAGER* cm); WOLFSSL_CERT_MANAGER* cm);
WOLFSSL_API int wolfSSL_CertManagerEnableOCSPMustStaple(
WOLFSSL_CERT_MANAGER* cm);
WOLFSSL_API int wolfSSL_CertManagerDisableOCSPMustStaple(
WOLFSSL_CERT_MANAGER* cm);
#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM)
WOLFSSL_API WOLFSSL_STACK* wolfSSL_CertManagerGetCerts(WOLFSSL_CERT_MANAGER* cm); WOLFSSL_API WOLFSSL_STACK* wolfSSL_CertManagerGetCerts(WOLFSSL_CERT_MANAGER* cm);
#endif #endif
@ -2808,6 +2812,8 @@ WOLFSSL_API WOLFSSL_STACK* wolfSSL_CertManagerGetCerts(WOLFSSL_CERT_MANAGER* cm)
CbOCSPIO, CbOCSPRespFree, void*); CbOCSPIO, CbOCSPRespFree, void*);
WOLFSSL_API int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_DisableOCSPStapling(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_DisableOCSPStapling(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_EnableOCSPMustStaple(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_DisableOCSPMustStaple(WOLFSSL_CTX*);
#endif /* !NO_CERTS */ #endif /* !NO_CERTS */