
[ocsp] Allow OCSP checks to be disabled

Some CAs provide non-functional OCSP servers, and some clients are
forced to operate on networks without access to the OCSP servers.
Allow the user to explicitly disable the use of OCSP checks by
undefining OCSP_CHECK in config/crypto.h.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 6 years ago
parent
commit
9759860ec0
2 changed files with 20 additions and 0 deletions
  1. 8
    0
      src/config/crypto.h
  2. 12
    0
      src/include/ipxe/ocsp.h

+ 8
- 0
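--- a/src/config/crypto.h
+++ b/src/config/crypto.h
@@ -58,6 +58,14 @@
  */
 #define CROSSCERT "http://ca.ipxe.org/auto"
 
+/** Perform OCSP checks when applicable
+ *
+ * Some CAs provide non-functional OCSP servers, and some clients are
+ * forced to operate on networks without access to the OCSP servers.
+ * Allow the user to explicitly disable the use of OCSP checks.
+ */
+#define OCSP_CHECK
+
 #include <config/named.h>
 #include NAMED_CONFIG(crypto.h)
 #include <config/local/crypto.h>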
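Review bot: The new doc comment on OCSP_CHECK gives the motivation for disabling OCSP checks but states neither the security consequence nor where the override belongs; OCSP is the certificate revocation check, so with OCSP_CHECK undefined a revoked certificate passes validation as if it were still valid. Suggest appending `* Disabling OCSP checks means that revoked certificates will not be detected.` to the comment. The define is placed above the config/local/crypto.h include, which presumably is so that a local config can `#undef OCSP_CHECK`; a line such as `* Undefine OCSP_CHECK in config/local/crypto.h to disable OCSP checks.` would make the intended mechanism explicit to the user.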

+ 12
- 0
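--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -14,6 +14,14 @@
 #include <ipxe/asn1.h>
 #include <ipxe/x509.h>
 #include <ipxe/refcnt.h>
+#include <config/crypto.h>
+
+/* Allow OCSP to be disabled completely */
+#ifdef OCSP_CHECK
+#define OCSP_ENABLED 1
+#else
+#define OCSP_ENABLED 0
+#endif
 
 /** OCSP algorithm identifier */
 #define OCSP_ALGORITHM_IDENTIFIER( ... )				\
@@ -119,6 +127,10 @@
  */
 static inline int ocsp_required ( struct x509_certificate *cert ) {
 
+	/* An OCSP check is never required if OCSP checks are disabled */
+	if ( ! OCSP_ENABLED )
+		return 0;
+
 	/* An OCSP check is required if an OCSP URI exists but the
 	 * OCSP status is not (yet) good.
 	 */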
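Review bot: The comment `/* Allow OCSP to be disabled completely */` above the new OCSP_ENABLED macro claims more than this header shows: within this file the only consumer is the early `return 0` added to ocsp_required(), and OCSP_ENABLED is an integer constant rather than a guard that compiles the OCSP code out, so whether a check is actually skipped depends on every caller going through ocsp_required(), which is not visible here. Suggest `/* OCSP_ENABLED is 1 when OCSP_CHECK is defined in config/crypto.h; when 0, ocsp_required() reports that no check is needed */` so the comment matches what the macro does. The body of ocsp_required() continues past the end of the hunk.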
