[ocsp] Allow OCSP checks to be disabled
Some CAs provide non-functional OCSP servers, and some clients are
forced to operate on networks without access to the OCSP servers.
Allow the user to explicitly disable the use of OCSP checks by
undefining OCSP_CHECK in config/crypto.h.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
mcb30 committed Mar 18, 2018
1 parent a0021a3 commit 9759860
Showing 2 changed files with 20 additions and 0 deletions.
8 changes: 8 additions & 0 deletions src/config/crypto.h
@@ -58,6 +58,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
*/
#define CROSSCERT "http://ca.ipxe.org/auto"

/** Perform OCSP checks when applicable
*
* Some CAs provide non-functional OCSP servers, and some clients are
* forced to operate on networks without access to the OCSP servers.
* Allow the user to explicitly disable the use of OCSP checks.
*/
#define OCSP_CHECK

#include <config/named.h>
#include NAMED_CONFIG(crypto.h)
#include <config/local/crypto.h>
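Review bot: the doc comment on OCSP_CHECK says the user may disable OCSP checks but does not say how; since the header ends by pulling in `<config/local/crypto.h>`, tell the reader that the override belongs there, e.g. add to the comment "To disable, `#undef OCSP_CHECK` in config/local/crypto.h". The commit message points at config/crypto.h itself, which is the file that ships the default, so it is worth being explicit that the local override is the intended place.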
12 changes: 12 additions & 0 deletions src/include/ipxe/ocsp.h
@@ -14,6 +14,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
#include <ipxe/asn1.h>
#include <ipxe/x509.h>
#include <ipxe/refcnt.h>
#include <config/crypto.h>

/* Allow OCSP to be disabled completely */
#ifdef OCSP_CHECK
#define OCSP_ENABLED 1
#else
#define OCSP_ENABLED 0
#endif

/** OCSP algorithm identifier */
#define OCSP_ALGORITHM_IDENTIFIER( ... ) \
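Review bot: mapping the presence of OCSP_CHECK onto an always-defined 0/1 OCSP_ENABLED is the right shape, because it lets callers use `if ( ! OCSP_ENABLED )` and have the compiler discard the disabled path while still type-checking it; the explicit `#include <config/crypto.h>` just above makes the `#ifdef` independent of include order, which is needed here. The comment "Allow OCSP to be disabled completely" should also state the consequence, namely that with OCSP_ENABLED 0 revocation status is never consulted and a revoked certificate with a valid signature chain is accepted, so that anyone flipping the switch sees the trade-off at the definition.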
@@ -119,6 +127,10 @@ ocsp_put ( struct ocsp_check *ocsp ) {
*/
static inline int ocsp_required ( struct x509_certificate *cert ) {

/* An OCSP check is never required if OCSP checks are disabled */
if ( ! OCSP_ENABLED )
return 0;

/* An OCSP check is required if an OCSP URI exists but the
* OCSP status is not (yet) good.
*/
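Review bot: the early `return 0` makes ocsp_required() report "not required" even when the certificate carries an OCSP URI, which silently changes the meaning of the function's result for every caller, so the doc comment of ocsp_required() (the lines just above this hunk) should mention that the answer is unconditionally 0 when OCSP checks are disabled at build time. Since OCSP_ENABLED is a compile-time constant, the check costs nothing at runtime; keeping it as a normal `if` rather than `#if` is preferable because the remainder of the function stays compiled in either configuration.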

0 comments on commit 9759860