default : multi OCSP stapling on TLS13

add configue.ac to handle mOCSP on TLS13
wolfSSL · Aug 4, 2024 · 83b6af6 · 83b6af6
1 parent 8081974
commit 83b6af6
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 8 deletions.
diff --git a/configure.ac b/configure.ac
@@ -5893,10 +5893,27 @@ fi
 
 # Certificate Status Request : a.k.a. OCSP Stapling
 AC_ARG_ENABLE([ocspstapling],
-    [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])],
+    [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling ((options: yes, no-multi, no, disabled default: disabled)])],
     [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ],
     [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
     )
+AS_CASE([$ENABLED_CERTIFICATE_STATUS_REQUEST],
+    [no],[
+        ENABLED_CERTIFICATE_STATUS_REQUEST="no"
+        ENABLED_TLS_OCSP_MULTI="no"
+    ],
+    [disabled],[
+        ENABLED_CERTIFICATE_STATUS_REQUEST="no"
+        ENABLED_TLS_OCSP_MULTI="no"
+    ],
+    [yes],[
+        ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
+        ENABLED_TLS_OCSP_MULTI="yes"
+    ],
+    [no-multi],[
+        ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
+        ENABLED_TLS_OCSP_MULTI="no"
+    ])
 
 if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || \
    test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || \
@@ -9454,7 +9471,17 @@ if test "$ENABLED_DH" != "no" && test "$ENABLED_DH" != "const"; then
    LT_LIB_M
 fi
 
-
+# mulitple OCSP stapling for TLS 1.3 Certificate extension
+if test "$ENABLED_CERTIFICATE_STATUS_REQUEST" = "yes"
+then
+    if test "$ENABLED_TLS13" = "yes"
+    then
+        if test "$ENABLED_TLS_OCSP_MULTI" = "yes"
+        then
+            AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_OCSP_MULTI"
+        fi
+    fi
+fi
 ################################################################################
 
 # USER SETTINGS
@@ -9705,6 +9732,7 @@ AM_CONDITIONAL([BUILD_SM4],[test "x$ENABLED_SM4" != "xno" || test "x$ENABLED_USE
 AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
+AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" && test "x$ENABLED_TLS13" = "xyes" && test "x$ENABLED_TLS_OCSP_MULTI" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])

diff --git a/examples/client/client.c b/examples/client/client.c
@@ -1221,7 +1221,7 @@ static const char* client_usage_msg[][78] = {
  || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
         "-W <num>    Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n",     /* 41 */
         "            With 'm' at end indicates MUST staple\n",          /* 42 */
-#if defined(WOLFSSL_TLS13) && defined(HAVE_CSR_TLS13MULTI)
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
         "            -W 1 tls13 multi. Perform multi OCSP stapling when"
         " using TLS13\n",                                               /* 43 */
 #endif
@@ -1453,7 +1453,7 @@ static const char* client_usage_msg[][78] = {
         "-W <num>    OCSP Staplingを使用する"
                                          " (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
         "            'm' を最後に指定すると必ず staple を使用する\n"       /* 42 */
-#if defined(WOLFSSL_TLS13) && defined(HAVE_CSR_TLS13MULTI)
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
         "            -W 1 tls13 multi. "
         "TLS13 使用時に複数(Multi)の OCSP を実施します\n"                   /* 43 */
 #endif

diff --git a/scripts/include.am b/scripts/include.am
@@ -27,15 +27,19 @@ endif
 
 if BUILD_OCSP_STAPLING
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
+if BUILD_OCSP_STAPLING_MULTI
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling_tls13multi.test
+endif
 if !BUILD_OCSP_STAPLING_V2
-testsuite/testsuite.log: scripts/ocsp-stapling.log scripts/ocsp-stapling_tls13multi.log scripts/ocsp-stapling-with-ca-as-responder.log
+testsuite/testsuite.log: scripts/ocsp-stapling.log scripts/ocsp-stapling-with-ca-as-responder.log
 endif
 scripts/ocsp-stapling.log: scripts/ocsp.log
-scripts/ocsp-stapling_tls13multi.log: scripts/ocsp-stapling.log
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
 scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp.log
 scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
+if BUILD_OCSP_STAPLING_MULTI
+scripts/ocsp-stapling_tls13multi.log: scripts/ocsp-stapling-with-ca-as-responder.log
+endif
 endif
 
 if BUILD_OCSP_STAPLING_V2

diff --git a/src/tls.c b/src/tls.c
@@ -3248,7 +3248,7 @@ static int TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output,
 }
 
 #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \
-    defined(HAVE_CSR_TLS13MULTI)
+    defined(WOLFSSL_TLS_OCSP_MULTI)
 /* Process OCSP request certificate chain
  *
  * ssl       SSL/TLS object.
@@ -3551,7 +3551,7 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length,
 
             if (csr->responses[0].buffer)
                 TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
-        #if defined(HAVE_CSR_TLS13MULTI)
+        #if defined(WOLFSSL_TLS_OCSP_MULTI)
             /* process OCSP request in certificate chain */
             if ((ret = ProcessChainOCSPRequest(ssl)) != 0) {
                 WOLFSSL_MSG("Process Cert Chain OCSP request failed");