diff --git a/configure.ac b/configure.ac
index 344247c637..8f5b355abb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -5893,10 +5893,27 @@ fi
 # Certificate Status Request : a.k.a. OCSP Stapling
 AC_ARG_ENABLE([ocspstapling],
- [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])],
+ [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling ((options: yes, no-multi, no, disabled default: disabled)])],
 [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ],
 [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
 )
+AS_CASE([$ENABLED_CERTIFICATE_STATUS_REQUEST],
+ [no],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="no"
+ ENABLED_TLS_OCSP_MULTI="no"
+ ],
+ [disabled],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="no"
+ ENABLED_TLS_OCSP_MULTI="no"
+ ],
+ [yes],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
+ ENABLED_TLS_OCSP_MULTI="yes"
+ ],
+ [no-multi],[
+ ENABLED_CERTIFICATE_STATUS_REQUEST="yes"
+ ENABLED_TLS_OCSP_MULTI="no"
+ ])
 if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_WPAS" = "xyes" || \
 test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes" || \
@@ -9454,7 +9471,17 @@ if test "$ENABLED_DH" != "no" && test "$ENABLED_DH" != "const"; then
 LT_LIB_M
 fi
-
+# mulitple OCSP stapling for TLS 1.3 Certificate extension
+if test "$ENABLED_CERTIFICATE_STATUS_REQUEST" = "yes"
+then
+ if test "$ENABLED_TLS13" = "yes"
+ then
+ if test "$ENABLED_TLS_OCSP_MULTI" = "yes"
+ then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_OCSP_MULTI"
+ fi
+ fi
+fi
 ################################################################################
 # USER SETTINGS
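Review bot: The AS_CASE added after AC_ARG_ENABLE has no default arm, so a mistyped value such as `--enable-ocspstapling=multi` passes straight through: ENABLED_CERTIFICATE_STATUS_REQUEST keeps the unknown string, ENABLED_TLS_OCSP_MULTI is never assigned, and every later `= "yes"` test (the CFLAGS block and the BUILD_OCSP_STAPLING conditionals) silently treats stapling as disabled instead of rejecting the option. Add a catch-all arm, `[*],[AC_MSG_ERROR([unknown --enable-ocspstapling value: $ENABLED_CERTIFICATE_STATUS_REQUEST])]`, and since the `no` and `disabled` arms are identical they can be folded into one pattern, `[no|disabled],[`. The new help string also carries a stray double parenthesis and no separator before the default; `[Enable OCSP Stapling (options: yes, no-multi, no, disabled; default: disabled)]` reads correctly. The `if test "x$ENABLED_NGINX"` statement that follows the AS_CASE continues outside the hunk.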
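Review bot: The comment opening the new CFLAGS block misspells "multiple" (`# multiple OCSP stapling for TLS 1.3 Certificate extension`), and its three nested `if`/`then` levels evaluate exactly the three-way condition that the later `AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],...)` hunk repeats verbatim, so the `-DWOLFSSL_TLS_OCSP_MULTI` define and the Automake conditional can drift apart if either is edited alone. Normalise the variable once here instead: force `ENABLED_TLS_OCSP_MULTI="no"` when stapling or TLS 1.3 is off, then gate the define on that single variable, and the conditional (which comes later in the file, at 9732 versus 9471 here) can shrink to `[test "x$ENABLED_TLS_OCSP_MULTI" = "xyes"]`. This also removes the separate `then` lines, matching the `; then` form used by the `$ENABLED_DH` test just above the hunk.
```m4
# multiple OCSP stapling for TLS 1.3 Certificate extension
if test "$ENABLED_CERTIFICATE_STATUS_REQUEST" != "yes" || test "$ENABLED_TLS13" != "yes"; then
    ENABLED_TLS_OCSP_MULTI="no"
fi
if test "$ENABLED_TLS_OCSP_MULTI" = "yes"; then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS_OCSP_MULTI"
fi
```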
@@ -9705,6 +9732,7 @@ AM_CONDITIONAL([BUILD_SM4],[test "x$ENABLED_SM4" != "xno" || test "x$ENABLED_USE
 AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
+AM_CONDITIONAL([BUILD_OCSP_STAPLING_MULTI],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" && test "x$ENABLED_TLS13" = "xyes" && test "x$ENABLED_TLS_OCSP_MULTI" = "xyes"])
 AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
diff --git a/examples/client/client.c b/examples/client/client.c
index cdb4af83eb..bfd7fd273a 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -1221,7 +1221,7 @@ static const char* client_usage_msg[][78] = {
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
 "-W Use OCSP Stapling (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
 " With 'm' at end indicates MUST staple\n", /* 42 */
-#if defined(WOLFSSL_TLS13) && defined(HAVE_CSR_TLS13MULTI)
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
 " -W 1 tls13 multi. Perform multi OCSP stapling when"
 " using TLS13\n", /* 43 */
 #endif
@@ -1453,7 +1453,7 @@ static const char* client_usage_msg[][78] = {
 "-W OCSP Staplingを使用する"
 " (1 v1, 2 v2, 3 v2 multi)\n", /* 41 */
 " 'm' を最後に指定すると必ず staple を使用する\n" /* 42 */
-#if defined(WOLFSSL_TLS13) && defined(HAVE_CSR_TLS13MULTI)
+#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS_OCSP_MULTI)
 " -W 1 tls13 multi. "
 "TLS13 使用時に複数(Multi)の OCSP を実施します\n" /* 43 */
 #endif
diff --git a/scripts/include.am b/scripts/include.am
index 2d4bf3c840..c42fce2a7e 100644
--- a/scripts/include.am
+++ b/scripts/include.am
@@ -27,15 +27,19 @@ endif
 if BUILD_OCSP_STAPLING
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
+if BUILD_OCSP_STAPLING_MULTI
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling_tls13multi.test
+endif
 if !BUILD_OCSP_STAPLING_V2
-testsuite/testsuite.log: scripts/ocsp-stapling.log scripts/ocsp-stapling_tls13multi.log scripts/ocsp-stapling-with-ca-as-responder.log
+testsuite/testsuite.log: scripts/ocsp-stapling.log scripts/ocsp-stapling-with-ca-as-responder.log
 endif
 scripts/ocsp-stapling.log: scripts/ocsp.log
-scripts/ocsp-stapling_tls13multi.log: scripts/ocsp-stapling.log
 dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
 scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp.log
 scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
+if BUILD_OCSP_STAPLING_MULTI
+scripts/ocsp-stapling_tls13multi.log: scripts/ocsp-stapling-with-ca-as-responder.log
+endif
 endif
 if BUILD_OCSP_STAPLING_V2
diff --git a/src/tls.c b/src/tls.c
index 692cb22ee1..3807f1ba8f 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -3248,7 +3248,7 @@ static int TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output,
 }
 #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \
- defined(HAVE_CSR_TLS13MULTI)
+ defined(WOLFSSL_TLS_OCSP_MULTI)
 /* Process OCSP request certificate chain
 *
 * ssl SSL/TLS object.
@@ -3551,7 +3551,7 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length,
 if (csr->responses[0].buffer)
 TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
- #if defined(HAVE_CSR_TLS13MULTI)
+ #if defined(WOLFSSL_TLS_OCSP_MULTI)
 /* process OCSP request in certificate chain */
 if ((ret = ProcessChainOCSPRequest(ssl)) != 0) {
 WOLFSSL_MSG("Process Cert Chain OCSP request failed");
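Review bot: The rewritten `testsuite/testsuite.log:` prerequisite line drops `scripts/ocsp-stapling_tls13multi.log`, and the new rule only orders the tls13multi log after `ocsp-stapling-with-ca-as-responder.log`, so in a BUILD_OCSP_STAPLING_MULTI build without BUILD_OCSP_STAPLING_V2 nothing orders testsuite.log relative to the tls13multi test any more. If these prerequisites exist to keep the OCSP-responder tests from running concurrently under a parallel `make check`, which is what the surrounding chains through `scripts/ocsp.log` suggest, that ordering should survive inside the new conditional: `if BUILD_OCSP_STAPLING_MULTI` / `testsuite/testsuite.log: scripts/ocsp-stapling_tls13multi.log` / `endif` next to the existing `if !BUILD_OCSP_STAPLING_V2` block; Make merges repeated prerequisite lines for one target, so this stays harmless when the V2 section adds its own. The enclosing `if BUILD_OCSP_STAPLING` block closes at the visible `endif`, but the file continues past the hunk.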