[ocsp] Allow OCSP checks to be disabled

Some CAs provide non-functional OCSP servers, and some clients are
forced to operate on networks without access to the OCSP servers.
Allow the user to explicitly disable the use of OCSP checks by
undefining OCSP_CHECK in config/crypto.h.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/config/crypto.h b/src/config/crypto.h
index 8f885c5543b4e6348a76e29933e77b9a3aaa07f8..1edcdce457c7cab44d49c6beea45a664f70d9a95 100644 (file)
--- a/src/config/crypto.h
+++ b/src/config/crypto.h
@@ -58,6 +58,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  */
 #define CROSSCERT "http://ca.ipxe.org/auto"
 
+/** Perform OCSP checks when applicable
+ *
+ * Some CAs provide non-functional OCSP servers, and some clients are
+ * forced to operate on networks without access to the OCSP servers.
+ * Allow the user to explicitly disable the use of OCSP checks.
+ */
+#define OCSP_CHECK
+
 #include <config/named.h>
 #include NAMED_CONFIG(crypto.h)
 #include <config/local/crypto.h>

diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 9a6b3fe67d3a50e56172ba54dafd72937c983c32..be0bddc50e100d30402e4fd447883c1a85ffb42f 100644 (file)
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -14,6 +14,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/asn1.h>
 #include <ipxe/x509.h>
 #include <ipxe/refcnt.h>
+#include <config/crypto.h>
+
+/* Allow OCSP to be disabled completely */
+#ifdef OCSP_CHECK
+#define OCSP_ENABLED 1
+#else
+#define OCSP_ENABLED 0
+#endif
 
 /** OCSP algorithm identifier */
 #define OCSP_ALGORITHM_IDENTIFIER( ... )                               \
@@ -119,6 +127,10 @@ ocsp_put ( struct ocsp_check *ocsp ) {
  */
 static inline int ocsp_required ( struct x509_certificate *cert ) {
 
+       /* An OCSP check is never required if OCSP checks are disabled */
+       if ( ! OCSP_ENABLED )
+               return 0;
+
        /* An OCSP check is required if an OCSP URI exists but the
         * OCSP status is not (yet) good.
         */