[ocsp] Allow OCSP checks to be disabled

Some CAs provide non-functional OCSP servers, and some clients are
forced to operate on networks without access to the OCSP servers.
Allow the user to explicitly disable the use of OCSP checks by
undefining OCSP_CHECK in config/crypto.h.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

2 files changed, 20 insertions, 0 deletions

diff --git a/src/config/crypto.h b/src/config/crypto.h
index 8f885c554..1edcdce45 100644
--- a/src/config/crypto.h
+++ b/src/config/crypto.h
@@ -58,6 +58,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  */
 #define CROSSCERT "http://ca.ipxe.org/auto"
 
+/** Perform OCSP checks when applicable
+ *
+ * Some CAs provide non-functional OCSP servers, and some clients are
+ * forced to operate on networks without access to the OCSP servers.
+ * Allow the user to explicitly disable the use of OCSP checks.
+ */
+#define OCSP_CHECK
+
 #include <config/named.h>
 #include NAMED_CONFIG(crypto.h)
 #include <config/local/crypto.h>
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 9a6b3fe67..be0bddc50 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -14,6 +14,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/asn1.h>
 #include <ipxe/x509.h>
 #include <ipxe/refcnt.h>
+#include <config/crypto.h>
+
+/* Allow OCSP to be disabled completely */
+#ifdef OCSP_CHECK
+#define OCSP_ENABLED 1
+#else
+#define OCSP_ENABLED 0
+#endif
 
 /** OCSP algorithm identifier */
 #define OCSP_ALGORITHM_IDENTIFIER( ... )				\
@@ -119,6 +127,10 @@ ocsp_put ( struct ocsp_check *ocsp ) {
  */
 static inline int ocsp_required ( struct x509_certificate *cert ) {
 
+	/* An OCSP check is never required if OCSP checks are disabled */
+	if ( ! OCSP_ENABLED )
+		return 0;
+
 	/* An OCSP check is required if an OCSP URI exists but the
 	 * OCSP status is not (yet) good.
 	 */