Server-side OCSP stapling support.

This is a simpler implementation than OpenSSL's: it lacks support for
responder IDs and request extensions. This mirrors the client
implementation already present.

Change-Id: I54592b60e0a708bfb003d491c9250401403c9e69
Reviewed-on: https://boringssl-review.googlesource.com/5700
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7d62fb9..8397b74 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -627,6 +627,13 @@
 OPENSSL_EXPORT int SSL_get0_chain_certs(const SSL *ssl,
                                         STACK_OF(X509) **out_chain);
 
+/* SSL_CTX_set_ocsp_response sets the OCSP reponse that is sent to clients
+ * which request it. It returns one on success and zero on error. The caller
+ * retains ownership of |response|. */
+OPENSSL_EXPORT int SSL_CTX_set_ocsp_response(SSL_CTX *ctx,
+                                             const uint8_t *response,
+                                             size_t response_len);
+
 
 /* Certificate and private key convenience functions. */
 
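Review bot: The comment on `SSL_CTX_set_ocsp_response` does not say what the library does with `response`, and that matters because clients rely on the stapled response for revocation status. From the declaration alone the bytes appear to be stored and sent as given, so the contract should state that the caller supplies a DER-encoded OCSPResponse for the configured leaf certificate and must replace it before it expires. If that matches the implementation (not visible in this hunk), add a sentence such as `The response is sent verbatim; it is not parsed or checked for freshness.` The comment should also say whether a zero `response_len` clears a previously stored response. Separately, "reponse" in the first line should read "response".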
@@ -1464,6 +1471,10 @@
   /* If true, a client will request a stapled OCSP response. */
   char ocsp_stapling_enabled;
 
+  /* OCSP response to be sent to the client, if requested. */
+  uint8_t *ocsp_response;
+  size_t ocsp_response_length;
+
   /* If not NULL, session key material will be logged to this BIO for debugging
    * purposes. The format matches NSS's and is readable by Wireshark. */
   BIO *keylog_bio;
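Review bot: The new `ocsp_response` / `ocsp_response_length` fields carry no ownership or threading note. A stapled response has to be refreshed periodically, so the setter will typically run while handshakes sharing this context are reading the buffer. If the setter frees and replaces the pointer (its body is not in this hunk), a concurrent handshake could read freed memory. Either document that the response must only be set while no connections are using the context, or take the context's lock around both the update and the read. A comment along the lines of `/* OCSP response to be sent to the client, if requested. Owned by this structure and freed with it. */` would also record who releases the buffer. The enclosing struct begins and ends outside this hunk.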
@@ -1830,9 +1841,8 @@
   /* Enable signed certificate time stamps. Currently client only. */
   char signed_cert_timestamps_enabled;
 
-  /* Enable OCSP stapling. Currently client only.
-   * TODO(davidben): Add a server-side implementation when it becomes
-   * necesary. */
+  /* ocsp_stapling_enabled is only used by client connections and indicates
+   * whether OCSP stapling will be requested. */
   char ocsp_stapling_enabled;
 
   /* For a client, this contains the list of supported protocols in wire