[ocsp] Allow OCSP checks to be disabled

Some CAs provide non-functional OCSP servers, and some clients are
forced to operate on networks without access to the OCSP servers.
Allow the user to explicitly disable the use of OCSP checks by
undefining OCSP_CHECK in config/crypto.h.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

Author: mcb30

src/config/crypto.h

@@ -58,6 +58,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
  */
 #define CROSSCERT "http://ca.ipxe.org/auto"
 
+/** Perform OCSP checks when applicable
+ *
+ * Some CAs provide non-functional OCSP servers, and some clients are
+ * forced to operate on networks without access to the OCSP servers.
+ * Allow the user to explicitly disable the use of OCSP checks.
+ */
+#define OCSP_CHECK
+
 #include <config/named.h>
 #include NAMED_CONFIG(crypto.h)
 #include <config/local/crypto.h>

src/include/ipxe/ocsp.h

@@ -14,6 +14,14 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/asn1.h>
 #include <ipxe/x509.h>
 #include <ipxe/refcnt.h>
+#include <config/crypto.h>
+
+/* Allow OCSP to be disabled completely */
+#ifdef OCSP_CHECK
+#define OCSP_ENABLED 1
+#else
+#define OCSP_ENABLED 0
+#endif
 
 /** OCSP algorithm identifier */
 #define OCSP_ALGORITHM_IDENTIFIER( ... )				\
@@ -119,6 +127,10 @@ ocsp_put ( struct ocsp_check *ocsp ) {
  */
 static inline int ocsp_required ( struct x509_certificate *cert ) {
 
+	/* An OCSP check is never required if OCSP checks are disabled */
+	if ( ! OCSP_ENABLED )
+		return 0;
+
 	/* An OCSP check is required if an OCSP URI exists but the
 	 * OCSP status is not (yet) good.
 	 */