MINOR: ssl: Add certificate's path to certificate_ocsp structure

In order to have some information about the frontend certificate when
dumping the contents of the ocsp update tree from the cli, we could
either keep a reference to a ckch_store in the certificate_ocsp
structure, which might cause some dangling reference problems, or
simply copy the path to the certificate in the ocsp response structure.
This latter solution was chosen because of its simplicity.
Remi Tricot-Le Breton 2023-03-01 16:11:50 +01:00 committed by William Lallemand
parent ad6cba83a4
commit 0c96ee48b4
2 changed files with 8 additions and 4 deletions


@ -55,6 +55,8 @@ struct certificate_ocsp {
unsigned int last_update_status;/* Status of the last OCSP update */
unsigned int num_success; /* Number of successful updates */
unsigned int num_failure; /* Number of failed updates */
unsigned int fail_count; /* Number of successive failures */
char path[VAR_ARRAY];
};
struct ocsp_cbk_arg {
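Review bot: `char path[VAR_ARRAY];` is the only member of `certificate_ocsp` in this hunk without a trailing comment, and a flexible array member has two constraints a reader needs stated: it must stay the last member, and every allocation of the struct must add room for the string it will hold. Suggest `char path[VAR_ARRAY]; /* NUL-terminated path of the certificate file; must stay last, allocate sizeof(*ocsp) + strlen(path) + 1 */`. The struct definition itself starts outside the hunk.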


@ -1099,7 +1099,7 @@ static int tlskeys_finalize_config(void)
* Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
* successfully enabled, or -1 in other error case.
*/
static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
{
X509 *x, *issuer;
int i, ret = -1;
@ -1159,7 +1159,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
goto out;
ocsp = calloc(1, sizeof(*ocsp));
ocsp = calloc(1, sizeof(*ocsp)+strlen(path)+1);
if (!ocsp)
goto out;
@ -1261,6 +1261,8 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
goto out;
}
strcpy(iocsp->path, path);
ssl_ocsp_update_insert(iocsp);
}
}
@ -1286,7 +1288,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
#endif
#ifdef OPENSSL_IS_BORINGSSL
static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
{
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
}
@ -3462,7 +3464,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data,
* ocsp tree even if no ocsp_response was known during init, unless the
* frontend's conf disables ocsp update explicitely.
*/
if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) {
if (ssl_sock_load_ocsp(path, ctx, data, find_chain) < 0) {
if (data->ocsp_response)
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
err && *err ? *err : "", path);
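Review bot: The `strcpy(iocsp->path, path)` added in the `@ -1261` hunk writes through `iocsp`, while the buffer sized for `strlen(path)+1` in the `@ -1159` hunk is `ocsp`; if `iocsp` can refer to an entry that already existed in the ocsp tree (the lookup that assigns it is outside the hunk), that entry's flexible array was sized for a different, possibly shorter path and the unbounded copy becomes a heap overflow driven by certificate file names. The safe place for the copy is right after the allocation succeeds, where the buffer is known to fit: `strcpy(ocsp->path, path);` following the `if (!ocsp) goto out;` check, with the later copy dropped or at least guarded by a check that `iocsp` is the freshly allocated object. Independently, the BoringSSL stub in the `@ -1286` hunk now takes `const char *path, ..., struct ckch_data *data` but its body still dereferences `ckch`, which is pre-existing but worth fixing while the signature is being touched. The enclosing function continues outside each hunk.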