From 0c96ee48b4abcb0f5f9fc5b1f9f3e7d7311ebdef Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Wed, 1 Mar 2023 16:11:50 +0100
Subject: [PATCH] MINOR: ssl: Add certificate's path to certificate_ocsp structure

In order to have some information about the frontend certificate when dumping the contents of the ocsp update tree from the cli, we could either keep a reference to a ckch_store in the certificate_ocsp structure, which might cause some dangling reference problems, or simply copy the path to the certificate in the ocsp response structure. This latter solution was chosen because of its simplicity.
---
 include/haproxy/ssl_ocsp-t.h | 2 ++
 src/ssl_sock.c | 10 ++++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index b3304f7a3..599d68afd 100644
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -55,6 +55,8 @@ struct certificate_ocsp {
 unsigned int last_update_status;/* Status of the last OCSP update */
 unsigned int num_success; /* Number of successful updates */
 unsigned int num_failure; /* Number of failed updates */
+ unsigned int fail_count; /* Number of successive failures */
+ char path[VAR_ARRAY];
 };

 struct ocsp_cbk_arg {
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7c3c152a5..2d4ededf1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1099,7 +1099,7 @@ static int tlskeys_finalize_config(void)
 * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
 * successfully enabled, or -1 in other error case.
 */
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
 {
 X509 *x, *issuer;
 int i, ret = -1;
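Review bot: The two members added to struct certificate_ocsp are not documented, and `path` being a flexible array whose size is fixed when the entry is allocated is invisible to a reader of the header. Suggest `unsigned int fail_count; /* Number of successive failures (num_failure is the cumulative count) */` and `char path[VAR_ARRAY]; /* NUL-terminated certificate path, allocated together with the struct; must remain the last member */`. The commit description only mentions the path, so a sentence on why `fail_count` is introduced alongside `num_failure` would help whoever reads the log later; I cannot tell from the page where it is reset or incremented.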
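Review bot: The new `path` parameter is not described in the function's header comment, whose tail is visible at the top of the hunk, and the hunk at line 1159 calls strlen() on it without a check, so the contract should state what the caller must guarantee. Suggest adding before the `* Returns 1 if no ".ocsp" file found` line: `* <path> is the certificate's path; it must be a non-NULL string and is copied (not referenced) into the certificate_ocsp entry.` The body of ssl_sock_load_ocsp continues beyond this hunk.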
@@ -1159,7 +1159,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
 if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
 goto out;

- ocsp = calloc(1, sizeof(*ocsp));
+ ocsp = calloc(1, sizeof(*ocsp)+strlen(path)+1);
 if (!ocsp)
 goto out;

@@ -1261,6 +1261,8 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
 goto out;
 }

+ strcpy(iocsp->path, path);
+
 ssl_ocsp_update_insert(iocsp);
 }
 }
@@ -1286,7 +1288,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
 #endif

 #ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
 {
 return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
 }
@@ -3462,7 +3464,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data,
 * ocsp tree even if no ocsp_response was known during init, unless the
 * frontend's conf disables ocsp update explicitely.
 */
- if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) {
+ if (ssl_sock_load_ocsp(path, ctx, data, find_chain) < 0) {
 if (data->ocsp_response)
 memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
 err && *err ? *err : "", path);
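Review bot: The entry sized for `strlen(path)+1` here is `ocsp`, but the copy added in the hunk at line 1261 writes into `iocsp->path`, and nothing in the visible hunks shows that `iocsp` is always this freshly allocated entry. If `iocsp` can be a pre-existing node (for example the result of a tree insert that found an equal key), its trailing array was sized for a different path and `strcpy` writes past the heap allocation whenever the new path is longer. Copying into the node right after the allocation it was sized for, `strcpy(ocsp->path, path);` immediately after the `if (!ocsp) goto out;` check, removes that dependency; otherwise the copy at 1261 should at least be guarded with `if (iocsp == ocsp)`. Storing `size_t pathlen = strlen(path);` once and using it for both the calloc size and a `memcpy(..., pathlen + 1)` keeps the two sides from drifting apart. ssl_sock_load_ocsp starts and ends outside this hunk.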
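Review bot: The BoringSSL variant at line 1288 still dereferences `ckch`, which is not one of its parameters (`path`, `ctx`, `data`, `chain`), so this stub cannot compile when OPENSSL_IS_BORINGSSL is defined; the signature change was the moment to fix it. The intended object is presumably `data`: `return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)data->ocsp_response->area, data->ocsp_response->data);`. Whether `data->ocsp_response` can be NULL on this path is not visible here; the caller in the hunk at line 3464 treats a missing response as a possible state, so the stub may need a guard before dereferencing it. `path` is deliberately unused in this variant, which a short comment on the signature line would make explicit.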