MINOR: ssl/ocsp: use 'ocsp-update' in crt-store

Use the ocsp-update keyword in the crt-store section. This is not used as an exception in the crtlist code anymore. This patch introduces the "ocsp_update_mode" variable in the ckch_conf structure. The SSL_SOCK_OCSP_UPDATE_* enum was changed to a define to match the ckch_conf on/off parser so we can have off to -1.
2025-08-05 22:56:57 +02:00 · 2024-04-30 21:55:45 +02:00 · 2024-04-30 21:55:45 +02:00 · 2b6b7fea58
commit 2b6b7fea58
parent 462e5b0098
6 changed files with 22 additions and 6 deletions
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@ -65,6 +65,7 @@ struct ckch_conf {
 	char *ocsp;
 	char *issuer;
 	char *sctl;
+	int ocsp_update_mode;
 };

 /*
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@ -55,6 +55,7 @@ void ssl_destroy_ocsp_update_task(void);

 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);

+int ocsp_update_init(void *value, char *buf, struct ckch_data *d, char **err);

 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */

--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@ -105,11 +105,9 @@ enum {
 };

 /* bind ocsp update mode */
-enum {
-	SSL_SOCK_OCSP_UPDATE_DFLT     = 0,
-	SSL_SOCK_OCSP_UPDATE_OFF      = 1,
-	SSL_SOCK_OCSP_UPDATE_ON       = 2,
-};
+#define	SSL_SOCK_OCSP_UPDATE_OFF   -1
+#define	SSL_SOCK_OCSP_UPDATE_DFLT   0
+#define	SSL_SOCK_OCSP_UPDATE_ON     1

 /* states of the CLI IO handler for 'set ssl cert' */
 enum {
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -4032,6 +4032,7 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 	{ "ocsp",   offsetof(struct ckch_conf, ocsp),   PARSE_TYPE_STR, ckch_conf_load_ocsp_response, &current_crtbase },
 	{ "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer,   &current_crtbase },
 	{ "sctl",   offsetof(struct ckch_conf, sctl),   PARSE_TYPE_STR, ckch_conf_load_sctl,          &current_crtbase },
+	{ "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, NULL   },
 	{ NULL,     -1,                                  PARSE_TYPE_STR, NULL,                                  NULL            }
 };

--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@ -1974,6 +1974,19 @@ static int ocsp_update_parse_global_http_proxy(char **args, int section_type, st
 	return 0;
 }

+int ocsp_update_init(void *value, char *buf, struct ckch_data *d, char **err)
+{
+	int ocsp_update_mode = *(int *)value;
+	int ret = 0;
+
+	if (ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+		/* We might need to create the main ocsp update task */
+		ret = ssl_create_ocsp_update_task(err);
+	}
+
+	return ret;
+}
+
 static struct cli_kw_list cli_kws = {{ },{
 	{ { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response <resp|payload>       : update a certificate's OCSP Response from a base64-encode DER",      cli_parse_set_ocspresponse, NULL },

--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -1127,7 +1127,9 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
 	char *err = NULL;
 	size_t path_len;
 	int inc_refcount_store = 0;
-	int enable_auto_update = 0;
+	int enable_auto_update = (store->conf.ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) ||
+	                         (store->conf.ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT &&
+	                          global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON);

 	x = data->cert;
 	if (!x)