BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI
This patch reverts 2 fixes that were made in an attempt to fix the
ocsp-update feature used with the 'commit ssl cert' command.
The patches crash the worker when doing a soft-stop when the 'set ssl
ocsp-response' command was used, or during runtime if the ocsp-update
was used.
This was reported in issue #2462 and #2442.
The last patch reverted is the associated reg-test.
Revert "BUG/MEDIUM: ssl: Fix crash when calling "update ssl ocsp-response" when an update is ongoing"
This reverts commit 5e66bf26ec.
Revert "BUG/MEDIUM: ocsp: Separate refcount per instance and per store"
This reverts commit 04b77f84d1b52185fc64735d7d81137479d68b00.
Revert "REGTESTS: ssl: Add OCSP related tests"
This reverts commit acd1b85d3442fc58164bd0fb96e72f3d4b501d15.
This commit is contained in:
parent
19559d4447
commit
4895fdac5a
@ -47,8 +47,7 @@ struct certificate_ocsp {
|
||||
struct ebmb_node key;
|
||||
unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
|
||||
unsigned int key_length;
|
||||
int refcount_store; /* Number of ckch_store that reference this certificate_ocsp */
|
||||
int refcount_instance; /* Number of ckch_inst that reference this certificate_ocsp */
|
||||
int refcount;
|
||||
struct buffer response;
|
||||
long expire;
|
||||
X509 *issuer;
|
||||
@ -61,9 +60,8 @@ struct certificate_ocsp {
|
||||
unsigned int last_update_status;/* Status of the last OCSP update */
|
||||
unsigned int num_success; /* Number of successful updates */
|
||||
unsigned int num_failure; /* Number of failed updates */
|
||||
unsigned int fail_count:30; /* Number of successive failures */
|
||||
unsigned int fail_count:31; /* Number of successive failures */
|
||||
unsigned int update_once:1; /* Set if an entry should not be reinserted into te tree after update */
|
||||
unsigned int updating:1; /* Set if an entry is already being updated */
|
||||
char path[VAR_ARRAY];
|
||||
};
|
||||
|
||||
|
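Review bot: The restored `int refcount;` field, between `key_length` and `response`, is the only counter in this struct left without a comment, while every neighbouring field carries one and the counter's contract is not obvious from its name. As far as the other hunks on this page show, it is incremented in ssl_sock_load_ocsp(), in the `show ssl ocsp-response` CLI handlers and in the update task, and decremented in ssl_sock_free_ocsp(), in each case while `ocsp_tree_lock` appears to be held. Suggest `int refcount; /* references held by SSL_CTX callback args, CLI contexts and in-flight updates; read and written under ocsp_tree_lock */`. The struct definition starts before this hunk.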
@ -36,7 +36,6 @@ int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype);
|
||||
int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg);
|
||||
|
||||
void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp);
|
||||
void ssl_sock_free_ocsp_instance(struct certificate_ocsp *ocsp);
|
||||
|
||||
int ssl_sock_load_ocsp_response(struct buffer *ocsp_response,
|
||||
struct certificate_ocsp *ocsp,
|
||||
|
@ -533,186 +533,3 @@ haproxy h6 -cli {
|
||||
send "show ssl ocsp-updates"
|
||||
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*| 1 | 0 | 1 | Update successful"
|
||||
}
|
||||
|
||||
haproxy h6 -wait
|
||||
process p6 -wait
|
||||
|
||||
|
||||
######################
|
||||
# #
|
||||
# SEVENTH TEST CASE #
|
||||
# #
|
||||
######################
|
||||
|
||||
#
|
||||
# Check that removing crt-list instances does not remove the OCSP responses
|
||||
# from the tree but that they will not be auto updated anymore if the last
|
||||
# instance is removed (via del ssl crt-list).
|
||||
#
|
||||
|
||||
haproxy h7 -conf {
|
||||
global
|
||||
tune.ssl.default-dh-param 2048
|
||||
tune.ssl.capture-buffer-size 1
|
||||
stats socket "${tmpdir}/h7/stats" level admin
|
||||
crt-base ${testdir}/ocsp_update
|
||||
|
||||
defaults
|
||||
mode http
|
||||
option httplog
|
||||
log stderr local0 debug err
|
||||
option logasap
|
||||
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
|
||||
frontend ssl-fe
|
||||
bind "${tmpdir}/ssl-h7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
||||
http-request return status 200
|
||||
|
||||
listen http_rebound_lst
|
||||
mode http
|
||||
bind "127.0.0.1:12345"
|
||||
server s1 "127.0.0.1:12346"
|
||||
} -start
|
||||
|
||||
# Check that the two certificates are taken into account in the auto update process
|
||||
haproxy h7 -cli {
|
||||
send "show ssl ocsp-updates"
|
||||
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*"
|
||||
|
||||
send "show ssl ocsp-updates"
|
||||
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
|
||||
}
|
||||
|
||||
# Remove the second line from the crt-list and check that the corresponding
|
||||
# ocsp response was removed from the auto update list but is still present in the
|
||||
# system
|
||||
haproxy h7 -cli {
|
||||
send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
|
||||
expect ~ "Entry.*deleted in crtlist"
|
||||
|
||||
send "show ssl ocsp-updates"
|
||||
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
|
||||
|
||||
send "show ssl ocsp-response"
|
||||
expect ~ "Certificate ID key : 303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016"
|
||||
|
||||
send "show ssl ocsp-response ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa"
|
||||
expect ~ ".* Cert Status: good.*"
|
||||
}
|
||||
|
||||
# Add the previously removed crt-list line with auto-update enabled and check that
|
||||
# the ocsp response appears in the auto update list
|
||||
shell {
|
||||
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h7/stats" - | grep "Inserting certificate.*in crt-list"
|
||||
}
|
||||
|
||||
haproxy h7 -cli {
|
||||
send "show ssl ocsp-updates"
|
||||
expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*"
|
||||
}
|
||||
|
||||
# Check that the auto update option consistency check work even when crt-list
|
||||
# lines are added through the cli
|
||||
shell {
|
||||
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h7/stats" - | grep "Incompatibilities found in OCSP update mode for certificate"
|
||||
}
|
||||
|
||||
haproxy h7 -wait
|
||||
|
||||
####################
|
||||
# #
|
||||
# EIGTH TEST CASE #
|
||||
# #
|
||||
####################
|
||||
|
||||
#
|
||||
# Check that a certificate created through the CLI and which does not have ocsp
|
||||
# update enabled can be updated via "update ssl ocsp-response" command.
|
||||
#
|
||||
|
||||
process p8 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start
|
||||
|
||||
barrier b8 cond 2 -cyclic
|
||||
|
||||
syslog Syslog_h8 -level info {
|
||||
recv
|
||||
expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1"
|
||||
|
||||
barrier b8 sync
|
||||
} -start
|
||||
|
||||
|
||||
haproxy h8 -conf {
|
||||
global
|
||||
tune.ssl.default-dh-param 2048
|
||||
tune.ssl.capture-buffer-size 1
|
||||
stats socket "${tmpdir}/h8/stats" level admin
|
||||
crt-base ${testdir}/ocsp_update
|
||||
|
||||
defaults
|
||||
mode http
|
||||
option httplog
|
||||
log stderr local0 debug err
|
||||
option logasap
|
||||
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
||||
|
||||
frontend ssl-fe
|
||||
bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all
|
||||
http-request return status 200
|
||||
|
||||
listen http_rebound_lst
|
||||
mode http
|
||||
option httplog
|
||||
log ${Syslog_h8_addr}:${Syslog_h8_port} local0
|
||||
bind "127.0.0.1:12345"
|
||||
server s1 "127.0.0.1:12346"
|
||||
} -start
|
||||
|
||||
# We need to "enable" the cli with a first cli call before using it only through socats
|
||||
haproxy h8 -cli {
|
||||
send "show ssl cert"
|
||||
expect ~ ""
|
||||
}
|
||||
|
||||
# Create a new certificate and add it in the crt-list with ocsp auto-update enabled
|
||||
shell {
|
||||
echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" -
|
||||
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h8/stats" -
|
||||
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h8/stats" -
|
||||
printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h8/stats" -
|
||||
echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" -
|
||||
|
||||
printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h8/stats" -
|
||||
}
|
||||
|
||||
# Check that the line is in the crt-list
|
||||
haproxy h8 -cli {
|
||||
send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list"
|
||||
expect ~ "${testdir}/ocsp_update/rsa.pem .* foo.bar"
|
||||
}
|
||||
|
||||
# Check that the new certificate is NOT in the auto update list
|
||||
haproxy h8 -cli {
|
||||
send "show ssl ocsp-updates"
|
||||
expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*"
|
||||
}
|
||||
|
||||
shell {
|
||||
echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" -
|
||||
}
|
||||
|
||||
shell "sleep 1"
|
||||
|
||||
barrier b8 sync
|
||||
|
||||
haproxy h8 -cli {
|
||||
send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem"
|
||||
expect ~ ".* Cert Status: revoked.*"
|
||||
}
|
||||
|
||||
haproxy h8 -wait
|
||||
process p8 -wait
|
||||
|
@ -1,2 +0,0 @@
|
||||
multicert/server_ocsp.pem.rsa [ocsp-update on ssl-min-ver TLSv1.2] *
|
||||
multicert/server_ocsp.pem.ecdsa [ocsp-update on ssl-min-ver TLSv1.2] *
|
@ -734,27 +734,8 @@ void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
|
||||
X509_free(data->ocsp_issuer);
|
||||
data->ocsp_issuer = NULL;
|
||||
|
||||
|
||||
/* We need to properly remove the reference to the corresponding
|
||||
* certificate_ocsp structure if it exists (which it should).
|
||||
*/
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
if (data->ocsp_cid) {
|
||||
struct certificate_ocsp *ocsp = NULL;
|
||||
unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
|
||||
unsigned int certid_length = 0;
|
||||
|
||||
if (ssl_ocsp_build_response_key(data->ocsp_cid, (unsigned char*)certid, &certid_length) >= 0) {
|
||||
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
ocsp = (struct certificate_ocsp *)ebmb_lookup(&cert_ocsp_tree, certid, OCSP_MAX_CERTID_ASN1_LENGTH);
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
ssl_sock_free_ocsp(ocsp);
|
||||
}
|
||||
|
||||
OCSP_CERTID_free(data->ocsp_cid);
|
||||
data->ocsp_cid = NULL;
|
||||
}
|
||||
#endif
|
||||
OCSP_CERTID_free(data->ocsp_cid);
|
||||
data->ocsp_cid = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
|
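Review bot: With the lookup-and-release block removed, ssl_sock_free_cert_key_and_chain_contents() now only frees `data->ocsp_cid` and never touches the certificate_ocsp entry that key designates, so the entry's lifetime rests entirely on the remaining callers of ssl_sock_free_ocsp() (on this page, ssl_sock_ocsp_free_func() through the SSL_CTX callback args). That is presumably what the revert intends, but nothing in the function records it, and a later reader could re-add a release here and bring back the crashes the commit message describes. Suggest a comment above the `OCSP_CERTID_free(data->ocsp_cid);` line: `/* ocsp_cid is only a lookup key into cert_ocsp_tree and holds no reference on the certificate_ocsp; that entry is refcounted by the SSL_CTX callback args and released in ssl_sock_ocsp_free_func() */`. The function body starts before this hunk.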
@ -392,9 +392,8 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
|
||||
return;
|
||||
|
||||
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
ocsp->refcount_store--;
|
||||
if (ocsp->refcount_store <= 0) {
|
||||
BUG_ON(ocsp->refcount_instance > 0);
|
||||
ocsp->refcount--;
|
||||
if (ocsp->refcount <= 0) {
|
||||
ebmb_delete(&ocsp->key);
|
||||
eb64_delete(&ocsp->next_update);
|
||||
X509_free(ocsp->issuer);
|
||||
@ -412,19 +411,6 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
}
|
||||
|
||||
void ssl_sock_free_ocsp_instance(struct certificate_ocsp *ocsp)
|
||||
{
|
||||
if (!ocsp)
|
||||
return;
|
||||
|
||||
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
ocsp->refcount_instance--;
|
||||
if (ocsp->refcount_instance <= 0) {
|
||||
eb64_delete(&ocsp->next_update);
|
||||
}
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* This function dumps the details of an OCSP_CERTID. It is based on
|
||||
@ -640,13 +626,13 @@ void ssl_sock_ocsp_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int id
|
||||
ocsp_arg = ptr;
|
||||
|
||||
if (ocsp_arg->is_single) {
|
||||
ssl_sock_free_ocsp_instance(ocsp_arg->s_ocsp);
|
||||
ssl_sock_free_ocsp(ocsp_arg->s_ocsp);
|
||||
ocsp_arg->s_ocsp = NULL;
|
||||
} else {
|
||||
int i;
|
||||
|
||||
for (i = 0; i < SSL_SOCK_NUM_KEYTYPES; i++) {
|
||||
ssl_sock_free_ocsp_instance(ocsp_arg->m_ocsp[i]);
|
||||
ssl_sock_free_ocsp(ocsp_arg->m_ocsp[i]);
|
||||
ocsp_arg->m_ocsp[i] = NULL;
|
||||
}
|
||||
}
|
||||
@ -981,6 +967,12 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp)
|
||||
*/
|
||||
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
|
||||
{
|
||||
/* This entry was only supposed to be updated once, it does not need to
|
||||
* be reinserted into the update tree.
|
||||
*/
|
||||
if (ocsp->update_once)
|
||||
return 0;
|
||||
|
||||
/* Set next_update based on current time and the various OCSP
|
||||
* minimum/maximum update times.
|
||||
*/
|
||||
@ -989,12 +981,7 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
|
||||
ocsp->fail_count = 0;
|
||||
|
||||
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
ocsp->updating = 0;
|
||||
/* An entry with update_once set to 1 was only supposed to be updated
|
||||
* once, it does not need to be reinserted into the update tree.
|
||||
*/
|
||||
if (!ocsp->update_once)
|
||||
eb64_insert(&ocsp_update_tree, &ocsp->next_update);
|
||||
eb64_insert(&ocsp_update_tree, &ocsp->next_update);
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
|
||||
return 0;
|
||||
@ -1011,6 +998,12 @@ int ssl_ocsp_update_insert_after_error(struct certificate_ocsp *ocsp)
|
||||
{
|
||||
int replay_delay = 0;
|
||||
|
||||
/* This entry was only supposed to be updated once, it does not need to
|
||||
* be reinserted into the update tree.
|
||||
*/
|
||||
if (ocsp->update_once)
|
||||
return 0;
|
||||
|
||||
/*
|
||||
* Set next_update based on current time and the various OCSP
|
||||
* minimum/maximum update times.
|
||||
@ -1033,12 +1026,7 @@ int ssl_ocsp_update_insert_after_error(struct certificate_ocsp *ocsp)
|
||||
ocsp->next_update.key = date.tv_sec + replay_delay;
|
||||
|
||||
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
ocsp->updating = 0;
|
||||
/* An entry with update_once set to 1 was only supposed to be updated
|
||||
* once, it does not need to be reinserted into the update tree.
|
||||
*/
|
||||
if (!ocsp->update_once)
|
||||
eb64_insert(&ocsp_update_tree, &ocsp->next_update);
|
||||
eb64_insert(&ocsp_update_tree, &ocsp->next_update);
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
|
||||
return 0;
|
||||
@ -1201,7 +1189,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
|
||||
/* Reinsert the entry into the update list so that it can be updated later */
|
||||
ssl_ocsp_update_insert(ocsp);
|
||||
/* Release the reference kept on the updated ocsp response. */
|
||||
ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
|
||||
ssl_sock_free_ocsp(ctx->cur_ocsp);
|
||||
ctx->cur_ocsp = NULL;
|
||||
|
||||
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
@ -1244,8 +1232,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
|
||||
* reinserted after the response is processed. */
|
||||
eb64_delete(&ocsp->next_update);
|
||||
|
||||
ocsp->updating = 1;
|
||||
ocsp->refcount_instance++;
|
||||
++ocsp->refcount;
|
||||
ctx->cur_ocsp = ocsp;
|
||||
ocsp->last_update_status = OCSP_UPDT_UNKNOWN;
|
||||
|
||||
@ -1312,7 +1299,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
|
||||
++ctx->cur_ocsp->num_failure;
|
||||
ssl_ocsp_update_insert_after_error(ctx->cur_ocsp);
|
||||
/* Release the reference kept on the updated ocsp response. */
|
||||
ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
|
||||
ssl_sock_free_ocsp(ctx->cur_ocsp);
|
||||
ctx->cur_ocsp = NULL;
|
||||
}
|
||||
if (hc)
|
||||
@ -1341,7 +1328,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
|
||||
if (hc)
|
||||
httpclient_stop_and_destroy(hc);
|
||||
/* Release the reference kept on the updated ocsp response. */
|
||||
ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
|
||||
ssl_sock_free_ocsp(ctx->cur_ocsp);
|
||||
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
/* Set next_wakeup to the new first entry of the tree */
|
||||
eb = eb64_first(&ocsp_update_tree);
|
||||
@ -1426,24 +1413,13 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* No need to try to update this response, it is already being updated. */
|
||||
if (!ocsp->updating) {
|
||||
update_once = (ocsp->next_update.node.leaf_p == NULL);
|
||||
eb64_delete(&ocsp->next_update);
|
||||
update_once = (ocsp->next_update.node.leaf_p == NULL);
|
||||
eb64_delete(&ocsp->next_update);
|
||||
|
||||
/* Insert the entry at the beginning of the update tree.
|
||||
* We don't need to increase the reference counter on the
|
||||
* certificate_ocsp structure because we would not have a way to
|
||||
* decrease it afterwards since this update operation is asynchronous.
|
||||
* If the corresponding entry were to be destroyed before the update can
|
||||
* be performed, which is pretty unlikely, it would not be such a
|
||||
* problem because that would mean that the OCSP response is not
|
||||
* actually used.
|
||||
*/
|
||||
ocsp->next_update.key = 0;
|
||||
eb64_insert(&ocsp_update_tree, &ocsp->next_update);
|
||||
ocsp->update_once = update_once;
|
||||
}
|
||||
/* Insert the entry at the beginning of the update tree. */
|
||||
ocsp->next_update.key = 0;
|
||||
eb64_insert(&ocsp_update_tree, &ocsp->next_update);
|
||||
ocsp->update_once = update_once;
|
||||
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
|
||||
@ -1569,7 +1545,7 @@ static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
return cli_err(appctx, "Certificate ID or path does not match any certificate.\n");
|
||||
}
|
||||
ocsp->refcount_instance++;
|
||||
++ocsp->refcount;
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
|
||||
ctx->ocsp = ocsp;
|
||||
@ -1670,7 +1646,7 @@ static int cli_io_handler_show_ocspresponse(struct appctx *appctx)
|
||||
free_trash_chunk(tmp);
|
||||
BIO_free(bio);
|
||||
|
||||
ocsp->refcount_instance++;
|
||||
++ocsp->refcount;
|
||||
ctx->ocsp = ocsp;
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
return 0;
|
||||
@ -1679,14 +1655,6 @@ static int cli_io_handler_show_ocspresponse(struct appctx *appctx)
|
||||
#endif
|
||||
}
|
||||
|
||||
static void cli_release_show_ocspresponse(struct appctx *appctx)
|
||||
{
|
||||
struct show_ocspresp_cli_ctx *ctx = appctx->svcctx;
|
||||
|
||||
if (ctx)
|
||||
ssl_sock_free_ocsp(ctx->ocsp);
|
||||
}
|
||||
|
||||
/* Check if the ckch_store and the entry does have the same configuration */
|
||||
int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
|
||||
{
|
||||
@ -1947,7 +1915,7 @@ smp_fetch_ssl_ocsp_success_cnt(const struct arg *args, struct sample *smp, const
|
||||
static struct cli_kw_list cli_kws = {{ },{
|
||||
{ { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response <resp|payload> : update a certificate's OCSP Response from a base64-encode DER", cli_parse_set_ocspresponse, NULL },
|
||||
|
||||
{ { "show", "ssl", "ocsp-response", NULL },"show ssl ocsp-response [[text|base64] id] : display the IDs of the OCSP responses used in memory, or the details of a single OCSP response (in text or base64 format)", cli_parse_show_ocspresponse, cli_io_handler_show_ocspresponse, cli_release_show_ocspresponse },
|
||||
{ { "show", "ssl", "ocsp-response", NULL },"show ssl ocsp-response [[text|base64] id] : display the IDs of the OCSP responses used in memory, or the details of a single OCSP response (in text or base64 format)", cli_parse_show_ocspresponse, cli_io_handler_show_ocspresponse, NULL },
|
||||
{ { "show", "ssl", "ocsp-updates", NULL }, "show ssl ocsp-updates : display information about the next 'nb' ocsp responses that will be updated automatically", cli_parse_show_ocsp_updates, cli_io_handler_show_ocsp_updates, cli_release_show_ocsp_updates },
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
{ { "update", "ssl", "ocsp-response", NULL }, "update ssl ocsp-response <certfile> : send ocsp request and update stored ocsp response", cli_parse_update_ocsp_response, NULL, NULL },
|
||||
|
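Review bot: In the cli_parse_update_ocsp_response() hunk the new side derives `update_once` from `ocsp->next_update.node.leaf_p == NULL` with no check that an update of this entry is currently in flight; ssl_ocsp_update_responses() on this page unlinks the node (`eb64_delete(&ocsp->next_update)`) before it starts working on it, so for an entry being updated at that moment the CLI would see `leaf_p == NULL`, set `update_once = 1`, and the early `if (ocsp->update_once) return 0;` restored in ssl_ocsp_update_insert() and ssl_ocsp_update_insert_after_error() would then silently stop that entry from ever being reinserted into the automatic update cycle, as far as these hunks show. The `updating` flag that told the two cases apart is what this commit deliberately removes, so I am not asking for it back, but the limitation should be recorded where the value is computed: `/* leaf_p == NULL also holds while the update task has this entry in flight; in that case an auto-updated entry is wrongly marked update_once */`. All three functions start and end outside their hunks.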
@ -1123,7 +1123,6 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
|
||||
struct buffer *ocsp_uri = get_trash_chunk();
|
||||
char *err = NULL;
|
||||
size_t path_len;
|
||||
int inc_refcount_store = 0;
|
||||
|
||||
x = data->cert;
|
||||
if (!x)
|
||||
@ -1159,10 +1158,8 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
|
||||
if (!issuer)
|
||||
goto out;
|
||||
|
||||
if (!data->ocsp_cid) {
|
||||
if (!data->ocsp_cid)
|
||||
data->ocsp_cid = OCSP_cert_to_id(0, x, issuer);
|
||||
inc_refcount_store = 1;
|
||||
}
|
||||
if (!data->ocsp_cid)
|
||||
goto out;
|
||||
|
||||
@ -1189,9 +1186,6 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
|
||||
#endif
|
||||
SSL_CTX_get_tlsext_status_cb(ctx, &callback);
|
||||
|
||||
if (inc_refcount_store)
|
||||
iocsp->refcount_store++;
|
||||
|
||||
if (!callback) {
|
||||
struct ocsp_cbk_arg *cb_arg;
|
||||
EVP_PKEY *pkey;
|
||||
@ -1202,7 +1196,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
|
||||
|
||||
cb_arg->is_single = 1;
|
||||
cb_arg->s_ocsp = iocsp;
|
||||
iocsp->refcount_instance++;
|
||||
iocsp->refcount++;
|
||||
|
||||
pkey = X509_get_pubkey(x);
|
||||
cb_arg->single_kt = EVP_PKEY_base_id(pkey);
|
||||
@ -1242,7 +1236,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
|
||||
index = ssl_sock_get_ocsp_arg_kt_index(key_type);
|
||||
if (index >= 0 && !cb_arg->m_ocsp[index]) {
|
||||
cb_arg->m_ocsp[index] = iocsp;
|
||||
iocsp->refcount_instance++;
|
||||
iocsp->refcount++;
|
||||
}
|
||||
}
|
||||
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
|
||||
|