mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-21 22:01:31 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: ssl: OCSP must work with BoringSSL

Browse Source 
It's a regression from b3201a3e "BUG/MINOR: disable dynamic OCSP load
with BoringSSL". The origin bug is link to 76b4a12 "BUG/MEDIUM: ssl:
memory leak of ocsp data at SSL_CTX_free()": ssl_sock_free_ocsp()
shoud be in #ifndef OPENSSL_IS_BORINGSSL.
To avoid long #ifdef for small code, the BoringSSL part for ocsp load
is isolated in a simple #ifdef.

This must be backported in 2.2 and 2.1
This commit is contained in:
Emmanuel Hocdet 2020-10-26 13:55:30 +01:00 committed by William Lallemand
parent 5e10e44bce
commit a73a222a98
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/ssl_sock.c
View File

@ -1314,7 +1314,6 @@ static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
* Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
* successfully enabled, or -1 in other error case. * successfully enabled, or -1 in other error case.
*/ */
#ifndef OPENSSL_IS_BORINGSSL
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain) static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
{ {
X509 *x, *issuer; X509 *x, *issuer;
@ -1444,15 +1443,15 @@ out:
return ret; return ret;
} }
#else /* OPENSSL_IS_BORINGSSL */ #endif
#ifdef OPENSSL_IS_BORINGSSL
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain) static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
{ {
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data); return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
} }
#endif #endif
#endif
#if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL) #if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
@ -3138,7 +3137,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
} }
#endif #endif
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
/* Load OCSP Info into context */ /* Load OCSP Info into context */
if (ckch->ocsp_response) { if (ckch->ocsp_response) {
if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) { if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {