MINOR: ssl: improve HAVE_SSL_OCSP ifdef
Allow building correctly without OCSP. OCSP can be disabled easily with an OpenSSL build using OPENSSL_NO_OCSP, or with DEFINE="-DOPENSSL_NO_OCSP" on the haproxy make line.
parent
1c7f5ce32e
commit
acb2c9eb8b
@ -149,6 +149,12 @@
|
||||
#define HASSL_DH_up_ref DH_up_ref
|
||||
#endif
|
||||
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB || AWSLC_API_VERSION >= 29) && (!defined(OPENSSL_NO_OCSP)))
|
||||
#define HAVE_SSL_OCSP
|
||||
#else
|
||||
typedef void OCSP_CERTID;
|
||||
#endif
|
||||
|
||||
#if ((HA_OPENSSL_VERSION_NUMBER < 0x1000000fL) && !defined(X509_get_X509_PUBKEY))
|
||||
#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
|
||||
#endif
|
||||
|
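Review bot: The new HAVE_SSL_OCSP definition at the `#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB || AWSLC_API_VERSION >= 29) && ...)` line does not carry over the `|| defined OPENSSL_IS_BORINGSSL` alternative that three of the guards it replaces had (hunks `@ -255`, `@ -1538` and `@ -2772`), so unless BoringSSL defines SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB itself, a BoringSSL build would silently lose the OCSP response loader and the `ocsp` certificate extension rather than fail to compile. The remaining guards are also split on whether the macro may ever be set on BoringSSL: the `OCSP_CERTID_free`/`OCSP_CERTID_dup` sites in hlua_ckch_set, ssl_sock_copy_cert_key_and_chain and cli_parse_set_cert use bare `HAVE_SSL_OCSP`, while the other ocsp_cid users keep `&& !defined OPENSSL_IS_BORINGSSL`; a comment on the definition such as `/* HAVE_SSL_OCSP: libssl exposes the status-request callback and OCSP_CERTID; not set for BoringSSL */` (reworded if BoringSSL is meant to be covered) would pin the intent. `AWSLC_API_VERSION` is undefined on non-AWS-LC builds and evaluates to 0 inside `#if`, which is harmless but trips `-Wundef`; `(defined(AWSLC_API_VERSION) && AWSLC_API_VERSION >= 29)` avoids that. The `typedef void OCSP_CERTID;` fallback also deserves a one-line comment saying it exists only so that `OCSP_CERTID *` members (presumably `ocsp_cid` in struct ckch_data) still compile when OCSP is disabled.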
@ -38,7 +38,7 @@ extern int ocsp_ex_index;
|
||||
#define SSL_OCSP_UPDATE_MARGIN 60 /* 1 minute */
|
||||
#define SSL_OCSP_HTTP_ERR_REPLAY 60 /* 1 minute */
|
||||
|
||||
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
/*
|
||||
* struct alignment works here such that the key.key is the same as key_data
|
||||
* Do not change the placement of key_data
|
||||
@ -89,7 +89,7 @@ extern struct task *ocsp_update_task;
|
||||
|
||||
__decl_thread(extern HA_SPINLOCK_T ocsp_tree_lock);
|
||||
|
||||
#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
|
||||
#endif /* HAVE_SSL_OCSP */
|
||||
|
||||
#endif /* USE_OPENSSL */
|
||||
#endif /* _HAPROXY_SSL_OCSP_T_H */
|
||||
|
@ -136,7 +136,7 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store);
|
||||
#ifdef HAVE_SSL_PROVIDERS
|
||||
int ssl_init_provider(const char *provider_name);
|
||||
#endif
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
int ssl_get_ocspresponse_detail(unsigned char *ocsp_certid, struct buffer *out);
|
||||
int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out);
|
||||
#endif
|
||||
|
@ -13353,14 +13353,14 @@ __LJMP static int hlua_ckch_set(lua_State *L)
|
||||
errcode |= ERR_ALERT | ERR_FATAL;
|
||||
goto end;
|
||||
}
|
||||
|
||||
#ifdef HAVE_SSL_OCSP
|
||||
/* Reset the OCSP CID */
|
||||
if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
|
||||
cert_ext->type == CERT_TYPE_ISSUER) {
|
||||
OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
|
||||
new_ckchs->data->ocsp_cid = NULL;
|
||||
}
|
||||
|
||||
#endif
|
||||
/* apply the change on the duplicate */
|
||||
if (cert_ext->load(filename, payload, data, &err) != 0) {
|
||||
memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext);
|
||||
|
@ -255,7 +255,7 @@ int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_d
|
||||
return ret;
|
||||
}
|
||||
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
/*
|
||||
* This function load the OCSP Response in DER format contained in file at
|
||||
* path 'ocsp_path' or base64 in a buffer <buf>
|
||||
@ -457,6 +457,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SSL_OCSP
|
||||
/* try to load an ocsp response file */
|
||||
if (global_ssl.extra_files & SSL_GF_OCSP) {
|
||||
struct stat st;
|
||||
@ -478,7 +479,6 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
|
||||
*(fp->area + fp->data - strlen(".ocsp")) = '\0';
|
||||
b_sub(fp, strlen(".ocsp"));
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
|
||||
if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
|
||||
/* if no issuer was found, try to load an issuer from the .issuer */
|
||||
@ -510,6 +510,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
|
||||
b_sub(fp, strlen(".issuer"));
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
ret = 0;
|
||||
@ -767,7 +768,7 @@ void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
|
||||
/* We need to properly remove the reference to the corresponding
|
||||
* certificate_ocsp structure if it exists (which it should).
|
||||
*/
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
if (data->ocsp_cid) {
|
||||
struct certificate_ocsp *ocsp = NULL;
|
||||
unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
|
||||
@ -837,6 +838,7 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
|
||||
dst->sctl = sctl;
|
||||
}
|
||||
|
||||
#ifdef HAVE_SSL_OCSP
|
||||
if (src->ocsp_response) {
|
||||
struct buffer *ocsp_response;
|
||||
|
||||
@ -852,9 +854,8 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
|
||||
X509_up_ref(src->ocsp_issuer);
|
||||
dst->ocsp_issuer = src->ocsp_issuer;
|
||||
}
|
||||
|
||||
dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
|
||||
|
||||
#endif
|
||||
return dst;
|
||||
|
||||
error:
|
||||
@ -1538,7 +1539,7 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
|
||||
struct cert_exts cert_exts[] = {
|
||||
{ "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */
|
||||
{ "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch },
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
{ "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file },
|
||||
#endif
|
||||
#ifdef HAVE_SSL_SCTL
|
||||
@ -2090,7 +2091,7 @@ static int show_cert_detail(X509 *cert, STACK_OF(X509) *chain, struct issuer_cha
|
||||
*/
|
||||
static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
|
||||
{
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
|
||||
unsigned int key_length = 0;
|
||||
int i;
|
||||
@ -2163,7 +2164,7 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx)
|
||||
*/
|
||||
static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
|
||||
{
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
struct show_cert_ctx *ctx = appctx->svcctx;
|
||||
struct ckch_store *ckchs = ctx->cur_ckchs;
|
||||
struct buffer *out = alloc_trash_chunk();
|
||||
@ -2884,13 +2885,14 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
|
||||
goto end;
|
||||
}
|
||||
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
/* Reset the OCSP CID */
|
||||
if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
|
||||
cert_ext->type == CERT_TYPE_ISSUER) {
|
||||
OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
|
||||
new_ckchs->data->ocsp_cid = NULL;
|
||||
}
|
||||
|
||||
#endif
|
||||
data = new_ckchs->data;
|
||||
|
||||
/* apply the change on the duplicate */
|
||||
@ -4471,10 +4473,14 @@ struct ckch_conf_kws ckch_conf_kws[] = {
|
||||
{ "alias", -1, PARSE_TYPE_NONE, NULL, NULL },
|
||||
{ "crt", offsetof(struct ckch_conf, crt), PARSE_TYPE_STR, ckch_conf_load_pem, ¤t_crtbase },
|
||||
{ "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ckch_conf_load_key, ¤t_keybase },
|
||||
#ifdef HAVE_SSL_OCSP
|
||||
{ "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ckch_conf_load_ocsp_response, ¤t_crtbase },
|
||||
#endif
|
||||
{ "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer, ¤t_crtbase },
|
||||
{ "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ckch_conf_load_sctl, ¤t_crtbase },
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
{ "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, NULL },
|
||||
#endif
|
||||
{ NULL, -1, PARSE_TYPE_STR, NULL, NULL }
|
||||
};
|
||||
|
||||
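Review bot: The `issuer` entry, `{ "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer, ... }`, stays unconditional while the `ocsp` and `ocsp-update` entries around it become HAVE_SSL_OCSP-only and the automatic `.issuer` loading in ssl_sock_load_files_into_ckch (hunks `@ -457` and `@ -510`) appears to sit inside the new `#ifdef HAVE_SSL_OCSP` block; if the issuer file serves only OCSP, a configuration naming `issuer` on an OCSP-less build is presumably accepted and then ignored, so the entry should likely move under the same guard, or `ckch_conf_load_ocsp_issuer` should report that OCSP support is compiled out. The two new guards in this table are spelled differently, `#ifdef HAVE_SSL_OCSP` on the `ocsp` entry and `#if defined(HAVE_SSL_OCSP)` on `ocsp-update`, and the same split recurs between the identical CID-reset blocks in hlua_ckch_set and cli_parse_set_cert (hunks `@ -13353` and `@ -2884`); one spelling throughout keeps grepping for the feature gate reliable.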
@ -4655,6 +4661,7 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err)
|
||||
default:
|
||||
break;
|
||||
}
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
/* special case for ocsp-update and default */
|
||||
if (strcmp(ckch_conf_kws[i].name, "ocsp-update") == 0) {
|
||||
int o1, o2; /* ocsp-update from the configuration */
|
||||
@ -4694,6 +4701,7 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err)
|
||||
ret = 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
out:
|
||||
|
@ -62,6 +62,7 @@
|
||||
#include <haproxy/ticks.h>
|
||||
#include <haproxy/time.h>
|
||||
|
||||
#ifdef HAVE_SSL_OCSP
|
||||
|
||||
/* ***** READ THIS before adding code here! *****
|
||||
*
|
||||
@ -2073,6 +2074,8 @@ static struct cfg_kw_list cfg_kws = {ILH, {
|
||||
INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
|
||||
|
||||
REGISTER_CONFIG_POSTPARSER("ocsp-update", ocsp_update_postparser_init);
|
||||
|
||||
#endif /* HAVE_SSL_OCSP */
|
||||
/*
|
||||
* Local variables:
|
||||
* c-indent-level: 8
|
||||
|
@ -137,7 +137,7 @@ struct global_ssl global_ssl = {
|
||||
.keylog = 0,
|
||||
#endif
|
||||
.security_level = -1,
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
#ifdef HAVE_SSL_OCSP
|
||||
.ocsp_update.delay_max = SSL_OCSP_UPDATE_DELAY_MAX,
|
||||
.ocsp_update.delay_min = SSL_OCSP_UPDATE_DELAY_MIN,
|
||||
.ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_OFF,
|
||||
@ -1092,7 +1092,7 @@ static int tlskeys_finalize_config(void)
|
||||
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
|
||||
|
||||
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
/*
|
||||
* This function enables the handling of OCSP status extension on 'ctx' if a
|
||||
* ocsp_response buffer was found in the cert_key_and_chain. To enable OCSP
|
||||
@ -2772,7 +2772,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_store *store
|
||||
}
|
||||
#endif
|
||||
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
/* Load OCSP Info into context
|
||||
* If OCSP update mode is set to 'on', an entry will be created in the
|
||||
* ocsp tree even if no ocsp_response was known during init, unless the
|
||||
@ -6965,7 +6965,7 @@ static void __ssl_sock_init(void)
|
||||
sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
|
||||
#endif
|
||||
|
||||
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
|
||||
ocsp_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_ocsp_free_func);
|
||||
#endif
|
||||
|
||||
@ -7019,7 +7019,9 @@ static void __ssl_sock_init(void)
|
||||
|
||||
HA_SPIN_INIT(&ckch_lock);
|
||||
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
HA_SPIN_INIT(&ocsp_tree_lock);
|
||||
#endif
|
||||
|
||||
/* Try to register dedicated SSL/TLS protocol message callbacks for
|
||||
* heartbleed attack (CVE-2014-0160) and clienthello.
|
||||
@ -7159,7 +7161,7 @@ static void __ssl_sock_deinit(void)
|
||||
#endif
|
||||
BIO_meth_free(ha_meth);
|
||||
|
||||
#if !defined OPENSSL_NO_OCSP
|
||||
#if defined(HAVE_SSL_OCSP)
|
||||
ssl_destroy_ocsp_update_task();
|
||||
#endif
|
||||
}
|
||||
|