MINOR: ssl: improve HAVE_SSL_OCSP ifdef

Allow HAProxy to build correctly when the TLS library has no OCSP support. OCSP can be disabled either by building OpenSSL with OPENSSL_NO_OCSP, or by passing DEFINE="-DOPENSSL_NO_OCSP" on the haproxy make command line.
This commit is contained in:
William Lallemand 2024-12-11 15:35:58 +01:00
parent 1c7f5ce32e
commit acb2c9eb8b
7 changed files with 38 additions and 19 deletions


@ -149,6 +149,12 @@
#define HASSL_DH_up_ref DH_up_ref #define HASSL_DH_up_ref DH_up_ref
#endif #endif
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB || AWSLC_API_VERSION >= 29) && (!defined(OPENSSL_NO_OCSP)))
#define HAVE_SSL_OCSP
#else
typedef void OCSP_CERTID;
#endif
#if ((HA_OPENSSL_VERSION_NUMBER < 0x1000000fL) && !defined(X509_get_X509_PUBKEY)) #if ((HA_OPENSSL_VERSION_NUMBER < 0x1000000fL) && !defined(X509_get_X509_PUBKEY))
#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key) #define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
#endif #endif
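Review bot: The HAVE_SSL_OCSP condition at L17 has no `|| defined(OPENSSL_IS_BORINGSSL)` alternative, whereas the conditions it replaces in ssl_ckch.c and ssl_sock.c (the `.ocsp` file loader, the cert_exts "ocsp" entry and the ctx OCSP loading) did carry one, so on a BoringSSL build that code is now compiled in only if BoringSSL happens to define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB — the old explicit OR suggests it does not. If so, the macro should keep the old semantics, e.g. `#if (((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB || AWSLC_API_VERSION >= 29) && !defined(OPENSSL_NO_OCSP)) || defined(OPENSSL_IS_BORINGSSL))`, which the sites that add `&& !defined OPENSSL_IS_BORINGSSL` already tolerate. Separately, `AWSLC_API_VERSION >= 29` evaluates an undefined identifier as 0 on every non-AWS-LC build and trips -Wundef; `(defined(AWSLC_API_VERSION) && AWSLC_API_VERSION >= 29)` avoids that, and the fallback `typedef void OCSP_CERTID;` deserves a one-line comment saying it exists only so the `ocsp_cid` pointer members still declare, since it will clash with any library header that still declares OCSP_CERTID under OPENSSL_NO_OCSP.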


@ -38,7 +38,7 @@ extern int ocsp_ex_index;
#define SSL_OCSP_UPDATE_MARGIN 60 /* 1 minute */ #define SSL_OCSP_UPDATE_MARGIN 60 /* 1 minute */
#define SSL_OCSP_HTTP_ERR_REPLAY 60 /* 1 minute */ #define SSL_OCSP_HTTP_ERR_REPLAY 60 /* 1 minute */
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) #if defined(HAVE_SSL_OCSP)
/* /*
* struct alignment works here such that the key.key is the same as key_data * struct alignment works here such that the key.key is the same as key_data
* Do not change the placement of key_data * Do not change the placement of key_data
@ -89,7 +89,7 @@ extern struct task *ocsp_update_task;
__decl_thread(extern HA_SPINLOCK_T ocsp_tree_lock); __decl_thread(extern HA_SPINLOCK_T ocsp_tree_lock);
#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */ #endif /* HAVE_SSL_OCSP */
#endif /* USE_OPENSSL */ #endif /* USE_OPENSSL */
#endif /* _HAPROXY_SSL_OCSP_T_H */ #endif /* _HAPROXY_SSL_OCSP_T_H */
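Review bot: `#if defined(HAVE_SSL_OCSP)` at L31 silently evaluates to false when the macro is simply not visible, so this header now depends on <haproxy/openssl-compat.h> (where HAVE_SSL_OCSP is defined) being included before the check; the include list is above the hunk and I cannot confirm it here. The old condition only relied on symbols from the OpenSSL headers, so a missing project include could not disable the block by accident. A short comment on the guard naming its origin, e.g. `#if defined(HAVE_SSL_OCSP) /* set by openssl-compat.h */`, would make the dependency visible to the next reader.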


@ -136,7 +136,7 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store);
#ifdef HAVE_SSL_PROVIDERS #ifdef HAVE_SSL_PROVIDERS
int ssl_init_provider(const char *provider_name); int ssl_init_provider(const char *provider_name);
#endif #endif
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) #if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
int ssl_get_ocspresponse_detail(unsigned char *ocsp_certid, struct buffer *out); int ssl_get_ocspresponse_detail(unsigned char *ocsp_certid, struct buffer *out);
int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out); int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out);
#endif #endif


@ -13353,14 +13353,14 @@ __LJMP static int hlua_ckch_set(lua_State *L)
errcode |= ERR_ALERT | ERR_FATAL; errcode |= ERR_ALERT | ERR_FATAL;
goto end; goto end;
} }
#ifdef HAVE_SSL_OCSP
/* Reset the OCSP CID */ /* Reset the OCSP CID */
if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY || if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
cert_ext->type == CERT_TYPE_ISSUER) { cert_ext->type == CERT_TYPE_ISSUER) {
OCSP_CERTID_free(new_ckchs->data->ocsp_cid); OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
new_ckchs->data->ocsp_cid = NULL; new_ckchs->data->ocsp_cid = NULL;
} }
#endif
/* apply the change on the duplicate */ /* apply the change on the duplicate */
if (cert_ext->load(filename, payload, data, &err) != 0) { if (cert_ext->load(filename, payload, data, &err) != 0) {
memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext); memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext);
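Review bot: The guard added at L58 is spelled `#ifdef HAVE_SSL_OCSP` while the identical reset block in cli_parse_set_cert (ssl_ckch.c) uses `#if defined(HAVE_SSL_OCSP)`; both forms are equivalent, but since this commit introduces the gate it is worth picking one spelling so a grep for the feature macro stays uniform. The two copies of the "Reset the OCSP CID" block are now also duplicated under the same conditional, so a small helper such as `static inline void ckch_data_reset_ocsp_cid(struct ckch_data *data)` holding the `#ifdef` once would remove the duplication. hlua_ckch_set begins and ends outside the hunk.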


@ -255,7 +255,7 @@ int ssl_sock_load_sctl_from_file(const char *sctl_path, char *buf, struct ckch_d
return ret; return ret;
} }
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) #if defined(HAVE_SSL_OCSP)
/* /*
* This function load the OCSP Response in DER format contained in file at * This function load the OCSP Response in DER format contained in file at
* path 'ocsp_path' or base64 in a buffer <buf> * path 'ocsp_path' or base64 in a buffer <buf>
@ -457,6 +457,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
} }
#endif #endif
#ifdef HAVE_SSL_OCSP
/* try to load an ocsp response file */ /* try to load an ocsp response file */
if (global_ssl.extra_files & SSL_GF_OCSP) { if (global_ssl.extra_files & SSL_GF_OCSP) {
struct stat st; struct stat st;
@ -478,7 +479,6 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
*(fp->area + fp->data - strlen(".ocsp")) = '\0'; *(fp->area + fp->data - strlen(".ocsp")) = '\0';
b_sub(fp, strlen(".ocsp")); b_sub(fp, strlen(".ocsp"));
} }
#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */ #ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) { if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
/* if no issuer was found, try to load an issuer from the .issuer */ /* if no issuer was found, try to load an issuer from the .issuer */
@ -510,6 +510,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
b_sub(fp, strlen(".issuer")); b_sub(fp, strlen(".issuer"));
} }
} }
#endif
#endif #endif
ret = 0; ret = 0;
@ -767,7 +768,7 @@ void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
/* We need to properly remove the reference to the corresponding /* We need to properly remove the reference to the corresponding
* certificate_ocsp structure if it exists (which it should). * certificate_ocsp structure if it exists (which it should).
*/ */
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) #if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
if (data->ocsp_cid) { if (data->ocsp_cid) {
struct certificate_ocsp *ocsp = NULL; struct certificate_ocsp *ocsp = NULL;
unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH] = {}; unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
@ -837,6 +838,7 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
dst->sctl = sctl; dst->sctl = sctl;
} }
#ifdef HAVE_SSL_OCSP
if (src->ocsp_response) { if (src->ocsp_response) {
struct buffer *ocsp_response; struct buffer *ocsp_response;
@ -852,9 +854,8 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
X509_up_ref(src->ocsp_issuer); X509_up_ref(src->ocsp_issuer);
dst->ocsp_issuer = src->ocsp_issuer; dst->ocsp_issuer = src->ocsp_issuer;
} }
dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid); dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
#endif
return dst; return dst;
error: error:
@ -1538,7 +1539,7 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
struct cert_exts cert_exts[] = { struct cert_exts cert_exts[] = {
{ "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */ { "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */
{ "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch }, { "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch },
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) #if defined(HAVE_SSL_OCSP)
{ "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file }, { "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file },
#endif #endif
#ifdef HAVE_SSL_SCTL #ifdef HAVE_SSL_SCTL
@ -2090,7 +2091,7 @@ static int show_cert_detail(X509 *cert, STACK_OF(X509) *chain, struct issuer_cha
*/ */
static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out) static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
{ {
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) #if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {}; unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
unsigned int key_length = 0; unsigned int key_length = 0;
int i; int i;
@ -2163,7 +2164,7 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx)
*/ */
static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx) static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
{ {
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) #if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
struct show_cert_ctx *ctx = appctx->svcctx; struct show_cert_ctx *ctx = appctx->svcctx;
struct ckch_store *ckchs = ctx->cur_ckchs; struct ckch_store *ckchs = ctx->cur_ckchs;
struct buffer *out = alloc_trash_chunk(); struct buffer *out = alloc_trash_chunk();
@ -2884,13 +2885,14 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
goto end; goto end;
} }
#if defined(HAVE_SSL_OCSP)
/* Reset the OCSP CID */ /* Reset the OCSP CID */
if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY || if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
cert_ext->type == CERT_TYPE_ISSUER) { cert_ext->type == CERT_TYPE_ISSUER) {
OCSP_CERTID_free(new_ckchs->data->ocsp_cid); OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
new_ckchs->data->ocsp_cid = NULL; new_ckchs->data->ocsp_cid = NULL;
} }
#endif
data = new_ckchs->data; data = new_ckchs->data;
/* apply the change on the duplicate */ /* apply the change on the duplicate */
@ -4471,10 +4473,14 @@ struct ckch_conf_kws ckch_conf_kws[] = {
{ "alias", -1, PARSE_TYPE_NONE, NULL, NULL }, { "alias", -1, PARSE_TYPE_NONE, NULL, NULL },
{ "crt", offsetof(struct ckch_conf, crt), PARSE_TYPE_STR, ckch_conf_load_pem, &current_crtbase }, { "crt", offsetof(struct ckch_conf, crt), PARSE_TYPE_STR, ckch_conf_load_pem, &current_crtbase },
{ "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ckch_conf_load_key, &current_keybase }, { "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ckch_conf_load_key, &current_keybase },
#ifdef HAVE_SSL_OCSP
{ "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ckch_conf_load_ocsp_response, &current_crtbase }, { "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ckch_conf_load_ocsp_response, &current_crtbase },
#endif
{ "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer, &current_crtbase }, { "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer, &current_crtbase },
{ "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ckch_conf_load_sctl, &current_crtbase }, { "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ckch_conf_load_sctl, &current_crtbase },
#if defined(HAVE_SSL_OCSP)
{ "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, NULL }, { "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, NULL },
#endif
{ NULL, -1, PARSE_TYPE_STR, NULL, NULL } { NULL, -1, PARSE_TYPE_STR, NULL, NULL }
}; };
@ -4655,6 +4661,7 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err)
default: default:
break; break;
} }
#if defined(HAVE_SSL_OCSP)
/* special case for ocsp-update and default */ /* special case for ocsp-update and default */
if (strcmp(ckch_conf_kws[i].name, "ocsp-update") == 0) { if (strcmp(ckch_conf_kws[i].name, "ocsp-update") == 0) {
int o1, o2; /* ocsp-update from the configuration */ int o1, o2; /* ocsp-update from the configuration */
@ -4694,6 +4701,7 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err)
ret = 1; ret = 1;
} }
} }
#endif
} }
out: out:
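Review bot: The ckch_conf_kws table at L159-L172 guards the "ocsp" and "ocsp-update" entries with HAVE_SSL_OCSP but leaves the "issuer" entry at L166 unguarded, while the other hunks of this file move every consumer of `ocsp_issuer` behind the same guard: the `.issuer` file loading in ssl_sock_load_files_into_ckch (L90-L97, now inside the L82 `#ifdef`) and the `X509_up_ref(src->ocsp_issuer)` copy in ssl_sock_copy_cert_key_and_chain (L115-L116, now inside the L111 `#ifdef`). On a no-OCSP build a crt-store `issuer` line is therefore still accepted and, assuming ckch_conf_load_ocsp_issuer still stores into `data->ocsp_issuer`, the loaded certificate is then dropped by the copy path, so the keyword would be accepted but ineffective. Either wrap the L166 entry in the same `#ifdef HAVE_SSL_OCSP` so the configuration is rejected explicitly, or keep the `ocsp_issuer` copy outside the guard; the former matches the intent of the commit. ckch_conf_cmp (L173-L186) continues outside the hunk.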


@ -62,6 +62,7 @@
#include <haproxy/ticks.h> #include <haproxy/ticks.h>
#include <haproxy/time.h> #include <haproxy/time.h>
#ifdef HAVE_SSL_OCSP
/* ***** READ THIS before adding code here! ***** /* ***** READ THIS before adding code here! *****
* *
@ -2073,6 +2074,8 @@ static struct cfg_kw_list cfg_kws = {ILH, {
INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws); INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
REGISTER_CONFIG_POSTPARSER("ocsp-update", ocsp_update_postparser_init); REGISTER_CONFIG_POSTPARSER("ocsp-update", ocsp_update_postparser_init);
#endif /* HAVE_SSL_OCSP */
/* /*
* Local variables: * Local variables:
* c-indent-level: 8 * c-indent-level: 8
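Review bot: The `#ifdef HAVE_SSL_OCSP` opened at L194 is only closed at L200, about two thousand lines later, and the opening line gives no hint that the entire remainder of the translation unit is conditional; a comment such as `#ifdef HAVE_SSL_OCSP /* everything below is OCSP-only; matching #endif at end of file */` would spare readers a search. Everything registered in between also disappears, including the cfg_kws table and the "ocsp-update" postparser at L198-L199, so a configuration using those global keywords is presumably rejected as unknown on a no-OCSP build rather than with an explicit "built without OCSP" diagnostic; if that is the intended behaviour it deserves a sentence in the commit message. The file content between the two hunks is outside my view.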


@ -137,7 +137,7 @@ struct global_ssl global_ssl = {
.keylog = 0, .keylog = 0,
#endif #endif
.security_level = -1, .security_level = -1,
#ifndef OPENSSL_NO_OCSP #ifdef HAVE_SSL_OCSP
.ocsp_update.delay_max = SSL_OCSP_UPDATE_DELAY_MAX, .ocsp_update.delay_max = SSL_OCSP_UPDATE_DELAY_MAX,
.ocsp_update.delay_min = SSL_OCSP_UPDATE_DELAY_MIN, .ocsp_update.delay_min = SSL_OCSP_UPDATE_DELAY_MIN,
.ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_OFF, .ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_OFF,
@ -1092,7 +1092,7 @@ static int tlskeys_finalize_config(void)
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */ #endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) #if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
/* /*
* This function enables the handling of OCSP status extension on 'ctx' if a * This function enables the handling of OCSP status extension on 'ctx' if a
* ocsp_response buffer was found in the cert_key_and_chain. To enable OCSP * ocsp_response buffer was found in the cert_key_and_chain. To enable OCSP
@ -2772,7 +2772,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_store *store
} }
#endif #endif
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL) #if defined(HAVE_SSL_OCSP)
/* Load OCSP Info into context /* Load OCSP Info into context
* If OCSP update mode is set to 'on', an entry will be created in the * If OCSP update mode is set to 'on', an entry will be created in the
* ocsp tree even if no ocsp_response was known during init, unless the * ocsp tree even if no ocsp_response was known during init, unless the
@ -6965,7 +6965,7 @@ static void __ssl_sock_init(void)
sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func); sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
#endif #endif
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL) #if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
ocsp_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_ocsp_free_func); ocsp_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_ocsp_free_func);
#endif #endif
@ -7019,7 +7019,9 @@ static void __ssl_sock_init(void)
HA_SPIN_INIT(&ckch_lock); HA_SPIN_INIT(&ckch_lock);
#if defined(HAVE_SSL_OCSP)
HA_SPIN_INIT(&ocsp_tree_lock); HA_SPIN_INIT(&ocsp_tree_lock);
#endif
/* Try to register dedicated SSL/TLS protocol message callbacks for /* Try to register dedicated SSL/TLS protocol message callbacks for
* heartbleed attack (CVE-2014-0160) and clienthello. * heartbleed attack (CVE-2014-0160) and clienthello.
@ -7159,7 +7161,7 @@ static void __ssl_sock_deinit(void)
#endif #endif
BIO_meth_free(ha_meth); BIO_meth_free(ha_meth);
#if !defined OPENSSL_NO_OCSP #if defined(HAVE_SSL_OCSP)
ssl_destroy_ocsp_update_task(); ssl_destroy_ocsp_update_task();
#endif #endif
} }
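Review bot: The global_ssl initializer at L211 now keys the `.ocsp_update` defaults on HAVE_SSL_OCSP, but the `ocsp_update` member itself is declared in ssl_sock-t.h, which is not among the seven files of this commit; if that declaration still uses `#ifndef OPENSSL_NO_OCSP`, the two guards diverge on a library where OPENSSL_NO_OCSP is unset but SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB is absent, and `delay_max`, `delay_min` and `mode` are then left zero-initialized instead of getting SSL_OCSP_UPDATE_DELAY_MAX, SSL_OCSP_UPDATE_DELAY_MIN and SSL_SOCK_OCSP_UPDATE_OFF. Moving that declaration under the same `#ifdef HAVE_SSL_OCSP` would turn any future mismatch into a compile error rather than a silent default of 0. The L244 change to `#if defined(HAVE_SSL_OCSP)` around ssl_destroy_ocsp_update_task is consistent with the whole-file guard now placed on ssl_ocsp.c.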