MINOR: ssl: Add certificate's path to certificate_ocsp structure
In order to have some information about the frontend certificate when
dumping the contents of the ocsp update tree from the cli, we could
either keep a reference to a ckch_store in the certificate_ocsp
structure, which might cause some dangling reference problems, or
simply copy the certificate's path into the certificate_ocsp structure.
This latter solution was chosen because of its simplicity.
diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index b3304f7..599d68a 100644
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -55,6 +55,8 @@
unsigned int last_update_status;/* Status of the last OCSP update */
unsigned int num_success; /* Number of successful updates */
unsigned int num_failure; /* Number of failed updates */
+ unsigned int fail_count; /* Number of successive failures */
+ char path[VAR_ARRAY];
};
struct ocsp_cbk_arg {
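Review bot: The new `path[VAR_ARRAY]` member turns `struct certificate_ocsp` into a variable-size object, so `sizeof(struct certificate_ocsp)` alone no longer covers it and any by-value copy or other allocation of this struct elsewhere would truncate the path; that invariant deserves a comment on the member, e.g. `char path[VAR_ARRAY]; /* Path of the certificate file, NUL-terminated; allocated together with the struct, see ssl_sock_load_ocsp() */`. The `fail_count` member added on the line above is not mentioned in the commit message and sits next to `num_failure`, so its comment should say how the two differ (a streak counter reset on success versus a total, presumably) or the field should come in its own commit. The struct's opening line is outside the hunk.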
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7c3c152..2d4eded 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1099,7 +1099,7 @@
* Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
* successfully enabled, or -1 in other error case.
*/
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
{
X509 *x, *issuer;
int i, ret = -1;
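Review bot: The new `path` parameter is not described in the function's header comment, which still documents only the return values, so a caller cannot tell whether the string is borrowed or copied or whether it may be NULL. I would add a line such as `/* <path> is the certificate file's path; it must be non-NULL and is copied into the certificate_ocsp entry created for the OCSP update tree. */` before the return-value sentence. The function's body continues outside the hunk.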
@@ -1159,7 +1159,7 @@
if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
goto out;
- ocsp = calloc(1, sizeof(*ocsp));
+ ocsp = calloc(1, sizeof(*ocsp)+strlen(path)+1);
if (!ocsp)
goto out;
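Review bot: `strlen(path)` is evaluated unconditionally before the allocation, and nothing in this hunk or in the function's contract states that `path` is never NULL; the only visible caller passes a `path` it also prints with `%s`, so it is presumably non-NULL there, but a guard or a documented precondition would make that explicit, e.g. `if (!path) goto out;` ahead of the `calloc`. It would also be safer to fill the trailing buffer right here, `strcpy(ocsp->path, path);` after the NULL check, since this is the only place where the buffer is known to have been sized for exactly this string.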
@@ -1261,6 +1261,8 @@
goto out;
}
+ strcpy(iocsp->path, path);
+
ssl_ocsp_update_insert(iocsp);
}
}
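Review bot: `strcpy(iocsp->path, path)` writes into `iocsp`, but the object whose allocation was enlarged for this string is `ocsp`; whether `iocsp` is that same object or an entry that already existed in the tree is decided by code outside the hunk. If it can be a pre-existing entry, its trailing buffer was sized for the path it was first loaded from, and a longer path supplied by a second loader of the same certificate overflows the heap. I would copy into the freshly allocated object instead, `strcpy(ocsp->path, path);` immediately after the `calloc` NULL check, and leave an existing entry's path untouched; the enclosing function continues outside the hunk.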
@@ -1286,7 +1288,7 @@
#endif
#ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
{
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
}
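Review bot: The BoringSSL variant gains the `path` parameter but never uses it, which trips `-Wunused-parameter` builds; if the tree is not maintained on BoringSSL, marking it as such, e.g. `(void)path;` or the project's `__maybe_unused` annotation if available, keeps the two signatures aligned without a warning. Unrelated to this commit but visible in the context, the body reads `ckch->ocsp_response` while the parameter is named `data`, so this variant looks like it does not compile as written; worth confirming in a BoringSSL build.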
@@ -3462,7 +3464,7 @@
* ocsp tree even if no ocsp_response was known during init, unless the
* frontend's conf disables ocsp update explicitely.
*/
- if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) {
+ if (ssl_sock_load_ocsp(path, ctx, data, find_chain) < 0) {
if (data->ocsp_response)
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
err && *err ? *err : "", path);