Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 1e0867cfbc5bd6ec028a5c8eaa4386b2a402eb37^! / .
commit1e0867cfbc5bd6ec028a5c8eaa4386b2a402eb37[log] [tgz]
authorAurélien Nephtali <aurelien.nephtali@corp.ovh.com>Wed Apr 18 14:04:58 2018 +0200
committerWilly Tarreau <w@1wt.eu>Thu Apr 26 14:20:09 2018 +0200
tree41be8998cc16e97288028a14c9cd917ce5e5c492
parent25650ce5139ba5e8552930a1cc0c0c5c45e9e4d1 [diff]
MINOR: ssl: Add payload support to "set ssl ocsp-response"

It is now possible to use a payload with the "set ssl ocsp-response"
command.  These syntaxes will work the same way:

 # echo "set ssl ocsp-response $(base64 -w 10000 ocsp.der)" | \
     socat /tmp/sock1 -

 # echo -e "set ssl ocsp-response <<\n$(base64 ocsp.der)\n" | \
     socat /tmp/sock1 -

Signed-off-by: Aurélien Nephtali <aurelien.nephtali@corp.ovh.com>

diff --git a/doc/management.txt b/doc/management.txt
index c0c3f48..a2e8d8f 100644
--- a/doc/management.txt
+++ b/doc/management.txt

@@ -1712,7 +1712,7 @@
   Change the severity output format of the stats socket connected to for the
   duration of the current session.
 
-set ssl ocsp-response <response>
+set ssl ocsp-response <response | payload>
   This command is used to update an OCSP Response for a certificate (see "crt"
   on "bind" lines). Same controls are performed as during the initial loading of
   the response. The <response> must be passed as a base64 encoded string of the
@@ -1725,6 +1725,10 @@
     echo "set ssl ocsp-response $(base64 -w 10000 resp.der)" | \
                  socat stdio /var/run/haproxy.stat
 
+    using the payload syntax:
+    echo -e "set ssl ocsp-response <<\n$(base64 resp.der)\n" | \
+                 socat stdio /var/run/haproxy.stat
+
 set ssl tls-key <id> <tlskey>
   Set the next TLS key for the <id> listener to <tlskey>. This key becomes the
   ultimate key, while the penultimate one is used for encryption (others just

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 70bf660..db9d4c1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -8565,16 +8565,28 @@
 {
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 	char *err = NULL;
+	int i, j;
+
+	if (!payload)
+		payload = args[3];
 
 	/* Expect one parameter: the new response in base64 encoding */
-	if (!*args[3]) {
+	if (!*payload) {
 		appctx->ctx.cli.severity = LOG_ERR;
 		appctx->ctx.cli.msg = "'set ssl ocsp-response' expects response in base64 encoding.\n";
 		appctx->st0 = CLI_ST_PRINT;
 		return 1;
 	}
+
+	/* remove \r and \n from the payload */
+	for (i = 0, j = 0; payload[i]; i++) {
+		if (payload[i] == '\r' || payload[i] == '\n')
+			continue;
+		payload[j++] = payload[i];
+	}
+	payload[j] = 0;
 
-	trash.len = base64dec(args[3], strlen(args[3]), trash.str, trash.size);
+	trash.len = base64dec(payload, j, trash.str, trash.size);
 	if (trash.len < 0) {
 		appctx->ctx.cli.severity = LOG_ERR;
 		appctx->ctx.cli.msg = "'set ssl ocsp-response' received invalid base64 encoded response.\n";