MINOR: boringssl: basic support for OCSP Stapling
Use BoringSSL's SSL_CTX_set_ocsp_response() to load the OCSP response from a file
with the '.ocsp' extension next to the certificate. Updating the response via the CLI is not supported.
diff --git a/doc/management.txt b/doc/management.txt
index 565813e..64d6a2d 100644
--- a/doc/management.txt
+++ b/doc/management.txt
@@ -1658,7 +1658,8 @@
This command is used to update an OCSP Response for a certificate (see "crt"
on "bind" lines). Same controls are performed as during the initial loading of
the response. The <response> must be passed as a base64 encoded string of the
- DER encoded response from the OCSP server.
+ DER encoded response from the OCSP server. This command is not supported with
+ BoringSSL.
Example:
openssl ocsp -issuer issuer.pem -cert server.pem \
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index dd63c19..831bb5f 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1117,6 +1117,43 @@
#endif
+#ifdef OPENSSL_IS_BORINGSSL
+static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_path)
+{
+ char ocsp_path[MAXPATHLEN+1];
+ struct stat st;
+ int fd = -1, r = 0;
+
+ snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
+ if (stat(ocsp_path, &st))
+ return 0;
+
+ fd = open(ocsp_path, O_RDONLY);
+ if (fd == -1) {
+ Warning("Error opening OCSP response file %s.\n", ocsp_path);
+ return -1;
+ }
+
+ trash.len = 0;
+ while (trash.len < trash.size) {
+ r = read(fd, trash.str + trash.len, trash.size - trash.len);
+ if (r < 0) {
+ if (errno == EINTR)
+ continue;
+ Warning("Error reading OCSP response from file %s.\n", ocsp_path);
+ close(fd);
+ return -1;
+ }
+ else if (r == 0) {
+ break;
+ }
+ trash.len += r;
+ }
+ close(fd);
+ return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)trash.str, trash.len);
+}
+#endif
+
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
#define CT_EXTENSION_TYPE 18
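Review bot: An OCSP response larger than trash.size is silently truncated and stapled anyway: the loop at `while (trash.len < trash.size)` stops once the buffer is full without noticing that the file has more data, and the `st` filled by the earlier stat() is never consulted, so a `st.st_size > trash.size` check with a Warning is the cheap guard. The snprintf() building ocsp_path is also unchecked, so a cert_path close to MAXPATHLEN yields a truncated name and the function would stat()/open() some unrelated file; compare its return value against MAXPATHLEN. The function also mixes return conventions: 0 means "no .ocsp file", -1 means a read error, but the last line passes through SSL_CTX_set_ocsp_response()'s 1-on-success/0-on-failure result, so a rejected response is indistinguishable from the no-file case and produces no Warning at all. Note that nothing here validates that the bytes form a well-formed OCSP response for this certificate; SSL_CTX_set_ocsp_response() appears to store them as-is, so a corrupt or stale .ocsp file will be stapled to every handshake.
```c
static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_path)
{
	char ocsp_path[MAXPATHLEN+1];
	struct stat st;
	int fd = -1, r = 0;

	/* a truncated path would silently point at an unrelated file */
	r = snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
	if (r < 0 || r > MAXPATHLEN) {
		Warning("OCSP response path for %s is too long.\n", cert_path);
		return -1;
	}
	if (stat(ocsp_path, &st))
		return 0;

	/* the read loop below is bounded by trash.size; refuse to staple a truncated response */
	if (st.st_size > trash.size) {
		Warning("OCSP response file %s is too large for the trash buffer.\n", ocsp_path);
		return -1;
	}

	/* … unchanged: open(), read loop, close() … */

	/* SSL_CTX_set_ocsp_response() returns 1 on success; keep this function's 0/-1 convention */
	if (!SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)trash.str, trash.len)) {
		Warning("Error setting OCSP response from file %s.\n", ocsp_path);
		return -1;
	}
	return 0;
}
```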
@@ -2743,6 +2780,8 @@
rv = 1;
goto end;
}
+#elif (defined OPENSSL_IS_BORINGSSL)
+ ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file);
#endif
}
}
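Review bot: The result of ssl_sock_set_ocsp_response_from_file() is dropped at the new `ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file);` line, whereas the OpenSSL branch directly above visibly aborts the load with `rv = 1; goto end;` on its error path; under BoringSSL a .ocsp file that exists but cannot be read, or that SSL_CTX_set_ocsp_response() rejects, leaves the listener up with at most a Warning. If the failure is meant to be fatal like the other branch, `if (ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file) < 0) { rv = 1; goto end; }`; if best-effort is intended, a comment such as `/* a missing or unreadable .ocsp file is not fatal: stapling is simply left disabled */` would make that deliberate. The same applies to the call added in the hunk at `@@ -2996,6 +3035,8 @@`, where the neighbouring OpenSSL error path does `return 1;`. The enclosing function starts and ends outside this hunk.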
@@ -2996,6 +3035,8 @@
*err ? *err : "", path);
return 1;
}
+#elif (defined OPENSSL_IS_BORINGSSL)
+ ssl_sock_set_ocsp_response_from_file(ctx, path);
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)