Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / fb2b9988e84c6d79a1672b8895830bceda20622d^! / .
commitfb2b9988e84c6d79a1672b8895830bceda20622d[log] [tgz]
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>Tue Dec 20 11:11:11 2022 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Wed Dec 21 11:21:07 2022 +0100
tree79a5de3894887f2601c729dfb2acad043debb665
parent03c5ffff8ed173b496156e8b3c6a1164918187a9 [diff]
MINOR: ssl: Store 'ocsp-update' mode in the ckch_data and check for inconsistencies

The 'ocsp-update' option is parsed at the same time as all the other
bind line options but it does not actually have anything to do with the
bind line since it concerns the frontend certificate instead. For that
reason, we should have a mean to identify inconsistencies in the
configuration and raise an error when a given certificate has two
different ocsp-update modes specified in one or more crt-lists.
The simplest way to do it is to store the ocsp update mode directly in
the ckch and not only in the ssl_bind_conf.

diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index eba0b1a..b6cd693 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h

@@ -55,6 +55,7 @@
 	struct buffer *ocsp_response;
 	X509 *ocsp_issuer;
 	OCSP_CERTID *ocsp_cid;
+	int ocsp_update_mode;
 };
 
 /*

diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index c532c01..c1b27f4 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c

@@ -563,6 +563,8 @@
 
 				entry->node.key = ckchs;
 				entry->crtlist = newlist;
+				if (entry->ssl_conf)
+					ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 				ebpt_insert(&newlist->entries, &entry->node);
 				LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
 				LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
@@ -611,6 +613,14 @@
 
 					entry_dup->node.key = ckchs;
 					entry_dup->crtlist = newlist;
+					if (entry->ssl_conf) {
+						if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
+						    ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+							memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+							cfgerr |= ERR_ALERT;
+						}
+						ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
+					}
 					ebpt_insert(&newlist->entries, &entry_dup->node);
 					LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
 					LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
@@ -634,6 +644,14 @@
 		} else {
 			entry->node.key = ckchs;
 			entry->crtlist = newlist;
+			if (entry->ssl_conf) {
+				if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
+				    ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+					memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+					cfgerr |= ERR_ALERT;
+				}
+				ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
+			}
 			ebpt_insert(&newlist->entries, &entry->node);
 			LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
 			LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);