MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid

The only useful information taken out of the ckch_store in order to copy
an OCSP certid into a buffer (later used as a key for entries in the
OCSP response tree) is the ocsp_certid field of the ckch_data structure.
We then don't need to pass a pointer to the full ckch_store to
ckch_store_build_certid or even any information related to the store
itself.
The ckch_store_build_certid is then converted into a helper function
that simply takes an OCSP_CERTID and converts it into a char buffer.
Remi Tricot-Le Breton 2024-02-07 16:38:41 +01:00 committed by William Lallemand
parent 1fda0a5202
commit 28e78a0a74
3 changed files with 36 additions and 32 deletions


@ -30,6 +30,8 @@
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
int ssl_ocsp_build_response_key(OCSP_CERTID *ocsp_cid, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length);
int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype);
int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg);
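Review bot: The new prototype on the `int ssl_ocsp_build_response_key(...)` line sits under the guard `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !OPENSSL_NO_OCSP`, whereas the function it replaces in ssl_ckch.c was additionally guarded by `!defined OPENSSL_IS_BORINGSSL`; the guard around the new definition in ssl_ocsp.c is not visible here, so it is worth confirming the two match, otherwise BoringSSL builds end up with a declaration that has no definition. The header also carries no contract for the function while the .c file does; a short comment above the prototype, `/* Encode <ocsp_cid> into <certid> for use as an OCSP tree key; see ssl_ocsp.c for the return convention. */`, would save readers a jump.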


@ -34,6 +34,7 @@
#include <haproxy/sc_strm.h>
#include <haproxy/ssl_ckch.h>
#include <haproxy/ssl_sock.h>
#include <haproxy/ssl_ocsp.h>
#include <haproxy/ssl_utils.h>
#include <haproxy/stconn.h>
#include <haproxy/tools.h>
@ -1761,36 +1762,6 @@ end:
return 0;
}
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
/*
* Build the OCSP tree entry's key for a given ckch_store.
* Returns a negative value in case of error.
*/
static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
{
unsigned char *p = NULL;
int i;
if (!key_length)
return -1;
*key_length = 0;
if (!ckch_store->data->ocsp_cid)
return 0;
i = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, NULL);
if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
return 0;
p = certid;
*key_length = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, &p);
end:
return *key_length > 0;
}
#endif
/*
* Dump the OCSP certificate key (if it exists) of certificate <ckch> into
* buffer <out>.
@ -1803,7 +1774,7 @@ static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buf
unsigned int key_length = 0;
int i;
if (ckch_store_build_certid(ckch_store, (unsigned char*)key, &key_length) >= 0) {
if (ssl_ocsp_build_response_key(ckch_store->data->ocsp_cid, (unsigned char*)key, &key_length) >= 0) {
/* Dump the CERTID info */
chunk_appendf(out, "OCSP Response Key: ");
for (i = 0; i < key_length; ++i) {
@ -1890,7 +1861,7 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
unsigned int key_length = 0;
if (ckch_store_build_certid(ckchs, (unsigned char*)key, &key_length) < 0)
if (ssl_ocsp_build_response_key(ckchs->data->ocsp_cid, (unsigned char*)key, &key_length) < 0)
goto end_no_putchk;
if (ssl_get_ocspresponse_detail(key, out))
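Review bot: The cast `(unsigned char*)key` on the new call `ssl_ocsp_build_response_key(ckchs->data->ocsp_cid, (unsigned char*)key, &key_length)` is redundant, since `key` is declared two lines above as `unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH]` and already decays to the expected pointer type; dropping it keeps the compiler's type check on the argument. The same cast was carried over on the new line in ckch_store_show_ocsp_certid, where key's declaration is outside the hunk so its type cannot be confirmed from here. Both call sites keep the signed comparisons (`>= 0`, `< 0`) of the old helper, which means the 0 result for "no certid" is still treated as success and the show handler prints an `OCSP Response Key:` header followed by an empty loop; if that is unintended, checking `key_length` before the dump would address it. The enclosing functions start outside the hunks.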


@ -184,6 +184,37 @@ __decl_thread(HA_SPINLOCK_T ocsp_tree_lock);
struct eb_root ocsp_update_tree = EB_ROOT; /* updatable ocsp responses sorted by next_update in absolute time */
/*
* Convert an OCSP_CERTID structure into a char buffer that can be used as a key
* in the OCSP response tree. It takes an <ocsp_cid> as parameter and builds a
* key of length <key_length> into the <certid> buffer. The key length cannot
* exceed OCSP_MAX_CERTID_ASN1_LENGTH bytes.
* Returns a negative value in case of error.
*/
int ssl_ocsp_build_response_key(OCSP_CERTID *ocsp_cid, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
{
unsigned char *p = NULL;
int i;
if (!key_length)
return -1;
*key_length = 0;
if (!ocsp_cid)
return 0;
i = i2d_OCSP_CERTID(ocsp_cid, NULL);
if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
return 0;
p = certid;
*key_length = i2d_OCSP_CERTID(ocsp_cid, &p);
end:
return *key_length > 0;
}
/* This function starts to check if the OCSP response (in DER format) contained
* in chunk 'ocsp_response' is valid (else exits on error).
* If 'cid' is not NULL, it will be compared to the OCSP certificate ID
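Review bot: The check `if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))` lets a negative return from `i2d_OCSP_CERTID()` through, since the i2d family reports errors with a negative value, and the second call's result is stored straight into the unsigned `*key_length`, so a failure there would become a very large length that the dump loop in ssl_ckch.c iterates over; routing both results through the signed `i` closes that. The `end:` label is never jumped to and only draws an unused-label warning, so it can go. The header comment's "Returns a negative value in case of error" undersells the contract: 0 is returned both when <ocsp_cid> is NULL and when the encoded id would exceed OCSP_MAX_CERTID_ASN1_LENGTH (with *key_length left at 0), and 1 on success, which is worth stating since the callers treat 0 and 1 alike.
```c
	i = i2d_OCSP_CERTID(ocsp_cid, NULL);
	if (i <= 0 || i > OCSP_MAX_CERTID_ASN1_LENGTH)
		return 0;
	p = certid;
	i = i2d_OCSP_CERTID(ocsp_cid, &p);
	if (i <= 0)
		return -1;
	*key_length = i;
	return 1;
```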