From 4a66013069ab4195acabb212b39345fd41eda075 Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Mon, 14 Oct 2019 14:51:41 +0200
Subject: [PATCH] BUG/MINOR: ssl: fix OCSP build with BoringSSL

246c024 broke the build of the OCSP code with BoringSSL.

Rework it a little so it could load the OCSP buffer of the ckch.

Issue #322.
---
 src/ssl_sock.c | 56 +++++++++++++-------------------------------------
 1 file changed, 14 insertions(+), 42 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c9e9b0287..ef9182154 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -870,6 +870,9 @@ int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err)
 	return ssl_sock_load_ocsp_response(ocsp_response, NULL, NULL, err);
 }
 
+#endif
+
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
 /*
  * This function load the OCSP Resonse in DER format contained in file at
  * path 'ocsp_path'
@@ -1170,6 +1173,9 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 	return SSL_TLSEXT_ERR_OK;
 }
 
+#endif
+
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
 /*
  * This function enables the handling of OCSP status extension on 'ctx' if a
  * ocsp_response buffer was found in the cert_key_and_chain.  To enable OCSP
@@ -1184,9 +1190,9 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
  * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
  * successfully enabled, or -1 in other error case.
  */
+#ifndef OPENSSL_IS_BORINGSSL
 static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch)
 {
-
 	X509 *x = NULL, *issuer = NULL;
 	OCSP_CERTID *cid = NULL;
 	char ocsp_path[MAXPATHLEN+1];
@@ -1299,50 +1305,18 @@ out:
 	if (warn)
 		free(warn);
 
-
 	return ret;
 }
-
-#endif
-
-#ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_path)
+#else /* OPENSSL_IS_BORINGSSL */
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch)
 {
-	char ocsp_path[MAXPATHLEN+1];
-	struct stat st;
-	int fd = -1, r = 0;
-
-	snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
-	if (stat(ocsp_path, &st))
-		return 0;
-
-	fd = open(ocsp_path, O_RDONLY);
-	if (fd == -1) {
-		ha_warning("Error opening OCSP response file %s.\n", ocsp_path);
-		return -1;
-	}
-
-	trash.data = 0;
-	while (trash.data < trash.size) {
-		r = read(fd, trash.area + trash.data, trash.size - trash.data);
-		if (r < 0) {
-			if (errno == EINTR)
-				continue;
-			ha_warning("Error reading OCSP response from file %s.\n", ocsp_path);
-			close(fd);
-			return -1;
-		}
-		else if (r == 0) {
-			break;
-		}
-		trash.data += r;
-	}
-	close(fd);
-	return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *) trash.area,
-					 trash.data);
+	return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
 }
 #endif
 
+#endif
+
+
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
 
 #define CT_EXTENSION_TYPE 18
@@ -3142,7 +3116,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 	}
 #endif
 
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
 	/* Load OCSP Info into context */
 	if (ckch->ocsp_response) {
 		if (ssl_sock_load_ocsp(ctx, ckch) < 0) {
@@ -3152,8 +3126,6 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 			return 1;
 		}
 	}
-#elif (defined OPENSSL_IS_BORINGSSL)
-	ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file);
 #endif
 
 	return 0;