RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-23 21:22:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

MINOR: ssl: resolve ocsp_issuer later

Browse Source 
The goal is to use the ckch to store data from PEM files or <payload> and
only for that. This patch adresses the ckch->ocsp_issuer case. It finds
issuers chain if no chain is present in the ckch in ssl_sock_put_ckch_into_ctx(),
filling the ocsp_issuer from the chain must be done after.
It changes the way '.issuer' is managed: it tries to load '.issuer' in
ckch->ocsp_issuer first and then look for the issuer in the chain later
(in ssl_sock_load_ocsp() ). "ssl-load-extra-files" without the "issuer"
parameter can negate extra '.issuer' file check.
This commit is contained in:
Emmanuel Hocdet 2020-02-18 15:56:39 +01:00 committed by William Lallemand
parent b90d2cbc42
commit 6f507c7c5d
1 changed files with 15 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
src/ssl_sock.c
View File

@ -1404,9 +1404,9 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
* successfully enabled, or -1 in other error case.
*/
#ifndef OPENSSL_IS_BORINGSSL
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch)
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
{
X509 *x = NULL, *issuer = NULL;
X509 *x, *issuer;
OCSP_CERTID *cid = NULL;
int i, ret = -1;
struct certificate_ocsp *ocsp = NULL, *iocsp;
@ -1420,6 +1420,17 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
goto out;
issuer = ckch->ocsp_issuer;
/* take issuer from chain over ocsp_issuer, is what is done historicaly */
if (chain) {
/* check if one of the certificate of the chain is the issuer */
for (i = 0; i < sk_X509_num(chain); i++) {
X509 *ti = sk_X509_value(chain, i);
if (X509_check_issued(ti, x) == X509_V_OK) {
issuer = ti;
break;
}
}
}
if (!issuer)
goto out;
@ -1520,7 +1531,7 @@ out:
return ret;
}
#else /* OPENSSL_IS_BORINGSSL */
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch)
static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
{
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
}
@ -3291,7 +3302,6 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
{
BIO *in = NULL;
int ret = 1;
int i;
X509 *ca;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
@ -3390,15 +3400,6 @@ static int ssl_sock_load_pem_into_ckch(const char *path, char *buf, struct cert_
SWAP(ckch->cert, cert);
SWAP(ckch->chain, chain);
/* check if one of the certificate of the chain is the issuer */
for (i = 0; i < sk_X509_num(ckch->chain); i++) {
X509 *issuer = sk_X509_value(ckch->chain, i);
if (X509_check_issued(issuer, ckch->cert) == X509_V_OK) {
ckch->ocsp_issuer = issuer;
X509_up_ref(issuer);
break;
}
}
ret = 0;
end:
@ -3574,11 +3575,6 @@ static int ssl_sock_load_files_into_ckch(const char *path, struct cert_key_and_c
ret = 1;
goto end;
}
} else {
memprintf(err, "%sNo issuer found, cannot use the OCSP response'.\n",
err && *err ? *err : "");
ret = 1;
goto end;
}
}
}
@ -3687,7 +3683,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
/* Load OCSP Info into context */
if (ckch->ocsp_response) {
if (ssl_sock_load_ocsp(ctx, ckch) < 0) {
if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {
memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
err && *err ? *err : "", path);
errcode |= ERR_ALERT | ERR_FATAL;