MINOR: ssl: Move OCSP code to a dedicated source file

This is a simple cleanup that moves OCSP related code to a dedicated
file instead of interlacing it in some pure ssl connection code.

Makefile

@@ -591,7 +591,7 @@ endif
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
-OPTIONS_OBJS  += src/ssl_sock.o src/ssl_ckch.o src/ssl_sample.o src/ssl_crtlist.o src/cfgparse-ssl.o src/ssl_utils.o src/jwt.o
+OPTIONS_OBJS  += src/ssl_sock.o src/ssl_ckch.o src/ssl_sample.o src/ssl_crtlist.o src/cfgparse-ssl.o src/ssl_utils.o src/jwt.o src/ssl_ocsp.o
 endif
 
 ifneq ($(USE_OPENSSL_WOLFSSL),)

include/haproxy/ssl_ocsp-t.h

@@ -0,0 +1,76 @@
+/*
+ * include/haproxy/ssl_ocsp-t.h
+ * SSL structures related to OCSP
+ *
+ * Copyright (C) 2022 Remi Tricot-Le Breton - rlebreton@haproxy.com
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef _HAPROXY_SSL_OCSP_T_H
+#define _HAPROXY_SSL_OCSP_T_H
+#ifdef USE_OPENSSL
+
+#include <import/ebtree-t.h>
+
+#include <haproxy/buf-t.h>
+#include <haproxy/openssl-compat.h>
+
+#ifndef OPENSSL_NO_OCSP
+extern int ocsp_ex_index;
+#endif
+
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+/*
+ * struct alignment works here such that the key.key is the same as key_data
+ * Do not change the placement of key_data
+ */
+struct certificate_ocsp {
+	struct ebmb_node key;
+	unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
+	unsigned int key_length;
+	struct buffer response;
+	int refcount;
+	long expire;
+	X509 *issuer;
+	STACK_OF(X509) *chain;
+	struct eb64_node next_update;	/* Key of items inserted in ocsp_update_tree (sorted by absolute date) */
+	struct buffer *uri;	/* First OCSP URI contained in the corresponding certificate */
+};
+
+struct ocsp_cbk_arg {
+	int is_single;
+	int single_kt;
+	union {
+		struct certificate_ocsp *s_ocsp;
+		/*
+		 * m_ocsp will have multiple entries dependent on key type
+		 * Entry 0 - DSA
+		 * Entry 1 - ECDSA
+		 * Entry 2 - RSA
+		 */
+		struct certificate_ocsp *m_ocsp[SSL_SOCK_NUM_KEYTYPES];
+	};
+};
+
+extern struct eb_root cert_ocsp_tree;
+extern struct eb_root ocsp_update_tree;
+
+__decl_thread(extern HA_SPINLOCK_T ocsp_tree_lock);
+
+#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
+
+#endif /* USE_OPENSSL */
+#endif /* _HAPROXY_SSL_OCSP_T_H */

include/haproxy/ssl_ocsp.h

@@ -0,0 +1,63 @@
+/*
+ * include/haproxy/ssl_ocsp.h
+ * This file contains definition for ssl OCSP operations
+ *
+ * Copyright (C) 2022 Remi Tricot-Le Breton - rlebreton@haproxy.com
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation, version 2.1
+ * exclusively.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef _HAPROXY_SSL_OCSP_H
+#define _HAPROXY_SSL_OCSP_H
+#ifdef USE_OPENSSL
+
+#include <haproxy/openssl-compat.h>
+#include <haproxy/ssl_ocsp-t.h>
+
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+
+int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype);
+int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg);
+
+void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp);
+
+int ssl_sock_load_ocsp_response(struct buffer *ocsp_response,
+                                struct certificate_ocsp *ocsp,
+                                OCSP_CERTID *cid, char **err);
+int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err);
+void ssl_sock_ocsp_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void *argp);
+
+int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err);
+int ssl_ocsp_create_request_details(const OCSP_CERTID *certid, struct buffer *req_url,
+                                    struct buffer *req_body, char **err);
+int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
+                            struct buffer *respbuf, char **err);
+
+int ssl_create_ocsp_update_task(char **err);
+void ssl_destroy_ocsp_update_task(void);
+
+int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
+
+#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
+
+#endif /* USE_OPENSSL */
+#endif /* _HAPROXY_SSL_OCSP_H */
+
+/*
+ * Local variables:
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ * End:
+ */

include/haproxy/ssl_sock.h

@@ -85,16 +85,6 @@ int ssl_sock_get_remote_common_name(struct connection *conn,
 				    struct buffer *out);
 int ssl_sock_get_pkey_algo(struct connection *conn, struct buffer *out);
 unsigned int ssl_sock_get_verify_result(struct connection *conn);
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
-int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err);
-int ssl_ocsp_get_uri_from_cert(X509 *cert, struct buffer *out, char **err);
-int ssl_ocsp_create_request_details(const OCSP_CERTID *certid, struct buffer *req_url,
-                                    struct buffer *req_body, char **err);
-int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
-                            struct buffer *respbuf, char **err);
-struct task *ssl_ocsp_update_responses(struct task *task, void *context, unsigned int state);
-int ssl_create_ocsp_update_task(char **err);
-#endif
 #if (defined SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB && TLS_TICKETS_NO > 0)
 int ssl_sock_update_tlskey_ref(struct tls_keys_ref *ref,
 				struct buffer *tlskey);

include/haproxy/ssl_utils.h

@@ -43,6 +43,7 @@ unsigned int openssl_version_parser(const char *version);
 void exclude_tls_grease(char *input, int len, struct buffer *output);
 int x509_v_err_str_to_int(const char *str);
 const char *x509_v_err_int_to_str(int code);
+long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d);
 
 #endif /* _HAPROXY_SSL_UTILS_H */
 #endif /* USE_OPENSSL */

src/cfgparse-ssl.c

@@ -40,6 +40,7 @@
 #include <haproxy/ssl_utils.h>
 #include <haproxy/tools.h>
 #include <haproxy/ssl_ckch.h>
+#include <haproxy/ssl_ocsp.h>
 
 
 /****************** Global Section Parsing ********************************************/

src/ssl_utils.c

@@ -588,3 +588,86 @@ void init_x509_v_err_tab(void)
 }
 
 INITCALL0(STG_REGISTER, init_x509_v_err_tab);
+
+
+/*
+ *  This function returns the number of seconds  elapsed
+ *  since the Epoch, 1970-01-01 00:00:00 +0000 (UTC) and the
+ *  date presented un ASN1_GENERALIZEDTIME.
+ *
+ *  In parsing error case, it returns -1.
+ */
+long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d)
+{
+	long epoch;
+	char *p, *end;
+	const unsigned short month_offset[12] = {
+		0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
+	};
+	unsigned long year, month;
+
+	if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
+
+	p = (char *)d->data;
+	end = p + d->length;
+
+	if (end - p < 4) return -1;
+	year = 1000 * (p[0] - '0') + 100 * (p[1] - '0') + 10 * (p[2] - '0') + p[3] - '0';
+	p += 4;
+	if (end - p < 2) return -1;
+	month = 10 * (p[0] - '0') + p[1] - '0';
+	if (month < 1 || month > 12) return -1;
+	/* Compute the number of seconds since 1 jan 1970 and the beginning of current month
+	   We consider leap years and the current month (<marsh or not) */
+	epoch = (  ((year - 1970) * 365)
+		 + ((year - (month < 3)) / 4 - (year - (month < 3)) / 100 + (year - (month < 3)) / 400)
+		 - ((1970 - 1) / 4 - (1970 - 1) / 100 + (1970 - 1) / 400)
+		 + month_offset[month-1]
+		) * 24 * 60 * 60;
+	p += 2;
+	if (end - p < 2) return -1;
+	/* Add the number of seconds of completed days of current month */
+	epoch += (10 * (p[0] - '0') + p[1] - '0' - 1) * 24 * 60 * 60;
+	p += 2;
+	if (end - p < 2) return -1;
+	/* Add the completed hours of the current day */
+	epoch += (10 * (p[0] - '0') + p[1] - '0') * 60 * 60;
+	p += 2;
+	if (end - p < 2) return -1;
+	/* Add the completed minutes of the current hour */
+	epoch += (10 * (p[0] - '0') + p[1] - '0') * 60;
+	p += 2;
+	if (p == end) return -1;
+	/* Test if there is available seconds */
+	if (p[0] < '0' || p[0] > '9')
+		goto nosec;
+	if (end - p < 2) return -1;
+	/* Add the seconds of the current minute */
+	epoch += 10 * (p[0] - '0') + p[1] - '0';
+	p += 2;
+	if (p == end) return -1;
+	/* Ignore seconds float part if present */
+	if (p[0] == '.') {
+		do {
+			if (++p == end) return -1;
+		} while (p[0] >= '0' && p[0] <= '9');
+	}
+
+nosec:
+	if (p[0] == 'Z') {
+		if (end - p != 1) return -1;
+		return epoch;
+	}
+	else if (p[0] == '+') {
+		if (end - p != 5) return -1;
+		/* Apply timezone offset */
+		return epoch - ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
+	}
+	else if (p[0] == '-') {
+		if (end - p != 5) return -1;
+		/* Apply timezone offset */
+		return epoch + ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
+	}
+
+	return -1;
+}