CLEANUP: ssl/ocsp: remove the deprecated parsing code for "ocsp-update"

Remove the "ocsp-update" keyword handling from the crt-list.

The code was made as an exception everywhere so we could activate the
ocsp-update for an individual certificate.

The feature will still exist but will be parsed as a "crt-store"
keyword which will still be usable in a "crt-list". This will appear in
future commits.

This commit also disables the reg-tests for now.
William Lallemand 2024-04-30 19:29:24 +02:00
parent d616932076
commit db09c2168f
10 changed files with 4 additions and 124 deletions


@ -139,7 +139,6 @@ struct ssl_bind_conf {
unsigned int verify:3; /* verify method (set of SSL_VERIFY_* flags) */
unsigned int no_ca_names:1;/* do not send ca names to clients (ca_file related) */
unsigned int early_data:1; /* early data allowed */
unsigned int ocsp_update:2;/* enable OCSP auto update */
char *ca_file; /* CAfile to use on verify and ca-names */
char *ca_verify_file; /* CAverify file to use on verify only */
char *crl_file; /* CRLfile to use on verify */


@ -55,7 +55,6 @@ struct ckch_data {
struct buffer *ocsp_response;
X509 *ocsp_issuer;
OCSP_CERTID *ocsp_cid;
int ocsp_update_mode;
};
/* configuration for the ckch_store */


@ -55,7 +55,6 @@ void ssl_destroy_ocsp_update_task(void);
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err);
#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */


@ -1,4 +1,4 @@
#REGTEST_TYPE=slow
#REGTEST_TYPE=broken
# reg-test is around ~2.5s
# broken with BoringSSL.


@ -1,4 +1,4 @@
#REGTEST_TYPE=devel
#REGTEST_TYPE=broken
# broken with BoringSSL.
#


@ -1473,35 +1473,6 @@ static int bind_parse_no_ca_names(char **args, int cur_arg, struct proxy *px, st
return ssl_bind_parse_no_ca_names(args, cur_arg, px, &conf->ssl_conf, 0, err);
}
static int ssl_bind_parse_ocsp_update(char **args, int cur_arg, struct proxy *px,
struct ssl_bind_conf *ssl_conf, int from_cli, char **err)
{
if (!*args[cur_arg + 1]) {
memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (strcmp(args[cur_arg + 1], "on") == 0)
ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_ON;
else if (strcmp(args[cur_arg + 1], "off") == 0)
ssl_conf->ocsp_update = SSL_SOCK_OCSP_UPDATE_OFF;
else {
memprintf(err, "'%s' : expecting <on|off>", args[cur_arg]);
return ERR_ALERT | ERR_FATAL;
}
if (ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) {
/* We might need to create the main ocsp update task */
int ret = ssl_create_ocsp_update_task(err);
if (ret)
return ret;
}
return 0;
}
/***************************** "server" keywords Parsing ********************************************/
/* parse the "npn" bind keyword */
@ -2205,7 +2176,6 @@ struct ssl_crtlist_kw ssl_crtlist_kws[] = {
{ "ssl-min-ver", ssl_bind_parse_tls_method_minmax,1 }, /* minimum version */
{ "ssl-max-ver", ssl_bind_parse_tls_method_minmax,1 }, /* maximum version */
{ "verify", ssl_bind_parse_verify, 1 }, /* set SSL verify method */
{ "ocsp-update", ssl_bind_parse_ocsp_update, 1 }, /* ocsp update mode (on or off) */
{ NULL, NULL, 0 },
};


@ -356,8 +356,6 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
goto end;
}
data->ocsp_update_mode = global_ssl.ocsp_update.mode;
/* remove the ".crt" extension */
if (global_ssl.extra_files_noext) {
char *ext;
@ -829,8 +827,6 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
dst->ocsp_update_mode = src->ocsp_update_mode;
return dst;
error:


@ -620,10 +620,6 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
entry->node.key = ckchs;
entry->crtlist = newlist;
if (entry->ssl_conf)
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
ebpt_insert(&newlist->entries, &entry->node);
LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
@ -680,14 +676,6 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
entry_dup->node.key = ckchs;
entry_dup->crtlist = newlist;
cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
if (cfgerr & ERR_FATAL)
goto error;
if (entry->ssl_conf)
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
ebpt_insert(&newlist->entries, &entry_dup->node);
LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
@ -712,14 +700,6 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
entry->node.key = ckchs;
entry->crtlist = newlist;
cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
if (cfgerr & ERR_FATAL)
goto error;
if (entry->ssl_conf)
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
if (ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
ckchs->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
ebpt_insert(&newlist->entries, &entry->node);
LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
@ -978,12 +958,7 @@ static void dump_crtlist_sslconf(struct buffer *buf, const struct ssl_bind_conf
space++;
}
if (conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_DFLT) {
if (space) chunk_appendf(buf, " ");
chunk_appendf(buf, "ocsp-update %s",
conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_OFF ? "off" : "on");
space++;
}
/* FIXME: dump crt-store keywords */
chunk_appendf(buf, "]");
@ -1388,18 +1363,6 @@ static int cli_parse_add_crtlist(char **args, char *payload, struct appctx *appc
goto error;
}
/* No need to check 'ocsp-update' inconsistency on a store that is not
* used yet (it was just added through the CLI for instance).
*/
if (!LIST_ISEMPTY(&store->ckch_inst) &&
ocsp_update_check_cfg_consistency(store, entry, cert_path, &err))
goto error;
if (entry->ssl_conf)
store->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
if (store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT)
store->data->ocsp_update_mode = global_ssl.ocsp_update.mode;
/* check if it's possible to insert this new crtlist_entry */
entry->node.key = store;
inserted = ebpt_insert(&crtlist->entries, &entry->node);
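Review bot: The new `/* FIXME: dump crt-store keywords */` in dump_crtlist_sslconf does not say that `ocsp-update` is the keyword now missing from the dump, so a reader of `show ssl crt-list` output between this commit and the crt-store follow-up has no hint that the per-certificate mode is silently omitted. I would make it explicit: `/* FIXME: 'ocsp-update' is no longer dumped here; emit crt-store keywords once they are parsed from a crt-list */`. The same intermediate-state caveat applies to the cli_parse_add_crtlist hunk, where the consistency check is dropped without any note that runtime-added entries are now accepted unchecked. Both enclosing functions continue outside their hunks.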


@ -1707,39 +1707,6 @@ static void cli_release_show_ocspresponse(struct appctx *appctx)
ssl_sock_free_ocsp_instance(ctx->ocsp);
}
/* Check if the ckch_store and the entry do have the same configuration. Also
* ensure that those options are compatible with the global ocsp-update mode. */
int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
{
int err_code = ERR_NONE;
int incompat_found = 0;
switch(store->data->ocsp_update_mode) {
case SSL_SOCK_OCSP_UPDATE_DFLT:
if (entry && entry->ssl_conf && entry->ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON &&
global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_ON)
incompat_found = 1;
break;
case SSL_SOCK_OCSP_UPDATE_OFF:
if ((entry && entry->ssl_conf && entry->ssl_conf->ocsp_update == SSL_SOCK_OCSP_UPDATE_ON) ||
((!entry || !entry->ssl_conf) && global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON))
incompat_found = 1;
break;
case SSL_SOCK_OCSP_UPDATE_ON:
if ((entry && entry->ssl_conf && entry->ssl_conf->ocsp_update != SSL_SOCK_OCSP_UPDATE_ON) ||
((!entry || !entry->ssl_conf) && global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_ON))
incompat_found = 1;
break;
}
if (incompat_found) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
err_code |= ERR_ALERT | ERR_FATAL;
}
return err_code;
}
struct show_ocsp_updates_ctx {
struct certificate_ocsp *cur_ocsp;
};


@ -1126,9 +1126,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
char *err = NULL;
size_t path_len;
int inc_refcount_store = 0;
int enable_auto_update = (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON ||
(data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT &&
global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON));
int enable_auto_update = 0;
x = data->cert;
if (!x)
@ -1143,11 +1141,6 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
ret = 0;
goto out;
}
} else {
/* If we have an OCSP response provided and the ocsp auto update
* enabled, we must raise an error if no OCSP URI was found. */
if (data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON && b_data(ocsp_uri) == 0)
goto out;
}
issuer = data->ocsp_issuer;
@ -3848,12 +3841,6 @@ int ssl_sock_load_cert(char *path, struct bind_conf *bind_conf, int is_default,
/* we found the ckchs in the tree, we can use it directly */
cfgerr |= ssl_sock_load_ckchs(path, ckchs, bind_conf, NULL, NULL, 0, is_default, &ckch_inst, err);
/* The ckch_store might have been created through a crt-list
* line so we must check that the ocsp-update modes are still
* compatible between the global mode and the explicit one from
* the crt-list. */
cfgerr |= ocsp_update_check_cfg_consistency(ckchs, NULL, path, err);
found++;
} else if (stat(path, &buf) == 0) {
found++;
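Review bot: `int enable_auto_update = 0;` in ssl_sock_load_ocsp pins auto-update off unconditionally, whereas the removed initializer also honoured `global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON`, so a global `ocsp-update` setting appears to stop scheduling refreshes until the crt-store keyword lands, and a stapled response loaded at startup would then age out without renewal. If that is the intended intermediate state, the line should say so rather than read like a permanent default: `int enable_auto_update = 0; /* TEMP: global_ssl.ocsp_update.mode is no longer consulted; to be re-derived from the crt-store 'ocsp-update' keyword in a later commit */`. The second hunk dropping the "no OCSP URI" error is consistent with the mode being forced off, but the same comment would explain why that check could go. ssl_sock_load_ocsp continues outside the hunk.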