MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid

The only useful information taken out of the ckch_store in order to copy
an OCSP certid into a buffer (later used as a key for entries in the
OCSP response tree) is the ocsp_certid field of the ckch_data structure.
We then don't need to pass a pointer to the full ckch_store to
ckch_store_build_certid or even any information related to the store
itself.
The ckch_store_build_certid is then converted into a helper function
that simply takes an OCSP_CERTID and converts it into a char buffer.

diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index c9b410a9d1c5f4f2d2894d6d072baafd733b0b45..54a1b8831fd449d96d4ca2d432fe80e51940695f 100644 (file)
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -30,6 +30,8 @@
 
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
 
+int ssl_ocsp_build_response_key(OCSP_CERTID *ocsp_cid, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length);
+
 int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype);
 int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg);
 

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index de37bfb95549dd93063d8cc7ab115c74422678c3..24ff1649a174ec656b6b357c42008175318b0fbe 100644 (file)
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -34,6 +34,7 @@
 #include <haproxy/sc_strm.h>
 #include <haproxy/ssl_ckch.h>
 #include <haproxy/ssl_sock.h>
+#include <haproxy/ssl_ocsp.h>
 #include <haproxy/ssl_utils.h>
 #include <haproxy/stconn.h>
 #include <haproxy/tools.h>
@@ -1761,36 +1762,6 @@ end:
        return 0;
 }
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
-/*
- * Build the OCSP tree entry's key for a given ckch_store.
- * Returns a negative value in case of error.
- */
-static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
-{
-       unsigned char *p = NULL;
-       int i;
-
-       if (!key_length)
-               return -1;
-
-       *key_length = 0;
-
-       if (!ckch_store->data->ocsp_cid)
-               return 0;
-
-       i = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, NULL);
-       if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
-               return 0;
-
-       p = certid;
-       *key_length = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, &p);
-
-end:
-       return *key_length > 0;
-}
-#endif
-
 /*
  * Dump the OCSP certificate key (if it exists) of certificate <ckch> into
  * buffer <out>.
@@ -1803,7 +1774,7 @@ static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buf
        unsigned int key_length = 0;
        int i;
 
-       if (ckch_store_build_certid(ckch_store, (unsigned char*)key, &key_length) >= 0) {
+       if (ssl_ocsp_build_response_key(ckch_store->data->ocsp_cid, (unsigned char*)key, &key_length) >= 0) {
                /* Dump the CERTID info */
                chunk_appendf(out, "OCSP Response Key: ");
                for (i = 0; i < key_length; ++i) {
@@ -1890,7 +1861,7 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
                unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
                unsigned int key_length = 0;
 
-               if (ckch_store_build_certid(ckchs, (unsigned char*)key, &key_length) < 0)
+               if (ssl_ocsp_build_response_key(ckchs->data->ocsp_cid, (unsigned char*)key, &key_length) < 0)
                        goto end_no_putchk;
 
                if (ssl_get_ocspresponse_detail(key, out))

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 8a7cb272765637e100823e84f770ca0bcff97f2a..3e7408a667ec9ebabf2bded5f79b22d658246f75 100644 (file)
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -184,6 +184,37 @@ __decl_thread(HA_SPINLOCK_T ocsp_tree_lock);
 
 struct eb_root ocsp_update_tree = EB_ROOT; /* updatable ocsp responses sorted by next_update in absolute time */
 
+/*
+ * Convert an OCSP_CERTID structure into a char buffer that can be used as a key
+ * in the OCSP response tree. It takes an <ocsp_cid> as parameter and builds a
+ * key of length <key_length> into the <certid> buffer. The key length cannot
+ * exceed OCSP_MAX_CERTID_ASN1_LENGTH bytes.
+ * Returns a negative value in case of error.
+ */
+int ssl_ocsp_build_response_key(OCSP_CERTID *ocsp_cid, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
+{
+       unsigned char *p = NULL;
+       int i;
+
+       if (!key_length)
+               return -1;
+
+       *key_length = 0;
+
+       if (!ocsp_cid)
+               return 0;
+
+       i = i2d_OCSP_CERTID(ocsp_cid, NULL);
+       if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
+               return 0;
+
+       p = certid;
+       *key_length = i2d_OCSP_CERTID(ocsp_cid, &p);
+
+end:
+       return *key_length > 0;
+}
+
 /* This function starts to check if the OCSP response (in DER format) contained
  * in chunk 'ocsp_response' is valid (else exits on error).
  * If 'cid' is not NULL, it will be compared to the OCSP certificate ID