From: Remi Tricot-Le Breton
Date: Wed, 7 Feb 2024 15:38:41 +0000 (+0100)
Subject: MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
X-Git-Tag: v3.0-dev3~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28e78a0a74e0b3007e0e01753bd6703c219f7ade;p=thirdparty%2Fhaproxy.git
MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid
The only useful information taken out of the ckch_store in order to copy an OCSP certid into a buffer (later used as a key for entries in the OCSP response tree) is the ocsp_certid field of the ckch_data structure. We then don't need to pass a pointer to the full ckch_store to ckch_store_build_certid or even any information related to the store itself. The ckch_store_build_certid is then converted into a helper function that simply takes an OCSP_CERTID and converts it into a char buffer.
---
diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index c9b410a9d1..54a1b8831f 100644
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -30,6 +30,8 @@
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+int ssl_ocsp_build_response_key(OCSP_CERTID *ocsp_cid, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length);
+
 int ssl_sock_get_ocsp_arg_kt_index(int evp_keytype);
 int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg);
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index de37bfb955..24ff1649a1 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -34,6 +34,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -1761,36 +1762,6 @@ end:
 return 0;
 }
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
-/*
- * Build the OCSP tree entry's key for a given ckch_store.
- * Returns a negative value in case of error.
- */
-static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
-{
- unsigned char *p = NULL;
- int i;
- if (!key_length)
- return -1;
- *key_length = 0;
- if (!ckch_store->data->ocsp_cid)
- return 0;
- i = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, NULL);
- if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
- return 0;
- p = certid;
- *key_length = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, &p);
-end:
- return *key_length > 0;
-}
-#endif
-
 /*
 * Dump the OCSP certificate key (if it exists) of certificate into
 * buffer .
@@ -1803,7 +1774,7 @@ static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buf
 unsigned int key_length = 0;
 int i;
- if (ckch_store_build_certid(ckch_store, (unsigned char*)key, &key_length) >= 0) {
+ if (ssl_ocsp_build_response_key(ckch_store->data->ocsp_cid, (unsigned char*)key, &key_length) >= 0) {
 /* Dump the CERTID info */
 chunk_appendf(out, "OCSP Response Key: ");
 for (i = 0; i < key_length; ++i) {
@@ -1890,7 +1861,7 @@ static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
 unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
 unsigned int key_length = 0;
- if (ckch_store_build_certid(ckchs, (unsigned char*)key, &key_length) < 0)
+ if (ssl_ocsp_build_response_key(ckchs->data->ocsp_cid, (unsigned char*)key, &key_length) < 0)
 goto end_no_putchk;
 if (ssl_get_ocspresponse_detail(key, out))
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 8a7cb27276..3e7408a667 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -184,6 +184,37 @@ __decl_thread(HA_SPINLOCK_T ocsp_tree_lock);
 struct eb_root ocsp_update_tree = EB_ROOT; /* updatable ocsp responses sorted by next_update in absolute time */
+/*
+ * Convert an OCSP_CERTID structure into a char buffer that can be used as a key
+ * in the OCSP response tree. It takes an as parameter and builds a
+ * key of length into the buffer. The key length cannot
+ * exceed OCSP_MAX_CERTID_ASN1_LENGTH bytes.
+ * Returns a negative value in case of error.
+ */
+int ssl_ocsp_build_response_key(OCSP_CERTID *ocsp_cid, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
+{
+ unsigned char *p = NULL;
+ int i;
+ if (!key_length)
+ return -1;
+ *key_length = 0;
+ if (!ocsp_cid)
+ return 0;
+ i = i2d_OCSP_CERTID(ocsp_cid, NULL);
+ if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
+ return 0;
+ p = certid;
+ *key_length = i2d_OCSP_CERTID(ocsp_cid, &p);
+
+end:
+ return *key_length > 0;
+}
+
 /* This function starts to check if the OCSP response (in DER format) contained
 * in chunk 'ocsp_response' is valid (else exits on error).
 * If 'cid' is not NULL, it will be compared to the OCSP certificate ID
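Review bot: The encoding-length checks in the new ssl_ocsp_build_response_key do not cover the negative value that the OpenSSL i2d_* functions return on encoding failure: `if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))` only rejects 0, so a negative `i` falls through to the second `i2d_OCSP_CERTID` call, whose result is stored unchecked into the `unsigned int *key_length`, after which `return *key_length > 0` reports success with a wrapped-around length that the caller in ssl_ckch.c then iterates over (`for (i = 0; i < key_length; ++i)`). Rejecting non-positive results before the unsigned store, as in the excerpt below, keeps the 1 / 0 / -1 contract intact. The `end:` label is never the target of a goto in this body and will draw -Wunused-label; it looks carried over from the removed ckch_store_build_certid and can go. Since callers test both `>= 0` and `< 0`, the header comment should state the tri-state return explicitly rather than only the negative case. The old definition was additionally excluded under OPENSSL_IS_BORINGSSL; whether its new home in ssl_ocsp.c sits under an equivalent guard is outside the hunk and worth confirming.
```c
	/* … unchanged: key_length and ocsp_cid NULL checks … */
	i = i2d_OCSP_CERTID(ocsp_cid, NULL);
	/* i2d_* reports failure with a negative length, not only 0 */
	if (i <= 0 || i > OCSP_MAX_CERTID_ASN1_LENGTH)
		return 0;

	p = certid;
	i = i2d_OCSP_CERTID(ocsp_cid, &p);
	if (i <= 0)
		return 0;
	*key_length = (unsigned int)i;

	return *key_length > 0;
```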