From: William Lallemand
Date: Tue, 30 Apr 2024 19:55:45 +0000 (+0200)
Subject: MINOR: ssl/ocsp: use 'ocsp-update' in crt-store
X-Git-Tag: v3.0-dev12~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b6b7fea58999ddfcab3f59046887a30125a3b3e;p=thirdparty%2Fhaproxy.git

MINOR: ssl/ocsp: use 'ocsp-update' in crt-store

Use the ocsp-update keyword in the crt-store section. This is not used as an exception in the crtlist code anymore. This patch introduces the "ocsp_update_mode" variable in the ckch_conf structure. The SSL_SOCK_OCSP_UPDATE_* enum was changed to a define to match the ckch_conf on/off parser so we can have off to -1.
---
diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index de375392ef..e01d65c8ba 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -65,6 +65,7 @@ struct ckch_conf {
 char *ocsp;
 char *issuer;
 char *sctl;
+ int ocsp_update_mode;
 };
 /*
diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index 449530bc1f..001f85d591 100644
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -55,6 +55,7 @@ void ssl_destroy_ocsp_update_task(void);
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
+int ocsp_update_init(void *value, char *buf, struct ckch_data *d, char **err);
 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
diff --git a/include/haproxy/ssl_sock-t.h b/include/haproxy/ssl_sock-t.h
index ade1779856..0c44a1ea55 100644
--- a/include/haproxy/ssl_sock-t.h
+++ b/include/haproxy/ssl_sock-t.h
@@ -105,11 +105,9 @@ enum {
 };
 /* bind ocsp update mode */
-enum {
- SSL_SOCK_OCSP_UPDATE_DFLT = 0,
- SSL_SOCK_OCSP_UPDATE_OFF = 1,
- SSL_SOCK_OCSP_UPDATE_ON = 2,
-};
+#define SSL_SOCK_OCSP_UPDATE_OFF -1
+#define SSL_SOCK_OCSP_UPDATE_DFLT 0
+#define SSL_SOCK_OCSP_UPDATE_ON 1
 /* states of the CLI IO handler for 'set ssl cert' */
 enum {
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index e593d32a22..b918fc1333 100644
--- a/src/ssl_ckch.c
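Review bot: The new `ocsp_update_mode` member of struct ckch_conf has no comment on its value domain, so a reader of this header has to go to ssl_sock-t.h to learn that -1 is off, 0 is "not set" and 1 is on. Suggest `int ocsp_update_mode; /* SSL_SOCK_OCSP_UPDATE_{OFF,DFLT,ON}; DFLT defers to global_ssl.ocsp_update.mode */`, which also records the fallback that ssl_sock_load_ocsp now implements in src/ssl_sock.c. The struct's opening brace is only in the hunk header, so the rest of the definition is outside the hunk.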
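Review bot: `#define SSL_SOCK_OCSP_UPDATE_OFF -1` leaves a negative macro value unparenthesized; the usual convention (CERT PRE01-C) is `#define SSL_SOCK_OCSP_UPDATE_OFF (-1)` so the constant stays a single operand wherever it is substituted. The renumbering is more than cosmetic: OFF was 1 and ON was 2 under the removed enum, so anything outside this diff that keeps the mode in an unsigned or bit-field member, or compares it against literal values, would silently change meaning once OFF becomes -1 — those users are not visible here, so this deserves a check before merge. The surviving `/* bind ocsp update mode */` comment also still describes the constants as bind-only although they now carry the crt-store `ocsp-update` value; `/* ocsp update mode, shared by bind lines and crt-store 'ocsp-update' */` would match the new use.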
+++ b/src/ssl_ckch.c
@@ -4032,6 +4032,7 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 { "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ckch_conf_load_ocsp_response, ¤t_crtbase },
 { "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer, ¤t_crtbase },
 { "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ckch_conf_load_sctl, ¤t_crtbase },
+ { "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, NULL },
 { NULL, -1, PARSE_TYPE_STR, NULL, NULL }
 };
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 04715e297f..6e8af70cfe 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1974,6 +1974,19 @@ static int ocsp_update_parse_global_http_proxy(char **args, int section_type, st
 return 0;
 }
+int ocsp_update_init(void *value, char *buf, struct ckch_data *d, char **err)
+{
+ int ocsp_update_mode = *(int *)value;
+ int ret = 0;
+
+ if (ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) {
+ /* We might need to create the main ocsp update task */
+ ret = ssl_create_ocsp_update_task(err);
+ }
+
+ return ret;
+}
+
 static struct cli_kw_list cli_kws = {{ },{
 { { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response : update a certificate's OCSP Response from a base64-encode DER", cli_parse_set_ocspresponse, NULL },
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 0018af981b..b72cd81084 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1127,7 +1127,9 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
 char *err = NULL;
 size_t path_len;
 int inc_refcount_store = 0;
- int enable_auto_update = 0;
+ int enable_auto_update = (store->conf.ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON) ||
+ (store->conf.ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_DFLT &&
+ global_ssl.ocsp_update.mode == SSL_SOCK_OCSP_UPDATE_ON);
 x = data->cert;
 if (!x)
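Review bot: `ocsp_update_init` is exported through ssl_ocsp.h but has no header comment, and its `buf` and `d` parameters are never read, which will look like an oversight unless the comment states that they are part of the ckch_conf keyword callback signature. Suggest a comment above the definition saying that it is the callback for the crt-store 'ocsp-update' keyword, that `value` points at the ckch_conf `ocsp_update_mode` int already filled in by the on/off parser, that `buf` and `d` are unused, and that it returns 0 unless the mode is SSL_SOCK_OCSP_UPDATE_ON, in which case the result and `err` of ssl_create_ocsp_update_task() are passed straight back. A mode of SSL_SOCK_OCSP_UPDATE_DFLT combined with a global ocsp-update mode of "on" is treated as enabled by the ssl_sock.c hunk but never reaches this branch, so task creation for that case must happen elsewhere — not visible in this diff, worth confirming. On style, the `ret` temporary could go: `return ssl_create_ocsp_update_task(err);` inside the if and `return 0;` after it.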
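Review bot: The new initializer for `enable_auto_update` dereferences `store` at the very top of ssl_sock_load_ocsp, before the `if (!x)` check and any other validation, whereas the old `= 0` touched nothing; if any caller can pass a NULL store (the callers are not in this diff) this is now an unconditional crash at load time, and if none can, a short comment stating that precondition would spare the next reader the question. The rest of the function is outside the hunk: if the crt-list code that previously assigned `enable_auto_update` later in the body is still present, it would override this value, which the commit message says should no longer happen. A why-comment on the three-line expression would also help, e.g. `/* per-certificate 'ocsp-update' from the crt-store wins; DFLT falls back to the global ocsp-update mode */`.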