From: William Lallemand Date: Tue, 30 Apr 2024 20:20:08 +0000 (+0200) Subject: CLEANUP: ssl: move the global ocsp-update options parsing to ssl_ocsp.c X-Git-Tag: v3.0-dev10~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3a19698b818aaa663935729f3ceb5ab95cc51981;p=thirdparty%2Fhaproxy.git CLEANUP: ssl: move the global ocsp-update options parsing to ssl_ocsp.c Move the global tune.ssl.ocsp-update option parsing to ssl_ocsp.c. --- diff --git a/src/cfgparse-ssl.c b/src/cfgparse-ssl.c index 29e4e08b17..d57fa8ebce 100644 --- a/src/cfgparse-ssl.c +++ b/src/cfgparse-ssl.c 
@@ -2175,89 +2175,6 @@ static int ssl_parse_skip_self_issued_ca(char **args, int section_type, struct p } -static int ssl_parse_global_ocsp_maxdelay(char **args, int section_type, struct proxy *curpx, - const struct proxy *defpx, const char *file, int line, - char **err) -{ - int value = 0; - - if (*(args[1]) == 0) { - memprintf(err, "'%s' expects an integer argument.", args[0]); - return -1; - } - - value = atoi(args[1]); - if (value < 0) { - memprintf(err, "'%s' expects a positive numeric value.", args[0]); - return -1; - } - - if (global_ssl.ocsp_update.delay_min > value) { - memprintf(err, "'%s' can not be lower than tune.ssl.ocsp-update.mindelay.", args[0]); - return -1; - } - - global_ssl.ocsp_update.delay_max = value; - - return 0; -} - -static int ssl_parse_global_ocsp_mindelay(char **args, int section_type, struct proxy *curpx, - const struct proxy *defpx, const char *file, int line, - char **err) -{ - int value = 0; - - if (*(args[1]) == 0) { - memprintf(err, "'%s' expects an integer argument.", args[0]); - return -1; - } - - value = atoi(args[1]); - if (value < 0) { - memprintf(err, "'%s' expects a positive numeric value.", args[0]); - return -1; - } - - if (value > global_ssl.ocsp_update.delay_max) { - memprintf(err, "'%s' can not be higher than tune.ssl.ocsp-update.maxdelay.", args[0]); - return -1; - } - - global_ssl.ocsp_update.delay_min = value; - - return 0; -} - -static int ssl_parse_global_ocsp_update_mode(char **args, int section_type, struct proxy *curpx, - const struct proxy *defpx, const char *file, int line, - char **err) -{ - int ret = 0; - - if (!*args[1]) { - memprintf(err, "'%s' : expecting ", args[0]); - return ERR_ALERT | ERR_FATAL; - } - - if (strcmp(args[1], "on") == 0) - global_ssl.ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_ON; - else if (strcmp(args[1], "off") == 0) - global_ssl.ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_OFF; - else { - memprintf(err, "'%s' : expecting ", args[0]); - return ERR_ALERT | ERR_FATAL; - } - - if 
(global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_OFF) { - /* We might need to create the main ocsp update task */ - ret = ssl_create_ocsp_update_task(err); - } - - return ret; -} - - /* Note: must not be declared as its list will be overwritten. @@ -2445,11 +2362,6 @@ static struct cfg_kw_list cfg_kws = {ILH, { { CFG_GLOBAL, "ssl-default-server-ciphersuites", ssl_parse_global_ciphersuites }, { CFG_GLOBAL, "ssl-load-extra-files", ssl_parse_global_extra_files }, { CFG_GLOBAL, "ssl-load-extra-del-ext", ssl_parse_global_extra_noext }, -#ifndef OPENSSL_NO_OCSP - { CFG_GLOBAL, "tune.ssl.ocsp-update.maxdelay", ssl_parse_global_ocsp_maxdelay }, - { CFG_GLOBAL, "tune.ssl.ocsp-update.mindelay", ssl_parse_global_ocsp_mindelay }, - { CFG_GLOBAL, "tune.ssl.ocsp-update.mode", ssl_parse_global_ocsp_update_mode }, -#endif { 0, NULL, NULL }, }}; diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 5bf264319b..648771beeb 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c 
@@ -1894,6 +1894,90 @@ static void cli_release_show_ocsp_updates(struct appctx *appctx) HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock); } +static int ssl_parse_global_ocsp_maxdelay(char **args, int section_type, struct proxy *curpx, + const struct proxy *defpx, const char *file, int line, + char **err) +{ + int value = 0; + + if (*(args[1]) == 0) { + memprintf(err, "'%s' expects an integer argument.", args[0]); + return -1; + } + + value = atoi(args[1]); + if (value < 0) { + memprintf(err, "'%s' expects a positive numeric value.", args[0]); + return -1; + } + + if (global_ssl.ocsp_update.delay_min > value) { + memprintf(err, "'%s' can not be lower than tune.ssl.ocsp-update.mindelay.", args[0]); + return -1; + } + + global_ssl.ocsp_update.delay_max = value; + + return 0; +} + +static int ssl_parse_global_ocsp_mindelay(char **args, int section_type, struct proxy *curpx, + const struct proxy *defpx, const char *file, int line, + char **err) +{ + int value = 0; + + if (*(args[1]) == 0) { + memprintf(err, "'%s' expects an integer argument.", args[0]); + return -1; + } + + value = atoi(args[1]); + if (value < 0) { + memprintf(err, "'%s' expects a positive numeric value.", args[0]); + return -1; + } + + if (value > global_ssl.ocsp_update.delay_max) { + memprintf(err, "'%s' can not be higher than tune.ssl.ocsp-update.maxdelay.", args[0]); + return -1; + } + + global_ssl.ocsp_update.delay_min = value; + + return 0; +} + +static int ssl_parse_global_ocsp_update_mode(char **args, int section_type, struct proxy *curpx, + const struct proxy *defpx, const char *file, int line, + char **err) +{ + int ret = 0; + + if (!*args[1]) { + memprintf(err, "'%s' : expecting ", args[0]); + return ERR_ALERT | ERR_FATAL; + } + + if (strcmp(args[1], "on") == 0) + global_ssl.ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_ON; + else if (strcmp(args[1], "off") == 0) + global_ssl.ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_OFF; + else { + memprintf(err, "'%s' : expecting ", args[0]); + return ERR_ALERT | 
ERR_FATAL; + } + + if (global_ssl.ocsp_update.mode != SSL_SOCK_OCSP_UPDATE_OFF) { + /* We might need to create the main ocsp update task */ + ret = ssl_create_ocsp_update_task(err); + } + + return ret; +} + + + static int ocsp_update_parse_global_http_proxy(char **args, int section_type, struct proxy *curpx, const struct proxy *defpx, const char *file, int line, char **err) @@ -1937,7 +2021,12 @@ static struct cli_kw_list cli_kws = {{ },{ INITCALL1(STG_REGISTER, cli_register_kw, &cli_kws); static struct cfg_kw_list cfg_kws = {ILH, { +#ifndef OPENSSL_NO_OCSP + { CFG_GLOBAL, "tune.ssl.ocsp-update.maxdelay", ssl_parse_global_ocsp_maxdelay }, + { CFG_GLOBAL, "tune.ssl.ocsp-update.mindelay", ssl_parse_global_ocsp_mindelay }, + { CFG_GLOBAL, "tune.ssl.ocsp-update.mode", ssl_parse_global_ocsp_update_mode }, { CFG_GLOBAL, "ocsp_update.http_proxy", ocsp_update_parse_global_http_proxy }, +#endif { 0, NULL, NULL }, }};
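Review bot: The three moved parsers disagree on their error convention: ssl_parse_global_ocsp_maxdelay and ssl_parse_global_ocsp_mindelay return -1 on a bad argument, while ssl_parse_global_ocsp_update_mode returns `ERR_ALERT | ERR_FATAL`, a positive value. If the global-section dispatcher follows the convention the sibling parsers rely on (negative is a fatal alert, positive is a warning), an invalid `tune.ssl.ocsp-update.mode` value would only produce a warning and startup would continue with the mode unchanged; this is worth confirming against the caller and, if so, aligning on `return -1;`. Separately, both delay parsers convert with `atoi(args[1])`, which silently yields 0 for a non-numeric argument and has undefined behaviour on overflow, so a mistyped delay is accepted as 0 instead of being rejected; `strtol` with an end-pointer check such as `if (*end != '\0') { memprintf(err, "'%s' expects an integer argument.", args[0]); return -1; }` would catch it. Since this commit is a straight move of existing code, both points could be addressed in a follow-up rather than here.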
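Review bot: The `#ifndef OPENSSL_NO_OCSP` block added to cfg_kws also encloses the pre-existing `{ CFG_GLOBAL, "ocsp_update.http_proxy", ocsp_update_parse_global_http_proxy },` entry, so a build with OPENSSL_NO_OCSP defined now drops that keyword from the table, whereas the hunk shows it was registered unconditionally before. If the whole of ssl_ocsp.c is already compiled out in that configuration the guard is redundant but harmless; otherwise the `#endif` belongs directly above the `ocsp_update.http_proxy` line, or the intentional change should be stated in the commit message. The cfg_kws initializer is fully inside the hunk, but the INITCALL that registers it is outside the shown lines.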