From: Emmanuel Hocdet
Date: Mon, 26 Oct 2020 12:55:30 +0000 (+0100)
Subject: BUG/MEDIUM: ssl: OCSP must work with BoringSSL
X-Git-Tag: v2.3-dev9~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a73a222a9863e5f6763786845c1ff9e7e1038c3c;p=thirdparty%2Fhaproxy.git
BUG/MEDIUM: ssl: OCSP must work with BoringSSL
It's a regression from b3201a3e "BUG/MINOR: disable dynamic OCSP load with BoringSSL". The origin bug is link to 76b4a12 "BUG/MEDIUM: ssl: memory leak of ocsp data at SSL_CTX_free()": ssl_sock_free_ocsp() shoud be in #ifndef OPENSSL_IS_BORINGSSL. To avoid long #ifdef for small code, the BoringSSL part for ocsp load is isolated in a simple #ifdef. This must be backported in 2.2 and 2.1
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 2c146488bd..0fb2198739 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1314,7 +1314,6 @@ static void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
  * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
  * successfully enabled, or -1 in other error case.
  */
-#ifndef OPENSSL_IS_BORINGSSL
 static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
 {
 	X509 *x, *issuer;
@@ -1444,15 +1443,15 @@ out:
 	return ret;
 }
-#else /* OPENSSL_IS_BORINGSSL */
+#endif
+
+#ifdef OPENSSL_IS_BORINGSSL
 static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckch, STACK_OF(X509) *chain)
 {
 	return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
 }
 #endif
-#endif
-
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL)
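Review bot: The BoringSSL stub that now sits under `+#ifdef OPENSSL_IS_BORINGSSL` returns the raw result of `SSL_CTX_set_ocsp_response()`, which as far as I recall BoringSSL documents as 1 on success and 0 on failure, while the contract written above this function in the previous hunk is 0 for success and -1 for errors, and the caller in the last hunk only treats `< 0` as a failure. As written, a BoringSSL failure to attach the response is silently accepted (the context is built without a stapled response and nothing is reported), and a success comes back as 1, the code the comment reserves for "no .ocsp file found". Mapping the result onto the documented convention keeps the two variants interchangeable for the caller: `return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data) ? 0 : -1;`. The OpenSSL variant of ssl_sock_load_ocsp() ends in this hunk but starts outside it, and the conditional that the new `+#endif` closes also begins before the hunk.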
@@ -3138,7 +3137,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 }
 #endif
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
 	/* Load OCSP Info into context */
 	if (ckch->ocsp_response) {
 		if (ssl_sock_load_ocsp(ctx, ckch, find_chain) < 0) {
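Review bot: The rewritten `#if` enables OCSP loading on BoringSSL without saying why that build is exempted from the SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB / OPENSSL_NO_OCSP test, and a reader of this condition alone cannot tell that it also selects a different ssl_sock_load_ocsp() implementation. A one-line comment above the `#if` would make that explicit, e.g. `/* BoringSSL has no status-request callback but accepts a static OCSP response, so it gets its own ssl_sock_load_ocsp() variant */`, assuming that is indeed the reason for the OR. ssl_sock_put_ckch_into_ctx() starts before this hunk and continues past it.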