MINOR: ssl: Add certificate's path to certificate_ocsp structure

In order to have some information about the frontend certificate when
dumping the contents of the ocsp update tree from the cli, we could
either keep a reference to a ckch_store in the certificate_ocsp
structure, which might cause some dangling reference problems, or
simply copy the path to the certificate in the ocsp response structure.
This latter solution was chosen because of its simplicity.

diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index b3304f7a3d3ca36d650d1267ed7cc0e0a8b3cc7d..599d68afd5c1f52623a060a4f674975a5c7c99f9 100644 (file)
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -55,6 +55,8 @@ struct certificate_ocsp {
        unsigned int last_update_status;/* Status of the last OCSP update */
        unsigned int num_success;       /* Number of successful updates */
        unsigned int num_failure;       /* Number of failed updates */
+       unsigned int fail_count;        /* Number of successive failures */
+       char path[VAR_ARRAY];
 };
 
 struct ocsp_cbk_arg {

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 7c3c152a578304ed4441e556915f6b2800449e8c..2d4ededf12d6eb91face6fe6f82a1c51026a32a8 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1099,7 +1099,7 @@ static int tlskeys_finalize_config(void)
  * Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
  * successfully enabled, or -1 in other error case.
  */
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
 {
        X509 *x, *issuer;
        int i, ret = -1;
@@ -1159,7 +1159,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
        if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
                goto out;
 
-       ocsp = calloc(1, sizeof(*ocsp));
+       ocsp = calloc(1, sizeof(*ocsp)+strlen(path)+1);
        if (!ocsp)
                goto out;
 
@@ -1261,6 +1261,8 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
                                goto out;
                        }
 
+                       strcpy(iocsp->path, path);
+
                        ssl_ocsp_update_insert(iocsp);
                }
        }
@@ -1286,7 +1288,7 @@ out:
 #endif
 
 #ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
 {
        return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
 }
@@ -3462,7 +3464,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data,
         * ocsp tree even if no ocsp_response was known during init, unless the
         * frontend's conf disables ocsp update explicitely.
         */
-       if (ssl_sock_load_ocsp(ctx, data, find_chain) < 0) {
+       if (ssl_sock_load_ocsp(path, ctx, data, find_chain) < 0) {
                if (data->ocsp_response)
                        memprintf(err, "%s '%s.ocsp' is present and activates OCSP but it is impossible to compute the OCSP certificate ID (maybe the issuer could not be found)'.\n",
                                  err && *err ? *err : "", path);