MINOR: ssl: OCSP functions can load from file or buffer

The ssl_sock_load_ocsp_response_from_file() function was modified to
fill directly a struct cert_key_and_chain.

The function prototype was normalized in order to be used with the CLI
payload parser.

This function either read a base64 from a buffer or read a binary file
on the filesystem.

It fills the ocsp_response buffer of the struct cert_key_and_chain.

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index fa98d8099cde4c5bf705105f987a8ed359ee14dd..cfa910ba64452a6a6d0ce6a43274f7206226a678 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -875,48 +875,72 @@ int ssl_sock_update_ocsp_response(struct buffer *ocsp_response, char **err)
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
 /*
  * This function load the OCSP Resonse in DER format contained in file at
- * path 'ocsp_path'
+ * path 'ocsp_path' or base64 in a buffer <buf>
  *
  * Returns 0 on success, 1 in error case.
  */
-static int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, struct buffer **ocsp_response, char **err)
+static int ssl_sock_load_ocsp_response_from_file(const char *ocsp_path, char *buf, struct cert_key_and_chain *ckch, char **err)
 {
        int fd = -1;
        int r = 0;
        int ret = 1;
+       struct buffer *ocsp_response;
+       struct buffer *src = NULL;
 
-       fd = open(ocsp_path, O_RDONLY);
-       if (fd == -1) {
-               memprintf(err, "Error opening OCSP response file");
-               goto end;
-       }
+       if (buf) {
+               int i, j;
+               /* if it's from a buffer it will be base64 */
 
-       trash.data = 0;
-       while (trash.data < trash.size) {
-               r = read(fd, trash.area + trash.data, trash.size - trash.data);
-               if (r < 0) {
-                       if (errno == EINTR)
+               /* remove \r and \n from the payload */
+               for (i = 0, j = 0; buf[i]; i++) {
+                       if (buf[i] == '\r' || buf[i] == '\n')
                                continue;
+                       buf[j++] = buf[i];
+               }
+               buf[j] = 0;
 
-                       memprintf(err, "Error reading OCSP response from file");
+               ret = base64dec(buf, j, trash.area, trash.size);
+               if (ret < 0) {
+                       memprintf(err, "Error reading OCSP response in base64 format");
                        goto end;
                }
-               else if (r == 0) {
-                       break;
+               trash.data = ret;
+               src = &trash;
+       } else {
+               fd = open(ocsp_path, O_RDONLY);
+               if (fd == -1) {
+                       memprintf(err, "Error opening OCSP response file");
+                       goto end;
                }
-               trash.data += r;
+
+               trash.data = 0;
+               while (trash.data < trash.size) {
+                       r = read(fd, trash.area + trash.data, trash.size - trash.data);
+                       if (r < 0) {
+                               if (errno == EINTR)
+                                       continue;
+
+                               memprintf(err, "Error reading OCSP response from file");
+                               goto end;
+                       }
+                       else if (r == 0) {
+                               break;
+                       }
+                       trash.data += r;
+               }
+               close(fd);
+               fd = -1;
+               src = &trash;
        }
 
-       *ocsp_response = calloc(1, sizeof(**ocsp_response));
-       if (!chunk_dup(*ocsp_response, &trash)) {
-               free(*ocsp_response);
-               *ocsp_response = NULL;
+       ocsp_response = calloc(1, sizeof(*ocsp_response));
+       if (!chunk_dup(ocsp_response, src)) {
+               free(ocsp_response);
+               ocsp_response = NULL;
                goto end;
        }
 
-       close(fd);
-       fd = -1;
-
+       ckch->ocsp_response = ocsp_response;
        ret = 0;
 end:
        if (fd != -1)
@@ -1196,7 +1220,6 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 {
        X509 *x = NULL, *issuer = NULL;
        OCSP_CERTID *cid = NULL;
-       char ocsp_path[MAXPATHLEN+1];
        int i, ret = -1;
        struct certificate_ocsp *ocsp = NULL, *iocsp;
        char *warn = NULL;
@@ -1292,7 +1315,7 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 
        warn = NULL;
        if (ssl_sock_load_ocsp_response(ckch->ocsp_response, ocsp, cid, &warn)) {
-               memprintf(&warn, "Loading '%s': %s. Content will be ignored", ocsp_path, warn ? warn : "failure");
+               memprintf(&warn, "Loading: %s. Content will be ignored", warn ? warn : "failure");
                ha_warning("%s.\n", warn);
        }
 
@@ -3029,7 +3052,7 @@ static int ssl_sock_load_crt_file_into_ckch(const char *path, BIO *buf, struct c
 
                snprintf(fp, MAXPATHLEN+1, "%s.ocsp", path);
                if (stat(fp, &st) == 0) {
-                       if (ssl_sock_load_ocsp_response_from_file(fp, &ckch->ocsp_response, err)) {
+                       if (ssl_sock_load_ocsp_response_from_file(fp, NULL, ckch, err)) {
                                ret = 1;
                                goto end;
                        }