return ret;
}
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if defined(HAVE_SSL_OCSP)
/*
* This function load the OCSP Response in DER format contained in file at
* path 'ocsp_path' or base64 in a buffer <buf>
}
#endif
+#ifdef HAVE_SSL_OCSP
/* try to load an ocsp response file */
if (global_ssl.extra_files & SSL_GF_OCSP) {
struct stat st;
*(fp->area + fp->data - strlen(".ocsp")) = '\0';
b_sub(fp, strlen(".ocsp"));
}
-
#ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
/* if no issuer was found, try to load an issuer from the .issuer */
b_sub(fp, strlen(".issuer"));
}
}
+#endif
#endif
ret = 0;
/* We need to properly remove the reference to the corresponding
* certificate_ocsp structure if it exists (which it should).
*/
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
if (data->ocsp_cid) {
struct certificate_ocsp *ocsp = NULL;
unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
dst->sctl = sctl;
}
+#ifdef HAVE_SSL_OCSP
if (src->ocsp_response) {
struct buffer *ocsp_response;
X509_up_ref(src->ocsp_issuer);
dst->ocsp_issuer = src->ocsp_issuer;
}
-
dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
-
+#endif
return dst;
error:
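Review bot: `dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);` is now fenced by a bare `#ifdef HAVE_SSL_OCSP`, whereas every other `ocsp_cid` use in this commit (the `if (data->ocsp_cid)` release path, and the `OCSP_MAX_CERTID_ASN1_LENGTH` buffers in `ckch_store_show_ocsp_certid` and `cli_io_handler_show_cert_ocsp_detail`) additionally requires `!defined OPENSSL_IS_BORINGSSL`. The expression HAVE_SSL_OCSP replaces in the first hunk ended in `|| defined OPENSSL_IS_BORINGSSL`, so if the new macro is also true on BoringSSL this dup is compiled on a build where the CERTID paths are excluded everywhere else; either confirm `OCSP_CERTID_dup` and the `ocsp_cid` member exist there, or use the same guard, `#if defined(HAVE_SSL_OCSP) && !defined(OPENSSL_IS_BORINGSSL)`. A one-line comment on whichever choice is made would stop the next reader from re-asking. The enclosing copy function begins before this hunk and its `error:` path continues after it.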
struct cert_exts cert_exts[] = {
{ "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */
{ "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch },
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if defined(HAVE_SSL_OCSP)
{ "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file },
#endif
#ifdef HAVE_SSL_SCTL
*/
static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
{
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
unsigned int key_length = 0;
int i;
*/
static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
{
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
struct show_cert_ctx *ctx = appctx->svcctx;
struct ckch_store *ckchs = ctx->cur_ckchs;
struct buffer *out = alloc_trash_chunk();
goto end;
}
+#if defined(HAVE_SSL_OCSP)
/* Reset the OCSP CID */
if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
cert_ext->type == CERT_TYPE_ISSUER) {
OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
new_ckchs->data->ocsp_cid = NULL;
}
-
+#endif
data = new_ckchs->data;
/* apply the change on the duplicate */
{ "alias", -1, PARSE_TYPE_NONE, NULL, NULL },
{ "crt", offsetof(struct ckch_conf, crt), PARSE_TYPE_STR, ckch_conf_load_pem, ¤t_crtbase },
{ "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ckch_conf_load_key, ¤t_keybase },
+#ifdef HAVE_SSL_OCSP
{ "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ckch_conf_load_ocsp_response, ¤t_crtbase },
+#endif
{ "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer, ¤t_crtbase },
{ "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ckch_conf_load_sctl, ¤t_crtbase },
+#if defined(HAVE_SSL_OCSP)
{ "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, NULL },
+#endif
{ NULL, -1, PARSE_TYPE_STR, NULL, NULL }
};
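Review bot: The `"issuer"` entry (`ckch_conf_load_ocsp_issuer`) stays unconditional while its neighbours `"ocsp"` and `"ocsp-update"` are now inside HAVE_SSL_OCSP, and the automatic `.issuer` file loading earlier in this commit has moved inside the same guard. As far as this hunk shows, a build without HAVE_SSL_OCSP therefore still accepts the `issuer` keyword; if `ckch_conf_load_ocsp_issuer` or the `ocsp_issuer` field is guarded elsewhere the table will not compile, and if not, the keyword is parsed but presumably has no effect, which an operator may mistake for working stapling. Consider moving the line into the `#ifdef HAVE_SSL_OCSP` block next to `"ocsp"`, or add a comment such as `/* issuer is loaded even without OCSP support: used by ... */` stating why it is kept available. The `ckch_conf_kws` table starts before this hunk.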
default:
break;
}
+#if defined(HAVE_SSL_OCSP)
/* special case for ocsp-update and default */
if (strcmp(ckch_conf_kws[i].name, "ocsp-update") == 0) {
int o1, o2; /* ocsp-update from the configuration */
ret = 1;
}
}
+#endif
}
out:
.keylog = 0,
#endif
.security_level = -1,
-#ifndef OPENSSL_NO_OCSP
+#ifdef HAVE_SSL_OCSP
.ocsp_update.delay_max = SSL_OCSP_UPDATE_DELAY_MAX,
.ocsp_update.delay_min = SSL_OCSP_UPDATE_DELAY_MIN,
.ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_OFF,
#endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
/*
* This function enables the handling of OCSP status extension on 'ctx' if a
* ocsp_response buffer was found in the cert_key_and_chain. To enable OCSP
}
#endif
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if defined(HAVE_SSL_OCSP)
/* Load OCSP Info into context
* If OCSP update mode is set to 'on', an entry will be created in the
* ocsp tree even if no ocsp_response was known during init, unless the
sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
#endif
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
ocsp_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_ocsp_free_func);
#endif
HA_SPIN_INIT(&ckch_lock);
+#if defined(HAVE_SSL_OCSP)
HA_SPIN_INIT(&ocsp_tree_lock);
+#endif
/* Try to register dedicated SSL/TLS protocol message callbacks for
* heartbleed attack (CVE-2014-0160) and clienthello.
#endif
BIO_meth_free(ha_meth);
-#if !defined OPENSSL_NO_OCSP
+#if defined(HAVE_SSL_OCSP)
ssl_destroy_ocsp_update_task();
#endif
}
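Review bot: The replacement guards are spelled three ways across the commit — `#ifdef HAVE_SSL_OCSP` (the `.ocsp` file loading, the copy function, the `"ocsp"` keyword, the `global_ssl` initialiser), `#if defined(HAVE_SSL_OCSP)` (here and in the `cert_exts` table, the CID reset, the `"ocsp-update"` keyword, the context-loading and lock-init hunks), and `#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)`, which mixes parenthesised and bare `defined` inside one expression. Since the point of the change is to replace a long condition with one feature macro, a single spelling makes the feature greppable; `#ifdef HAVE_SSL_OCSP` for the simple form and `#if defined(HAVE_SSL_OCSP) && !defined(OPENSSL_IS_BORINGSSL)` for the compound one would do. In this hunk `ssl_destroy_ocsp_update_task()` is now conditioned on HAVE_SSL_OCSP rather than `!defined OPENSSL_NO_OCSP`; its declaration and the update task it tears down are not in this diff, so it is worth confirming they carry the same macro, otherwise a build where the two conditions differ ends with an undeclared call or a task that is created but never destroyed.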