if (data->ocsp_issuer)
X509_free(data->ocsp_issuer);
data->ocsp_issuer = NULL;
+
+ OCSP_CERTID_free(data->ocsp_cid);
+ data->ocsp_cid = NULL;
}
/*
dst->ocsp_issuer = src->ocsp_issuer;
}
+ dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
+
return dst;
error:
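Review bot: The result of `OCSP_CERTID_dup()` on the added line is never checked, so when src->ocsp_cid is set and the duplication fails the copy silently ends up with a NULL ocsp_cid, and ckch_store_build_certid() will later report that store as having no OCSP data at all. An `error:` label is already in place, so the failure can be routed there with `if (src->ocsp_cid && !dst->ocsp_cid) goto error;`. OCSP_CERTID_dup(NULL) returning NULL is the legitimate "source has no id" case, which that condition leaves alone. The enclosing copy function starts outside the hunk.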
* Build the OCSP tree entry's key for a given ckch_store.
* Returns a negative value in case of error.
*/
-static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[128], unsigned int *key_length)
+static int ckch_store_build_certid(struct ckch_store *ckch_store, unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH], unsigned int *key_length)
{
- OCSP_RESPONSE *resp;
- OCSP_BASICRESP *bs = NULL;
- OCSP_SINGLERESP *sr;
- OCSP_CERTID *id;
unsigned char *p = NULL;
+ int i;
if (!key_length)
return -1;
*key_length = 0;
- if (!ckch_store->data->ocsp_response)
+ if (!ckch_store->data->ocsp_cid)
return 0;
- p = (unsigned char *) ckch_store->data->ocsp_response->area;
-
- resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **)&p,
- ckch_store->data->ocsp_response->data);
- if (!resp) {
- goto end;
- }
-
- bs = OCSP_response_get1_basic(resp);
- if (!bs) {
- goto end;
- }
-
- sr = OCSP_resp_get0(bs, 0);
- if (!sr) {
- goto end;
- }
-
- id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr);
+ i = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, NULL);
+ if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
+ return 0;
p = certid;
- *key_length = i2d_OCSP_CERTID(id, &p);
+ *key_length = i2d_OCSP_CERTID(ckch_store->data->ocsp_cid, &p);
end:
return *key_length > 0;
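Review bot: The `end:` label just before `return *key_length > 0;` is no longer reached by any `goto end` now that the response-parsing block is gone, which trips -Wunused-label; drop the label. The new size check `if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))` also lets a negative i2d_OCSP_CERTID() return value through, after which the second call's negative result would be stored into the unsigned `*key_length` and the function would report success with an unusable key; `if (i <= 0 || i > OCSP_MAX_CERTID_ASN1_LENGTH)` covers both cases. The same `!i` form is kept on the `i2d_OCSP_CERTID(data->ocsp_cid, NULL)` check in ssl_sock_load_ocsp(). Separately, the header comment says a negative value is returned on error while every failure path here returns 0; the comment should be aligned with the code.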
* Returns 1 if no ".ocsp" file found, 0 if OCSP status extension is
* successfully enabled, or -1 in other error case.
*/
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
{
X509 *x, *issuer;
- OCSP_CERTID *cid = NULL;
int i, ret = -1;
struct certificate_ocsp *ocsp = NULL, *iocsp;
char *warn = NULL;
if (!issuer)
goto out;
- cid = OCSP_cert_to_id(0, x, issuer);
- if (!cid)
+ data->ocsp_cid = OCSP_cert_to_id(0, x, issuer);
+ if (!data->ocsp_cid)
goto out;
- i = i2d_OCSP_CERTID(cid, NULL);
+ i = i2d_OCSP_CERTID(data->ocsp_cid, NULL);
if (!i || (i > OCSP_MAX_CERTID_ASN1_LENGTH))
goto out;
goto out;
p = ocsp->key_data;
- ocsp->key_length = i2d_OCSP_CERTID(cid, &p);
+ ocsp->key_length = i2d_OCSP_CERTID(data->ocsp_cid, &p);
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
iocsp = (struct certificate_ocsp *)ebmb_insert(&cert_ocsp_tree, &ocsp->key, OCSP_MAX_CERTID_ASN1_LENGTH);
ret = 0;
warn = NULL;
- if (ssl_sock_load_ocsp_response(data->ocsp_response, iocsp, cid, &warn)) {
+ if (ssl_sock_load_ocsp_response(data->ocsp_response, iocsp, data->ocsp_cid, &warn)) {
memprintf(&warn, "Loading: %s. Content will be ignored", warn ? warn : "failure");
ha_warning("%s.\n", warn);
}
out:
- if (cid)
- OCSP_CERTID_free(cid);
+ if (ret && data->ocsp_cid)
+ OCSP_CERTID_free(data->ocsp_cid);
+
+ if (!ret && data->ocsp_response) {
+ ha_free(&data->ocsp_response->area);
+ ha_free(&data->ocsp_response);
+ }
if (ocsp)
ssl_sock_free_ocsp(ocsp);
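Review bot: On the error path at `out:`, `OCSP_CERTID_free(data->ocsp_cid)` leaves data->ocsp_cid pointing at freed memory because the pointer is not reset, and since `data` is now non-const and outlives this call, the unconditional `OCSP_CERTID_free(data->ocsp_cid)` added to the ckch_data cleanup earlier in this patch would free it a second time (and an OCSP_CERTID_dup() of that ckch_data would read freed memory). Reset it after the free: `if (ret) { OCSP_CERTID_free(data->ocsp_cid); data->ocsp_cid = NULL; }` — the NULL guard is redundant because OCSP_CERTID_free(NULL) is a no-op. The assignment `data->ocsp_cid = OCSP_cert_to_id(0, x, issuer);` earlier in the function also overwrites whatever id is already stored in data; if this function can run more than once for the same ckch_data, that is a leak, so either free the previous value first or make the precondition explicit. The function's opening and its final return are outside the visible hunks.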
#endif
#ifdef OPENSSL_IS_BORINGSSL
-static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct ckch_data *data, STACK_OF(X509) *chain)
+static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X509) *chain)
{
return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)ckch->ocsp_response->area, ckch->ocsp_response->data);
}
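Review bot: The BoringSSL ssl_sock_load_ocsp() body dereferences `ckch->ocsp_response`, but the parameter in the new signature is `data`; unless `ckch` is some other name in scope here, this variant does not compile, and it also dereferences `ocsp_response` with no NULL check even though the OpenSSL variant's cleanup (`if (!ret && data->ocsp_response)`) treats a NULL response as possible. The line is untouched by the patch, so this looks pre-existing, but with the signature being edited anyway it would be the moment to guard with `if (!data->ocsp_response) return 1;` and then `return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)data->ocsp_response->area, data->ocsp_response->data);`, mirroring the return-1 convention documented on the OpenSSL variant.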
* The value 0 means there is no error nor warning and
* the operation succeed.
*/
-static int ssl_sock_put_ckch_into_ctx(const char *path, const struct ckch_data *data, SSL_CTX *ctx, char **err)
+static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_data *data, SSL_CTX *ctx, char **err)
{
int errcode = 0;
STACK_OF(X509) *find_chain = NULL;