From: Remi Gacogne
Date: Fri, 21 Jan 2022 14:53:56 +0000 (+0100)
Subject: dnsdist: Add DISABLE_OCSP_STAPLING
X-Git-Tag: rec-4.7.0-beta1~7^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2ba75ea744aa3d3f9498c118b9b2e26d843493e4;p=thirdparty%2Fpdns.git
dnsdist: Add DISABLE_OCSP_STAPLING
---
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 2f8d858c9b..14be047c2d 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -2768,7 +2768,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 luaCtx.writeFunction("setAllowEmptyResponse", [](bool allow) { g_allowEmptyResponse = allow; });
 luaCtx.writeFunction("setDropEmptyQueries", [](bool drop) { extern bool g_dropEmptyQueries; g_dropEmptyQueries = drop; });
-#if defined(HAVE_LIBSSL) && defined(HAVE_OCSP_BASIC_SIGN)
+#if defined(HAVE_LIBSSL) && defined(HAVE_OCSP_BASIC_SIGN) && !defined(DISABLE_OCSP_STAPLING)
 luaCtx.writeFunction("generateOCSPResponse", [client](const std::string& certFile, const std::string& caCert, const std::string& caKey, const std::string& outFile, int ndays, int nmin) {
 if (client) {
 return;
@@ -2776,7 +2776,7 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 libssl_generate_ocsp_response(certFile, caCert, caKey, outFile, ndays, nmin);
 });
-#endif /* HAVE_LIBSSL && HAVE_OCSP_BASIC_SIGN*/
+#endif /* HAVE_LIBSSL && HAVE_OCSP_BASIC_SIGN && !DISABLE_OCSP_STAPLING */
 luaCtx.writeFunction("addCapabilitiesToRetain", [](LuaTypeOrArrayOf caps) {
 setLuaSideEffect();
diff --git a/pdns/dnsdistdist/docs/install.rst b/pdns/dnsdistdist/docs/install.rst
index 35f2925c6c..39119d43a0 100644
--- a/pdns/dnsdistdist/docs/install.rst
+++ b/pdns/dnsdistdist/docs/install.rst
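Review bot: With DISABLE_OCSP_STAPLING defined, the `#if` on the changed line drops `generateOCSPResponse` entirely, so a configuration that still calls it fails with Lua's generic nil-call error instead of a message naming the build option. An `#else` branch that registers `generateOCSPResponse` with a lambda of the same parameter list whose body is only `throw std::runtime_error("generateOCSPResponse() is not available: dnsdist was built with DISABLE_OCSP_STAPLING");` keeps the failure explicit at configuration load, and the `#endif` comment updated in the second hunk would then cover both branches. If the other `DISABLE_*` options deliberately leave their functions unregistered, this is a consistency choice rather than a defect. setupLuaConfig starts and ends outside the hunk.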
@@ -119,6 +119,7 @@ Our ``configure`` script provides a fair number of options with regard to which
 * ``DISABLE_DEPRECATED_DYNBLOCK`` for legacy dynamic blocks not using the new ``DynBlockRulesGroup`` interface
 * ``DISABLE_ECS_ACTIONS`` to disable actions altering EDNS Client Subnet
 * ``DISABLE_LUA_WEB_HANDLERS`` for custom Lua web handlers support
+* ``DISABLE_OCSP_STAPLING`` for OCSP stapling
 * ``DISABLE_PROMETHEUS`` for prometheus
 * ``DISABLE_PROTOBUF`` for protocol-buffer support, including dnstap
 * ``DISABLE_RECVMMSG`` for ``recvmmsg`` support
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 7021684685..a03e842a2c 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -1387,6 +1387,7 @@ static int create_listener(const ComboAddress& addr, std::shared_ptr*>(arg);
 return libssl_ocsp_stapling_callback(ssl, *ocspMap);
 }
+#endif /* DISABLE_OCSP_STAPLING */
 static int ticket_key_callback(SSL *s, unsigned char keyName[TLS_TICKETS_KEY_NAME_SIZE], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
 {
@@ -1434,10 +1436,12 @@ static void setupTLSContext(DOHAcceptContext& acceptCtx,
 libssl_set_ticket_key_callback_data(ctx.get(), &acceptCtx);
 }
+#ifndef DISABLE_OCSP_STAPLING
 if (!acceptCtx.d_ocspResponses.empty()) {
 SSL_CTX_set_tlsext_status_cb(ctx.get(), &ocsp_stapling_callback);
 SSL_CTX_set_tlsext_status_arg(ctx.get(), &acceptCtx.d_ocspResponses);
 }
+#endif /* DISABLE_OCSP_STAPLING */
 libssl_set_error_counters_callback(ctx, &counters);
diff --git a/pdns/libssl.cc b/pdns/libssl.cc
index f2ee87073f..fe6d226b51 100644
--- a/pdns/libssl.cc
+++ b/pdns/libssl.cc
@@ -16,7 +16,9 @@
 #include
 #endif
 #include
+#ifndef DISABLE_OCSP_STAPLING
 #include
+#endif /* DISABLE_OCSP_STAPLING */
 #include
 #include
 #include
@@ -293,6 +295,7 @@ void libssl_set_error_counters_callback(std::unique_ptr& ocspMap) { auto pkey = SSL_get_privatekey(ssl);
@@ -401,25 +404,6 @@ std::map libssl_load_ocsp_responses(const std::vector& ctx)
-{
-#ifdef HAVE_SSL_CTX_GET0_PRIVATEKEY
- auto pkey = SSL_CTX_get0_privatekey(ctx.get());
-#else
- auto temp = std::unique_ptr(SSL_new(ctx.get()), SSL_free);
- if (!temp) {
- return -1;
- }
- auto pkey = SSL_get_privatekey(temp.get());
-#endif
-
- if (!pkey) {
- return -1;
- }
-
- return EVP_PKEY_base_id(pkey);
-}
-
 #ifdef HAVE_OCSP_BASIC_SIGN
 bool libssl_generate_ocsp_response(const std::string& certFile, const std::string& caCert, const std::string& caKey, const std::string& outFile, int ndays, int nmin)
 {
@@ -466,6 +450,26 @@ bool libssl_generate_ocsp_response(const std::string& certFile, const std::strin
 return true;
 }
 #endif /* HAVE_OCSP_BASIC_SIGN */
+#endif /* DISABLE_OCSP_STAPLING */
+
+static int libssl_get_last_key_type(std::unique_ptr& ctx)
+{
+#ifdef HAVE_SSL_CTX_GET0_PRIVATEKEY
+ auto pkey = SSL_CTX_get0_privatekey(ctx.get());
+#else
+ auto temp = std::unique_ptr(SSL_new(ctx.get()), SSL_free);
+ if (!temp) {
+ return -1;
+ }
+ auto pkey = SSL_get_privatekey(temp.get());
+#endif
+
+ if (!pkey) {
+ return -1;
+ }
+
+ return EVP_PKEY_base_id(pkey);
+}
 LibsslTLSVersion libssl_tls_version_from_string(const std::string& str)
 {
@@ -843,6 +847,7 @@ std::unique_ptr libssl_init_server_context(const TLS
 keyTypes.push_back(keyType);
 }
+#ifndef DISABLE_OCSP_STAPLING
 if (!config.d_ocspFiles.empty()) {
 try {
 ocspResponses = libssl_load_ocsp_responses(config.d_ocspFiles, keyTypes);
@@ -851,6 +856,7 @@ std::unique_ptr libssl_init_server_context(const TLS
 throw std::runtime_error("Unable to load OCSP responses: " + std::string(e.what()));
 }
 }
+#endif /* DISABLE_OCSP_STAPLING */
 if (!config.d_ciphers.empty() && SSL_CTX_set_cipher_list(ctx.get(), config.d_ciphers.c_str()) != 1) {
 throw std::runtime_error("The TLS ciphers could not be set: " + config.d_ciphers);
diff --git a/pdns/libssl.hh b/pdns/libssl.hh
index aeb4059ef5..99cc5c8b38 100644
--- a/pdns/libssl.hh
+++ b/pdns/libssl.hh
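Review bot: `libssl_get_last_key_type` is now file-local and no longer declared in libssl.hh, so this definition is the only place its contract lives, yet it carries no comment and still signals failure with the sentinel `-1`, which is easy to push into a key-type list unnoticed. A header comment such as `/* Returns the EVP_PKEY base id of the private key loaded in ctx, or -1 if SSL_new() fails or no private key is set */` plus `[[nodiscard]]` on the definition would document that; returning `std::optional<int>` would be cleaner but changes the caller, presumably the keyTypes collection in libssl_init_server_context. Moving the function out of the OCSP block is otherwise a pure relocation.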
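Review bot: With DISABLE_OCSP_STAPLING defined, the `#ifndef` opened in the previous hunk compiles out the whole `config.d_ocspFiles` handling, so OCSP response files an operator configured are accepted and then silently never stapled, a downgrade that is invisible unless someone probes the TLS handshake; unless the option parsing elsewhere already rejects them in this build, the `#endif` added here should become an `#else` branch that refuses the configuration. The GnuTLS path in pdns/tcpiohandler.cc (hunks @@ -1539 and @@ -1547) removes the loop over `fe.d_tlsConfig.d_ocspFiles` the same way and needs the same check. This diff does not touch the `d_ocspFiles` member, so it presumably still exists in the disabled build. libssl_init_server_context starts and ends outside the hunk.
```cpp
#ifndef DISABLE_OCSP_STAPLING
  if (!config.d_ocspFiles.empty()) {
    // … unchanged: libssl_load_ocsp_responses() call and error wrapping …
  }
#else
  if (!config.d_ocspFiles.empty()) {
    throw std::runtime_error("OCSP response files were configured but dnsdist was built with DISABLE_OCSP_STAPLING");
  }
#endif /* DISABLE_OCSP_STAPLING */
```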
@@ -120,14 +120,15 @@ void* libssl_get_ticket_key_callback_data(SSL* s);
 void libssl_set_ticket_key_callback_data(SSL_CTX* ctx, void* data);
 int libssl_ticket_key_callback(SSL *s, OpenSSLTLSTicketKeysRing& keyring, unsigned char keyName[TLS_TICKETS_KEY_NAME_SIZE], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
+#ifndef DISABLE_OCSP_STAPLING
 int libssl_ocsp_stapling_callback(SSL* ssl, const std::map& ocspMap);
 std::map libssl_load_ocsp_responses(const std::vector& ocspFiles, std::vector keyTypes);
-int libssl_get_last_key_type(std::unique_ptr& ctx);
 #ifdef HAVE_OCSP_BASIC_SIGN
 bool libssl_generate_ocsp_response(const std::string& certFile, const std::string& caCert, const std::string& caKey, const std::string& outFile, int ndays, int nmin);
 #endif
+#endif /* DISABLE_OCSP_STAPLING */
 void libssl_set_error_counters_callback(std::unique_ptr& ctx, TLSErrorCounters* counters);
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 84ac3aef76..7e8f6142a9 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -587,10 +587,12 @@ public:
 libssl_set_ticket_key_callback_data(d_feContext->d_tlsCtx.get(), d_feContext.get());
 }
+#ifndef DISABLE_OCSP_STAPLING
 if (!d_feContext->d_ocspResponses.empty()) {
 SSL_CTX_set_tlsext_status_cb(d_feContext->d_tlsCtx.get(), &OpenSSLTLSIOCtx::ocspStaplingCb);
 SSL_CTX_set_tlsext_status_arg(d_feContext->d_tlsCtx.get(), &d_feContext->d_ocspResponses);
 }
+#endif /* DISABLE_OCSP_STAPLING */
 libssl_set_error_counters_callback(d_feContext->d_tlsCtx, &fe.d_tlsCounters);
@@ -722,6 +724,7 @@ public:
 return ret;
 }
+#ifndef DISABLE_OCSP_STAPLING
 static int ocspStaplingCb(SSL* ssl, void* arg)
 {
 if (ssl == nullptr || arg == nullptr) {
@@ -730,6 +733,7 @@ public:
 const auto ocspMap = reinterpret_cast*>(arg);
 return libssl_ocsp_stapling_callback(ssl, *ocspMap);
 }
+#endif /* DISABLE_OCSP_STAPLING */
 static int newTicketFromServerCb(SSL* ssl, SSL_SESSION* session)
 {
@@ -1539,6 +1543,7 @@ public:
 }
 }
+#ifndef DISABLE_OCSP_STAPLING
 size_t count = 0;
 for (const auto& file : fe.d_tlsConfig.d_ocspFiles) {
 rc = gnutls_certificate_set_ocsp_status_request_file(d_creds.get(), file.c_str(), count);
@@ -1547,6 +1552,7 @@ public:
 }
 ++count;
 }
+#endif /* DISABLE_OCSP_STAPLING */
 #if GNUTLS_VERSION_NUMBER >= 0x030600
 rc = gnutls_certificate_set_known_dh_params(d_creds.get(), GNUTLS_SEC_PARAM_HIGH);