From: William Lallemand
Date: Wed, 11 Dec 2024 14:35:58 +0000 (+0100)
Subject: MINOR: ssl: improve HAVE_SSL_OCSP ifdef
X-Git-Tag: v3.2-dev2~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=acb2c9eb8b11fc04d9d01d0170735a2932bca926;p=thirdparty%2Fhaproxy.git

MINOR: ssl: improve HAVE_SSL_OCSP ifdef

Allow to build correctly without OCSP. It could be disabled easily with OpenSSL build with OPENSSL_NO_OCSP. Or even with DEFINE="-DOPENSSL_NO_OCSP" on haproxy make line.
---
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index acbce0c142..8250c2d17d 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -149,6 +149,12 @@
 #define HASSL_DH_up_ref DH_up_ref
 #endif
 
+#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB || AWSLC_API_VERSION >= 29) && (!defined(OPENSSL_NO_OCSP)))
+#define HAVE_SSL_OCSP
+#else
+typedef void OCSP_CERTID;
+#endif
+
 #if ((HA_OPENSSL_VERSION_NUMBER < 0x1000000fL) && !defined(X509_get_X509_PUBKEY))
 #define X509_get_X509_PUBKEY(x) ((x)->cert_info->key)
 #endif
diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index aa7086d52e..e0b706220e 100644
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -38,7 +38,7 @@ extern int ocsp_ex_index;
 #define SSL_OCSP_UPDATE_MARGIN 60 /* 1 minute */
 #define SSL_OCSP_HTTP_ERR_REPLAY 60 /* 1 minute */
 
-#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
+#if defined(HAVE_SSL_OCSP)
 /*
  * struct alignment works here such that the key.key is the same as key_data
  * Do not change the placement of key_data
@@ -89,7 +89,7 @@ extern struct task *ocsp_update_task;
 
 __decl_thread(extern HA_SPINLOCK_T ocsp_tree_lock);
 
-#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
+#endif /* HAVE_SSL_OCSP */
 
 #endif /* USE_OPENSSL */
 #endif /* _HAPROXY_SSL_OCSP_T_H */
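Review bot: The new HAVE_SSL_OCSP definition carries no BoringSSL clause, yet the expressions it replaces in src/ssl_ckch.c (@@ -255 and @@ -1538) and src/ssl_sock.c (@@ -2772) all had `|| defined OPENSSL_IS_BORINGSSL` outside the OPENSSL_NO_OCSP test, so unless BoringSSL itself satisfies `defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined(OPENSSL_NO_OCSP)` the OCSP response loading those blocks kept alive for BoringSSL silently drops out of that build. Either fold that case into the macro or state in the commit message that BoringSSL stapling is intentionally dropped. `AWSLC_API_VERSION >= 29` evaluates an undefined identifier as 0 under every other library, which is valid C but trips `-Wundef`; `(defined(AWSLC_API_VERSION) && AWSLC_API_VERSION >= 29)` avoids that. The `typedef void OCSP_CERTID;` fallback also deserves a comment such as `/* placeholder so ocsp_cid pointer members still compile without OCSP */`, since it would collide with any library header that fails this test but still declares the real type.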
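Review bot: `#if defined(HAVE_SSL_OCSP)` is only meaningful if openssl-compat.h has been included before this point; a feature test on an absent macro evaluates to false with no diagnostic, so an include-order slip now silently removes the whole OCSP declaration section rather than failing loudly. The same dependency applies to every HAVE_SSL_OCSP test in this series, notably the one placed right after the includes in src/ssl_ocsp.c (@@ -62), whose include targets are not legible on this page. Worth confirming each of these files reaches openssl-compat.h through its existing includes.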
diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index f02e464907..b4a7e3af9d 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -136,7 +136,7 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store);
 #ifdef HAVE_SSL_PROVIDERS
 int ssl_init_provider(const char *provider_name);
 #endif
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 int ssl_get_ocspresponse_detail(unsigned char *ocsp_certid, struct buffer *out);
 int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out);
 #endif
diff --git a/src/hlua.c b/src/hlua.c
index 5e70e2bc7e..e1a8b431a6 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -13353,14 +13353,14 @@ __LJMP static int hlua_ckch_set(lua_State *L)
 errcode |= ERR_ALERT | ERR_FATAL;
 goto end;
 }
-
+#ifdef HAVE_SSL_OCSP
 /* Reset the OCSP CID */
 if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
 cert_ext->type == CERT_TYPE_ISSUER) {
 OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
 new_ckchs->data->ocsp_cid = NULL;
 }
-
+#endif
 /* apply the change on the duplicate */
 if (cert_ext->load(filename, payload, data, &err) != 0) {
 memprintf(&err, "%sCan't load the payload for '%s'", err ? err : "", cert_ext->ext);
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index 75b04db88e..7a454bfd36 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -255,7 +255,7 @@ end:
 return ret;
 }
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if defined(HAVE_SSL_OCSP)
 /*
  * This function load the OCSP Response in DER format contained in file at
  * path 'ocsp_path' or base64 in a buffer
@@ -457,6 +457,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
 }
 #endif
 
+#ifdef HAVE_SSL_OCSP
 /* try to load an ocsp response file */
 if (global_ssl.extra_files & SSL_GF_OCSP) {
 struct stat st;
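Review bot: The guard here is spelled `#ifdef HAVE_SSL_OCSP`, while the identical reset block in cli_parse_set_cert in src/ssl_ckch.c (@@ -2884) uses `#if defined(HAVE_SSL_OCSP)`, and the series keeps alternating between the two forms (the ckch_conf_kws table at @@ -4471 uses both within five lines, ssl_ocsp-t.h and ssl_sock.c @@ -137 differ the same way); one spelling across the series would make these guards greppable. The removed blank lines also leave the `#ifdef` glued to the closing brace above it and the `#endif` to the comment below; keeping a blank line inside the guard reads more like the surrounding code. hlua_ckch_set starts and ends outside the hunk.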
@@ -478,7 +479,6 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
 *(fp->area + fp->data - strlen(".ocsp")) = '\0';
 b_sub(fp, strlen(".ocsp"));
 }
-
 #ifndef OPENSSL_IS_BORINGSSL /* Useless for BoringSSL */
 if (data->ocsp_response && (global_ssl.extra_files & SSL_GF_OCSP_ISSUER)) {
 /* if no issuer was found, try to load an issuer from the .issuer */
@@ -510,6 +510,7 @@ int ssl_sock_load_files_into_ckch(const char *path, struct ckch_data *data, char
 b_sub(fp, strlen(".issuer"));
 }
 }
+#endif
 #endif
 
 ret = 0;
@@ -767,7 +768,7 @@ void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
 /* We need to properly remove the reference to the corresponding
 * certificate_ocsp structure if it exists (which it should).
 */
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 if (data->ocsp_cid) {
 struct certificate_ocsp *ocsp = NULL;
 unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
@@ -837,6 +838,7 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
 dst->sctl = sctl;
 }
 
+#ifdef HAVE_SSL_OCSP
 if (src->ocsp_response) {
 struct buffer *ocsp_response;
 
@@ -852,9 +854,8 @@ struct ckch_data *ssl_sock_copy_cert_key_and_chain(struct ckch_data *src,
 X509_up_ref(src->ocsp_issuer);
 dst->ocsp_issuer = src->ocsp_issuer;
 }
-
 dst->ocsp_cid = OCSP_CERTID_dup(src->ocsp_cid);
-
+#endif
 return dst;
 
 error:
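Review bot: The `#endif` added at @@ -510 and the pre-existing one right below it now close two different conditionals (`#ifndef OPENSSL_IS_BORINGSSL` and the `#ifdef HAVE_SSL_OCSP` opened at @@ -457, some fifty lines earlier) with nothing to tell them apart; label them `#endif /* OPENSSL_IS_BORINGSSL */` and `#endif /* HAVE_SSL_OCSP */`, as ssl_ocsp-t.h does in this same commit. The bare `#endif` closing the block opened at @@ -837 in ssl_sock_copy_cert_key_and_chain (@@ -852) would benefit from the same label. Both enclosing functions start and end outside their hunks.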
@@ -1538,7 +1539,7 @@ int ssl_store_load_locations_file(char *path, int create_if_none, enum cafile_ty
 struct cert_exts cert_exts[] = {
 { "", CERT_TYPE_PEM, &ssl_sock_load_pem_into_ckch }, /* default mode, no extensions */
 { "key", CERT_TYPE_KEY, &ssl_sock_load_key_into_ckch },
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if defined(HAVE_SSL_OCSP)
 { "ocsp", CERT_TYPE_OCSP, &ssl_sock_load_ocsp_response_from_file },
 #endif
 #ifdef HAVE_SSL_SCTL
@@ -2090,7 +2091,7 @@ end:
 */
 static int ckch_store_show_ocsp_certid(struct ckch_store *ckch_store, struct buffer *out)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 unsigned char key[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
 unsigned int key_length = 0;
 int i;
@@ -2163,7 +2164,7 @@ yield:
 */
 static int cli_io_handler_show_cert_ocsp_detail(struct appctx *appctx)
 {
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 struct show_cert_ctx *ctx = appctx->svcctx;
 struct ckch_store *ckchs = ctx->cur_ckchs;
 struct buffer *out = alloc_trash_chunk();
@@ -2884,13 +2885,14 @@ static int cli_parse_set_cert(char **args, char *payload, struct appctx *appctx,
 goto end;
 }
 
+#if defined(HAVE_SSL_OCSP)
 /* Reset the OCSP CID */
 if (cert_ext->type == CERT_TYPE_PEM || cert_ext->type == CERT_TYPE_KEY ||
 cert_ext->type == CERT_TYPE_ISSUER) {
 OCSP_CERTID_free(new_ckchs->data->ocsp_cid);
 new_ckchs->data->ocsp_cid = NULL;
 }
-
+#endif
 data = new_ckchs->data;
 
 /* apply the change on the duplicate */
@@ -4471,10 +4473,14 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 { "alias", -1, PARSE_TYPE_NONE, NULL, NULL },
 { "crt", offsetof(struct ckch_conf, crt), PARSE_TYPE_STR, ckch_conf_load_pem, ¤t_crtbase },
 { "key", offsetof(struct ckch_conf, key), PARSE_TYPE_STR, ckch_conf_load_key, ¤t_keybase },
+#ifdef HAVE_SSL_OCSP
 { "ocsp", offsetof(struct ckch_conf, ocsp), PARSE_TYPE_STR, ckch_conf_load_ocsp_response, ¤t_crtbase },
+#endif
 { "issuer", offsetof(struct ckch_conf, issuer), PARSE_TYPE_STR, ckch_conf_load_ocsp_issuer, ¤t_crtbase },
 { "sctl", offsetof(struct ckch_conf, sctl), PARSE_TYPE_STR, ckch_conf_load_sctl, ¤t_crtbase },
+#if defined(HAVE_SSL_OCSP)
 { "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, NULL },
+#endif
 { NULL, -1, PARSE_TYPE_STR, NULL, NULL }
 };
 
@@ -4655,6 +4661,7 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err)
 default:
 break;
 }
+#if defined(HAVE_SSL_OCSP)
 /* special case for ocsp-update and default */
 if (strcmp(ckch_conf_kws[i].name, "ocsp-update") == 0) {
 int o1, o2; /* ocsp-update from the configuration */
@@ -4694,6 +4701,7 @@ int ckch_conf_cmp(struct ckch_conf *prev, struct ckch_conf *new, char **err)
 ret = 1;
 }
 }
+#endif
 }
 
 out:
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index fdb26e3d26..872b61b6fd 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -62,6 +62,7 @@
 #include
 #include
 
+#ifdef HAVE_SSL_OCSP
 /* ***** READ THIS before adding code here! *****
 *
@@ -2073,6 +2074,8 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 
 INITCALL1(STG_REGISTER, cfg_register_keywords, &cfg_kws);
 REGISTER_CONFIG_POSTPARSER("ocsp-update", ocsp_update_postparser_init);
+
+#endif /* HAVE_SSL_OCSP */
 /*
 * Local variables:
 * c-indent-level: 8
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f2577f9abf..7e8603a4b0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
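Review bot: The `"issuer"` row stays unconditional while the neighbouring `"ocsp"` and `"ocsp-update"` rows are now guarded, so `ckch_conf_load_ocsp_issuer` (and the `issuer` member of `struct ckch_conf`) must still exist in a no-OCSP build; if that loader lives inside an OCSP-guarded region elsewhere, this row becomes an undefined reference, and if it is intentionally kept because `.issuer` files are useful without OCSP, a short comment on the row such as `/* kept without OCSP: issuer may be needed independently */` would stop the next reader from "fixing" it. The hunk at @@ -457 in ssl_sock_load_files_into_ckch moves the automatic `.issuer` lookup under HAVE_SSL_OCSP, so the two paths now disagree on whether an issuer is loaded without OCSP. The enclosing table and ckch_conf_cmp both extend outside their hunks.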
@@ -137,7 +137,7 @@ struct global_ssl global_ssl = {
 .keylog = 0,
 #endif
 .security_level = -1,
-#ifndef OPENSSL_NO_OCSP
+#ifdef HAVE_SSL_OCSP
 .ocsp_update.delay_max = SSL_OCSP_UPDATE_DELAY_MAX,
 .ocsp_update.delay_min = SSL_OCSP_UPDATE_DELAY_MIN,
 .ocsp_update.mode = SSL_SOCK_OCSP_UPDATE_OFF,
@@ -1092,7 +1092,7 @@ static int tlskeys_finalize_config(void)
 #endif /* SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB */
 
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 /*
  * This function enables the handling of OCSP status extension on 'ctx' if a
  * ocsp_response buffer was found in the cert_key_and_chain. To enable OCSP
@@ -2772,7 +2772,7 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, struct ckch_store *store
 }
 #endif
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) || defined OPENSSL_IS_BORINGSSL)
+#if defined(HAVE_SSL_OCSP)
 /* Load OCSP Info into context
  * If OCSP update mode is set to 'on', an entry will be created in the
  * ocsp tree even if no ocsp_response was known during init, unless the
@@ -6965,7 +6965,7 @@ static void __ssl_sock_init(void)
 sctl_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_sctl_free_func);
 #endif
 
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
+#if (defined(HAVE_SSL_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 ocsp_ex_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, ssl_sock_ocsp_free_func);
 #endif
 
@@ -7019,7 +7019,9 @@ static void __ssl_sock_init(void)
 
 HA_SPIN_INIT(&ckch_lock);
 
+#if defined(HAVE_SSL_OCSP)
 HA_SPIN_INIT(&ocsp_tree_lock);
+#endif
 
 /* Try to register dedicated SSL/TLS protocol message callbacks for
 * heartbleed attack (CVE-2014-0160) and clienthello.
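Review bot: The `.ocsp_update.*` designated initializers are now conditioned on HAVE_SSL_OCSP, which is strictly narrower than the `#ifndef OPENSSL_NO_OCSP` they replace (it additionally requires `SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB` or a recent AWS-LC); the declaration of the `ocsp_update` member of `struct global_ssl` is not in this diff, so if it is still guarded by `OPENSSL_NO_OCSP`, a library in that gap keeps the member but silently loses its non-zero defaults (`delay_max`, `delay_min`). Switching the member's guard to HAVE_SSL_OCSP in the same commit, or a comment here stating why the mismatch is harmless, would close that. The same narrowing applies to the `ssl_destroy_ocsp_update_task()` call at @@ -7159, which is consistent with src/ssl_ocsp.c now being wrapped entirely in HAVE_SSL_OCSP. The global_ssl initializer and __ssl_sock_init both extend outside their hunks.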
@@ -7159,7 +7161,7 @@ static void __ssl_sock_deinit(void)
 #endif
 BIO_meth_free(ha_meth);
 
-#if !defined OPENSSL_NO_OCSP
+#if defined(HAVE_SSL_OCSP)
 ssl_destroy_ocsp_update_task();
 #endif
 }