From fb2b9988e84c6d79a1672b8895830bceda20622d Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 20 Dec 2022 11:11:11 +0100
Subject: [PATCH] MINOR: ssl: Store 'ocsp-update' mode in the ckch_data and check for inconsistencies

The 'ocsp-update' option is parsed at the same time as all the other bind line options but it does not actually have anything to do with the bind line since it concerns the frontend certificate instead. For that reason, we should have a mean to identify inconsistencies in the configuration and raise an error when a given certificate has two different ocsp-update modes specified in one or more crt-lists. The simplest way to do it is to store the ocsp update mode directly in the ckch and not only in the ssl_bind_conf.
---
 include/haproxy/ssl_ckch-t.h | 1 +
 src/ssl_crtlist.c | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/include/haproxy/ssl_ckch-t.h b/include/haproxy/ssl_ckch-t.h
index eba0b1a368..b6cd6935d6 100644
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@@ -55,6 +55,7 @@ struct ckch_data {
 struct buffer *ocsp_response;
 X509 *ocsp_issuer;
 OCSP_CERTID *ocsp_cid;
+ int ocsp_update_mode;
 };
 /*
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index c532c01f60..c1b27f4940 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -563,6 +563,8 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 entry->node.key = ckchs;
 entry->crtlist = newlist;
+ if (entry->ssl_conf)
+ ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 ebpt_insert(&newlist->entries, &entry->node);
 LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
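Review bot: The new `ocsp_update_mode` member of `struct ckch_data` carries no comment, yet the code added to src/ssl_crtlist.c in this same patch treats the value `SSL_SOCK_OCSP_UPDATE_DFLT` as "no mode recorded yet", so every path that allocates a `ckch_data` must leave the field at that value; whether the constant is 0 (and a zeroed struct therefore reads as unset) is not visible in this hunk and is worth confirming. I would state the contract on the field itself: `int ocsp_update_mode; /* SSL_SOCK_OCSP_UPDATE_* value requested by the crt-list lines referencing this cert; SSL_SOCK_OCSP_UPDATE_DFLT until one sets it */`. A bare `int` also hides that only the SSL_SOCK_OCSP_UPDATE_* values are meaningful; if those constants are an enum, typing the field with it would let the compiler catch stray values.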
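Review bot: The added `ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;` stores the mode without the mismatch check that the two later hunks in this file perform; if this branch only runs for a freshly loaded `ckch_store` (the hunk does not show that), a comment such as `/* first crt-list line for this cert: nothing to compare against yet */` would make the asymmetry deliberate, otherwise the check belongs here as well. In all three hunks the block is guarded by `if (entry->ssl_conf)`, so a crt-list line that names the same certificate without any ssl options never takes part in the comparison and whatever mode another line recorded silently stands; that should be confirmed as the intended meaning of an unspecified mode. crtlist_parse_file starts and ends outside the hunk.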
@@ -611,6 +613,14 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 entry_dup->node.key = ckchs;
 entry_dup->crtlist = newlist;
+ if (entry->ssl_conf) {
+ if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
+ ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+ cfgerr |= ERR_ALERT;
+ }
+ ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
+ }
 ebpt_insert(&newlist->entries, &entry_dup->node);
 LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
@@ -634,6 +644,14 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 } else {
 entry->node.key = ckchs;
 entry->crtlist = newlist;
+ if (entry->ssl_conf) {
+ if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
+ ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+ cfgerr |= ERR_ALERT;
+ }
+ ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
+ }
 ebpt_insert(&newlist->entries, &entry->node);
 LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
-- 
2.47.2
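Review bot: The eight-line check-and-store block is pasted verbatim in this hunk and again in the `} else {` hunk at @@ -634, and in this one it reads `entry->ssl_conf` while every surrounding line operates on `entry_dup`; that is only correct if the duplicate shares the original's `ssl_conf` pointer, which the hunk does not show. After the mismatch is reported the new mode still overwrites the stored one and the loop carries on with only `ERR_ALERT` raised, so if that flag alone does not abort startup the last crt-list line wins despite the message, which is worth deciding explicitly. A small static helper called from both places, `cfgerr |= crtlist_set_ocsp_update_mode(ckchs, entry_dup->ssl_conf, crt_path, err);`, removes the duplication and gives one spot to settle the severity. crtlist_parse_file starts and ends outside the hunk.
```c
/* Record the ocsp-update mode requested by one crt-list line for <ckchs> and
 * report a mismatch with a mode already recorded for the same certificate.
 * Returns ERR_NONE or ERR_ALERT, to be OR'ed into the caller's cfgerr.
 */
static int crtlist_set_ocsp_update_mode(struct ckch_store *ckchs, const struct ssl_bind_conf *ssl_conf,
                                        const char *crt_path, char **err)
{
	int ret = ERR_NONE;

	if (!ssl_conf)
		return ret;

	if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
	    ckchs->data->ocsp_update_mode != ssl_conf->ocsp_update) {
		memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
		ret = ERR_ALERT;
	}
	ckchs->data->ocsp_update_mode = ssl_conf->ocsp_update;
	return ret;
}

/* … in crtlist_parse_file, same replacement in the @@ -634 hunk with entry->ssl_conf … */
		entry_dup->crtlist = newlist;
		cfgerr |= crtlist_set_ocsp_update_mode(ckchs, entry_dup->ssl_conf, crt_path, err);
		/* … unchanged: ebpt_insert / LIST_APPEND … */
```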