authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:19:40 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:19:40 +0000
commitb4d309b1855bdbfe38f90baf64e2763035d9fbe7 (patch)
treebbc8a269fd308a5974b03743c497ff880e2a0e89 /src/ssl_ocsp.c
parentAdding upstream version 2.9.5. (diff)
Adding upstream version 2.9.6.upstream/2.9.6
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/ssl_ocsp.c')
-rw-r--r--src/ssl_ocsp.c94
1 files changed, 31 insertions, 63 deletions
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 1adddc4..3e7408a 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -392,9 +392,8 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
return;
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
- ocsp->refcount_store--;
- if (ocsp->refcount_store <= 0) {
- BUG_ON(ocsp->refcount_instance > 0);
+ ocsp->refcount--;
+ if (ocsp->refcount <= 0) {
ebmb_delete(&ocsp->key);
eb64_delete(&ocsp->next_update);
X509_free(ocsp->issuer);
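Review bot: With store and instance counters folded into one `refcount`, ssl_sock_free_ocsp now releases the entry as soon as the combined count reaches zero, and the `BUG_ON(ocsp->refcount_instance > 0)` that asserted no in-flight reference outlives the store's last drop is gone with it. Every site that previously held only an "instance" reference (the update task and the CLI show handler, later in this diff) must therefore treat the pointer as dead once this function returns, which is worth stating at the decrement: `/* refcount covers ckch_store and in-flight (update task, CLI) references alike; the entry is freed on the last drop */`. ssl_sock_free_ocsp starts and ends outside the hunk.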
@@ -412,19 +411,6 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
}
-void ssl_sock_free_ocsp_instance(struct certificate_ocsp *ocsp)
-{
- if (!ocsp)
- return;
-
- HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
- ocsp->refcount_instance--;
- if (ocsp->refcount_instance <= 0) {
- eb64_delete(&ocsp->next_update);
- }
- HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
-}
-
/*
* This function dumps the details of an OCSP_CERTID. It is based on
@@ -640,13 +626,13 @@ void ssl_sock_ocsp_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int id
ocsp_arg = ptr;
if (ocsp_arg->is_single) {
- ssl_sock_free_ocsp_instance(ocsp_arg->s_ocsp);
+ ssl_sock_free_ocsp(ocsp_arg->s_ocsp);
ocsp_arg->s_ocsp = NULL;
} else {
int i;
for (i = 0; i < SSL_SOCK_NUM_KEYTYPES; i++) {
- ssl_sock_free_ocsp_instance(ocsp_arg->m_ocsp[i]);
+ ssl_sock_free_ocsp(ocsp_arg->m_ocsp[i]);
ocsp_arg->m_ocsp[i] = NULL;
}
}
@@ -981,6 +967,12 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp)
*/
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
{
+ /* This entry was only supposed to be updated once, it does not need to
+ * be reinserted into the update tree.
+ */
+ if (ocsp->update_once)
+ return 0;
+
/* Set next_update based on current time and the various OCSP
* minimum/maximum update times.
*/
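Review bot: The new early return reads `ocsp->update_once` outside OCSP_LOCK, whereas the check it replaces was evaluated under `HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock)` in the next hunk, and the CLI writes the flag while holding that lock (the cli_parse_update_ocsp_response hunk). Either move the test under the lock or document why an unlocked read is acceptable here. The early return also skips `ocsp->fail_count = 0` and the next_update computation for once-only entries; that looks intentional since they are never rescheduled, but a word in the comment would make it explicit. The same pattern is introduced in the ssl_ocsp_update_insert_after_error hunk below.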
@@ -989,12 +981,7 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
ocsp->fail_count = 0;
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
- ocsp->updating = 0;
- /* An entry with update_once set to 1 was only supposed to be updated
- * once, it does not need to be reinserted into the update tree.
- */
- if (!ocsp->update_once)
- eb64_insert(&ocsp_update_tree, &ocsp->next_update);
+ eb64_insert(&ocsp_update_tree, &ocsp->next_update);
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
return 0;
@@ -1011,6 +998,12 @@ int ssl_ocsp_update_insert_after_error(struct certificate_ocsp *ocsp)
{
int replay_delay = 0;
+ /* This entry was only supposed to be updated once, it does not need to
+ * be reinserted into the update tree.
+ */
+ if (ocsp->update_once)
+ return 0;
+
/*
* Set next_update based on current time and the various OCSP
* minimum/maximum update times.
@@ -1033,12 +1026,7 @@ int ssl_ocsp_update_insert_after_error(struct certificate_ocsp *ocsp)
ocsp->next_update.key = date.tv_sec + replay_delay;
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
- ocsp->updating = 0;
- /* An entry with update_once set to 1 was only supposed to be updated
- * once, it does not need to be reinserted into the update tree.
- */
- if (!ocsp->update_once)
- eb64_insert(&ocsp_update_tree, &ocsp->next_update);
+ eb64_insert(&ocsp_update_tree, &ocsp->next_update);
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
return 0;
@@ -1201,7 +1189,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
/* Reinsert the entry into the update list so that it can be updated later */
ssl_ocsp_update_insert(ocsp);
/* Release the reference kept on the updated ocsp response. */
- ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
+ ssl_sock_free_ocsp(ctx->cur_ocsp);
ctx->cur_ocsp = NULL;
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
@@ -1244,8 +1232,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
* reinserted after the response is processed. */
eb64_delete(&ocsp->next_update);
- ocsp->updating = 1;
- ocsp->refcount_instance++;
+ ++ocsp->refcount;
ctx->cur_ocsp = ocsp;
ocsp->last_update_status = OCSP_UPDT_UNKNOWN;
@@ -1312,7 +1299,7 @@ leave:
++ctx->cur_ocsp->num_failure;
ssl_ocsp_update_insert_after_error(ctx->cur_ocsp);
/* Release the reference kept on the updated ocsp response. */
- ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
+ ssl_sock_free_ocsp(ctx->cur_ocsp);
ctx->cur_ocsp = NULL;
}
if (hc)
@@ -1341,7 +1328,7 @@ http_error:
if (hc)
httpclient_stop_and_destroy(hc);
/* Release the reference kept on the updated ocsp response. */
- ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
+ ssl_sock_free_ocsp(ctx->cur_ocsp);
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
/* Set next_wakeup to the new first entry of the tree */
eb = eb64_first(&ocsp_update_tree);
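Review bot: Unlike the two sibling sites in this diff (the normal completion path and `leave:`), this `http_error:` site drops the reference without clearing `ctx->cur_ocsp` afterwards. Now that ssl_sock_free_ocsp can actually free the entry on the last reference, any later read of ctx->cur_ocsp on this path would be a use-after-free; the remainder of ssl_ocsp_update_responses is outside the hunk, so this is inferred. Add `ctx->cur_ocsp = NULL;` right after the call for consistency with the other two sites.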
@@ -1426,24 +1413,13 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
goto end;
}
- /* No need to try to update this response, it is already being updated. */
- if (!ocsp->updating) {
- update_once = (ocsp->next_update.node.leaf_p == NULL);
- eb64_delete(&ocsp->next_update);
+ update_once = (ocsp->next_update.node.leaf_p == NULL);
+ eb64_delete(&ocsp->next_update);
- /* Insert the entry at the beginning of the update tree.
- * We don't need to increase the reference counter on the
- * certificate_ocsp structure because we would not have a way to
- * decrease it afterwards since this update operation is asynchronous.
- * If the corresponding entry were to be destroyed before the update can
- * be performed, which is pretty unlikely, it would not be such a
- * problem because that would mean that the OCSP response is not
- * actually used.
- */
- ocsp->next_update.key = 0;
- eb64_insert(&ocsp_update_tree, &ocsp->next_update);
- ocsp->update_once = update_once;
- }
+ /* Insert the entry at the beginning of the update tree. */
+ ocsp->next_update.key = 0;
+ eb64_insert(&ocsp_update_tree, &ocsp->next_update);
+ ocsp->update_once = update_once;
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
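Review bot: Dropping the `if (!ocsp->updating)` guard removes the only check that the entry is not currently held by the update task. If `update ssl ocsp-response` runs while ssl_ocsp_update_responses has already `eb64_delete`d the entry and owns it through ctx->cur_ocsp, `next_update.node.leaf_p` is NULL, so update_once becomes 1 and the entry is reinserted at key 0 while still being processed; when the task later calls ssl_ocsp_update_insert, the new update_once early return skips reinsertion, so a periodically updated entry can silently leave the schedule after one extra run (inferred from the visible hunks; the task body is outside this hunk). Consider keeping a per-entry "update in progress" marker set by the task under OCSP_LOCK and tested here before the `eb64_delete`, rejecting or deferring the command while it is set, and note in the comment above `ocsp->next_update.key = 0;` that the entry must not be owned by the task at this point.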
@@ -1569,7 +1545,7 @@ static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
return cli_err(appctx, "Certificate ID or path does not match any certificate.\n");
}
- ocsp->refcount_instance++;
+ ++ocsp->refcount;
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
ctx->ocsp = ocsp;
@@ -1670,7 +1646,7 @@ yield:
free_trash_chunk(tmp);
BIO_free(bio);
- ocsp->refcount_instance++;
+ ++ocsp->refcount;
ctx->ocsp = ocsp;
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
return 0;
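Review bot: The reference taken by `++ocsp->refcount` before yielding has no release path if the CLI applet is torn down while yielded, because this same commit removes cli_release_show_ocspresponse and sets the release callback of "show ssl ocsp-response" to NULL in the cli_kws hunk. Unless cli_io_handler_show_ocspresponse drops the reference on every exit (its body is mostly outside the hunk), an interrupted dump leaves the entry with a permanently elevated count and ssl_sock_free_ocsp will never free it. Either keep a release callback that drops ctx->ocsp, or add a comment at this increment naming where the yield-time reference is released.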
@@ -1679,14 +1655,6 @@ yield:
#endif
}
-static void cli_release_show_ocspresponse(struct appctx *appctx)
-{
- struct show_ocspresp_cli_ctx *ctx = appctx->svcctx;
-
- if (ctx)
- ssl_sock_free_ocsp(ctx->ocsp);
-}
-
/* Check if the ckch_store and the entry does have the same configuration */
int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
{
@@ -1947,7 +1915,7 @@ smp_fetch_ssl_ocsp_success_cnt(const struct arg *args, struct sample *smp, const
static struct cli_kw_list cli_kws = {{ },{
{ { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response <resp|payload> : update a certificate's OCSP Response from a base64-encode DER", cli_parse_set_ocspresponse, NULL },
- { { "show", "ssl", "ocsp-response", NULL },"show ssl ocsp-response [[text|base64] id] : display the IDs of the OCSP responses used in memory, or the details of a single OCSP response (in text or base64 format)", cli_parse_show_ocspresponse, cli_io_handler_show_ocspresponse, cli_release_show_ocspresponse },
+ { { "show", "ssl", "ocsp-response", NULL },"show ssl ocsp-response [[text|base64] id] : display the IDs of the OCSP responses used in memory, or the details of a single OCSP response (in text or base64 format)", cli_parse_show_ocspresponse, cli_io_handler_show_ocspresponse, NULL },
{ { "show", "ssl", "ocsp-updates", NULL }, "show ssl ocsp-updates : display information about the next 'nb' ocsp responses that will be updated automatically", cli_parse_show_ocsp_updates, cli_io_handler_show_ocsp_updates, cli_release_show_ocsp_updates },
#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
{ { "update", "ssl", "ocsp-response", NULL }, "update ssl ocsp-response <certfile> : send ocsp request and update stored ocsp response", cli_parse_update_ocsp_response, NULL, NULL },