From ad8c5bec2667cd5932a80d4d0ce8deba3926ed20 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sat, 13 Apr 2024 14:19:41 +0200
Subject: Merging upstream version 2.9.6.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 src/ssl_ckch.c | 23 ++------------
 src/ssl_ocsp.c | 94 +++++++++++++++++++---------------------------------------
 src/ssl_sock.c | 12 ++------
 3 files changed, 36 insertions(+), 93 deletions(-)

(limited to 'src')

diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index ab39755..afe6ff6 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -721,27 +721,8 @@ void ssl_sock_free_cert_key_and_chain_contents(struct ckch_data *data)
 		X509_free(data->ocsp_issuer);
 	data->ocsp_issuer = NULL;
 
-
-	/* We need to properly remove the reference to the corresponding
-	 * certificate_ocsp structure if it exists (which it should).
-	 */
-#if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
-	if (data->ocsp_cid) {
-		struct certificate_ocsp *ocsp = NULL;
-		unsigned char certid[OCSP_MAX_CERTID_ASN1_LENGTH] = {};
-		unsigned int certid_length = 0;
-
-		if (ssl_ocsp_build_response_key(data->ocsp_cid, (unsigned char*)certid, &certid_length) >= 0) {
-			HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
-			ocsp = (struct certificate_ocsp *)ebmb_lookup(&cert_ocsp_tree, certid, OCSP_MAX_CERTID_ASN1_LENGTH);
-			HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
-			ssl_sock_free_ocsp(ocsp);
-		}
-
-		OCSP_CERTID_free(data->ocsp_cid);
-		data->ocsp_cid = NULL;
-	}
-#endif
+	OCSP_CERTID_free(data->ocsp_cid);
+	data->ocsp_cid = NULL;
 }
 
 /*
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 1adddc4..3e7408a 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -392,9 +392,8 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
 		return;
 
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
-	ocsp->refcount_store--;
-	if (ocsp->refcount_store <= 0) {
-		BUG_ON(ocsp->refcount_instance > 0);
+	ocsp->refcount--;
+	if (ocsp->refcount <= 0) {
 		ebmb_delete(&ocsp->key);
 		eb64_delete(&ocsp->next_update);
 		X509_free(ocsp->issuer);
@@ -412,19 +411,6 @@ void ssl_sock_free_ocsp(struct certificate_ocsp *ocsp)
 	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 }
 
-void ssl_sock_free_ocsp_instance(struct certificate_ocsp *ocsp)
-{
-	if (!ocsp)
-		return;
-
-	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
-	ocsp->refcount_instance--;
-	if (ocsp->refcount_instance <= 0) {
-		eb64_delete(&ocsp->next_update);
-	}
-	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
-}
-
 
 /*
  * This function dumps the details of an OCSP_CERTID. It is based on
@@ -640,13 +626,13 @@ void ssl_sock_ocsp_free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int id
 		ocsp_arg = ptr;
 
 		if (ocsp_arg->is_single) {
-			ssl_sock_free_ocsp_instance(ocsp_arg->s_ocsp);
+			ssl_sock_free_ocsp(ocsp_arg->s_ocsp);
 			ocsp_arg->s_ocsp = NULL;
 		} else {
 			int i;
 
 			for (i = 0; i < SSL_SOCK_NUM_KEYTYPES; i++) {
-				ssl_sock_free_ocsp_instance(ocsp_arg->m_ocsp[i]);
+				ssl_sock_free_ocsp(ocsp_arg->m_ocsp[i]);
 				ocsp_arg->m_ocsp[i] = NULL;
 			}
 		}
@@ -981,6 +967,12 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp)
  */
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
 {
+	/* This entry was only supposed to be updated once, it does not need to
+	 * be reinserted into the update tree.
+	 */
+	if (ocsp->update_once)
+		return 0;
+
 	/* Set next_update based on current time and the various OCSP
 	 * minimum/maximum update times.
 	 */
@@ -989,12 +981,7 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
 	ocsp->fail_count = 0;
 
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
-	ocsp->updating = 0;
-	/* An entry with update_once set to 1 was only supposed to be updated
-	 * once, it does not need to be reinserted into the update tree.
-	 */
-	if (!ocsp->update_once)
-		eb64_insert(&ocsp_update_tree, &ocsp->next_update);
+	eb64_insert(&ocsp_update_tree, &ocsp->next_update);
 	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 
 	return 0;
@@ -1011,6 +998,12 @@ int ssl_ocsp_update_insert_after_error(struct certificate_ocsp *ocsp)
 {
 	int replay_delay = 0;
 
+	/* This entry was only supposed to be updated once, it does not need to
+	 * be reinserted into the update tree.
+	 */
+	if (ocsp->update_once)
+		return 0;
+
 	/*
 	 * Set next_update based on current time and the various OCSP
 	 * minimum/maximum update times.
@@ -1033,12 +1026,7 @@ int ssl_ocsp_update_insert_after_error(struct certificate_ocsp *ocsp)
 		ocsp->next_update.key = date.tv_sec + replay_delay;
 
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
-	ocsp->updating = 0;
-	/* An entry with update_once set to 1 was only supposed to be updated
-	 * once, it does not need to be reinserted into the update tree.
-	 */
-	if (!ocsp->update_once)
-		eb64_insert(&ocsp_update_tree, &ocsp->next_update);
+	eb64_insert(&ocsp_update_tree, &ocsp->next_update);
 	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 
 	return 0;
@@ -1201,7 +1189,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 			/* Reinsert the entry into the update list so that it can be updated later */
 			ssl_ocsp_update_insert(ocsp);
 			/* Release the reference kept on the updated ocsp response. */
-			ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
+			ssl_sock_free_ocsp(ctx->cur_ocsp);
 			ctx->cur_ocsp = NULL;
 
 			HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
@@ -1244,8 +1232,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 		 * reinserted after the response is processed. */
 		eb64_delete(&ocsp->next_update);
 
-		ocsp->updating = 1;
-		ocsp->refcount_instance++;
+		++ocsp->refcount;
 		ctx->cur_ocsp = ocsp;
 		ocsp->last_update_status = OCSP_UPDT_UNKNOWN;
 
@@ -1312,7 +1299,7 @@ leave:
 		++ctx->cur_ocsp->num_failure;
 		ssl_ocsp_update_insert_after_error(ctx->cur_ocsp);
 		/* Release the reference kept on the updated ocsp response. */
-		ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
+		ssl_sock_free_ocsp(ctx->cur_ocsp);
 		ctx->cur_ocsp = NULL;
 	}
 	if (hc)
@@ -1341,7 +1328,7 @@ http_error:
 	if (hc)
 		httpclient_stop_and_destroy(hc);
 	/* Release the reference kept on the updated ocsp response. */
-	ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
+	ssl_sock_free_ocsp(ctx->cur_ocsp);
 	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 	/* Set next_wakeup to the new first entry of the tree */
 	eb = eb64_first(&ocsp_update_tree);
@@ -1426,24 +1413,13 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 		goto end;
 	}
 
-	/* No need to try to update this response, it is already being updated. */
-	if (!ocsp->updating) {
-		update_once = (ocsp->next_update.node.leaf_p == NULL);
-		eb64_delete(&ocsp->next_update);
+	update_once = (ocsp->next_update.node.leaf_p == NULL);
+	eb64_delete(&ocsp->next_update);
 
-		/* Insert the entry at the beginning of the update tree.
-		 * We don't need to increase the reference counter on the
-		 * certificate_ocsp structure because we would not have a way to
-		 * decrease it afterwards since this update operation is asynchronous.
-		 * If the corresponding entry were to be destroyed before the update can
-		 * be performed, which is pretty unlikely, it would not be such a
-		 * problem because that would mean that the OCSP response is not
-		 * actually used.
-		 */
-		ocsp->next_update.key = 0;
-		eb64_insert(&ocsp_update_tree, &ocsp->next_update);
-		ocsp->update_once = update_once;
-	}
+	/* Insert the entry at the beginning of the update tree. */
+	ocsp->next_update.key = 0;
+	eb64_insert(&ocsp_update_tree, &ocsp->next_update);
+	ocsp->update_once = update_once;
 
 	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 
@@ -1569,7 +1545,7 @@ static int cli_parse_show_ocspresponse(char **args, char *payload, struct appctx
 			HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 			return cli_err(appctx, "Certificate ID or path does not match any certificate.\n");
 		}
-		ocsp->refcount_instance++;
+		++ocsp->refcount;
 		HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 
 		ctx->ocsp = ocsp;
@@ -1670,7 +1646,7 @@ yield:
 	free_trash_chunk(tmp);
 	BIO_free(bio);
 
-	ocsp->refcount_instance++;
+	++ocsp->refcount;
 	ctx->ocsp = ocsp;
 	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 	return 0;
@@ -1679,14 +1655,6 @@ yield:
 #endif
 }
 
-static void cli_release_show_ocspresponse(struct appctx *appctx)
-{
-	struct show_ocspresp_cli_ctx *ctx = appctx->svcctx;
-
-	if (ctx)
-		ssl_sock_free_ocsp(ctx->ocsp);
-}
-
 /* Check if the ckch_store and the entry does have the same configuration */
 int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
 {
@@ -1947,7 +1915,7 @@ smp_fetch_ssl_ocsp_success_cnt(const struct arg *args, struct sample *smp, const
 static struct cli_kw_list cli_kws = {{ },{
 	{ { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response <resp|payload>       : update a certificate's OCSP Response from a base64-encode DER",      cli_parse_set_ocspresponse, NULL },
 
-	{ { "show", "ssl", "ocsp-response", NULL },"show ssl ocsp-response [[text|base64] id]  : display the IDs of the OCSP responses used in memory, or the details of a single OCSP response (in text or base64 format)", cli_parse_show_ocspresponse, cli_io_handler_show_ocspresponse, cli_release_show_ocspresponse },
+	{ { "show", "ssl", "ocsp-response", NULL },"show ssl ocsp-response [[text|base64] id]  : display the IDs of the OCSP responses used in memory, or the details of a single OCSP response (in text or base64 format)", cli_parse_show_ocspresponse, cli_io_handler_show_ocspresponse, NULL },
 	{ { "show", "ssl", "ocsp-updates", NULL }, "show ssl ocsp-updates                      : display information about the next 'nb' ocsp responses that will be updated automatically", cli_parse_show_ocsp_updates, cli_io_handler_show_ocsp_updates, cli_release_show_ocsp_updates },
 #if ((defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) && !defined OPENSSL_IS_BORINGSSL)
 	{ { "update", "ssl", "ocsp-response", NULL }, "update ssl ocsp-response <certfile>     : send ocsp request and update stored ocsp response",                  cli_parse_update_ocsp_response, NULL, NULL },
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6fbabb4..c7403b8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1128,7 +1128,6 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 	struct buffer *ocsp_uri = get_trash_chunk();
 	char *err = NULL;
 	size_t path_len;
-	int inc_refcount_store = 0;
 
 	x = data->cert;
 	if (!x)
@@ -1164,10 +1163,8 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 	if (!issuer)
 		goto out;
 
-	if (!data->ocsp_cid) {
+	if (!data->ocsp_cid)
 		data->ocsp_cid = OCSP_cert_to_id(0, x, issuer);
-		inc_refcount_store = 1;
-	}
 	if (!data->ocsp_cid)
 		goto out;
 
@@ -1194,9 +1191,6 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 #endif
 	SSL_CTX_get_tlsext_status_cb(ctx, &callback);
 
-	if (inc_refcount_store)
-		iocsp->refcount_store++;
-
 	if (!callback) {
 		struct ocsp_cbk_arg *cb_arg;
 		EVP_PKEY *pkey;
@@ -1207,7 +1201,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 
 		cb_arg->is_single = 1;
 		cb_arg->s_ocsp = iocsp;
-		iocsp->refcount_instance++;
+		iocsp->refcount++;
 
 		pkey = X509_get_pubkey(x);
 		cb_arg->single_kt = EVP_PKEY_base_id(pkey);
@@ -1247,7 +1241,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_data *
 		index = ssl_sock_get_ocsp_arg_kt_index(key_type);
 		if (index >= 0 && !cb_arg->m_ocsp[index]) {
 			cb_arg->m_ocsp[index] = iocsp;
-			iocsp->refcount_instance++;
+			iocsp->refcount++;
 		}
 	}
 	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
-- 
cgit v1.2.3