Merge pull request #2055 from nghttp2/bssl-ocsp

nghttpx: Set ocsp response to SSL in case of boringssl
nghttp2 · Feb 6, 2024 · 41ac5f7 · 41ac5f7
2 parents f7de260 + 343dbaf
commit 41ac5f7
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 28 deletions.
diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc
@@ -739,40 +739,31 @@ void ConnectionHandler::handle_ocsp_complete() {
     // that case we get nullptr.
     auto quic_ssl_ctx = quic_all_ssl_ctx_[ocsp_.next];
     if (quic_ssl_ctx) {
-#  ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
       auto quic_tls_ctx_data = static_cast<tls::TLSContextData *>(
           SSL_CTX_get_app_data(quic_ssl_ctx));
-#    ifdef HAVE_ATOMIC_STD_SHARED_PTR
+#  ifdef HAVE_ATOMIC_STD_SHARED_PTR
       std::atomic_store_explicit(
           &quic_tls_ctx_data->ocsp_data,
           std::make_shared<std::vector<uint8_t>>(ocsp_.resp),
           std::memory_order_release);
-#    else  // !HAVE_ATOMIC_STD_SHARED_PTR
+#  else  // !HAVE_ATOMIC_STD_SHARED_PTR
       std::lock_guard<std::mutex> g(quic_tls_ctx_data->mu);
       quic_tls_ctx_data->ocsp_data =
           std::make_shared<std::vector<uint8_t>>(ocsp_.resp);
-#    endif // !HAVE_ATOMIC_STD_SHARED_PTR
-#  else    // NGHTTP2_OPENSSL_IS_BORINGSSL
-      SSL_CTX_set_ocsp_response(quic_ssl_ctx, ocsp_.resp.data(),
-                                ocsp_.resp.size());
-#  endif   // NGHTTP2_OPENSSL_IS_BORINGSSL
+#  endif // !HAVE_ATOMIC_STD_SHARED_PTR
     }
 #endif // ENABLE_HTTP3
 
-#ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
-#  ifdef HAVE_ATOMIC_STD_SHARED_PTR
+#ifdef HAVE_ATOMIC_STD_SHARED_PTR
     std::atomic_store_explicit(
         &tls_ctx_data->ocsp_data,
         std::make_shared<std::vector<uint8_t>>(std::move(ocsp_.resp)),
         std::memory_order_release);
-#  else  // !HAVE_ATOMIC_STD_SHARED_PTR
+#else  // !HAVE_ATOMIC_STD_SHARED_PTR
     std::lock_guard<std::mutex> g(tls_ctx_data->mu);
     tls_ctx_data->ocsp_data =
         std::make_shared<std::vector<uint8_t>>(std::move(ocsp_.resp));
-#  endif // !HAVE_ATOMIC_STD_SHARED_PTR
-#else    // NGHTTP2_OPENSSL_IS_BORINGSSL
-    SSL_CTX_set_ocsp_response(ssl_ctx, ocsp_.resp.data(), ocsp_.resp.size());
-#endif   // NGHTTP2_OPENSSL_IS_BORINGSSL
+#endif // !HAVE_ATOMIC_STD_SHARED_PTR
   }
 
   ++ocsp_.next;

diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc
@@ -157,6 +157,35 @@ int ssl_pem_passwd_cb(char *buf, int size, int rwflag, void *user_data) {
 }
 } // namespace
 
+namespace {
+std::shared_ptr<std::vector<uint8_t>>
+get_ocsp_data(TLSContextData *tls_ctx_data) {
+#ifdef HAVE_ATOMIC_STD_SHARED_PTR
+  return std::atomic_load_explicit(&tls_ctx_data->ocsp_data,
+                                   std::memory_order_acquire);
+#else  // !HAVE_ATOMIC_STD_SHARED_PTR
+  std::lock_guard<std::mutex> g(tls_ctx_data->mu);
+  return tls_ctx_data->ocsp_data;
+#endif // !HAVE_ATOMIC_STD_SHARED_PTR
+}
+} // namespace
+
+namespace {
+void set_ocsp_response(SSL *ssl) {
+#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL
+  auto tls_ctx_data =
+      static_cast<TLSContextData *>(SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl)));
+  auto data = get_ocsp_data(tls_ctx_data);
+
+  if (!data) {
+    return;
+  }
+
+  SSL_set_ocsp_response(ssl, data->data(), data->size());
+#endif // NGHTTP2_OPENSSL_IS_BORINGSSL
+}
+} // namespace
+
 namespace {
 // *al is set to SSL_AD_UNRECOGNIZED_NAME by openssl, so we don't have
 // to set it explicitly.
@@ -167,12 +196,16 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 
   auto rawhost = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
   if (rawhost == nullptr) {
+    set_ocsp_response(ssl);
+
     return SSL_TLSEXT_ERR_NOACK;
   }
 
   auto len = strlen(rawhost);
   // NI_MAXHOST includes terminal NULL.
   if (len == 0 || len + 1 > NI_MAXHOST) {
+    set_ocsp_response(ssl);
+
     return SSL_TLSEXT_ERR_NOACK;
   }
 
@@ -194,6 +227,8 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 
   auto idx = cert_tree->lookup(hostname);
   if (idx == -1) {
+    set_ocsp_response(ssl);
+
     return SSL_TLSEXT_ERR_NOACK;
   }
 
@@ -290,24 +325,13 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 
   SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
 
+  set_ocsp_response(ssl);
+
   return SSL_TLSEXT_ERR_OK;
 }
 } // namespace
 
 #ifndef NGHTTP2_OPENSSL_IS_BORINGSSL
-namespace {
-std::shared_ptr<std::vector<uint8_t>>
-get_ocsp_data(TLSContextData *tls_ctx_data) {
-#  ifdef HAVE_ATOMIC_STD_SHARED_PTR
-  return std::atomic_load_explicit(&tls_ctx_data->ocsp_data,
-                                   std::memory_order_acquire);
-#  else  // !HAVE_ATOMIC_STD_SHARED_PTR
-  std::lock_guard<std::mutex> g(tls_ctx_data->mu);
-  return tls_ctx_data->ocsp_data;
-#  endif // !HAVE_ATOMIC_STD_SHARED_PTR
-}
-} // namespace
-
 namespace {
 int ocsp_resp_cb(SSL *ssl, void *arg) {
   auto ssl_ctx = SSL_get_SSL_CTX(ssl);