From 76770e71ed472d79de1cb51724dbff6768e493f7 Mon Sep 17 00:00:00 2001
From: Emmanuel Hocdet <manu@gandi.net>
Date: Wed, 29 Mar 2017 16:33:07 +0200
Subject: [PATCH] MINOR: boringssl: basic support for OCSP Stapling

Use BoringSSL's SSL_CTX_set_ocsp_response() to load the OCSP response from the
file named after the certificate with a '.ocsp' extension. Updating the response
over the CLI is not supported.
---
 src/ssl_sock.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 03d6a94..a911a0d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -943,6 +943,43 @@ out:
 
 #endif
 
+#ifdef OPENSSL_IS_BORINGSSL
+static int ssl_sock_set_ocsp_response_from_file(SSL_CTX *ctx, const char *cert_path)
+{
+	char ocsp_path[MAXPATHLEN+1];
+	struct stat st;
+	int fd = -1, r = 0;
+
+	snprintf(ocsp_path, MAXPATHLEN+1, "%s.ocsp", cert_path);
+	if (stat(ocsp_path, &st))
+		return 0;
+
+	fd = open(ocsp_path, O_RDONLY);
+	if (fd == -1) {
+		Warning("Error opening OCSP response file %s.\n", ocsp_path);
+		return -1;
+	}
+
+	trash.len = 0;
+	while (trash.len < trash.size) {
+		r = read(fd, trash.str + trash.len, trash.size - trash.len);
+		if (r < 0) {
+			if (errno == EINTR)
+				continue;
+			Warning("Error reading OCSP response from file %s.\n", ocsp_path);
+			close(fd);
+			return -1;
+		}
+		else if (r == 0) {
+			break;
+		}
+		trash.len += r;
+	}
+	close(fd);
+	return SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)trash.str, trash.len);
+}
+#endif
+
 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
 
 #define CT_EXTENSION_TYPE 18
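Review bot: A response file larger than the shared `trash` buffer is silently truncated: the read loop stops when `trash.len` reaches `trash.size` with no way to tell a full buffer from EOF, and the cut-off bytes are then handed to `SSL_CTX_set_ocsp_response` as if they were the whole response. The return convention is also ambiguous, since 0 means both "no .ocsp file" and, as far as I know BoringSSL's API, a rejected `SSL_CTX_set_ocsp_response`, and both call sites in this patch drop the value anyway, so a bad file leaves the listener unstapled with at most a warning. Using `st.st_size`, which is already fetched, to reject oversized files before reading and reporting a failed set fixes both; a `stat` failure other than ENOENT (e.g. EACCES) arguably deserves a warning too instead of being treated as "no file". Since BoringSSL stores the bytes as given and the commit message says CLI updates are unsupported, a header comment stating that the file is not validated against the certificate or its validity window and that a stale response is stapled until reload would help operators.
```c
	if (stat(ocsp_path, &st)) {
		if (errno != ENOENT)
			Warning("Error accessing OCSP response file %s.\n", ocsp_path);
		return 0;
	}
	if (st.st_size > trash.size) {
		Warning("OCSP response file %s exceeds the %d-byte buffer, ignoring it.\n", ocsp_path, trash.size);
		return -1;
	}
	/* … unchanged: open() and the read loop into trash … */
	close(fd);
	if (!SSL_CTX_set_ocsp_response(ctx, (const uint8_t *)trash.str, trash.len)) {
		Warning("Error setting OCSP response from file %s.\n", ocsp_path);
		return -1;
	}
	return 1;
```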
@@ -2569,6 +2606,8 @@ static int ssl_sock_load_multi_cert(const char *path, struct bind_conf *bind_con
 						rv = 1;
 						goto end;
 					}
+#elif (defined OPENSSL_IS_BORINGSSL)
+					ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file);
 #endif
 				}
 			}
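Review bot: The result of `ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file)` is discarded, while the OpenSSL branch just above it treats an OCSP load failure as fatal (`rv = 1; goto end;`), so the two builds disagree on whether an unreadable .ocsp file aborts startup. If the intent is to match, `if (ssl_sock_set_ocsp_response_from_file(cur_ctx, cur_file) < 0) { rv = 1; goto end; }` keeps the behaviour consistent; if best-effort is intended, a comment saying so would avoid the question next time. The enclosing `ssl_sock_load_multi_cert` starts and ends outside this hunk, so whether `err` is also filled on the OpenSSL path cannot be confirmed here.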
@@ -2822,6 +2861,8 @@ static int ssl_sock_load_cert_file(const char *path, struct bind_conf *bind_conf
 				  *err ? *err : "", path);
 		return 1;
 	}
+#elif (defined OPENSSL_IS_BORINGSSL)
+	ssl_sock_set_ocsp_response_from_file(ctx, path);
 #endif
 
 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
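Review bot: Same point as in the multi-cert loader: `ssl_sock_set_ocsp_response_from_file(ctx, path)` can return -1 after an open or read error and the value is dropped, whereas the OpenSSL branch immediately above reports through `err` and does `return 1`. Unless silent fallback is deliberate, `if (ssl_sock_set_ocsp_response_from_file(ctx, path) < 0) return 1;`, ideally preceded by a `memprintf(err, ...)` matching the OpenSSL message, keeps the error contract of `ssl_sock_load_cert_file` the same across builds. The function starts outside this hunk.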
-- 
2.1.4

