SNOW-1300480: fix missing part for ocsp (#710)

Harry Xi · web-flow · commit 047785ea9bba · 2024-04-26T07:53:46.000-07:00
diff --git a/deps/curl/lib/url.c b/deps/curl/lib/url.c
@@ -1403,6 +1403,18 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
   conn->connect_only = data->set.connect_only;
   conn->transport = TRNSPRT_TCP; /* most of them are TCP streams */
 
+  conn->ssl_config.sf_ocsp_check = data->set.ssl.primary.sf_ocsp_check;
+  conn->ssl_config.sf_ocsp_failopen = data->set.ssl.primary.sf_ocsp_failopen;
+  conn->ssl_config.sf_oob_enable = data->set.ssl.primary.sf_oob_enable;
+#ifndef CURL_DISABLE_PROXY
+  conn->proxy_ssl_config.sf_ocsp_check =
+    data->set.proxy_ssl.primary.sf_ocsp_check;
+  conn->proxy_ssl_config.sf_ocsp_failopen =
+    data->set.proxy_ssl.primary.sf_ocsp_failopen;
+  conn->proxy_ssl_config.sf_oob_enable =
+    data->set.proxy_ssl.primary.sf_oob_enable;
+#endif
+
 #if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \
     defined(NTLM_WB_ENABLED)
   conn->ntlm.ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
diff --git a/deps/curl/lib/vtls/sf_ocsp.c b/deps/curl/lib/vtls/sf_ocsp.c
@@ -836,7 +836,7 @@ static OCSP_RESPONSE * queryResponderUsingCurl(char *url, OCSP_CERTID *certid, c
             strcpy(last_timeout_host, host);
           }
           snprintf(error_msg, OCSP_TELEMETRY_ERROR_MSG_MAX_LEN,
-                  "OCSP checking curl_easy_perform() failed: %s\n",
+                  "OCSP checking curl_easy_perform() failed: %s",
                   curl_easy_strerror(res));
           sf_otd_set_error_msg(error_msg, ocsp_log_data);
           sf_otd_set_event_sub_type(OCSP_RESPONSE_FETCH_FAILURE, ocsp_log_data);
@@ -1866,7 +1866,8 @@ CURLcode checkOneCert(X509 *cert, X509 *issuer,
         {
           sendOOBevent(ocsp_log_str);
         }
-        infof(data, ocsp_log_str);
+        // multiple line logging is not allowed in curl
+        // infof(data, ocsp_log_str);
         if(ocsp_log_str) sf_curl_cJSON_free(ocsp_log_str);
       }
     }
diff --git a/deps/curl/lib/vtls/vtls.c b/deps/curl/lib/vtls/vtls.c
@@ -373,6 +373,9 @@ void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy)
     dest->verifyhost = src->verifyhost;
     dest->verifypeer = src->verifypeer;
     dest->verifystatus = src->verifystatus;
+    dest->sf_ocsp_check = src->sf_ocsp_check;
+    dest->sf_ocsp_failopen = src->sf_ocsp_failopen;
+    dest->sf_oob_enable = src->sf_oob_enable;
   }
 }
 
diff --git a/scripts/build_curl.bat b/scripts/build_curl.bat
@@ -11,7 +11,7 @@
 
 @echo off
 set CURL_SRC_VERSION=8.7.1
-set CURL_BUILD_VERSION=2
+set CURL_BUILD_VERSION=4
 set CURL_VERSION=%CURL_SRC_VERSION%.%CURL_BUILD_VERSION%
 call %*
 goto :EOF
diff --git a/scripts/build_curl.sh b/scripts/build_curl.sh
@@ -13,7 +13,7 @@ function usage() {
 set -o pipefail
 
 CURL_SRC_VERSION=8.7.1
-CURL_BUILD_VERSION=2
+CURL_BUILD_VERSION=4
 CURL_VERSION=${CURL_SRC_VERSION}.${CURL_BUILD_VERSION}
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
diff --git a/tests/unit_test_ocsp/test_ocsp.c b/tests/unit_test_ocsp/test_ocsp.c
@@ -141,7 +141,7 @@ static void dieIfNotSuccess(CURLcode ret)
 }
 
 static void
-checkCertificateRevocationStatus(char *host, char *port, char *cacert, char *proxy, char *no_proxy, int oob_enable, int failopen)
+checkCertificateRevocationStatus(char *host, char *port, char *cacert, char *proxy, char *no_proxy, int oob_enable, int failopen, int expect_fail)
 {
     CURL *ch;
     struct configData config;
@@ -198,7 +198,19 @@ checkCertificateRevocationStatus(char *host, char *port, char *cacert, char *pro
         dieIfNotSuccess(curl_easy_setopt(ch, CURLOPT_SSL_SF_OCSP_FAIL_OPEN, 0));
     }
 
-    dieIfNotSuccess(curl_easy_perform(ch));
+    CURLcode ret = curl_easy_perform(ch);
+    if (expect_fail == 0)
+    {
+        dieIfNotSuccess(ret);
+    }
+    else
+    {
+        if (ret == CURLE_OK)
+        {
+            fprintf(stderr, "FAILED!\n");
+            exit(1);
+        }        
+    }
 
     curl_easy_cleanup(ch);
     curl_global_cleanup();
@@ -269,29 +281,36 @@ int main(int argc, char **argv)
         return 2;
     }
     printf("host: %s, port: %s, cacert: %s\n", host, port, cacert);
+#ifdef __linux__
     sprintf(cache_file, "%s/.cache/snowflake/ocsp_response_cache.json",
             getenv("HOME"));
+#elif defined(__APPLE__)
+    sprintf(cache_file, "%s/Library/Caches//Snowflake/ocsp_response_cache.json",
+            getenv("HOME"));
+#else
+    return 0;
+#endif
 
     printf("===> Case 1: whatever default\n");
-    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0);
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0, 0);
 
     printf("===> Case 2: Delete file cache and No Use Cache Server\n");
     setenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "false", 1);
     unlink(cache_file);
-    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0);
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0, 0);
 
     printf("===> Case 3: Delete file cache and Use Cache Server\n");
     setenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "true", 1);
     unlink(cache_file);
-    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0);
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0, 0);
 
     printf("===> Case 4: No Delete file cache and No Use Cache Server\n");
     setenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "false", 1);
-    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0);
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0, 0);
 
     printf("===> Case 5: No Delete file cache and No Use Cache Server\n");
     setenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "false", 1);
-    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0);
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0, 0);
 
     if (getenv("all_proxy") || getenv("https_proxy") ||
         getenv("http_proxy"))
@@ -305,14 +324,14 @@ int main(int argc, char **argv)
     setenv("http_proxy", "a.b.c", 1);
     setenv("https_proxy", "a.b.c", 1);
     unlink(cache_file);
-    checkCertificateRevocationStatus(host, port, cacert, "", "", 0, 0);
+    checkCertificateRevocationStatus(host, port, cacert, "", "", 0, 0, 0);
 
     printf("===> Case 7: Delete file cache and overwrite invalid proxy with no_proxy\n");
     setenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "true", 1);
     setenv("http_proxy", "a.b.c", 1);
     setenv("https_proxy", "a.b.c", 1);
     unlink(cache_file);
-    checkCertificateRevocationStatus(host, port, cacert, "a.b.c", "*", 0, 0);
+    checkCertificateRevocationStatus(host, port, cacert, "a.b.c", "*", 0, 0, 0);
 
     unsetenv("http_proxy");
     unsetenv("https_proxy");
@@ -326,7 +345,7 @@ int main(int argc, char **argv)
     // use random IP address so it will get connection timeout
     setenv("SF_OCSP_RESPONSE_CACHE_SERVER_URL", "http://10.24.123.89/ocsp_response_cache.json", 1);
     unlink(cache_file);
-    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 1, 1);
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 1, 1, 0);
 
     printf("===> Case 10: Delete file cache with invalid cache server URL to test delay on failure and OOB disabled\n");
     setenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "false", 1);
@@ -335,7 +354,7 @@ int main(int argc, char **argv)
     unlink(cache_file);
 
     time_t start_time = time(NULL);
-    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 1);
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 1, 0);
     time_t end_time = time(NULL);
     // should be around 5 seconds but no longer than 10.
     if ((end_time - start_time) > 10)
@@ -348,6 +367,14 @@ int main(int argc, char **argv)
         fprintf(stderr, "Delay check OK\n");
     }
 
+    printf("===> Case 11: Delete file cache with invalid cache server URL test with fail close\n");
+    setenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED", "true", 1);
+    // use random IP address so it will get connection timeout
+    setenv("SF_OCSP_RESPONSE_CACHE_SERVER_URL", "http://10.24.123.89/ocsp_response_cache.json", 1);
+    unlink(cache_file);
+
+    checkCertificateRevocationStatus(host, port, cacert, NULL, NULL, 0, 0, 1);
+
     unsetenv("SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED");
     unsetenv("SF_OCSP_RESPONSE_CACHE_SERVER_URL");
 

Original file line number	Diff line number	Diff line change
`@@ -836,7 +836,7 @@ static OCSP_RESPONSE * queryResponderUsingCurl(char url, OCSP_CERTID certid, c`
`836`	`836`	`strcpy(last_timeout_host, host);`
`837`	`837`	`}`
`838`	`838`	`snprintf(error_msg, OCSP_TELEMETRY_ERROR_MSG_MAX_LEN,`
`839`		`- "OCSP checking curl_easy_perform() failed: %s\n",`
	`839`	`+ "OCSP checking curl_easy_perform() failed: %s",`
`840`	`840`	`curl_easy_strerror(res));`
`841`	`841`	`sf_otd_set_error_msg(error_msg, ocsp_log_data);`
`842`	`842`	`sf_otd_set_event_sub_type(OCSP_RESPONSE_FETCH_FAILURE, ocsp_log_data);`
`@@ -1866,7 +1866,8 @@ CURLcode checkOneCert(X509 cert, X509 issuer,`
`1866`	`1866`	`{`
`1867`	`1867`	`sendOOBevent(ocsp_log_str);`
`1868`	`1868`	`}`
`1869`		`- infof(data, ocsp_log_str);`
	`1869`	`+ // multiple line logging is not allowed in curl`
	`1870`	`+ // infof(data, ocsp_log_str);`
`1870`	`1871`	`if(ocsp_log_str) sf_curl_cJSON_free(ocsp_log_str);`
`1871`	`1872`	`}`
`1872`	`1873`	`}`
Original file line number	Diff line number	Diff line change
`@@ -373,6 +373,9 @@ void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy)`
`373`	`373`	`dest->verifyhost = src->verifyhost;`
`374`	`374`	`dest->verifypeer = src->verifypeer;`
`375`	`375`	`dest->verifystatus = src->verifystatus;`
	`376`	`+ dest->sf_ocsp_check = src->sf_ocsp_check;`
	`377`	`+ dest->sf_ocsp_failopen = src->sf_ocsp_failopen;`
	`378`	`+ dest->sf_oob_enable = src->sf_oob_enable;`
`376`	`379`	`}`
`377`	`380`	`}`
`378`	`381`