Revert "BUG/MINOR: ocsp: Crash when updating CA during ocsp updates"

This reverts commit 167ea8fc7b0cf9d1bf71ec03d7eac3141fbe0080.

The patch was backported by mistake.

include/haproxy/ssl_ocsp.h

@@ -53,7 +53,7 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
 int ssl_create_ocsp_update_task(char **err);
 void ssl_destroy_ocsp_update_task(void);
 
-int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking);
+int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
 
 int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
 

src/ssl_ocsp.c

@@ -1048,7 +1048,7 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp)
  * defined in order to avoid updating too often responses that have a really
  * short expire time or even no 'Next Update' at all.
  */
-int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
+int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
 {
 	/* Set next_update based on current time and the various OCSP
 	 * minimum/maximum update times.
@@ -1057,16 +1057,14 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
 
 	ocsp->fail_count = 0;
 
-	if (needs_locking)
-		HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
+	HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 	ocsp->updating = 0;
 	/* An entry with update_once set to 1 was only supposed to be updated
 	 * once, it does not need to be reinserted into the update tree.
 	 */
 	if (!ocsp->update_once)
 		eb64_insert(&ocsp_update_tree, &ocsp->next_update);
-	if (needs_locking)
-		HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
+	HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 
 	return 0;
 }
@@ -1294,7 +1292,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 			ssl_ocsp_send_log();
 
 			/* Reinsert the entry into the update list so that it can be updated later */
-			ssl_ocsp_update_insert(ocsp, 0);
+			ssl_ocsp_update_insert(ocsp);
 			/* Release the reference kept on the updated ocsp response. */
 			ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
 			ctx->cur_ocsp = NULL;

src/ssl_sock.c

@@ -1499,7 +1499,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
 		memcpy(iocsp->path, path, path_len + 1);
 
 		if (enable_auto_update) {
-			ssl_ocsp_update_insert(iocsp, 1);
+			ssl_ocsp_update_insert(iocsp);
 			/* If we are during init the update task is not
 			 * scheduled yet so a wakeup won't do anything.
 			 * Otherwise, if the OCSP was added through the CLI, we
@@ -1517,28 +1517,18 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
 		 * prior to the activation of the ocsp auto update and in such a
 		 * case we must "force" insertion in the auto update tree.
 		 */
-		HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
 		if (iocsp->next_update.node.leaf_p == NULL) {
-			/* We might be facing an entry that is currently being
-			 * updated, which can take some time (especially if the
-			 * ocsp responder is unreachable).
-			 * The entry will be reinserted by the update task, it
-			 * mustn't be reinserted here.
+			ssl_ocsp_update_insert(iocsp);
+			/* If we are during init the update task is not
+			 * scheduled yet so a wakeup won't do anything.
+			 * Otherwise, if the OCSP was added through the CLI, we
+			 * wake the task up to manage the case of a new entry
+			 * that needs to be updated before the previous first
+			 * entry.
 			 */
-			if (!iocsp->updating) {
-				ssl_ocsp_update_insert(iocsp, 0);
-				/* If we are during init the update task is not
-				 * scheduled yet so a wakeup won't do anything.
-				 * Otherwise, if the OCSP was added through the CLI, we
-				 * wake the task up to manage the case of a new entry
-				 * that needs to be updated before the previous first
-				 * entry.
-				 */
-				if (ocsp_update_task)
-					task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
-			}
+			if (ocsp_update_task)
+				task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
 		}
-		HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 	}
 
 out: