diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h index c7526bf11..e7828b6f0 100644 --- a/include/haproxy/ssl_ocsp.h +++ b/include/haproxy/ssl_ocsp.h @@ -53,7 +53,7 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer, int ssl_create_ocsp_update_task(char **err); void ssl_destroy_ocsp_update_task(void); -int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking); +int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp); int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err); diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 52a245a65..c2fe8d105 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -1048,7 +1048,7 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp) * defined in order to avoid updating too often responses that have a really * short expire time or even no 'Next Update' at all. */ -int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking) +int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp) { /* Set next_update based on current time and the various OCSP * minimum/maximum update times. @@ -1057,16 +1057,14 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking) ocsp->fail_count = 0; - if (needs_locking) - HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock); + HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock); ocsp->updating = 0; /* An entry with update_once set to 1 was only supposed to be updated * once, it does not need to be reinserted into the update tree. */ if (!ocsp->update_once) eb64_insert(&ocsp_update_tree, &ocsp->next_update); - if (needs_locking) - HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock); + HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock); return 0; } @@ -1294,7 +1292,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context, ssl_ocsp_send_log(); /* Reinsert the entry into the update list so that it can be updated later */ - ssl_ocsp_update_insert(ocsp, 0); + ssl_ocsp_update_insert(ocsp); /* Release the reference kept on the updated ocsp response. */ ssl_sock_free_ocsp_instance(ctx->cur_ocsp); ctx->cur_ocsp = NULL; diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 6dce3cb98..ecaf24ee9 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1499,7 +1499,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store memcpy(iocsp->path, path, path_len + 1); if (enable_auto_update) { - ssl_ocsp_update_insert(iocsp, 1); + ssl_ocsp_update_insert(iocsp); /* If we are during init the update task is not * scheduled yet so a wakeup won't do anything. * Otherwise, if the OCSP was added through the CLI, we @@ -1517,28 +1517,18 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store * prior to the activation of the ocsp auto update and in such a * case we must "force" insertion in the auto update tree. */ - HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock); if (iocsp->next_update.node.leaf_p == NULL) { - /* We might be facing an entry that is currently being - * updated, which can take some time (especially if the - * ocsp responder is unreachable). - * The entry will be reinserted by the update task, it - * mustn't be reinserted here. + ssl_ocsp_update_insert(iocsp); + /* If we are during init the update task is not + * scheduled yet so a wakeup won't do anything. + * Otherwise, if the OCSP was added through the CLI, we + * wake the task up to manage the case of a new entry + * that needs to be updated before the previous first + * entry. */ - if (!iocsp->updating) { - ssl_ocsp_update_insert(iocsp, 0); - /* If we are during init the update task is not - * scheduled yet so a wakeup won't do anything. - * Otherwise, if the OCSP was added through the CLI, we - * wake the task up to manage the case of a new entry - * that needs to be updated before the previous first - * entry. - */ - if (ocsp_update_task) - task_wakeup(ocsp_update_task, TASK_WOKEN_MSG); - } + if (ocsp_update_task) + task_wakeup(ocsp_update_task, TASK_WOKEN_MSG); } - HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock); } out: