Revert "BUG/MINOR: ocsp: Crash when updating CA during ocsp updates"

This reverts commit 167ea8fc7b0cf9d1bf71ec03d7eac3141fbe0080.

The patch was backported by mistake.
Christopher Faulet 2025-09-15 10:16:20 +02:00
parent 167ea8fc7b
commit b582fd41c2
3 changed files with 15 additions and 27 deletions


@ -53,7 +53,7 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
int ssl_create_ocsp_update_task(char **err); int ssl_create_ocsp_update_task(char **err);
void ssl_destroy_ocsp_update_task(void); void ssl_destroy_ocsp_update_task(void);
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking); int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err); int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);


@ -1048,7 +1048,7 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp)
* defined in order to avoid updating too often responses that have a really * defined in order to avoid updating too often responses that have a really
* short expire time or even no 'Next Update' at all. * short expire time or even no 'Next Update' at all.
*/ */
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking) int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
{ {
/* Set next_update based on current time and the various OCSP /* Set next_update based on current time and the various OCSP
* minimum/maximum update times. * minimum/maximum update times.
@ -1057,16 +1057,14 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
ocsp->fail_count = 0; ocsp->fail_count = 0;
if (needs_locking) HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
ocsp->updating = 0; ocsp->updating = 0;
/* An entry with update_once set to 1 was only supposed to be updated /* An entry with update_once set to 1 was only supposed to be updated
* once, it does not need to be reinserted into the update tree. * once, it does not need to be reinserted into the update tree.
*/ */
if (!ocsp->update_once) if (!ocsp->update_once)
eb64_insert(&ocsp_update_tree, &ocsp->next_update); eb64_insert(&ocsp_update_tree, &ocsp->next_update);
if (needs_locking) HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
return 0; return 0;
} }
@ -1294,7 +1292,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
ssl_ocsp_send_log(); ssl_ocsp_send_log();
/* Reinsert the entry into the update list so that it can be updated later */ /* Reinsert the entry into the update list so that it can be updated later */
ssl_ocsp_update_insert(ocsp, 0); ssl_ocsp_update_insert(ocsp);
/* Release the reference kept on the updated ocsp response. */ /* Release the reference kept on the updated ocsp response. */
ssl_sock_free_ocsp_instance(ctx->cur_ocsp); ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
ctx->cur_ocsp = NULL; ctx->cur_ocsp = NULL;
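Review bot: With the `needs_locking` parameter gone, `ssl_ocsp_update_insert()` takes `ocsp_tree_lock` unconditionally around `ocsp->updating = 0` and the `eb64_insert()`, but the comment above it (which starts outside this hunk) says nothing about locking. I would add a line to that comment such as `* Takes ocsp_tree_lock itself; must not be called with the lock held.` so that a later caller does not invoke it with the lock already taken. The call in `ssl_ocsp_update_responses()` previously passed `0`, and that function's body is not fully visible here, so it is worth confirming that the lock is not held at that call on this branch.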


@ -1499,7 +1499,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
memcpy(iocsp->path, path, path_len + 1); memcpy(iocsp->path, path, path_len + 1);
if (enable_auto_update) { if (enable_auto_update) {
ssl_ocsp_update_insert(iocsp, 1); ssl_ocsp_update_insert(iocsp);
/* If we are during init the update task is not /* If we are during init the update task is not
* scheduled yet so a wakeup won't do anything. * scheduled yet so a wakeup won't do anything.
* Otherwise, if the OCSP was added through the CLI, we * Otherwise, if the OCSP was added through the CLI, we
@ -1517,28 +1517,18 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
* prior to the activation of the ocsp auto update and in such a * prior to the activation of the ocsp auto update and in such a
* case we must "force" insertion in the auto update tree. * case we must "force" insertion in the auto update tree.
*/ */
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
if (iocsp->next_update.node.leaf_p == NULL) { if (iocsp->next_update.node.leaf_p == NULL) {
/* We might be facing an entry that is currently being ssl_ocsp_update_insert(iocsp);
* updated, which can take some time (especially if the /* If we are during init the update task is not
* ocsp responder is unreachable). * scheduled yet so a wakeup won't do anything.
* The entry will be reinserted by the update task, it * Otherwise, if the OCSP was added through the CLI, we
* mustn't be reinserted here. * wake the task up to manage the case of a new entry
* that needs to be updated before the previous first
* entry.
*/ */
if (!iocsp->updating) { if (ocsp_update_task)
ssl_ocsp_update_insert(iocsp, 0); task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
/* If we are during init the update task is not
* scheduled yet so a wakeup won't do anything.
* Otherwise, if the OCSP was added through the CLI, we
* wake the task up to manage the case of a new entry
* that needs to be updated before the previous first
* entry.
*/
if (ocsp_update_task)
task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
}
} }
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
} }
out: out:
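Review bot: The `iocsp->next_update.node.leaf_p == NULL` test in `ssl_sock_load_ocsp()` is once more read without `ocsp_tree_lock` and no longer looks at `iocsp->updating`, so an entry that is out of the tree only because its update is in progress gets inserted here and, judging by the call in `ssl_ocsp_update_responses()`, inserted again when that update finishes. The removed comment described exactly this case ("The entry will be reinserted by the update task, it mustn't be reinserted here"), so if this branch can reach it the second `eb64_insert()` on the same node may corrupt the update tree. The commit message only says the backport was a mistake; please state whether this branch is unaffected, or keep a guard that fits the single-argument API, e.g. `if (iocsp->next_update.node.leaf_p == NULL && !iocsp->updating) {`. Such a test still runs outside the lock, so it narrows the window rather than closing it; the function's body starts and ends outside the hunk.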