mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-20 13:21:29 +02:00
Code Issues Projects Releases Wiki Activity

Revert "BUG/MINOR: ocsp: Crash when updating CA during ocsp updates"

Browse Source 
This reverts commit 167ea8fc7b0cf9d1bf71ec03d7eac3141fbe0080.

The patch was backported by mistake.
This commit is contained in:
Christopher Faulet 2025-09-15 10:16:20 +02:00
parent 167ea8fc7b
commit b582fd41c2
3 changed files with 15 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/ssl_ocsp.h
View File

@ -53,7 +53,7 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
int ssl_create_ocsp_update_task(char **err);
void ssl_destroy_ocsp_update_task(void);
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking);
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);

6
src/ssl_ocsp.c
View File

@ -1048,7 +1048,7 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp)
* defined in order to avoid updating too often responses that have a really
* short expire time or even no 'Next Update' at all.
*/
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
{
/* Set next_update based on current time and the various OCSP
* minimum/maximum update times.
@ -1057,7 +1057,6 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
ocsp->fail_count = 0;
if (needs_locking)
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
ocsp->updating = 0;
/* An entry with update_once set to 1 was only supposed to be updated
@ -1065,7 +1064,6 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
*/
if (!ocsp->update_once)
eb64_insert(&ocsp_update_tree, &ocsp->next_update);
if (needs_locking)
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
return 0;
@ -1294,7 +1292,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
ssl_ocsp_send_log();
/* Reinsert the entry into the update list so that it can be updated later */
ssl_ocsp_update_insert(ocsp, 0);
ssl_ocsp_update_insert(ocsp);
/* Release the reference kept on the updated ocsp response. */
ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
ctx->cur_ocsp = NULL;

14
src/ssl_sock.c
View File

@ -1499,7 +1499,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
memcpy(iocsp->path, path, path_len + 1);
if (enable_auto_update) {
ssl_ocsp_update_insert(iocsp, 1);
ssl_ocsp_update_insert(iocsp);
/* If we are during init the update task is not
* scheduled yet so a wakeup won't do anything.
* Otherwise, if the OCSP was added through the CLI, we
@ -1517,16 +1517,8 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
* prior to the activation of the ocsp auto update and in such a
* case we must "force" insertion in the auto update tree.
*/
HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
if (iocsp->next_update.node.leaf_p == NULL) {
/* We might be facing an entry that is currently being
* updated, which can take some time (especially if the
* ocsp responder is unreachable).
* The entry will be reinserted by the update task, it
* mustn't be reinserted here.
*/
if (!iocsp->updating) {
ssl_ocsp_update_insert(iocsp, 0);
ssl_ocsp_update_insert(iocsp);
/* If we are during init the update task is not
* scheduled yet so a wakeup won't do anything.
* Otherwise, if the OCSP was added through the CLI, we
@ -1538,8 +1530,6 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
}
}
HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
}
out:
if (ret && data->ocsp_cid) {