MINOR: ssl/ocsp: add a function to check the OCSP update configuration
Deduplicate the code which checks the OCSP update in the ckch_store and
in the crtlist_entry.
Also, jump immediately to error handling when ERR_FATAL is caught.
diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index 6409309..c9b410a 100644
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -24,6 +24,8 @@
#ifdef USE_OPENSSL
#include <haproxy/openssl-compat.h>
+#include <haproxy/ssl_ckch-t.h>
+#include <haproxy/ssl_crtlist-t.h>
#include <haproxy/ssl_ocsp-t.h>
#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
@@ -50,6 +52,8 @@
int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err);
+
#endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
#endif /* USE_OPENSSL */
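Review bot: `crt_path` is only read by the new helper (it feeds a `%s` in its memprintf call), so the prototype should take `const char *crt_path`, which lets callers pass constant paths without a cast and documents that the string is not modified. The definition added to src/ssl_ocsp.c in this same commit should change in the same way: `int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, const char *crt_path, char **err);`. `store` and `entry` are likewise only read, but whether they are const-qualified should follow the convention of the surrounding prototypes in this header.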
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index 31428d6..2675703 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -27,6 +27,7 @@
#include <haproxy/sc_strm.h>
#include <haproxy/ssl_ckch.h>
#include <haproxy/ssl_crtlist.h>
+#include <haproxy/ssl_ocsp.h>
#include <haproxy/ssl_sock.h>
#include <haproxy/stconn.h>
#include <haproxy/tools.h>
@@ -618,13 +619,11 @@
entry_dup->node.key = ckchs;
entry_dup->crtlist = newlist;
- if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
- if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
- || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
- memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT | ERR_FATAL;
- }
- }
+
+ cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+ if (cfgerr & ERR_FATAL)
+ goto error;
+
if (entry->ssl_conf)
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
ebpt_insert(&newlist->entries, &entry_dup->node);
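Review bot: The new early exit tests the accumulated `cfgerr` rather than the helper's own return, so any ERR_FATAL already raised earlier in this function (which previously fell through to the `ebpt_insert` and the normal return) now also jumps to `error`; if that widening is not intended, keep the helper's result apart: `int ret = ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err); cfgerr |= ret; if (ret & ERR_FATAL) goto error;`. The jump also happens after `entry_dup` has been filled in but before the `ebpt_insert` on the last line of the hunk, so the duplicate is not yet reachable from `newlist`; the `error:` label and the allocation are outside this hunk, so please confirm the error path releases `entry_dup` (and, in the second hunk of this file, which has the same shape, `entry`) rather than leaking it. The enclosing function starts and ends outside the hunk.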
@@ -650,13 +649,11 @@
} else {
entry->node.key = ckchs;
entry->crtlist = newlist;
- if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
- if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
- || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
- memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
- cfgerr |= ERR_ALERT | ERR_FATAL;
- }
- }
+
+ cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+ if (cfgerr & ERR_FATAL)
+ goto error;
+
if (entry->ssl_conf)
ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
ebpt_insert(&newlist->entries, &entry->node);
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 1271f6e..99edfc8 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1668,6 +1668,20 @@
#endif
}
+/* Check if the ckch_store and the entry does have the same configuration */
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
+{
+ int err_code = ERR_NONE;
+
+ if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+ if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+ || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
+ memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+ err_code |= ERR_ALERT | ERR_FATAL;
+ }
+ }
+ return err_code;
+}
static struct cli_kw_list cli_kws = {{ },{
{ { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response <resp|payload> : update a certificate's OCSP Response from a base64-encode DER", cli_parse_set_ocspresponse, NULL },
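Review bot: The one-line comment on the new function neither states the rule it enforces nor the contract on its arguments; replace it with a header saying that it returns ERR_NONE when the ckch_store's OCSP update mode is compatible with the crtlist entry, and ERR_ALERT|ERR_FATAL (appending a message to *err) when either the entry has no ssl_conf while the store's mode is SSL_SOCK_OCSP_UPDATE_ON, or the entry's ssl_conf->ocsp_update differs from the store's mode, with `store`, `store->data` and `entry` required to be non-NULL. The current text `Check if the ckch_store and the entry does have the same configuration` has a grammar slip (`does have` → `have`) and slightly misstates the rule, since a store in SSL_SOCK_OCSP_UPDATE_DFLT mode paired with an entry without ssl_conf is accepted even though the two are not compared. The `err && *err` guard suggests `err` may be NULL; if memprintf tolerates that, the header should say so, otherwise the guard is misleading.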