MINOR: ssl/ocsp: add a function to check the OCSP update configuration
authorWilliam Lallemand <wlallemand@haproxy.org>
Tue, 7 Feb 2023 17:38:05 +0000 (18:38 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Wed, 8 Feb 2023 10:40:31 +0000 (11:40 +0100)
Deduplicate the code which checks the OCSP update in the ckch_store and
in the crtlist_entry.

Also, jump immediately to error handling when ERR_FATAL is caught.

include/haproxy/ssl_ocsp.h
src/ssl_crtlist.c
src/ssl_ocsp.c

index 6409309bbb7c53fd3d2f4a5bb5d22bf2b603332f..c9b410a9d1c5f4f2d2894d6d072baafd733b0b45 100644 (file)
@@ -24,6 +24,8 @@
 #ifdef USE_OPENSSL
 
 #include <haproxy/openssl-compat.h>
+#include <haproxy/ssl_ckch-t.h>
+#include <haproxy/ssl_crtlist-t.h>
 #include <haproxy/ssl_ocsp-t.h>
 
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
@@ -50,6 +52,8 @@ void ssl_destroy_ocsp_update_task(void);
 
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
 
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err);
+
 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
 
 #endif /* USE_OPENSSL */
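Review bot: The new prototype on the `ocsp_update_check_cfg_consistency` line is added without a comment and with fully mutable pointer parameters, although a consistency check only needs read access to the store, the entry and the path. I would declare it as `int ocsp_update_check_cfg_consistency(const struct ckch_store *store, const struct crtlist_entry *entry, const char *crt_path, char **err);` and update the definition in ssl_ocsp.c to match, so that callers holding const pointers can use it and the contract is visible from the header. A short comment above it should also state the return convention: ERR_NONE when the store and entry agree, ERR_ALERT|ERR_FATAL with a message appended to *err otherwise.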
index 31428d63b5ad13e22f93ebcefe0157b907782033..2675703a4122e9e576ce6b43b197be35ace77d7b 100644 (file)
@@ -27,6 +27,7 @@
 #include <haproxy/sc_strm.h>
 #include <haproxy/ssl_ckch.h>
 #include <haproxy/ssl_crtlist.h>
+#include <haproxy/ssl_ocsp.h>
 #include <haproxy/ssl_sock.h>
 #include <haproxy/stconn.h>
 #include <haproxy/tools.h>
@@ -618,13 +619,11 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 
                                        entry_dup->node.key = ckchs;
                                        entry_dup->crtlist = newlist;
-                                       if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
-                                               if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
-                                                   || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
-                                                       memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
-                                                       cfgerr |= ERR_ALERT | ERR_FATAL;
-                                               }
-                                       }
+
+                                       cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+                                       if (cfgerr & ERR_FATAL)
+                                               goto error;
+
                                        if (entry->ssl_conf)
                                                ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
                                        ebpt_insert(&newlist->entries, &entry_dup->node);
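Review bot: The new `goto error` now leaves the function before `ebpt_insert(&newlist->entries, &entry_dup->node)` runs, whereas the removed code inserted `entry_dup` into the list even when the check failed. If the `error` label (outside this hunk) releases only the entries linked into `newlist`, the freshly allocated `entry_dup` is no longer reachable from there and leaks on the fatal path; please confirm what `error` frees, or free `entry_dup` explicitly before the jump. The same ordering applies to `entry` in the second hunk of this file. crtlist_parse_file starts and ends outside this hunk.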
@@ -650,13 +649,11 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
                } else {
                        entry->node.key = ckchs;
                        entry->crtlist = newlist;
-                       if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
-                               if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
-                                   || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
-                                       memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
-                                       cfgerr |= ERR_ALERT | ERR_FATAL;
-                               }
-                       }
+
+                       cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+                       if (cfgerr & ERR_FATAL)
+                               goto error;
+
                        if (entry->ssl_conf)
                                ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
                        ebpt_insert(&newlist->entries, &entry->node);
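Review bot: The added `if (cfgerr & ERR_FATAL)` tests the accumulated flags rather than what `ocsp_update_check_cfg_consistency` just returned, so if any earlier path in this function recorded ERR_FATAL in `cfgerr` without jumping, the abort would now happen here and the error message would point at the OCSP check rather than the real cause. It reads more clearly as `int ret = ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err); cfgerr |= ret; if (ret & ERR_FATAL) goto error;`, which ties the jump to the check that triggered it. Whether the first form can misfire depends on the rest of crtlist_parse_file, which starts and ends outside this hunk.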
index 1271f6e406a1282769eed84676afc5700e4d02b5..99edfc8750410da3aedf427aba2f0e30737c6403 100644 (file)
@@ -1668,6 +1668,20 @@ yield:
 #endif
 }
 
+/* Check if the ckch_store and the entry does have the same configuration */
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
+{
+       int err_code = ERR_NONE;
+
+       if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+               if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+                   || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
+                       memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+                       err_code |= ERR_ALERT | ERR_FATAL;
+               }
+       }
+       return err_code;
+}
 
 static struct cli_kw_list cli_kws = {{ },{
        { { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response <resp|payload>    : update a certificate's OCSP Response from a base64-encode DER",      cli_parse_set_ocspresponse, NULL },
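Review bot: The header comment `/* Check if the ckch_store and the entry does have the same configuration */` is ungrammatical and does not tell the reader what "same configuration" means or what the function returns, which matters because callers branch on ERR_FATAL. From the two conditions in the body the rule is: an entry with no ssl_conf conflicts with a store already set to SSL_SOCK_OCSP_UPDATE_ON, and an entry with an ssl_conf must carry the same ocsp_update mode as the store. I would replace the comment with a description along those lines, ending with: returns ERR_NONE when consistent, otherwise appends an "Incompatibilities found in OCSP update mode" message for `crt_path` to *err and returns ERR_ALERT|ERR_FATAL. Since `crt_path` is only passed to memprintf as a `%s` argument, `const char *crt_path` would also be the accurate signature.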