Revert "BUG/MINOR: ocsp: Crash when updating CA during ocsp updates"

This reverts commit 167ea8fc7b0cf9d1bf71ec03d7eac3141fbe0080.

The patch was backported by mistake.

diff --git a/include/haproxy/ssl_ocsp.h b/include/haproxy/ssl_ocsp.h
index c7526bf11f38dd3f6b0ad4505cacfef60916394d..e7828b6f0f87a462ab25f7ebc03711a28801e332 100644 (file)
--- a/include/haproxy/ssl_ocsp.h
+++ b/include/haproxy/ssl_ocsp.h
@@ -53,7 +53,7 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer,
 int ssl_create_ocsp_update_task(char **err);
 void ssl_destroy_ocsp_update_task(void);
 
-int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking);
+int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
 
 int ocsp_update_init(void *value, char *buf, struct ckch_data *d, int cli, const char *filename, int linenum, char **err);
 

diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 52a245a659387f22ae9b1b94bfae05d4543bce9a..c2fe8d105dc948aa45644c8661bed4eee519e8df 100644 (file)
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1048,7 +1048,7 @@ static inline void ssl_ocsp_set_next_update(struct certificate_ocsp *ocsp)
  * defined in order to avoid updating too often responses that have a really
  * short expire time or even no 'Next Update' at all.
  */
-int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
+int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp)
 {
        /* Set next_update based on current time and the various OCSP
         * minimum/maximum update times.
@@ -1057,16 +1057,14 @@ int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp, int needs_locking)
 
        ocsp->fail_count = 0;
 
-       if (needs_locking)
-               HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
+       HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
        ocsp->updating = 0;
        /* An entry with update_once set to 1 was only supposed to be updated
         * once, it does not need to be reinserted into the update tree.
         */
        if (!ocsp->update_once)
                eb64_insert(&ocsp_update_tree, &ocsp->next_update);
-       if (needs_locking)
-               HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
+       HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 
        return 0;
 }
@@ -1294,7 +1292,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
                        ssl_ocsp_send_log();
 
                        /* Reinsert the entry into the update list so that it can be updated later */
-                       ssl_ocsp_update_insert(ocsp, 0);
+                       ssl_ocsp_update_insert(ocsp);
                        /* Release the reference kept on the updated ocsp response. */
                        ssl_sock_free_ocsp_instance(ctx->cur_ocsp);
                        ctx->cur_ocsp = NULL;

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 6dce3cb98e4fb266bf403c56bcbfcdb7cdf9c3b7..ecaf24ee955ce7b7e5596bb9f1c63c77180000b3 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1499,7 +1499,7 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
                memcpy(iocsp->path, path, path_len + 1);
 
                if (enable_auto_update) {
-                       ssl_ocsp_update_insert(iocsp, 1);
+                       ssl_ocsp_update_insert(iocsp);
                        /* If we are during init the update task is not
                         * scheduled yet so a wakeup won't do anything.
                         * Otherwise, if the OCSP was added through the CLI, we
@@ -1517,28 +1517,18 @@ static int ssl_sock_load_ocsp(const char *path, SSL_CTX *ctx, struct ckch_store
                 * prior to the activation of the ocsp auto update and in such a
                 * case we must "force" insertion in the auto update tree.
                 */
-               HA_SPIN_LOCK(OCSP_LOCK, &ocsp_tree_lock);
                if (iocsp->next_update.node.leaf_p == NULL) {
-                       /* We might be facing an entry that is currently being
-                        * updated, which can take some time (especially if the
-                        * ocsp responder is unreachable).
-                        * The entry will be reinserted by the update task, it
-                        * mustn't be reinserted here.
+                       ssl_ocsp_update_insert(iocsp);
+                       /* If we are during init the update task is not
+                        * scheduled yet so a wakeup won't do anything.
+                        * Otherwise, if the OCSP was added through the CLI, we
+                        * wake the task up to manage the case of a new entry
+                        * that needs to be updated before the previous first
+                        * entry.
                         */
-                       if (!iocsp->updating) {
-                               ssl_ocsp_update_insert(iocsp, 0);
-                               /* If we are during init the update task is not
-                                * scheduled yet so a wakeup won't do anything.
-                                * Otherwise, if the OCSP was added through the CLI, we
-                                * wake the task up to manage the case of a new entry
-                                * that needs to be updated before the previous first
-                                * entry.
-                                */
-                               if (ocsp_update_task)
-                                       task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
-                       }
+                       if (ocsp_update_task)
+                               task_wakeup(ocsp_update_task, TASK_WOKEN_MSG);
                }
-               HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
        }
 
 out: