MINOR: ssl: Detect more OCSP update inconsistencies
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Mon, 9 Jan 2023 11:02:46 +0000 (12:02 +0100)
committerWilliam Lallemand <wlallemand@haproxy.org>
Mon, 9 Jan 2023 14:43:41 +0000 (15:43 +0100)
If a configuration such as the following was included in a crt-list
file, it would not have raised a warning about 'ocsp-update'
inconsistencies for the concerned certificate:
    cert.pem [ocsp-update on]
    cert.pem
because the second line has a NULL entry->ssl_conf.

src/ssl_crtlist.c

index c1b27f494031c8a3617eec0d64a719018932cd90..9027d0eba1c84cc6b5e8ca6576d17ebe1585d03f 100644 (file)
@@ -613,14 +613,15 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 
                                        entry_dup->node.key = ckchs;
                                        entry_dup->crtlist = newlist;
-                                       if (entry->ssl_conf) {
-                                               if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
-                                                   ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+                                       if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+                                               if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+                                                   || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
                                                        memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
                                                        cfgerr |= ERR_ALERT;
                                                }
-                                               ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
                                        }
+                                       if (entry->ssl_conf)
+                                               ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
                                        ebpt_insert(&newlist->entries, &entry_dup->node);
                                        LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
                                        LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
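Review bot: The new inner condition can still dereference a NULL entry->ssl_conf: when ckchs->data->ocsp_update_mode is neither SSL_SOCK_OCSP_UPDATE_DFLT nor SSL_SOCK_OCSP_UPDATE_ON (an explicitly disabled mode set by an earlier line, assuming such a value exists) and the current line has no ssl_conf, the outer `||` test passes on the mode alone, the first inner clause is false, and `entry->ssl_conf->ocsp_update` is then read through a NULL pointer. Guarding the second clause keeps the intended check while removing the crash, `|| (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)`. The identical condition in the second hunk (the `} else {` branch that inserts `entry` directly) needs the same guard, and since both branches now repeat the same three-line test a small static helper taking ckchs, entry->ssl_conf, err and crt_path would keep them from drifting apart again. The enclosing crtlist_parse_file starts and ends outside the hunk.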
@@ -644,14 +645,15 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
                } else {
                        entry->node.key = ckchs;
                        entry->crtlist = newlist;
-                       if (entry->ssl_conf) {
-                               if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
-                                   ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+                       if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+                               if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+                                   || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
                                        memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
                                        cfgerr |= ERR_ALERT;
                                }
-                               ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
                        }
+                       if (entry->ssl_conf)
+                               ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
                        ebpt_insert(&newlist->entries, &entry->node);
                        LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
                        LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);