From: Remi Tricot-Le Breton Date: Mon, 9 Jan 2023 11:02:46 +0000 (+0100) Subject: MINOR: ssl: Detect more OCSP update inconsistencies X-Git-Tag: v2.8-dev2~84 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc92b8bda549632985f9d861165975290cfa7791;p=thirdparty%2Fhaproxy.git MINOR: ssl: Detect more OCSP update inconsistencies If a configuration such as the following was included in a crt-list file, it would not have raised a warning about 'ocsp-update' inconsistencies for the concerned certificate: cert.pem [ocsp-update on] cert.pem because the second line as a NULL entry->ssl_conf.
---
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index c1b27f4940..9027d0eba1 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -613,14 +613,15 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 entry_dup->node.key = ckchs;
 entry_dup->crtlist = newlist;
- if (entry->ssl_conf) {
- if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
- ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+ if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+ || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n",
 err && *err ? *err : "", crt_path);
 cfgerr |= ERR_ALERT;
 }
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 }
+ if (entry->ssl_conf)
+ ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 ebpt_insert(&newlist->entries, &entry_dup->node);
 LIST_APPEND(&newlist->ord_entries, &entry_dup->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry_dup->by_ckch_store);
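Review bot: The new inner condition can dereference a NULL `entry->ssl_conf`: the outer `if` is now entered whenever `ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT`, even when `entry->ssl_conf` is NULL, and if the stored mode is any value other than `SSL_SOCK_OCSP_UPDATE_ON` (presumably an explicit off inherited from an earlier crt-list line) the first disjunct is false and `entry->ssl_conf->ocsp_update` is read through the NULL pointer. A crt-list such as `cert.pem [ocsp-update off]` followed by a bare `cert.pem` would then crash during configuration parsing instead of producing the intended alert. Guard the second disjunct with the pointer it uses: `|| (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)`. The enclosing crtlist_parse_file starts before and continues after this hunk.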
@@ -644,14 +645,15 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 } else {
 entry->node.key = ckchs;
 entry->crtlist = newlist;
- if (entry->ssl_conf) {
- if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT &&
- ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+ if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+ || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
 cfgerr |= ERR_ALERT;
 }
- ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 }
+ if (entry->ssl_conf)
+ ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 ebpt_insert(&newlist->entries, &entry->node);
 LIST_APPEND(&newlist->ord_entries, &entry->by_crtlist);
 LIST_APPEND(&ckchs->crtlist_entry, &entry->by_ckch_store);
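Review bot: This branch carries the same NULL dereference as the `entry_dup` branch in the previous hunk: with `entry->ssl_conf == NULL` and a stored mode that is neither `SSL_SOCK_OCSP_UPDATE_DFLT` nor `SSL_SOCK_OCSP_UPDATE_ON`, the second disjunct evaluates `entry->ssl_conf->ocsp_update` on a NULL pointer, so the fix `|| (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)` is needed here too. Since the mode check and the `memprintf`/`cfgerr` handling are now duplicated verbatim between the two branches, it would be worth moving them into one `static` helper that takes the ckch store, the entry's `ssl_conf` and `crt_path`/`err`, so that both paths stay consistent and a correction lands in one place. The enclosing crtlist_parse_file starts before and continues after this hunk.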