From: Remi Tricot-Le Breton
Date: Thu, 12 Jan 2023 08:49:10 +0000 (+0100)
Subject: MINOR: ssl: Do not wake ocsp update task if update tree empty
X-Git-Tag: v2.8-dev2~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c647adf465006dd95bc6bec4e46eb70f073f071;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Do not wake ocsp update task if update tree empty

In the unlikely event that the ocsp update task is started but the update tree is empty, put the update task to sleep indefinitely. The only way this can happen is if the same certificate is loaded under two different names while the second one has the 'ocsp-update on' option. Since the certificate names are distinct we will have two ckch_stores but a single certificate_ocsp because they are identified by the OCSP_CERTID which is built out of the issuer certificate and the certificate id (which are the same regardless of the .pem file name).
---
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 53afaae868..8f0e5ffcc1 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -1040,7 +1040,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context, eb = eb64_first(&ocsp_update_tree); if (!eb) { HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock); - goto leave; + goto wait; } if (eb->key > now.tv_sec) {
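Review bot: In the `if (!eb)` branch, `goto wait` is now reached after `HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock)`, so the code at `wait` must neither assume the lock is held nor release it a second time; the label is outside the visible context, so please confirm that. The commit message says the task should sleep indefinitely here, which means the `wait` path has to set an infinite expiry rather than derive one from a tree entry (`eb` is NULL, so there is none to read), and whatever later inserts into `ocsp_update_tree` has to wake the task, otherwise an entry added after this point would never have its OCSP response refreshed. A short comment in this branch naming the case from the commit message (same certificate loaded under two names, a single `certificate_ocsp`) would help, since an empty tree otherwise looks unreachable to a reader.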