From: William Lallemand
Date: Mon, 23 Dec 2024 10:04:44 +0000 (+0100)
Subject: MINOR: ssl: rework the error management in the OCSP callback
X-Git-Tag: v3.2-dev2~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e4dd4c64c68a4481fdbd0d4487de76e52e05eaa;p=thirdparty%2Fhaproxy.git

MINOR: ssl: rework the error management in the OCSP callback

Use an error label to fail in the OCSP callback, instead of returns everywhere.
---
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 872b61b6fd..73f1666894 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -109,15 +109,15 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 ctx = SSL_get_SSL_CTX(ssl);
 if (!ctx)
- return SSL_TLSEXT_ERR_NOACK;
+ goto error;
 ocsp_arg = SSL_CTX_get_ex_data(ctx, ocsp_ex_index);
 if (!ocsp_arg)
- return SSL_TLSEXT_ERR_NOACK;
+ goto error;
 ssl_pkey = SSL_get_privatekey(ssl);
 if (!ssl_pkey)
- return SSL_TLSEXT_ERR_NOACK;
+ goto error;
 key_type = EVP_PKEY_base_id(ssl_pkey);
@@ -130,7 +130,7 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 index = ssl_sock_get_ocsp_arg_kt_index(key_type);
 if (index < 0)
- return SSL_TLSEXT_ERR_NOACK;
+ goto error;
 ocsp = ocsp_arg->m_ocsp[index];
@@ -140,16 +140,20 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 !ocsp->response.area ||
 !ocsp->response.data ||
 (ocsp->expire < date.tv_sec))
- return SSL_TLSEXT_ERR_NOACK;
+ goto error;
 ssl_buf = OPENSSL_malloc(ocsp->response.data);
 if (!ssl_buf)
- return SSL_TLSEXT_ERR_NOACK;
+ goto error;
+
 memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
 SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);
 return SSL_TLSEXT_ERR_OK;
+
+error:
+ return SSL_TLSEXT_ERR_NOACK;
 }
 #endif /* !defined(OPENSSL_NO_OCSP) */
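Review bot: In the `@@ -109,15` hunk the `!ctx`, `!ocsp_arg` and `!ssl_pkey` guards now leave through the same `error` label as the expired-response and allocation failures in the `@@ -130,7` and `@@ -140,16` hunks, so an internal inconsistency (no ex_data entry, no private key) stays indistinguishable from the ordinary case of having nothing fresh to staple, and none of them leaves a trace. The label sits at the end of the function, outside this hunk. I would state the policy where the label is defined, for example `/* any failure: send no stapled response; the handshake itself is not aborted */`, and consider a counter or trace on the paths that are not expected in normal operation, since clients that require stapling will fail against a server that silently stops sending it.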
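Review bot: In the `@@ -140,16` hunk the result of `SSL_set_tlsext_status_ocsp_resp()` is still ignored, so if the TLS library reports failure the callback returns `SSL_TLSEXT_ERR_OK` with no response attached and `ssl_buf`, presumably still owned by the caller in that case, is never released. With a single failure exit now available this is cheap to handle: `if (!SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data)) { OPENSSL_free(ssl_buf); goto error; }`. Separately, `ocsp->response.data` is read three times, for the validity check, the allocation and the `memcpy`. If the stored response can be replaced while a handshake is in progress (the locking is not visible in this hunk), copying the length into a local once would keep the allocation size and the copy size in step. The function begins outside the hunk.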