From: Remi Tricot-Le Breton
Date: Tue, 21 Mar 2023 09:26:20 +0000 (+0100)
Subject: BUG/MINOR: ssl: Remove dead code in cli_parse_update_ocsp_response
X-Git-Tag: v2.8-dev7~135
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae5187721f93ab03049dba2442e119a44ce760f2;p=thirdparty%2Fhaproxy.git
BUG/MINOR: ssl: Remove dead code in cli_parse_update_ocsp_response
This patch removes dead code from the cli_parse_update_ocsp_response function. The 'end' label in only used in case of error so the check of the 'errcode' variable and the errcode variable itself become useless. This patch does not need to be backported. It fixes GitHub issue #2077.
---
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index 20ae5c9d91..979a87b21c 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1341,7 +1341,6 @@ REGISTER_PRE_CHECK(ssl_ocsp_update_precheck);
 static int cli_parse_update_ocsp_response(char **args, char *payload, struct appctx *appctx, void *private)
 {
- int errcode = 0;
 char *err = NULL;
 struct ckch_store *ckch_store = NULL;
 struct certificate_ocsp *ocsp = NULL;
@@ -1358,7 +1357,6 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 * manipulate ckch_store and ckch_inst */
 if (HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) {
 memprintf(&err, "%sCan't update the certificate!\nOperations on certificates are currently locked!\n", err ? err : "");
- errcode |= ERR_ALERT | ERR_FATAL;
 goto end;
 }
@@ -1366,7 +1364,6 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 if (!ckch_store) {
 memprintf(&err, "%sUnknown certificate! 'update ssl ocsp-response' expects an already known certificate file name.\n", err ? err : "");
- errcode |= ERR_ALERT | ERR_FATAL;
 HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
 goto end;
 }
@@ -1381,7 +1378,6 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 ocsp = (struct certificate_ocsp *)ebmb_lookup(&cert_ocsp_tree, key, OCSP_MAX_CERTID_ASN1_LENGTH);
 if (!ocsp) {
 memprintf(&err, "%s'update ssl ocsp-response' only works on certificates that already have a known OCSP response.\n", err ? err : "");
- errcode |= ERR_ALERT | ERR_FATAL;
 HA_SPIN_UNLOCK(OCSP_LOCK, &ocsp_tree_lock);
 goto end;
 }
@@ -1404,10 +1400,7 @@ static int cli_parse_update_ocsp_response(char **args, char *payload, struct app
 return 0;
 end:
- if (errcode & ERR_CODE) {
- return cli_dynerr(appctx, memprintf(&err, "%sCan't send ocsp request for %s!\n", err ? err : "", args[3]));
- }
- return cli_dynmsg(appctx, LOG_NOTICE, err);
+ return cli_dynerr(appctx, memprintf(&err, "%sCan't send ocsp request for %s!\n", err ? err : "", args[3]));
 }
 #endif /* !defined OPENSSL_IS_BORINGSSL */
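Review bot: The `end:` label in the last hunk (`@@ -1404,10 +1400,7 @@`) is now an error-only exit that releases no lock, and nothing on the label records that contract. The error paths visible in the earlier hunks each call `HA_SPIN_UNLOCK` on `CKCH_LOCK` or `OCSP_LOCK` before `goto end`, so a later path that jumps here while still holding one of them would leave the lock held. I would put a comment on the label, such as `/* error exit only: CKCH_LOCK and OCSP_LOCK must already be released */`, or rename it to `err`. The result of `memprintf()` is also passed straight to `cli_dynerr()`; presumably that helper copes with a NULL message if the allocation fails, but this is worth confirming. The function body starts outside this hunk, so other jumps to `end` may exist that are not shown here.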