BUG/MEDIUM: ssl-gencert: Unlock LRU cache if failing to generate certificate
authorChristopher Faulet <cfaulet@haproxy.com>
Fri, 22 May 2026 09:36:59 +0000 (11:36 +0200)
committerChristopher Faulet <cfaulet@haproxy.com>
Fri, 22 May 2026 09:37:00 +0000 (11:37 +0200)
In ssl_sock_generate_certificate(), if the LRU cache for generated
certificates is used, the LRU tree is not unlocked on cache miss if the
certificate generation failed. So let's unlock it on error path.

The bug was introduced by commit fbc98ebcd ("BUG/MEDIUM: ssl: fix error
path on generate-certificates"). This patch must therefore be backported
along with that commit, i.e. to all stable versions.

src/ssl_gencert.c

index 5ee9b8bcd417abcde40f4a783ebeeeb08c5c33fc..459c0bafd365d61a67e586d942c47a3b6718158a 100644 (file)
@@ -356,8 +356,10 @@ int ssl_sock_generate_certificate(const char *servername, struct bind_conf *bind
                        ssl_ctx = (SSL_CTX *)lru->data;
                if (!ssl_ctx && lru) {
                        ssl_ctx = ssl_sock_do_create_cert(servername, bind_conf, ssl);
-                       if (!ssl_ctx)
+                       if (!ssl_ctx) {
+                               HA_RWLOCK_WRUNLOCK(SSL_GEN_CERTS_LOCK, &ssl_ctx_lru_rwlock);
                                goto error;
+                       }
                        lru64_commit(lru, ssl_ctx, cacert, 0, (void (*)(void *))SSL_CTX_free);
                }
                SSL_set_SSL_CTX(ssl, ssl_ctx);
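Review bot: The added unlock before `goto error` has no comment saying why it is needed there and not at the label, so the next reader may "simplify" it back into the leak this commit fixes; I would add `/* the error label does not release the LRU lock taken for the cache lookup, so drop it here before leaving */` above the new HA_RWLOCK_WRUNLOCK line. It is also worth confirming that releasing the lock is the whole cleanup on this path: the `lru` entry obtained on the miss is otherwise only handed to lru64_commit() on success, and if lru64_get() reserves a placeholder entry that expects a commit, the failure path may need to discard it as well — I cannot see the lookup from this hunk, so this is inferred. The enclosing ssl_sock_generate_certificate() and its `error:` label lie outside the hunk, so I could not check what the label itself releases.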