MINOR: ssl/ocsp: add a function to check the OCSP update configuration

Deduplicate the code which checks the OCSP update in the ckch_store and
in the crtlist_entry.

Also, jump immediatly to error handling when the ERR_FATAL is catched.

include/haproxy/ssl_ocsp.h

@@ -24,6 +24,8 @@
 #ifdef USE_OPENSSL
 
 #include <haproxy/openssl-compat.h>
+#include <haproxy/ssl_ckch-t.h>
+#include <haproxy/ssl_crtlist-t.h>
 #include <haproxy/ssl_ocsp-t.h>
 
 #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
@@ -50,6 +52,8 @@ void ssl_destroy_ocsp_update_task(void);
 
 int ssl_ocsp_update_insert(struct certificate_ocsp *ocsp);
 
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err);
+
 #endif /* (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) */
 
 #endif /* USE_OPENSSL */

src/ssl_crtlist.c

@@ -27,6 +27,7 @@
 #include <haproxy/sc_strm.h>
 #include <haproxy/ssl_ckch.h>
 #include <haproxy/ssl_crtlist.h>
+#include <haproxy/ssl_ocsp.h>
 #include <haproxy/ssl_sock.h>
 #include <haproxy/stconn.h>
 #include <haproxy/tools.h>
@@ -618,13 +619,11 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 
 					entry_dup->node.key = ckchs;
 					entry_dup->crtlist = newlist;
-					if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
-						if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
-						    || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
-							memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
-							cfgerr |= ERR_ALERT | ERR_FATAL;
-						}
-					}
+
+					cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+					if (cfgerr & ERR_FATAL)
+						goto error;
+
 					if (entry->ssl_conf)
 						ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 					ebpt_insert(&newlist->entries, &entry_dup->node);
@@ -650,13 +649,11 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 		} else {
 			entry->node.key = ckchs;
 			entry->crtlist = newlist;
-			if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
-				if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
-				    || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
-					memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
-					cfgerr |= ERR_ALERT | ERR_FATAL;
-				}
-			}
+
+			cfgerr |= ocsp_update_check_cfg_consistency(ckchs, entry, crt_path, err);
+			if (cfgerr & ERR_FATAL)
+				goto error;
+
 			if (entry->ssl_conf)
 				ckchs->data->ocsp_update_mode = entry->ssl_conf->ocsp_update;
 			ebpt_insert(&newlist->entries, &entry->node);

src/ssl_ocsp.c

@@ -1668,6 +1668,20 @@ yield:
 #endif
 }
 
+/* Check if the ckch_store and the entry does have the same configuration */
+int ocsp_update_check_cfg_consistency(struct ckch_store *store, struct crtlist_entry *entry, char *crt_path, char **err)
+{
+	int err_code = ERR_NONE;
+
+	if (store->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
+		if ((!entry->ssl_conf && store->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
+		    || (entry->ssl_conf && store->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
+			memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
+			err_code |= ERR_ALERT | ERR_FATAL;
+		}
+	}
+	return err_code;
+}
 
 static struct cli_kw_list cli_kws = {{ },{
 	{ { "set", "ssl", "ocsp-response", NULL }, "set ssl ocsp-response <resp|payload>    : update a certificate's OCSP Response from a base64-encode DER",      cli_parse_set_ocspresponse, NULL },