From: Remi Tricot-Le Breton
Date: Mon, 9 Jan 2023 11:02:44 +0000 (+0100)
Subject: MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain
X-Git-Tag: v2.8-dev2~86
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=112b16a4d01b61781b51639715676b18676c3a6f;p=thirdparty%2Fhaproxy.git

MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain

If the ocsp issuer certificate was actually taken from the certificate chain in ssl_sock_load_ocsp, we don't need to keep an extra reference on it since we already keep a reference to the full certificate chain.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bf7bb0135a..efa31eaffe 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1244,8 +1244,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
 /* Do not insert the same certificate_ocsp structure in the
  * update tree more than once. */
 if (!ocsp) {
- iocsp->issuer = issuer;
- X509_up_ref(issuer);
+ /* Issuer certificate is not included in the certificate
+ * chain, it will have to be treated separately during
+ * ocsp response validation. */
+ if (issuer == data->ocsp_issuer) {
+ iocsp->issuer = issuer;
+ X509_up_ref(issuer);
+ }
 if (data->chain)
 iocsp->chain = X509_chain_up_ref(data->chain);