From: Remi Tricot-Le Breton Date: Mon, 9 Jan 2023 11:02:47 +0000 (+0100) Subject: BUG/MINOR: ssl: Fix OCSP_CERTID leak when same certificate is used multiple times X-Git-Tag: v2.8-dev2~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d1daa8095023dde8738ed4d8b62bc5ad436a8bb;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: Fix OCSP_CERTID leak when same certificate is used multiple times If a given certificate is used multiple times in a configuration, the ocsp_cid field would have been overwritten during each ssl_sock_load_ocsp call even if it was previously filled. This patch does not need to be backported. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index efa31eaffe..18d006feb5 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -1150,7 +1150,8 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50 if (!issuer) goto out; - data->ocsp_cid = OCSP_cert_to_id(0, x, issuer); + if (!data->ocsp_cid) + data->ocsp_cid = OCSP_cert_to_id(0, x, issuer); if (!data->ocsp_cid) goto out;
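Review bot: the two back-to-back `if (!data->ocsp_cid)` tests in ssl_sock_load_ocsp read like an accidental duplicate, and nothing in the hunk says why a previously filled ID is kept, so a later cleanup could collapse them and bring the leak back. Consider nesting the failure check inside the allocation branch, i.e. `if (!data->ocsp_cid) { data->ocsp_cid = OCSP_cert_to_id(0, x, issuer); if (!data->ocsp_cid) goto out; }`, and adding a one-line comment that the ID is computed once per ckch_data and reused when the same certificate is loaded again. The reuse path also trusts that the stored ID was derived from the same `x` and `issuer` as the current call. The commit message implies this holds because the data belongs to one certificate, but it would help to state that assumption in the comment, since the visible lines do not check it.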