From: Emmanuel Hocdet <manu@gandi.net>
Date: Thu, 24 Oct 2019 16:33:10 +0000 (+0200)
Subject: BUG/MINOR: ssl: fix SSL_CTX_set1_chain compatibility for openssl < 1.0.2
X-Git-Tag: v2.2-dev1~227
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=140b64fb562fb08cecf93ca6bec99822f7d556fb;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: fix SSL_CTX_set1_chain compatibility for openssl < 1.0.2

Commit 1c65fdd5 "MINOR: ssl: add extra chain compatibility" really implement
SSL_CTX_set0_chain. Since ckch can be used to init more than one ctx with
openssl < 1.0.2 (commit 89f58073 for X509_chain_up_ref compatibility),
SSL_CTX_set1_chain compatibility is required.

This patch must be backported to 2.1.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8512f05d0d..e36c03e631 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3552,11 +3552,14 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 #else
 	{ /* legacy compat (< openssl 1.0.2) */
 		X509 *ca;
-		while ((ca = sk_X509_shift(ckch->chain)))
+		STACK_OF(X509) *chain;
+		chain = X509_chain_up_ref(ckch->chain);
+		while ((ca = sk_X509_shift(chain)))
 			if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) {
 				memprintf(err, "%sunable to load chain certificate into SSL Context '%s'.\n",
 					  err && *err ? *err : "", path);
 				X509_free(ca);
+				sk_X509_pop_free(chain, X509_free);
 				errcode |= ERR_ALERT | ERR_FATAL;
 				goto end;
 			}