From 112b16a4d01b61781b51639715676b18676c3a6f Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Mon, 9 Jan 2023 12:02:44 +0100
Subject: [PATCH] MINOR: ssl: Only set ocsp->issuer if issuer not in cert chain

If the ocsp issuer certificate was actually taken from the certificate chain in ssl_sock_load_ocsp, we don't need to keep an extra reference on it since we already keep a reference to the full certificate chain.
---
src/ssl_sock.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bf7bb01..efa31ea 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1244,8 +1244,13 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, struct ckch_data *data, STACK_OF(X50
 /* Do not insert the same certificate_ocsp structure in the
 * update tree more than once. */
 if (!ocsp) {
- iocsp->issuer = issuer;
- X509_up_ref(issuer);
+ /* Issuer certificate is not included in the certificate
+ * chain, it will have to be treated separately during
+ * ocsp response validation. */
+ if (issuer == data->ocsp_issuer) {
+ iocsp->issuer = issuer;
+ X509_up_ref(issuer);
+ }

 if (data->chain)
 iocsp->chain = X509_chain_up_ref(data->chain);
--
1.7.10.4
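Review bot: On the path where `issuer` was located inside `data->chain`, the new `if (issuer == data->ocsp_issuer)` guard leaves `iocsp->issuer` NULL, and nothing in this hunk shows the OCSP response validation or the release path being taught to fall back to `iocsp->chain`, so every reader of `ocsp->issuer` must be checked for an unguarded dereference or, worse, a validation that quietly proceeds without an issuer. The commit message's ref-count argument is only sound because `iocsp->chain = X509_chain_up_ref(data->chain)` runs a few lines below and because `issuer` can only originate from `data->ocsp_issuer` or from `data->chain`, an invariant established earlier in the function and not visible here. The added comment describes the true branch only; the branch that now leaves the field empty is the one a maintainer will trip over, so I would add next to the guard `/* issuer was taken from data->chain: iocsp->issuer stays NULL, iocsp->chain keeps it alive and consumers must look it up there. */`. ssl_sock_load_ocsp starts and ends outside this hunk.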