BUG/MINOR: ssl: rejects OCSP response without nextupdate.
authorEmeric Brun <ebrun@haproxy.com>
Fri, 20 Jun 2014 13:44:34 +0000 (15:44 +0200)
committerWilly Tarreau <w@1wt.eu>
Mon, 23 Jun 2014 10:14:47 +0000 (12:14 +0200)
Caching an OCSP response without an expiration time is not safe.

src/ssl_sock.c

index ad4b1caaa3544e475383f3428f5e746fbf582b2b..278af8bbaf87ec2a6368637c65818c36cf6d4111 100644 (file)
@@ -139,7 +139,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
        OCSP_SINGLERESP *sr;
        unsigned char *p = (unsigned char *)ocsp_response->str;
        int rc , count_sr;
-       ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
+       ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
        int reason;
        int ret = 1;
 
@@ -179,6 +179,11 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
                goto out;
        }
 
+       if (!nextupd) {
+               memprintf(err, "OCSP single response: missing nextupdate");
+               goto out;
+       }
+
        rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
        if (!rc) {
                memprintf(err, "OCSP single response: no longer valid.");
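Review bot: The new `if (!nextupd)` guard at the top of this hunk carries no comment explaining why a missing nextUpdate is fatal, and its message is formatted differently from the neighbouring one (`"OCSP single response: no longer valid."` ends with a period, the new one does not). The reason matters to the next maintainer: OCSP_check_validity() presumably skips the expiry check when nextupd is NULL, so without this guard a response with no nextUpdate would validate and be cached indefinitely, which is the risk the commit message describes. The guard also depends on the `= NULL` initialisation added in the first hunk, since nextupd is filled by a call outside this hunk; that coupling is worth stating. I would write `/* no nextUpdate means no expiry: refuse to cache such a response */` above the check and make the message `memprintf(err, "OCSP single response: missing nextupdate.");`. ssl_sock_load_ocsp_response() begins and ends outside the hunk.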