From: Emeric Brun
Date: Fri, 20 Jun 2014 13:44:34 +0000 (+0200)
Subject: BUG/MINOR: ssl: rejects OCSP response without nextupdate.
X-Git-Tag: v1.6-dev1~398
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13a6b48e241c0a50b501446992ab4fda2529f317;p=thirdparty%2Fhaproxy.git
BUG/MINOR: ssl: rejects OCSP response without nextupdate.
To cache an OCSP Response without expiration time is not safe.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ad4b1caaa3..278af8bbaf 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -139,7 +139,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
 OCSP_SINGLERESP *sr;
 unsigned char *p = (unsigned char *)ocsp_response->str;
 int rc , count_sr;
- ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
+ ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
 int reason;
 int ret = 1;
@@ -179,6 +179,11 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
 goto out;
 }
+ if (!nextupd) {
+ memprintf(err, "OCSP single response: missing nextupdate");
+ goto out;
+ }
+
 rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
 if (!rc) {
 memprintf(err, "OCSP single response: no longer valid.");
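Review bot: The new `if (!nextupd)` rejection in the second hunk carries no comment explaining why a response without nextUpdate is refused, and the reason is not obvious from the code: nextUpdate is an optional field of an OCSP single response, and as far as I recall OpenSSL's OCSP_check_validity() deliberately accepts a NULL nextupd as "no expiry", so a later maintainer could read the check as redundant and relax it. Suggest placing `/* nextUpdate is optional in OCSP, but a stapled response without it would be cached with no expiry; refuse it rather than serve it indefinitely. */` directly above the check. The `nextupd = NULL` initialiser in the first hunk is what makes the test meaningful if the status getter leaves the pointer untouched, which is worth a short comment there too. ssl_sock_load_ocsp_response() starts and ends outside both hunks, so whether thisupd is validated before the OCSP_check_validity() call cannot be seen here.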