From: Remi Tricot-Le Breton
Date: Tue, 10 Jan 2023 10:44:15 +0000 (+0100)
Subject: BUG/MINOR: ssl: Missing ssl_conf pointer check when checking ocsp update inconsistencies
X-Git-Tag: v2.8-dev2~57
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8c99081d38eb294f4ec21bc6ed85d8cd85b4cd70;p=thirdparty%2Fhaproxy.git
BUG/MINOR: ssl: Missing ssl_conf pointer check when checking ocsp update inconsistencies
The ssl_conf might be NULL when processing ocsp_update option in crt-lists. This patch fixes GitHub issue #1995. It does not need to be backported.
---
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index e76fb9a112..bf32de11fc 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -615,7 +615,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 entry_dup->crtlist = newlist;
 if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
 if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
- || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
 cfgerr |= ERR_ALERT;
 }
@@ -647,7 +647,7 @@ int crtlist_parse_file(char *file, struct bind_conf *bind_conf, struct proxy *cu
 entry->crtlist = newlist;
 if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
 if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
- || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
 memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
 cfgerr |= ERR_ALERT;
 }
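Review bot: The corrected condition is still written out twice, once in the `entry_dup` branch (hunk at 615) and once in the `entry` branch (hunk at 647), which is why the unguarded `entry->ssl_conf->ocsp_update` dereference had to be patched in both places. Moving the test into one static helper would keep the two paths from drifting apart again. With the new guard, the outer `if (... != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf)` is implied by the inner test, so the helper can replace both levels, provided the DFLT and ON constants are distinct values. The helper below assumes `ssl_conf` is a `struct ssl_bind_conf *` and the stored mode an `int`, neither of which is visible here; crtlist_parse_file's body starts and ends outside both hunks.

```c
/* Non-zero when the OCSP update mode already stored for a certificate
 * conflicts with this crt-list line. A NULL ssl_conf (line without ssl
 * options) only conflicts with a stored SSL_SOCK_OCSP_UPDATE_ON.
 */
static int crtlist_ocsp_update_conflict(const struct ssl_bind_conf *ssl_conf, int stored_mode)
{
	if (!ssl_conf)
		return stored_mode == SSL_SOCK_OCSP_UPDATE_ON;
	return stored_mode != ssl_conf->ocsp_update;
}

/* … in crtlist_parse_file, both the entry_dup and the entry branch … */
if (crtlist_ocsp_update_conflict(entry->ssl_conf, ckchs->data->ocsp_update_mode)) {
	/* … unchanged: memprintf() of the incompatibility message, cfgerr |= ERR_ALERT … */
}
```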