From: Frederik Deweerdt <fdeweerdt@fastly.com>
Date: Mon, 16 Oct 2017 14:37:31 +0000 (-0700)
Subject: BUG/MEDIUM: ssl: fix OCSP expiry calculation
X-Git-Tag: v1.8-dev3~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=953917abc9fb72c49fa49cb41bc2cdbecd7c9e93;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: ssl: fix OCSP expiry calculation

The hour part of the timezone offset was multiplied by 60 instead of
3600, resulting in an inaccurate expiry. This bug was introduced in
1.6-dev1 by commit 4f3c87a ("BUG/MEDIUM: ssl: Fix to not serve expired
OCSP responses."), so this fix must be backported into 1.7 and 1.6.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 989d7e1cff..774a5a683d 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -546,12 +546,12 @@ nosec:
 	else if (p[0] == '+') {
 		if (end - p != 5) return -1;
 		/* Apply timezone offset */
-		return epoch - ((10 * (p[1] - '0') + p[2] - '0') * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
+		return epoch - ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
 	}
 	else if (p[0] == '-') {
 		if (end - p != 5) return -1;
 		/* Apply timezone offset */
-		return epoch + ((10 * (p[1] - '0') + p[2] - '0') * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
+		return epoch + ((10 * (p[1] - '0') + p[2] - '0') * 60 * 60 + (10 * (p[3] - '0') + p[4] - '0')) * 60;
 	}
 
 	return -1;