From: Remi Tricot-Le Breton Date: Thu, 2 Mar 2023 14:49:55 +0000 (+0100) Subject: BUG/MINOR: ssl: Use 'date' instead of 'now' in ocsp stapling callback X-Git-Tag: v2.8-dev5~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c20a74c90964b7bd76144fe8dbde15f227d9a04;p=thirdparty%2Fhaproxy.git BUG/MINOR: ssl: Use 'date' instead of 'now' in ocsp stapling callback In the OCSP response callback, instead of using the actual date of the system, the scheduler's 'now' timer is used when checking a response's validity. This patch can be backported to all stable versions. --- diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index 9ad81b28eb..9e507997c9 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -160,7 +160,7 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg) if (!ocsp || !ocsp->response.area || !ocsp->response.data || - (ocsp->expire < now.tv_sec)) + (ocsp->expire < date.tv_sec)) return SSL_TLSEXT_ERR_NOACK; ssl_buf = OPENSSL_malloc(ocsp->response.data);
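Review bot: The expiry check `(ocsp->expire < date.tv_sec)` in ssl_sock_ocsp_stapling_cbk() carries no comment saying why `date` is the right clock here, so the same mix-up with `now` is easy to reintroduce. Add a one-line comment above the condition stating that `ocsp->expire` is compared against the system's actual date, not the scheduler's timer. The commit message describes the old behaviour but not its effect when the two clocks differ: read from the comparison, either a response is still stapled after its expiry, or a valid one is answered with SSL_TLSEXT_ERR_NOACK. A sentence on that would help whoever backports the fix. Since the message targets all stable versions, also check for other comparisons of `ocsp->expire` against `now.tv_sec` in src/ssl_ocsp.c, which this hunk does not show.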