From: Emmanuel Hocdet
Date: Tue, 24 Oct 2017 12:57:16 +0000 (+0200)
Subject: BUG/MINOR: ssl: OCSP_single_get0_status can return -1
X-Git-Tag: v1.8-rc1~237
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef607050754981f4ed9280e96e94f77ce471fd68;p=thirdparty%2Fhaproxy.git

BUG/MINOR: ssl: OCSP_single_get0_status can return -1

Commit 872085ce "BUG/MINOR: ssl: ocsp response with 'revoked' status is correct" introduced a regression. OCSP_single_get0_status can return -1 and haproxy must generate an error in this case.

Thanks to Sander Hoentjen who has spotted the regression.

This patch should be backported to 1.7, 1.6 and 1.5 if the patch above is backported.
---
diff --git a/src/ssl_sock.c b/src/ssl_sock.c index bb1d691564..2f16d28710 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -622,7 +622,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi id = (OCSP_CERTID*)OCSP_SINGLERESP_get0_id(sr); rc = OCSP_single_get0_status(sr, &reason, &revtime, &thisupd, &nextupd); - if (rc == V_OCSP_CERTSTATUS_UNKNOWN) { + if (rc != V_OCSP_CERTSTATUS_GOOD && rc != V_OCSP_CERTSTATUS_REVOKED) { memprintf(err, "OCSP single response: certificate status is unknown"); goto out; }
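Review bot: the error text in `memprintf(err, "OCSP single response: certificate status is unknown");` now also covers the -1 return of OCSP_single_get0_status, so a failed status lookup on the single response is reported to the operator as a certificate with "unknown" status rather than as a malformed or unreadable response; consider testing `rc < 0` first and emitting a distinct message (something like "OCSP single response: failed to get certificate status") so that a parsing failure can be told apart from a responder that genuinely answered UNKNOWN. The widened condition itself is the right fix: by allow-listing only V_OCSP_CERTSTATUS_GOOD and V_OCSP_CERTSTATUS_REVOKED, every other value, including -1 and V_OCSP_CERTSTATUS_UNKNOWN, now takes the `goto out;` error path instead of being silently accepted as the previous equality check allowed.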