gnutls_ocsp_resp_get_single: fail if thisUpdate is not available or unparsable
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 12 Apr 2016 10:12:40 +0000 (12:12 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 12 Apr 2016 10:12:40 +0000 (12:12 +0200)
That is because this field is not optional, and a failure on its
parsing is always fatal. Reported by Yuan Jochen Kang.

lib/x509/ocsp.c

index 7e762bbfef3be2f35ba838d7590f96d4cc9e05ec..2e0179483bef450cdec95971d0732c9849837225 100644 (file)
@@ -1500,10 +1500,11 @@ gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_t resp,
                ret = asn1_read_value(resp->basicresp, name, ttime, &len);
                if (ret != ASN1_SUCCESS) {
                        gnutls_assert();
-                       *this_update = (time_t) (-1);
-               } else
+                       return GNUTLS_E_ASN1_DER_ERROR;
+               } else {
                        *this_update =
                            _gnutls_x509_generalTime2gtime(ttime);
+               }
        }
 
        if (next_update) {
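Review bot: The new `else` branch still stores the result of `_gnutls_x509_generalTime2gtime(ttime)` without checking it, so the "unparsable" case named in the commit title is only covered when `asn1_read_value` itself fails. If the helper signals a malformed GeneralizedTime by returning `(time_t) -1` (its body is not visible here, so confirm), the function still reports success and hands callers a sentinel thisUpdate, which matters for any OCSP freshness decision based on that field. Consider adding `if (*this_update == (time_t) -1) return gnutls_assert_val(GNUTLS_E_ASN1_DER_ERROR);` after the assignment. The body of gnutls_ocsp_resp_get_single starts and ends outside this hunk, so it is worth checking separately whether outputs filled in earlier remain valid, or need releasing, on this new early return.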