40 lines
1.3 KiB
Diff
40 lines
1.3 KiB
Diff
From 1135ea40b0ae5e5a98ee0cb9e13491664356adfc Mon Sep 17 00:00:00 2001
|
|
From: Emeric Brun <ebrun@haproxy.com>
|
|
Date: Fri, 20 Jun 2014 15:44:34 +0200
|
|
Subject: [PATCH 2/5] BUG/MINOR: ssl: rejects OCSP response without nextupdate.
|
|
|
|
To cache an OCSP Response without expiration time is not safe.
|
|
(cherry picked from commit 13a6b48e241c0a50b501446992ab4fda2529f317)
|
|
---
|
|
src/ssl_sock.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
|
|
index ad4b1ca..278af8b 100644
|
|
--- a/src/ssl_sock.c
|
|
+++ b/src/ssl_sock.c
|
|
@@ -139,7 +139,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
|
|
OCSP_SINGLERESP *sr;
|
|
unsigned char *p = (unsigned char *)ocsp_response->str;
|
|
int rc , count_sr;
|
|
- ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
|
|
+ ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
|
|
int reason;
|
|
int ret = 1;
|
|
|
|
@@ -179,6 +179,11 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
|
|
goto out;
|
|
}
|
|
|
|
+ if (!nextupd) {
|
|
+ memprintf(err, "OCSP single response: missing nextupdate");
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
|
|
if (!rc) {
|
|
memprintf(err, "OCSP single response: no longer valid.");
|
|
--
|
|
1.8.5.5
|
|
|