|
|
- From 1135ea40b0ae5e5a98ee0cb9e13491664356adfc Mon Sep 17 00:00:00 2001
- From: Emeric Brun <ebrun@haproxy.com>
- Date: Fri, 20 Jun 2014 15:44:34 +0200
- Subject: [PATCH 2/5] BUG/MINOR: ssl: rejects OCSP response without nextupdate.
-
- To cache an OCSP Response without expiration time is not safe.
- (cherry picked from commit 13a6b48e241c0a50b501446992ab4fda2529f317)
- ---
- src/ssl_sock.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
- diff --git a/src/ssl_sock.c b/src/ssl_sock.c
- index ad4b1ca..278af8b 100644
- --- a/src/ssl_sock.c
- +++ b/src/ssl_sock.c
- @@ -139,7 +139,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
- OCSP_SINGLERESP *sr;
- unsigned char *p = (unsigned char *)ocsp_response->str;
- int rc , count_sr;
- - ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
- + ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
- int reason;
- int ret = 1;
-
- @@ -179,6 +179,11 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi
- goto out;
- }
-
- + if (!nextupd) {
- + memprintf(err, "OCSP single response: missing nextupdate");
- + goto out;
- + }
- +
- rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
- if (!rc) {
- memprintf(err, "OCSP single response: no longer valid.");
- --
- 1.8.5.5
-
|
