BUG/MINOR: ssl: rejects OCSP response without nextupdate. To cache an OCSP Response without expiration time is not safe. (cherry picked from commit 13a6b48e241c0a50b501446992ab4fda2529f317)

commit: 1135ea40b0ae5e5a98ee0cb9e13491664356adfc [log] [tgz]
author: Emeric Brun <ebrun@haproxy.com> Fri Jun 20 15:44:34 2014 +0200
committer: Willy Tarreau <w@1wt.eu> Mon Jun 23 15:53:08 2014 +0200
tree: b2a2f62a8121ae0dc35ef621f2aea9e1a87fa600
parent: 9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6 [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ad4b1ca..278af8b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -139,7 +139,7 @@
 	OCSP_SINGLERESP *sr;
 	unsigned char *p = (unsigned char *)ocsp_response->str;
 	int rc , count_sr;
-	ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
+	ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL;
 	int reason;
 	int ret = 1;
 
@@ -179,6 +179,11 @@
 		goto out;
 	}
 
+	if (!nextupd) {
+		memprintf(err, "OCSP single response: missing nextupdate");
+		goto out;
+	}
+
 	rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1);
 	if (!rc) {
 		memprintf(err, "OCSP single response: no longer valid.");
commit	1135ea40b0ae5e5a98ee0cb9e13491664356adfc	[log] [tgz]
author	Emeric Brun <ebrun@haproxy.com>	Fri Jun 20 15:44:34 2014 +0200
committer	Willy Tarreau <w@1wt.eu>	Mon Jun 23 15:53:08 2014 +0200
tree	b2a2f62a8121ae0dc35ef621f2aea9e1a87fa600
parent	9ac7cabaf9945fb92c96cb92f5ea85235f54f7d6 [diff]