BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future
The way the "Next Update" field of the OCSP response is converted into a
timestamp relies on the use of signed integers for the year and month so
if the calculated timestamp happens to overflow INT_MAX, it ends up
being seen as negative and the OCSP response being ignored in
ssl_sock_ocsp_stapling_cbk (because of the "ocsp->expire < now.tv_sec"
test).
It could be backported to all stable branches.
(cherry picked from commit a3a0cce8ee8c142cd148090854ca8551a36d9bd7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 1adb439f84b3bb3a004736ef1fa88c899cd64f3e)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 7e8c60a4e343ffddaaeeaffbd4bf7939c8a3ec81)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 8593479db0abf71803321a85fd324a65500438d7)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
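An added example (not HAProxy's code) of the conversion the commit message describes, carried out in 64-bit arithmetic and finished with the same reject-on-negative check the patch introduces; the plain YYYYMMDDHHMMSSZ string form, the function names and the 300-second skew used in the checks are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil); every step is 64-bit, so large years cannot wrap. */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Read n decimal digits; -1 if any character is not a digit. */
static int digits(const char *s, int n)
{
    int v = 0;
    while (n-- > 0) {
        if (!isdigit((unsigned char)*s)) return -1;
        v = v * 10 + (*s++ - '0');
    }
    return v;
}

/* Parse "YYYYMMDDHHMMSSZ" (assumed form) into seconds since the epoch; -1 if malformed. */
int64_t generalizedtime_to_epoch(const char *s)
{
    if (strlen(s) != 15 || s[14] != 'Z') return -1;
    int year = digits(s, 4), mon = digits(s + 4, 2), day = digits(s + 6, 2);
    int hh = digits(s + 8, 2), mm = digits(s + 10, 2), ss = digits(s + 12, 2);
    if (year < 0 || mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hh < 0 || hh > 23 || mm < 0 || mm > 59 || ss < 0 || ss > 59)
        return -1;
    return days_from_civil(year, mon, day) * 86400 + hh * 3600 + mm * 60 + ss;
}

/* Expiry derived as in the fixed hunk: "Next Update" minus an allowed clock
 * skew, rejected (-1) if the field is unparseable or the result would be
 * negative, so a wrapped value can never slip past an "expire < now" test. */
int64_t ocsp_expire_from_nextupdate(const char *nextupd, int64_t skew)
{
    int64_t t = generalizedtime_to_epoch(nextupd);
    if (t < 0) return -1;                  /* parse failure */
    return t - skew < 0 ? -1 : t - skew;
}
```

A 2050 "Next Update" yields 2524608000, which exceeds INT32_MAX and is exactly the kind of value the old int arithmetic turned negative.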
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index e82874c..65f070e 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -631,7 +631,7 @@
const unsigned short month_offset[12] = {
0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};
- int year, month;
+ unsigned long year, month;
if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
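Review bot: widening `year` and `month` to `unsigned long` only removes the wrap on LP64 targets; on ILP32 builds (and 64-bit Windows) `unsigned long` is still 32 bits, so a timestamp computed from these values can still exceed the type for dates past 2038. Consider an explicit 64-bit type such as `int64_t` or `long long`, and check that no expression in the function relies on these now-unsigned values going negative (a `year - 1970` for a pre-1970 date now wraps to a large positive value instead).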
@@ -848,6 +848,10 @@
}
ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
+ if (ocsp->expire < 0) {
+ memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
+ goto out;
+ }
ret = 0;
out:
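Review bot: the new `ocsp->expire < 0` check runs after `OCSP_MAX_RESPONSE_TIME_SKEW` has been subtracted, so it folds together a parse failure (`asn1_generalizedtime_to_epoch()` returning -1), a genuine "Next Update" that falls inside the skew window, and a wrapped value, all under the same "Invalid \"Next Update\" time" message. Consider testing the return value of `asn1_generalizedtime_to_epoch()` before the subtraction so a malformed field is reported distinctly, and confirm `ret` still holds an error value at the `goto out`, since `ret = 0` is only assigned after the check.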