BUG/MINOR: ssl: Missing ssl_conf pointer check when checking ocsp update inconsistencies
The ssl_conf might be NULL when processing ocsp_update option in
crt-lists.
This patch fixes GitHub issue #1995.
It does not need to be backported.
diff --git a/src/ssl_crtlist.c b/src/ssl_crtlist.c
index e76fb9a..bf32de1 100644
--- a/src/ssl_crtlist.c
+++ b/src/ssl_crtlist.c
@@ -615,7 +615,7 @@
entry_dup->crtlist = newlist;
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
- || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
cfgerr |= ERR_ALERT;
}
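Review bot: The corrected two-part condition is still written out twice, here and in the second hunk (at -647), which is how the unguarded `entry->ssl_conf->ocsp_update` dereference ended up in both places. Moving the test into one small static helper that takes the store's `ocsp_update_mode` and the entry's `ssl_conf` would keep the two copies from drifting apart again. A short comment above the test would also help, for example `/* ssl_conf may be NULL (presumably a crt-list line without SSL options); only an explicit "on" in the store conflicts with that */`. Neither hunk adds a regression test, so a configuration that reaches this path with a NULL `ssl_conf` is presumably still uncovered. The enclosing function starts and ends outside both hunks.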
@@ -647,7 +647,7 @@
entry->crtlist = newlist;
if (ckchs->data->ocsp_update_mode != SSL_SOCK_OCSP_UPDATE_DFLT || entry->ssl_conf) {
if ((!entry->ssl_conf && ckchs->data->ocsp_update_mode == SSL_SOCK_OCSP_UPDATE_ON)
- || ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update) {
+ || (entry->ssl_conf && ckchs->data->ocsp_update_mode != entry->ssl_conf->ocsp_update)) {
memprintf(err, "%sIncompatibilities found in OCSP update mode for certificate %s\n", err && *err ? *err : "", crt_path);
cfgerr |= ERR_ALERT;
}