BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future The wey the "Next Update" field of the OCSP response is converted into a timestamp relies on the use of signed integers for the year and month so if the calculated timestamp happens to overflow INT_MAX, it ends up being seen as negative and the OCSP response being dwignored in ssl_sock_ocsp_stapling_cbk (because of the "ocsp->expire < now.tv_sec" test). It could be backported to all stable branches.

commit: a3a0cce8ee8c142cd148090854ca8551a36d9bd7 [log] [tgz]
author: Remi Tricot-Le Breton <rlebreton@haproxy.com> Wed Jun 09 17:16:18 2021 +0200
committer: William Lallemand <wlallemand@haproxy.org> Wed Jun 09 17:49:00 2021 +0200
tree: a3ee1552e032d7e55503545cfde7c27b75131fd4
parent: 722180aca8757d8807b21cf125a2d68249be5bf8 [diff] [blame]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 60943fd..3b92ec1 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -778,7 +778,7 @@
 	const unsigned short month_offset[12] = {
 		0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
 	};
-	int year, month;
+	unsigned long year, month;
 
 	if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
 
@@ -996,6 +996,10 @@
 	}
 
 	ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
+	if (ocsp->expire < 0) {
+		memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
+		goto out;
+	}
 
 	ret = 0;
 out:
commit	a3a0cce8ee8c142cd148090854ca8551a36d9bd7	[log] [tgz]
author	Remi Tricot-Le Breton <rlebreton@haproxy.com>	Wed Jun 09 17:16:18 2021 +0200
committer	William Lallemand <wlallemand@haproxy.org>	Wed Jun 09 17:49:00 2021 +0200
tree	a3ee1552e032d7e55503545cfde7c27b75131fd4
parent	722180aca8757d8807b21cf125a2d68249be5bf8 [diff] [blame]