From 13a6b48e241c0a50b501446992ab4fda2529f317 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Fri, 20 Jun 2014 15:44:34 +0200 Subject: [PATCH] BUG/MINOR: ssl: rejects OCSP response without nextupdate. To cache an OCSP Response without expiration time is not safe. --- src/ssl_sock.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index ad4b1caaa..278af8bba 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -139,7 +139,7 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi OCSP_SINGLERESP *sr; unsigned char *p = (unsigned char *)ocsp_response->str; int rc , count_sr; - ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd; + ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd = NULL; int reason; int ret = 1; @@ -179,6 +179,11 @@ static int ssl_sock_load_ocsp_response(struct chunk *ocsp_response, struct certi goto out; } + if (!nextupd) { + memprintf(err, "OCSP single response: missing nextupdate"); + goto out; + } + rc = OCSP_check_validity(thisupd, nextupd, OCSP_MAX_RESPONSE_TIME_SKEW, -1); if (!rc) { memprintf(err, "OCSP single response: no longer valid.");