mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 14:21:25 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future

Browse Source 
The wey the "Next Update" field of the OCSP response is converted into a
timestamp relies on the use of signed integers for the year and month so
if the calculated timestamp happens to overflow INT_MAX, it ends up
being seen as negative and the OCSP response being dwignored in
ssl_sock_ocsp_stapling_cbk (because of the "ocsp->expire < now.tv_sec"
test).

It could be backported to all stable branches.
This commit is contained in:
Remi Tricot-Le Breton 2021-06-09 17:16:18 +02:00 committed by William Lallemand
parent 722180aca8
commit a3a0cce8ee
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/ssl_sock.c
View File

@ -778,7 +778,7 @@ static long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d)
const unsigned short month_offset[12] = { const unsigned short month_offset[12] = {
0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
}; };
int year, month; unsigned long year, month;
if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1; if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
@ -996,6 +996,10 @@ static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response,
} }
ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW; ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
if (ocsp->expire < 0) {
memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
goto out;
}
ret = 0; ret = 0;
out: out: