From 7e8c60a4e343ffddaaeeaffbd4bf7939c8a3ec81 Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Wed, 9 Jun 2021 17:16:18 +0200
Subject: [PATCH] BUG/MINOR: ssl: OCSP stapling does not work if expire too far in the future

The wey the "Next Update" field of the OCSP response is converted into a timestamp relies on the use of signed integers for the year and month so if the calculated timestamp happens to overflow INT_MAX, it ends up being seen as negative and the OCSP response being dwignored in ssl_sock_ocsp_stapling_cbk (because of the "ocsp->expire < now.tv_sec" test).

It could be backported to all stable branches.

(cherry picked from commit a3a0cce8ee8c142cd148090854ca8551a36d9bd7)
Signed-off-by: Christopher Faulet
(cherry picked from commit 1adb439f84b3bb3a004736ef1fa88c899cd64f3e)
Signed-off-by: Christopher Faulet
---
 src/ssl_sock.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 77c6d93..09b8d08 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -787,7 +787,7 @@ static long asn1_generalizedtime_to_epoch(ASN1_GENERALIZEDTIME *d)
 const unsigned short month_offset[12] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
- int year, month;
+ unsigned long year, month;
 if (!d || (d->type != V_ASN1_GENERALIZEDTIME)) return -1;
@@ -1005,6 +1005,10 @@ static int ssl_sock_load_ocsp_response(struct buffer *ocsp_response,
 }
 ocsp->expire = asn1_generalizedtime_to_epoch(nextupd) - OCSP_MAX_RESPONSE_TIME_SKEW;
+ if (ocsp->expire < 0) {
+ memprintf(err, "OCSP single response: Invalid \"Next Update\" time");
+ goto out;
+ }
 ret = 0;
 out:
--
1.7.10.4
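Review bot: Widening `int year, month;` to `unsigned long year, month;` only removes the overflow where `unsigned long` is 64 bits; on ILP32 targets it is 32 bits, so the same days-to-seconds arithmetic (the function body is outside the hunk) can still wrap for a "Next Update" far enough out, now silently modulo 2^32 instead of as signed-overflow UB, and the `long` the function returns can again come out negative. Using a fixed-width `uint64_t` (or `long long`) for the intermediate computation makes the fix independent of the platform's `long` width, while the `return -1` sentinel visible in the hunk remains usable because the return type is unchanged. Since the two variables are now unsigned, any subtraction on them that precedes a lower-bound check would wrap rather than go negative; this cannot be verified from the hunk, so it is worth confirming the range check on the parsed year still comes first. The enclosing function starts and ends outside the hunk.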
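Review bot: The new guard `if (ocsp->expire < 0)` tests the value after `OCSP_MAX_RESPONSE_TIME_SKEW` has already been subtracted, so it conflates the `-1` parse-failure sentinel of `asn1_generalizedtime_to_epoch` with the arithmetic result and also rejects a genuine epoch smaller than the skew. Checking the return value before the subtraction keeps the cases apart: `long expire = asn1_generalizedtime_to_epoch(nextupd);` followed by `if (expire < 0) { memprintf(err, "OCSP single response: Invalid \"Next Update\" time"); goto out; }` and then `ocsp->expire = expire - OCSP_MAX_RESPONSE_TIME_SKEW;`. On the new `goto out` path `ocsp` still carries the negative `expire`; whether the `out:` label discards the partially filled response cannot be seen from the hunk, so it is worth confirming that nothing downstream can observe it. The enclosing function starts before the hunk.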