From a63558a1ebe3d50f4b8ab339e0d3ecdc858803c3 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sun, 16 Sep 2018 22:19:27 +0900
Subject: [PATCH] nghttpx: Call OCSP_response_get1_basic only when OCSP status is successful
---
 src/shrpx_tls.cc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc
index 2fd61465..76a6e764 100644
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -1907,6 +1907,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
 }
 auto resp_deleter = defer(OCSP_RESPONSE_free, resp);
+ if (OCSP_response_status(resp) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ LOG(ERROR) << "OCSP response status is not successful";
+ return -1;
+ }
+
 ERR_clear_error();
 auto bs = OCSP_response_get1_basic(resp);
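Review bot: The error log in the added `if` block omits the status value, so when stapling fails an operator cannot tell a transient `tryLater` from `unauthorized` or `malformedRequest`. Consider reading the status once and logging it, e.g. `auto status = OCSP_response_status(resp);` and then `LOG(ERROR) << "OCSP response status is not successful: " << OCSP_response_status_str(status);`, assuming every TLS library this file builds against provides `OCSP_response_status_str`. A one-line comment above the check would also record the reason for it, such as `// A non-successful OCSPResponse carries no responseBytes, so there is no basic response to extract or verify.` The body of verify_ocsp_response starts and ends outside this hunk, so how callers treat the -1 return is not visible here.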