Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 6206:595b179e429f
OCSP stapling: fixed segfault without nextUpdate.
OCSP responses may contain no nextUpdate. As per RFC 6960, this means
that nextUpdate checks should be bypassed. Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.
The problem was introduced by 6893a1007a7c (1.9.2).
Reported by Matthew Baldwin.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 14 Jul 2015 01:10:25 +0300 |
| parents | dcae651b2a0c |
| children | f01ab2dbcfdc |
comparison
equal
deleted
inserted
replaced
| 6205:dcae651b2a0c | 6206:595b179e429f |
|---|---|
| 635 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, | 635 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
| 636 "OCSP_check_validity() failed"); | 636 "OCSP_check_validity() failed"); |
| 637 goto error; | 637 goto error; |
| 638 } | 638 } |
| 639 | 639 |
| 640 valid = ngx_ssl_stapling_time(nextupdate); | 640 if (nextupdate) { |
| 641 if (valid == (time_t) NGX_ERROR) { | 641 valid = ngx_ssl_stapling_time(nextupdate); |
| 642 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, | 642 if (valid == (time_t) NGX_ERROR) { |
| 643 "invalid nextUpdate time in certificate status"); | 643 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
| 644 goto error; | 644 "invalid nextUpdate time in certificate status"); |
| 645 goto error; | |
| 646 } | |
| 647 | |
| 648 } else { | |
| 649 valid = NGX_MAX_TIME_T_VALUE; | |
| 645 } | 650 } |
| 646 | 651 |
| 647 OCSP_CERTID_free(id); | 652 OCSP_CERTID_free(id); |
| 648 OCSP_BASICRESP_free(basic); | 653 OCSP_BASICRESP_free(basic); |
| 649 OCSP_RESPONSE_free(ocsp); | 654 OCSP_RESPONSE_free(ocsp); |