comparison src/event/ngx_event_openssl_stapling.c @ 6206:595b179e429f
OCSP stapling: fixed segfault without nextUpdate.
OCSP responses may contain no nextUpdate. As per RFC 6960, this means
that nextUpdate checks should be bypassed. Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.
The problem was introduced by 6893a1007a7c (1.9.2).
Reported by Matthew Baldwin.
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Tue, 14 Jul 2015 01:10:25 +0300 |
parents | dcae651b2a0c |
children | f01ab2dbcfdc |
6205:dcae651b2a0c | 6206:595b179e429f |
635 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, | 635 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
636 "OCSP_check_validity() failed"); | 636 "OCSP_check_validity() failed"); |
637 goto error; | 637 goto error; |
638 } | 638 } |
639 | 639 |
640 valid = ngx_ssl_stapling_time(nextupdate); | 640 if (nextupdate) { |
641 if (valid == (time_t) NGX_ERROR) { | 641 valid = ngx_ssl_stapling_time(nextupdate); |
642 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, | 642 if (valid == (time_t) NGX_ERROR) { |
643 "invalid nextUpdate time in certificate status"); | 643 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
644 goto error; | 644 "invalid nextUpdate time in certificate status"); |
645 goto error; | |
646 } | |
647 | |
648 } else { | |
649 valid = NGX_MAX_TIME_T_VALUE; | |
645 } | 650 } |
646 | 651 |
647 OCSP_CERTID_free(id); | 652 OCSP_CERTID_free(id); |
648 OCSP_BASICRESP_free(basic); | 653 OCSP_BASICRESP_free(basic); |
649 OCSP_RESPONSE_free(ocsp); | 654 OCSP_RESPONSE_free(ocsp); |
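Review bot: The new `else` branch that assigns `valid = NGX_MAX_TIME_T_VALUE` (new line 649) deserves a comment, because a reader will not see why a missing nextUpdate maps to the largest representable time; suggest `/* no nextUpdate: RFC 6960 4.2.2.1 says the responder sets no expiry, so do not bound the staple's validity here */`. Since `valid` presumably drives when the stapled response is refreshed (that code is outside this hunk), an unbounded value means such a response is re-fetched only on whatever fallback interval the refresh path applies, so it is worth confirming that path has an upper bound that does not depend on nextUpdate. The `OCSP_check_validity()` call just above already tolerates a NULL nextUpdate, so the new guard only affects nginx's own expiry bookkeeping. The enclosing function starts and ends outside the hunk.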