comparison src/event/ngx_event_openssl_stapling.c @ 7687:d752a2c76d49
OCSP: fixed certificate reference leak.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Thu, 23 Jul 2020 17:31:09 +0300 |
parents | 1ece2ac2555a |
children | a46fcf101cfc |
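--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -881,10 +881,11 @@
 return NGX_OK;
 }
 
 ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
 if (ocsp == NULL) {
+X509_free(cert);
 return NGX_ERROR;
 }
 
 c->ssl->ocsp = ocsp;
 
@@ -897,10 +898,11 @@
 ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
 
 if (ocsp->certs) {
 ocsp->certs = X509_chain_up_ref(ocsp->certs);
 if (ocsp->certs == NULL) {
+X509_free(cert);
 return NGX_ERROR;
 }
 }
 
 #endif
@@ -908,46 +910,53 @@
 if (ocsp->certs == NULL) {
 store = SSL_CTX_get_cert_store(ssl_ctx);
 if (store == NULL) {
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
 "SSL_CTX_get_cert_store() failed");
+X509_free(cert);
 return NGX_ERROR;
 }
 
 store_ctx = X509_STORE_CTX_new();
 if (store_ctx == NULL) {
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
 "X509_STORE_CTX_new() failed");
+X509_free(cert);
 return NGX_ERROR;
 }
 
 chain = SSL_get_peer_cert_chain(c->ssl->connection);
 
 if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
 "X509_STORE_CTX_init() failed");
 X509_STORE_CTX_free(store_ctx);
+X509_free(cert);
 return NGX_ERROR;
 }
 
 rc = X509_verify_cert(store_ctx);
 if (rc <= 0) {
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
 X509_STORE_CTX_free(store_ctx);
+X509_free(cert);
 return NGX_ERROR;
 }
 
 ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx);
 if (ocsp->certs == NULL) {
 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
 "X509_STORE_CTX_get1_chain() failed");
 X509_STORE_CTX_free(store_ctx);
+X509_free(cert);
 return NGX_ERROR;
 }
 
 X509_STORE_CTX_free(store_ctx);
 }
+
+X509_free(cert);
 
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs));
 
 ngx_ssl_ocsp_validate_next(c);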
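Review bot: The fix works by hand-placing `X509_free(cert);` on seven separate exit paths (new lines 886, 903, 915, 923, 933, 941 and 957), which is exactly the shape that let the reference leak in originally and will let the next error branch leak again. The enclosing function starts before the first hunk and its tail after `ngx_ssl_ocsp_validate_next(c)` is outside the view, so the place where `cert` is obtained and whether the earlier `return NGX_OK` at line 881 also owns a reference cannot be checked here; if it does, that path presumably needs the same release. A single `failed:` label that releases `cert` once, with each error branch doing `goto failed;`, keeps ownership in one place and makes the `X509_STORE_CTX_free(store_ctx)` / `X509_free(cert)` pairing easier to audit. A one-line comment above the successful release at 957, such as `/* ocsp->certs now holds its own references; the cert reference is no longer needed */`, would document why the free is safe before the chain is used.
```c
ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
if (ocsp == NULL) {
    goto failed;
}
/* … unchanged: verified-chain, cert store and store_ctx setup … */
if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
    ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_STORE_CTX_init() failed");
    X509_STORE_CTX_free(store_ctx);
    goto failed;
}
/* … unchanged: X509_verify_cert and X509_STORE_CTX_get1_chain branches, each ending in goto failed … */
/* ocsp->certs now holds its own references; the cert reference is no longer needed */
X509_free(cert);
/* … unchanged: debug log, ngx_ssl_ocsp_validate_next(c) and the function's normal return (outside the hunk) … */

failed:
    X509_free(cert);
    return NGX_ERROR;
```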