comparison src/event/ngx_event_openssl_stapling.c @ 7687:d752a2c76d49

OCSP: fixed certificate reference leak.
author Sergey Kandaurov <pluknet@nginx.com>
date Thu, 23 Jul 2020 17:31:09 +0300
parents 1ece2ac2555a
children a46fcf101cfc
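--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -881,10 +881,11 @@
         return NGX_OK;
     }
 
     ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
     if (ocsp == NULL) {
+        X509_free(cert);
         return NGX_ERROR;
     }
 
     c->ssl->ocsp = ocsp;
 
@@ -897,10 +898,11 @@
     ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
 
     if (ocsp->certs) {
         ocsp->certs = X509_chain_up_ref(ocsp->certs);
         if (ocsp->certs == NULL) {
+            X509_free(cert);
             return NGX_ERROR;
         }
     }
 
 #endif
@@ -908,46 +910,53 @@
     if (ocsp->certs == NULL) {
         store = SSL_CTX_get_cert_store(ssl_ctx);
         if (store == NULL) {
             ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                           "SSL_CTX_get_cert_store() failed");
+            X509_free(cert);
             return NGX_ERROR;
         }
 
         store_ctx = X509_STORE_CTX_new();
         if (store_ctx == NULL) {
             ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                           "X509_STORE_CTX_new() failed");
+            X509_free(cert);
             return NGX_ERROR;
         }
 
         chain = SSL_get_peer_cert_chain(c->ssl->connection);
 
         if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
             ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                           "X509_STORE_CTX_init() failed");
             X509_STORE_CTX_free(store_ctx);
+            X509_free(cert);
             return NGX_ERROR;
         }
 
         rc = X509_verify_cert(store_ctx);
         if (rc <= 0) {
             ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
             X509_STORE_CTX_free(store_ctx);
+            X509_free(cert);
             return NGX_ERROR;
         }
 
         ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx);
         if (ocsp->certs == NULL) {
             ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                           "X509_STORE_CTX_get1_chain() failed");
             X509_STORE_CTX_free(store_ctx);
+            X509_free(cert);
             return NGX_ERROR;
         }
 
         X509_STORE_CTX_free(store_ctx);
     }
+
+    X509_free(cert);
 
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs));
 
     ngx_ssl_ocsp_validate_next(c);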
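Review bot: The leak is closed by repeating `X509_free(cert);` by hand on every exit — once in each of the first two hunks and five more times in the third, next to the existing `X509_STORE_CTX_free(store_ctx);` calls — which is the same per-path bookkeeping that let the reference escape in the first place, so the next error branch added here has to remember it again. ngx_ssl_ocsp_validate starts before line 881 and continues past 962, so the tail of the function is not visible; presumably cert is obtained with an up-reffed call just before the first hunk, and that single reference is what all of these frees drop. One way to make that ownership auditable in one place is a `failed:` label after the function's normal return that frees cert and returns NGX_ERROR, with every error branch (including the ngx_pcalloc and X509_chain_up_ref failures in the first two hunks) doing `goto failed;`, and the three store_ctx paths keeping their `X509_STORE_CTX_free(store_ctx);` immediately before the goto so nothing about store_ctx being NULL-initialised is assumed. The unconditional free at 957 on the success path stays as it is.
```c
        store = SSL_CTX_get_cert_store(ssl_ctx);
        if (store == NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "SSL_CTX_get_cert_store() failed");
            goto failed;
        }

        /* … unchanged: X509_STORE_CTX_new(), X509_STORE_CTX_init(),
           X509_verify_cert() and X509_STORE_CTX_get1_chain() checks, each
           now ending in "X509_STORE_CTX_free(store_ctx); goto failed;" … */

        X509_STORE_CTX_free(store_ctx);
    }

    X509_free(cert);

    /* … unchanged: debug log, ngx_ssl_ocsp_validate_next(c) and the
       function's normal return, which lie outside this hunk … */

failed:

    X509_free(cert);

    return NGX_ERROR;
```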