Mercurial > hg > nginx

changeset 7667:1ece2ac2555a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
OCSP: fixed use-after-free on error. When validating second and further certificates, ssl callback could be called twice to report the error. After the first call client connection is terminated and its memory is released. Prior to the second call and in it released connection memory is accessed. Errors triggering this behavior: - failure to create the request - failure to start resolving OCSP responder name - failure to start connecting to the OCSP responder The fix is to rearrange the code to eliminate the second call.
author Roman Arutyunyan <arut@nginx.com>
date Mon, 15 Jun 2020 20:17:16 +0300
parents 8cf31489b479
children 0a04e5e4c40b
files src/event/ngx_event_openssl_stapling.c
diffstat 1 files changed, 21 insertions(+), 22 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -980,6 +980,7 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
         if (ocsp->ncert == n - 1 || (ocf->depth == 2 && ocsp->ncert == 1)) {
             ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                            "ssl ocsp validated, certs:%ui", ocsp->ncert);
+            rc = NGX_OK;
             goto done;
         }
 
@@ -988,7 +989,8 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
 
         ctx = ngx_ssl_ocsp_start(c->log);
         if (ctx == NULL) {
-            goto failed;
+            rc = NGX_ERROR;
+            goto done;
         }
 
         ocsp->ctx = ctx;
@@ -1012,8 +1014,9 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
         ctx->uri = ocf->uri;
         ctx->port = ocf->port;
 
-        if (ngx_ssl_ocsp_responder(c, ctx) != NGX_OK) {
-            goto failed;
+        rc = ngx_ssl_ocsp_responder(c, ctx);
+        if (rc != NGX_OK) {
+            goto done;
         }
 
         if (ctx->uri.len == 0) {
@@ -1025,7 +1028,7 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
         rc = ngx_ssl_ocsp_cache_lookup(ctx);
 
         if (rc == NGX_ERROR) {
-            goto failed;
+            goto done;
         }
 
         if (rc == NGX_DECLINED) {
@@ -1051,12 +1054,12 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
 
 done:
 
-    ocsp->status = NGX_OK;
-    return;
-
-failed:
-
-    ocsp->status = NGX_ERROR;
+    ocsp->status = rc;
+
+    if (c->ssl->in_ocsp) {
+        c->ssl->handshaked = 1;
+        c->ssl->handler(c);
+    }
 }
 
 
@@ -1073,22 +1076,16 @@ ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t 
 
     rc = ngx_ssl_ocsp_verify(ctx);
     if (rc != NGX_OK) {
-        ocsp->status = rc;
-        ngx_ssl_ocsp_done(ctx);
         goto done;
     }
 
     rc = ngx_ssl_ocsp_cache_store(ctx);
     if (rc != NGX_OK) {
-        ocsp->status = rc;
-        ngx_ssl_ocsp_done(ctx);
         goto done;
     }
 
     if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
         ocsp->cert_status = ctx->status;
-        ocsp->status = NGX_OK;
-        ngx_ssl_ocsp_done(ctx);
         goto done;
     }
 
@@ -1096,15 +1093,17 @@ ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t 
 
     ngx_ssl_ocsp_validate_next(c);
 
+    return;
+
 done:
 
-    if (ocsp->status == NGX_AGAIN || !c->ssl->in_ocsp) {
-        return;
+    ocsp->status = rc;
+    ngx_ssl_ocsp_done(ctx);
+
+    if (c->ssl->in_ocsp) {
+        c->ssl->handshaked = 1;
+        c->ssl->handler(c);
     }
-
-    c->ssl->handshaked = 1;
-
-    c->ssl->handler(c);
 }