OCSP stapling: fixed segfault without nextUpdate.
OCSP responses may contain no nextUpdate. As per RFC 6960, this means
that nextUpdate checks should be bypassed. Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.
The problem was introduced by 6893a1007a7c (1.9.2).
Reported by Matthew Baldwin.
Maxim Dounin
6 years ago
636 | 636 | goto error; |
637 | 637 | } |
638 | 638 | |
639 | valid = ngx_ssl_stapling_time(nextupdate); | |
640 | if (valid == (time_t) NGX_ERROR) { | |
641 | ngx_log_error(NGX_LOG_ERR, ctx->log, 0, | |
642 | "invalid nextUpdate time in certificate status"); | |
643 | goto error; | |
639 | if (nextupdate) { | |
640 | valid = ngx_ssl_stapling_time(nextupdate); | |
641 | if (valid == (time_t) NGX_ERROR) { | |
642 | ngx_log_error(NGX_LOG_ERR, ctx->log, 0, | |
643 | "invalid nextUpdate time in certificate status"); | |
644 | goto error; | |
645 | } | |
646 | ||
647 | } else { | |
648 | valid = NGX_MAX_TIME_T_VALUE; | |
644 | 649 | } |
645 | 650 | |
646 | 651 | OCSP_CERTID_free(id); |
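Review bot: The new `else` branch that sets `valid = NGX_MAX_TIME_T_VALUE` means a response without nextUpdate never expires as far as this value is concerned, and nothing in the code says so. I would add a comment above the assignment, for example `/* no nextUpdate: per RFC 6960 the nextUpdate check is bypassed, so the response never expires by time */`. The freshness of such a staple then presumably depends only on how often the response is re-fetched. It is worth confirming that the consumers of `valid` outside this hunk do not add to it (signed overflow at the maximum time_t) and do not keep serving an old "good" status indefinitely when refreshes fail. The enclosing function starts and ends outside the hunk, so those uses are not visible here.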