annotate src/event/ngx_event_openssl_stapling.c @ 8472:3b15732ac03f quic
QUIC: renaming.
The c->quic->retransmit timer is now called "pto".
The ngx_quic_retransmit() function is renamed to "ngx_quic_detect_lost()".
This is a preparation for the following patches.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Mon, 13 Jul 2020 10:07:15 +0300 |
parents | 1ece2ac2555a |
children | d752a2c76d49 |
2 /* |
3 * Copyright (C) Maxim Dounin |
4 * Copyright (C) Nginx, Inc. |
5 */ |
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_event.h>
#include <ngx_event_connect.h>


/*
 * The rest of the file needs OCSP support and the status-request callback
 * control in the OpenSSL build (this guard came with the build fix for
 * OPENSSL_NO_ENGINE / OPENSSL_NO_OCSP); the matching #endif is outside
 * this view.
 */
#if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
/*
 * OCSP stapling state for one certificate.  The prototypes below show
 * ngx_ssl_stapling_file(), ngx_ssl_stapling_issuer() and
 * ngx_ssl_stapling_responder() filling a staple in; NOTE(review): where it
 * is allocated (presumably ngx_ssl_stapling_certificate()) is outside this
 * view.
 */
typedef struct {
    /* the response to staple; presumably handed to clients from
     * ngx_ssl_certificate_status_callback() - confirm there */
    ngx_str_t                    staple;
    ngx_msec_t                   timeout;

    /* presumably used to resolve the responder host - confirm */
    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    /* OCSP responder: resolved addresses (all of them are tried, per the
     * "iterate over all responder addresses" change) and the URL parts */
    ngx_addr_t                  *addrs;
    ngx_uint_t                   naddrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    SSL_CTX                     *ssl_ctx;

    /* the certificate being stapled, its issuer, and the extra chain that
     * is kept in the staple object */
    X509                        *cert;
    X509                        *issuer;
    STACK_OF(X509)              *chain;

    /* certificate name, used in warnings */
    u_char                      *name;

    /* validity and refresh times of the current response; refresh was added
     * to avoid sending expired responses (ticket #425).  Exact semantics
     * live in ngx_ssl_stapling_update(), outside this view. */
    time_t                       valid;
    time_t                       refresh;

    /* verify: set from the ssl_stapling_verify directive */
    unsigned                     verify:1;
    /* loading: presumably set while a response fetch is in flight - confirm */
    unsigned                     loading:1;
} ngx_ssl_stapling_t;


/*
 * Configuration for validating client certificates with OCSP
 * (ticket #1534).
 */
typedef struct {
    /* configured OCSP responder: resolved addresses and URL parts.
     * NOTE(review): how this interacts with a responder named in the
     * certificate is decided in ngx_ssl_ocsp_responder(), outside this view */
    ngx_addr_t                  *addrs;
    ngx_uint_t                   naddrs;

    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;
    /* presumably the maximum chain depth that is validated - confirm */
    ngx_uint_t                   depth;

    /* shared zone holding the certificate status cache */
    ngx_shm_zone_t              *shm_zone;

    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;
} ngx_ssl_ocsp_conf_t;


/*
 * Certificate status cache: an rbtree of ngx_ssl_ocsp_cache_node_t entries
 * plus a queue used for expiry.  NOTE(review): presumably placed in the
 * shared zone referenced by ngx_ssl_ocsp_conf_t.shm_zone, in which case
 * every access needs the zone's lock - confirm in
 * ngx_ssl_ocsp_cache_lookup() / ngx_ssl_ocsp_cache_store().
 */
typedef struct {
    ngx_rbtree_t                 rbtree;
    ngx_rbtree_node_t            sentinel;
    ngx_queue_t                  expire_queue;
} ngx_ssl_ocsp_cache_t;


/* one entry of ngx_ssl_ocsp_cache_t */
typedef struct {
    /* string-keyed rbtree node; the key is presumably the one built by
     * ngx_ssl_ocsp_create_key() - confirm */
    ngx_str_node_t               node;
    /* link into ngx_ssl_ocsp_cache_t.expire_queue */
    ngx_queue_t                  queue;
    /* cached certificate status; same int type as ngx_ssl_ocsp_ctx_s.status */
    int                          status;
    /* presumably the time the cached status stays valid - confirm */
    time_t                       valid;
} ngx_ssl_ocsp_cache_node_t;


/* forward declaration: struct ngx_ssl_ocsp_s and the prototypes below refer
 * to the context before struct ngx_ssl_ocsp_ctx_s itself is defined */
typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t;
/*
 * Per-connection state of client certificate validation with OCSP
 * (ticket #1534).  NOTE(review): the typedef name for this struct is
 * declared elsewhere and not in this view.
 */
struct ngx_ssl_ocsp_s {
    /* the chain to validate and, presumably, the index of the certificate
     * currently being checked by ngx_ssl_ocsp_validate_next() - confirm */
    STACK_OF(X509)              *certs;
    ngx_uint_t                   ncert;

    /* cert_status: certificate status (same int type as
     * ngx_ssl_ocsp_ctx_s.status); status: presumably an NGX_* result of the
     * validation as a whole - confirm */
    int                          cert_status;
    ngx_int_t                    status;

    ngx_ssl_ocsp_conf_t         *conf;
    /* the OCSP exchange in progress, if any */
    ngx_ssl_ocsp_ctx_t          *ctx;
};


/*
 * State of one OCSP request/response exchange with a responder.  Used both
 * by stapling (ngx_ssl_stapling_ocsp_handler) and by client certificate
 * validation (ngx_ssl_ocsp_handler); which of the two is notified is chosen
 * through the handler callback.  The response is read and parsed as HTTP
 * (see the *_status_line / *_headers / *_body prototypes below).
 * NOTE(review): presumably plain HTTP, so the trustworthiness of the result
 * rests on the signature checks in ngx_ssl_ocsp_verify() rather than on the
 * transport - confirm.
 */
struct ngx_ssl_ocsp_ctx_s {
    SSL_CTX                     *ssl_ctx;

    /* the certificate whose status is queried, its issuer and extra chain */
    X509                        *cert;
    X509                        *issuer;
    STACK_OF(X509)              *chain;

    /* presumably filled by ngx_ssl_ocsp_verify(): certificate status and
     * how long it holds - confirm */
    int                          status;
    time_t                       valid;

    /* certificate name for error logging context */
    u_char                      *name;

    /* responder addresses: naddrs in total, naddr presumably the one being
     * tried; all of them are iterated over (see ngx_ssl_ocsp_next) */
    ngx_uint_t                   naddrs;
    ngx_uint_t                   naddr;

    ngx_addr_t                  *addrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    ngx_msec_t                   timeout;

    /* callback invoked by the exchange (presumably on completion) and its
     * opaque argument */
    void                       (*handler)(ngx_ssl_ocsp_ctx_t *ctx);
    void                        *data;

    /* cache key, presumably built by ngx_ssl_ocsp_create_key() */
    ngx_str_t                    key;
    ngx_buf_t                   *request;
    ngx_buf_t                   *response;
    /* connection to the responder */
    ngx_peer_connection_t        peer;

    ngx_shm_zone_t              *shm_zone;

    /* current response-processing step; ngx_ssl_ocsp_process_status_line(),
     * _process_headers() and _process_body() all share this signature */
    ngx_int_t                  (*process)(ngx_ssl_ocsp_ctx_t *ctx);

    /* parser state */
    ngx_uint_t                   state;

    /* presumably the HTTP status code of the response - confirm */
    ngx_uint_t                   code;
    ngx_uint_t                   count;
    ngx_uint_t                   flags;
    ngx_uint_t                   done;

    /* bounds of the header line being parsed, presumably set by
     * ngx_ssl_ocsp_parse_header_line() - confirm */
    u_char                      *header_name_start;
    u_char                      *header_name_end;
    u_char                      *header_start;
    u_char                      *header_end;

    ngx_pool_t                  *pool;
    ngx_log_t                   *log;
};


/* stapling configuration: per-certificate setup, reading a stored
 * response from a file, locating the issuer, parsing the responder URL */
static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *file);
static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple);
static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *responder);

/* stapling at runtime: the TLS status-request callback installed by
 * ngx_ssl_stapling(), response refresh, and the handler that receives the
 * result of an OCSP exchange on behalf of a staple */
static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
    void *data);
static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);

/* converts an ASN.1 GeneralizedTime into a time_t */
static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time);

static void ngx_ssl_stapling_cleanup(void *data);

/* client certificate validation with OCSP (ticket #1534) */
static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c);
static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c,
    ngx_ssl_ocsp_ctx_t *ctx);

/* lifecycle of one OCSP exchange: resolve, connect, write, read */
static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(ngx_log_t *log);
static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve);
static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev);
static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev);
static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);

/* request construction, HTTP response parsing (status line, headers, body)
 * and verification of the OCSP response itself */
static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx);

/* certificate status cache (ngx_ssl_ocsp_cache_t) */
static ngx_int_t ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx);

static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len);
194 ngx_int_t |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
195 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
196 ngx_str_t *responder, ngx_uint_t verify) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
197 { |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
198 X509 *cert; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
199 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
200 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
201 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
202 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
203 { |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
204 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
205 != NGX_OK) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
206 { |
207 return NGX_ERROR; |
208 } |
209 } |
210 |
211 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
212 |
213 return NGX_OK; |
214 } |
static ngx_int_t
ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
{
    /*
     * Configure OCSP stapling for one certificate of the SSL context.
     *
     * A zeroed ngx_ssl_stapling_t is allocated from the configuration pool,
     * registered for release through ngx_ssl_stapling_cleanup() when that
     * pool is destroyed, and attached to "cert" through the
     * ngx_ssl_stapling_index ex-data slot so that it can be found again from
     * the certificate later.  The response itself either comes from "file"
     * (when file->len is non-zero) or is to be fetched from an OCSP
     * responder, in which case the issuer certificate is located first and
     * the responder is configured afterwards.
     *
     * verify     the ssl_stapling_verify setting; only stored here, for the
     *            code that checks fetched responses (not in this function).
     * responder  explicit responder URL or an empty string; its
     *            interpretation belongs to ngx_ssl_stapling_responder().
     *
     * Returns NGX_ERROR on allocation failure, on X509_set_ex_data() failure,
     * or when a callee reports NGX_ERROR.  A callee returning NGX_DECLINED is
     * not an error: stapling is simply not set up for this certificate and
     * NGX_OK is returned, so any diagnostics are whatever the callee logged.
     */

    ngx_int_t            rc;
    ngx_pool_cleanup_t  *cln;
    ngx_ssl_stapling_t  *st;

    st = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
    if (st == NULL) {
        return NGX_ERROR;
    }

    /* the staple lives exactly as long as the configuration pool */

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_ERROR;
    }

    cln->handler = ngx_ssl_stapling_cleanup;
    cln->data = st;

    if (X509_set_ex_data(cert, ngx_ssl_stapling_index, st) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
        return NGX_ERROR;
    }

    /*
     * st->chain points at the context's extra chain certificates rather
     * than at a copy (the pre-1.0.1 branch below reads the raw field), so
     * it is only valid while ssl->ctx is.  SSL_CTX_select_current_cert() is
     * called first, presumably so that the chain retrieved belongs to this
     * certificate when several are configured -- confirm against the
     * OpenSSL documentation.
     */

#ifdef SSL_CTRL_SELECT_CURRENT_CERT
    /* OpenSSL 1.0.2+ */
    SSL_CTX_select_current_cert(ssl->ctx, cert);
#endif

#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
    /* OpenSSL 1.0.1+ */
    SSL_CTX_get_extra_chain_certs(ssl->ctx, &st->chain);
#else
    st->chain = ssl->ctx->extra_certs;
#endif

    st->ssl_ctx = ssl->ctx;
    st->timeout = 60000;   /* presumably milliseconds; see the request code */
    st->verify = verify;
    st->cert = cert;

    /* certificate name, used by the warnings that mention this cert */
    st->name = X509_get_ex_data(st->cert, ngx_ssl_certificate_name_index);

    if (file->len) {
        /* a static response file replaces the issuer/responder lookup */

        if (ngx_ssl_stapling_file(cf, ssl, st, file) != NGX_OK) {
            return NGX_ERROR;
        }

        return NGX_OK;
    }

    rc = ngx_ssl_stapling_issuer(cf, ssl, st);

    if (rc != NGX_OK) {
        /* NGX_DECLINED: no stapling for this certificate, not fatal */
        return (rc == NGX_DECLINED) ? NGX_OK : NGX_ERROR;
    }

    rc = ngx_ssl_stapling_responder(cf, ssl, st, responder);

    if (rc != NGX_OK) {
        return (rc == NGX_DECLINED) ? NGX_OK : NGX_ERROR;
    }

    return NGX_OK;
}
static ngx_int_t
ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *file)
{
    /*
     * Load a pre-built OCSP response (DER) from "file" into staple->staple.
     *
     * The response is decoded and re-encoded, which only proves that the
     * file holds a well-formed OCSP_RESPONSE; nothing else about it is
     * checked here: no signature verification, no certificate status check,
     * and no look at its validity window.  staple->valid is set to the
     * largest time value, presumably so the serving code (not visible here)
     * never treats the loaded bytes as stale; keeping the file current is
     * therefore the operator's responsibility.
     *
     * The encoded response is allocated with ngx_alloc(), i.e. not from the
     * pool, and is expected to be released by ngx_ssl_stapling_cleanup().
     *
     * Returns NGX_OK on success; NGX_ERROR, with the cause logged at EMERG
     * level, if the path cannot be resolved, the file cannot be opened, or
     * the response cannot be decoded or re-encoded.
     */

    int             len;
    BIO            *bio;
    u_char         *der, *pos;
    ngx_int_t       rc;
    OCSP_RESPONSE  *response;

    /* make the path absolute relative to the configuration prefix */

    if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    /* binary mode: the file holds DER, not text */

    bio = BIO_new_file((char *) file->data, "rb");
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "BIO_new_file(\"%s\") failed", file->data);
        return NGX_ERROR;
    }

    response = d2i_OCSP_RESPONSE_bio(bio, NULL);
    if (response == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
        BIO_free(bio);
        return NGX_ERROR;
    }

    rc = NGX_ERROR;

    /* a first i2d pass with a NULL buffer only measures the encoding */

    len = i2d_OCSP_RESPONSE(response, NULL);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
        goto done;
    }

    /* ngx_alloc() is given the log, so presumably it reports failure itself */

    der = ngx_alloc(len, ssl->log);
    if (der == NULL) {
        goto done;
    }

    /* i2d advances the pointer it is handed, so encode through a copy */

    pos = der;
    len = i2d_OCSP_RESPONSE(response, &pos);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
        ngx_free(der);
        goto done;
    }

    staple->staple.data = der;
    staple->staple.len = len;
    staple->valid = NGX_MAX_TIME_T_VALUE;

    rc = NGX_OK;

done:

    OCSP_RESPONSE_free(response);
    BIO_free(bio);

    return rc;
}
363 static ngx_int_t |
364 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
365 ngx_ssl_stapling_t *staple) |
366 { |
367 int i, n, rc; |
368 X509 *cert, *issuer; |
369 X509_STORE *store; |
370 X509_STORE_CTX *store_ctx; |
371 |
372 cert = staple->cert; |
373 |
374 n = sk_X509_num(staple->chain); |
375 |
376 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
377 "SSL get issuer: %d extra certs", n); |
378 |
379 for (i = 0; i < n; i++) { |
380 issuer = sk_X509_value(staple->chain, i); |
381 if (X509_check_issued(issuer, cert) == X509_V_OK) { |
382 #if OPENSSL_VERSION_NUMBER >= 0x10100001L |
383 X509_up_ref(issuer); |
384 #else |
385 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); |
386 #endif |
387 |
388 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
389 "SSL get issuer: found %p in extra certs", issuer); |
390 |
391 staple->issuer = issuer; |
392 |
393 return NGX_OK; |
394 } |
395 } |
396 |
397 store = SSL_CTX_get_cert_store(ssl->ctx); |
398 if (store == NULL) { |
399 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
400 "SSL_CTX_get_cert_store() failed"); |
401 return NGX_ERROR; |
402 } |
403 |
404 store_ctx = X509_STORE_CTX_new(); |
405 if (store_ctx == NULL) { |
406 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
407 "X509_STORE_CTX_new() failed"); |
408 return NGX_ERROR; |
409 } |
410 |
411 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) { |
412 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
413 "X509_STORE_CTX_init() failed"); |
414 X509_STORE_CTX_free(store_ctx); |
415 return NGX_ERROR; |
416 } |
417 |
418 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert); |
419 |
420 if (rc == -1) { |
421 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
422 "X509_STORE_CTX_get1_issuer() failed"); |
423 X509_STORE_CTX_free(store_ctx); |
424 return NGX_ERROR; |
425 } |
426 |
427 if (rc == 0) { |
428 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
429 "\"ssl_stapling\" ignored, " |
430 "issuer certificate not found for certificate \"%s\"", |
431 staple->name); |
432 X509_STORE_CTX_free(store_ctx); |
433 return NGX_DECLINED; |
434 } |
435 |
436 X509_STORE_CTX_free(store_ctx); |
437 |
438 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
439 "SSL get issuer: found %p in cert store", issuer); |
440 |
441 staple->issuer = issuer; |
442 |
443 return NGX_OK; |
444 } |
445 |
446 |
/*
 * Resolves the OCSP responder to use for staple->cert and stores the
 * result in staple->addrs, staple->naddrs, staple->host, staple->uri and
 * staple->port.
 *
 * An explicitly configured responder (non-empty *responder) takes
 * precedence; otherwise the first OCSP URL found in the certificate's
 * Authority Information Access extension is used.  Only "http://" URLs are
 * accepted: the OCSP exchange runs over plain HTTP, and trust comes from
 * the response itself (how strictly it is verified is decided by
 * staple->verify in ngx_ssl_stapling_update()).
 *
 * Returns NGX_OK on success; NGX_DECLINED when stapling is to be ignored
 * for this certificate (a warning has already been logged); NGX_ERROR on
 * allocation failure or when ngx_parse_url() fails without setting u.err.
 */
static ngx_int_t
ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *responder)
{
    char                      *s;
    ngx_str_t                  rsp;
    ngx_url_t                  u;
    STACK_OF(OPENSSL_STRING)  *aia;

    if (responder->len == 0) {

        /* extract OCSP responder URL from certificate */

        aia = X509_get1_ocsp(staple->cert);
        if (aia == NULL) {
            ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                          "\"ssl_stapling\" ignored, "
                          "no OCSP responder URL in the certificate \"%s\"",
                          staple->name);
            return NGX_DECLINED;
        }

        /* OpenSSL 1.0.0 introduced the type-safe STACK_OF() accessors */
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
        s = sk_OPENSSL_STRING_value(aia, 0);
#else
        s = sk_value(aia, 0);
#endif
        if (s == NULL) {
            ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                          "\"ssl_stapling\" ignored, "
                          "no OCSP responder URL in the certificate \"%s\"",
                          staple->name);
            X509_email_free(aia);
            return NGX_DECLINED;
        }

        /*
         * point responder at a local string so the caller's (empty) one is
         * left untouched; the URL bytes are copied into cf->pool because
         * the stack returned by X509_get1_ocsp() is released below
         */

        responder = &rsp;

        responder->len = ngx_strlen(s);
        responder->data = ngx_palloc(cf->pool, responder->len);
        if (responder->data == NULL) {
            X509_email_free(aia);
            return NGX_ERROR;
        }

        ngx_memcpy(responder->data, s, responder->len);
        X509_email_free(aia);
    }

    ngx_memzero(&u, sizeof(ngx_url_t));

    u.url = *responder;
    u.default_port = 80;
    u.uri_part = 1;   /* the path is kept apart and ends up in staple->uri */

    /*
     * only "http://" (case-insensitively) is accepted, and the scheme is
     * stripped before parsing; a bare "http://" with nothing after it
     * fails the length check and is rejected as well
     */

    if (u.url.len > 7
        && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
    {
        u.url.len -= 7;
        u.url.data += 7;

    } else {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in the certificate \"%s\"",
                      &u.url, staple->name);
        return NGX_DECLINED;
    }

    if (ngx_parse_url(cf->pool, &u) != NGX_OK) {

        /*
         * u.err carries a human-readable reason for malformed input and is
         * reported as a warning; a failure without u.err is treated as an
         * internal error
         */

        if (u.err) {
            ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                          "\"ssl_stapling\" ignored, "
                          "%s in OCSP responder \"%V\" "
                          "in the certificate \"%s\"",
                          u.err, &u.url, staple->name);
            return NGX_DECLINED;
        }

        return NGX_ERROR;
    }

    staple->addrs = u.addrs;
    staple->naddrs = u.naddrs;
    staple->host = u.host;
    staple->uri = u.uri;
    staple->port = u.port;

    /* an empty path defaults to "/" so a request can always be formed */

    if (staple->uri.len == 0) {
        ngx_str_set(&staple->uri, "/");
    }

    return NGX_OK;
}
542 |
543 |
/*
 * Propagates the resolver and its timeout to the staple object of every
 * certificate attached to ssl->ctx.  Certificates are chained through
 * their ngx_ssl_next_certificate_index ex-data, starting from the one
 * stored in the SSL_CTX under ngx_ssl_certificate_index.
 *
 * cf is not used.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    X509                *x509;
    ngx_ssl_stapling_t  *st;

    x509 = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);

    while (x509) {

        /*
         * NOTE(review): no NULL check on the staple here, unlike in
         * ngx_ssl_certificate_status_callback(); this relies on every
         * certificate in this chain already carrying a staple object
         */

        st = X509_get_ex_data(x509, ngx_ssl_stapling_index);

        st->resolver = resolver;
        st->resolver_timeout = resolver_timeout;

        x509 = X509_get_ex_data(x509, ngx_ssl_next_certificate_index);
    }

    return NGX_OK;
}
562 |
563 |
/*
 * OpenSSL status_request callback: hands the cached OCSP response for the
 * connection's certificate to OpenSSL so it can be stapled into the
 * handshake.
 *
 * A response is sent only when one is cached and it is still considered
 * valid (staple->valid has not passed); stale or missing responses result
 * in SSL_TLSEXT_ERR_NOACK, i.e. no status is sent at all.  In either case
 * ngx_ssl_stapling_update() is given a chance to start a refresh.
 *
 * The data argument is not used.
 */
static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
    X509                *cert;
    u_char              *copy;
    ngx_connection_t    *c;
    ngx_ssl_stapling_t  *staple;

    c = ngx_ssl_get_connection(ssl_conn);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL certificate status callback");

    /* certificates loaded at runtime may carry no staple object at all */

    cert = SSL_get_certificate(ssl_conn);
    staple = cert ? X509_get_ex_data(cert, ngx_ssl_stapling_index) : NULL;

    if (staple == NULL) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    if (staple->staple.len == 0 || staple->valid < ngx_time()) {

        /* nothing usable to send, but a refresh may still be due */

        ngx_ssl_stapling_update(staple);
        return SSL_TLSEXT_ERR_NOACK;
    }

    /* we have to copy ocsp response as OpenSSL will free it by itself */

    copy = OPENSSL_malloc(staple->staple.len);
    if (copy == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
        return SSL_TLSEXT_ERR_NOACK;
    }

    ngx_memcpy(copy, staple->staple.data, staple->staple.len);

    SSL_set_tlsext_status_ocsp_resp(ssl_conn, copy, staple->staple.len);

    ngx_ssl_stapling_update(staple);

    return SSL_TLSEXT_ERR_OK;
}
614 |
615 |
616 static void |
617 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple) |
618 { |
619 ngx_ssl_ocsp_ctx_t *ctx; |
620 |
621 if (staple->host.len == 0 |
622 || staple->loading || staple->refresh >= ngx_time()) |
623 { |
624 return; |
625 } |
626 |
627 staple->loading = 1; |
628 |
629 ctx = ngx_ssl_ocsp_start(ngx_cycle->log); |
630 if (ctx == NULL) { |
631 return; |
632 } |
633 |
634 ctx->ssl_ctx = staple->ssl_ctx; |
635 ctx->cert = staple->cert; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
636 ctx->issuer = staple->issuer; |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
637 ctx->chain = staple->chain; |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
638 ctx->name = staple->name; |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
639 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
640 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
641 ctx->addrs = staple->addrs; |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
642 ctx->naddrs = staple->naddrs; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
643 ctx->host = staple->host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
644 ctx->uri = staple->uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
645 ctx->port = staple->port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
646 ctx->timeout = staple->timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
647 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
648 ctx->resolver = staple->resolver; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
649 ctx->resolver_timeout = staple->resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
650 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
651 ctx->handler = ngx_ssl_stapling_ocsp_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
652 ctx->data = staple; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
653 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
654 ngx_ssl_ocsp_request(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
655 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
656 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
657 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
658 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
659 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
static void
ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
{
    /*
     * Completion handler of a stapling refresh request (installed as
     * ctx->handler by the refresh code above).  Verifies the fetched
     * OCSP response, stores a private heap copy of it in the staple
     * object and schedules the next refresh.
     *
     * On any failure (verification error, a non-"good" certificate
     * status, allocation failure) the previously stapled response, if
     * any, is left in place and a retry is scheduled in 5 minutes; the
     * ctx is released in every case.
     */

    u_char              *copy;
    size_t               len;
    time_t               t;
    ngx_uint_t           failed;
    ngx_ssl_stapling_t  *st;

    st = ctx->data;
    t = ngx_time();
    failed = 1;

    if (ngx_ssl_ocsp_verify(ctx) == NGX_OK) {

        if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
            /* revoked/unknown is logged, never stapled */
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "certificate status \"%s\" in the OCSP response",
                          OCSP_cert_status_str(ctx->status));

        } else {
            /*
             * copy the response to memory not in ctx->pool
             * (presumably because ngx_ssl_ocsp_done() releases the ctx)
             */

            len = ctx->response->last - ctx->response->pos;
            copy = ngx_alloc(len, ctx->log);

            if (copy != NULL) {
                ngx_memcpy(copy, ctx->response->pos, len);

                if (st->staple.data) {
                    ngx_free(st->staple.data);
                }

                st->staple.len = len;
                st->staple.data = copy;
                st->valid = ctx->valid;

                failed = 0;
            }
        }
    }

    st->loading = 0;

    if (failed) {
        st->refresh = t + 300;

    } else {
        /*
         * refresh before the response expires,
         * but not earlier than in 5 minutes, and at least in an hour
         */
        st->refresh = ngx_max(ngx_min(ctx->valid - 300, t + 3600), t + 300);
    }

    ngx_ssl_ocsp_done(ctx);
}
717 |
718 |
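static time_t
ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time)
{
    /*
     * Converts an ASN1_GENERALIZEDTIME into a time_t.
     *
     * Returns NGX_ERROR (as time_t) if the memory BIO cannot be
     * allocated, if the time cannot be printed (malformed value), or if
     * the printed text does not parse as an HTTP date.
     */

    BIO     *bio;
    char    *value;
    long     len;
    time_t   t;

    /*
     * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME
     * into time_t.  To do this, we use ASN1_GENERALIZEDTIME_print(),
     * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
     * "Feb 3 00:55:52 2015 GMT"), and parse the result.
     */

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        return NGX_ERROR;
    }

    t = NGX_ERROR;

    /* fake weekday prepended to match C asctime() format */

    if (BIO_write(bio, "Tue ", sizeof("Tue ") - 1) <= 0) {
        goto done;
    }

    /*
     * a malformed time is rejected here explicitly, instead of relying
     * on whatever text a failed print leaves in the BIO being unparsable
     */

    if (ASN1_GENERALIZEDTIME_print(bio, asn1time) != 1) {
        goto done;
    }

    len = BIO_get_mem_data(bio, &value);
    if (len <= 0) {
        goto done;
    }

    t = ngx_parse_http_time((u_char *) value, (size_t) len);

done:

    BIO_free(bio);

    return t;
}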
751 |
752 |
static void
ngx_ssl_stapling_cleanup(void *data)
{
    /*
     * Cleanup handler for a staple object (data is an ngx_ssl_stapling_t).
     * Drops the issuer certificate reference and the heap copy of the
     * stapled OCSP response allocated with ngx_alloc() in
     * ngx_ssl_stapling_ocsp_handler().
     */

    ngx_ssl_stapling_t  *st = data;

    if (st->issuer != NULL) {
        X509_free(st->issuer);
    }

    if (st->staple.data != NULL) {
        ngx_free(st->staple.data);
    }
}
766 |
767 |
ngx_int_t
ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
    ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
{
    /*
     * Allocates the per-SSL_CTX OCSP configuration and stores it in the
     * context's ex_data slot ngx_ssl_ocsp_index.
     *
     * responder: explicit responder URL.  When non-empty it must start
     *            with "http://" (case-insensitive); the scheme is stripped
     *            and the rest is parsed with ngx_parse_url(), default
     *            port 80.  When empty, no responder address is stored.
     * depth:     stored as ocf->depth.
     * shm_zone:  stored as ocf->shm_zone.
     *
     * Returns NGX_OK, or NGX_ERROR after logging at NGX_LOG_EMERG.
     */

    ngx_url_t             url;
    ngx_ssl_ocsp_conf_t  *conf;

    conf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t));
    if (conf == NULL) {
        return NGX_ERROR;
    }

    conf->depth = depth;
    conf->shm_zone = shm_zone;

    if (responder->len == 0) {
        goto done;
    }

    ngx_memzero(&url, sizeof(ngx_url_t));

    url.url = *responder;
    url.default_port = 80;
    url.uri_part = 1;

    /* the "http://" prefix is mandatory; anything else is a config error */

    if (url.url.len <= 7
        || ngx_strncasecmp(url.url.data, (u_char *) "http://", 7) != 0)
    {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in \"ssl_ocsp_responder\"", &url.url);
        return NGX_ERROR;
    }

    url.url.len -= 7;
    url.url.data += 7;

    if (ngx_parse_url(cf->pool, &url) != NGX_OK) {
        if (url.err) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "%s in OCSP responder \"%V\" "
                          "in \"ssl_ocsp_responder\"", url.err, &url.url);
        }

        return NGX_ERROR;
    }

    conf->addrs = url.addrs;
    conf->naddrs = url.naddrs;
    conf->host = url.host;
    conf->uri = url.uri;
    conf->port = url.port;

done:

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, conf) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
828 |
829 |
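ngx_int_t
ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    /*
     * Attaches the resolver used for OCSP responder lookups to the OCSP
     * configuration that ngx_ssl_ocsp() stored in ssl->ctx.
     *
     * Returns NGX_ERROR, after logging, when the context carries no OCSP
     * configuration (ngx_ssl_ocsp() was not called or failed) instead of
     * dereferencing a NULL pointer; NGX_OK otherwise.
     */

    ngx_ssl_ocsp_conf_t  *ocf;

    ocf = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_ocsp_index);

    if (ocf == NULL) {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "no OCSP configuration in SSL context, "
                      "ngx_ssl_ocsp() must be called first");
        return NGX_ERROR;
    }

    ocf->resolver = resolver;
    ocf->resolver_timeout = resolver_timeout;

    return NGX_OK;
}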
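/*
 * Starts OCSP validation of the peer (client) certificate on connection c
 * once the regular chain verification has succeeded.
 *
 * The chain to validate is taken from SSL_get0_verified_chain() when the
 * OpenSSL build provides it; otherwise the peer certificate is verified
 * once more against the context's certificate store and the resulting
 * chain is used.  A per-connection ngx_ssl_ocsp_t is allocated from
 * c->pool and stored in c->ssl->ocsp; the responder queries themselves are
 * driven by ngx_ssl_ocsp_validate_next().
 *
 * Returns NGX_OK when validation is not applicable (OCSP not configured,
 * chain verification already failed, no peer certificate) or completed
 * synchronously; NGX_AGAIN while responder queries are still in flight,
 * in which case c->ssl->in_ocsp is set and the caller is expected to call
 * again; NGX_ERROR on failure.
 */
ngx_int_t
ngx_ssl_ocsp_validate(ngx_connection_t *c)
{
    X509                 *cert;
    SSL_CTX              *ssl_ctx;
    ngx_int_t             rc;
    X509_STORE           *store;
    X509_STORE_CTX       *store_ctx;
    STACK_OF(X509)       *chain;
    ngx_ssl_ocsp_t       *ocsp;
    ngx_ssl_ocsp_conf_t  *ocf;

    if (c->ssl->in_ocsp) {

        /* an earlier call is still waiting for responders: keep events armed */

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        return NGX_AGAIN;
    }

    ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);

    /* no OCSP configuration on this context: validation is not enabled */

    ocf = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ocsp_index);
    if (ocf == NULL) {
        return NGX_OK;
    }

    /*
     * a chain that already failed verification is not checked for
     * revocation; the verify result itself is left for the caller to act on
     */

    if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
        return NGX_OK;
    }

    /*
     * SSL_get_peer_certificate() returns a new reference which must be
     * released with X509_free() on every path below, including errors;
     * otherwise one X509 leaks per validated connection
     */

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
    if (ocsp == NULL) {
        goto failed;
    }

    c->ssl->ocsp = ocsp;

    ocsp->status = NGX_AGAIN;
    ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
    ocsp->conf = ocf;

#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)

    /*
     * prefer the chain OpenSSL actually verified; get0 returns a borrowed
     * stack, so take our own references with X509_chain_up_ref()
     */

    ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);

    if (ocsp->certs) {
        ocsp->certs = X509_chain_up_ref(ocsp->certs);
        if (ocsp->certs == NULL) {
            goto failed;
        }
    }

#endif

    if (ocsp->certs == NULL) {

        /*
         * no verified chain is available (older OpenSSL or LibreSSL):
         * rebuild it by verifying the peer certificate against the
         * context's store once more
         */

        store = SSL_CTX_get_cert_store(ssl_ctx);
        if (store == NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "SSL_CTX_get_cert_store() failed");
            goto failed;
        }

        store_ctx = X509_STORE_CTX_new();
        if (store_ctx == NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "X509_STORE_CTX_new() failed");
            goto failed;
        }

        chain = SSL_get_peer_cert_chain(c->ssl->connection);

        if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "X509_STORE_CTX_init() failed");
            X509_STORE_CTX_free(store_ctx);
            goto failed;
        }

        rc = X509_verify_cert(store_ctx);
        if (rc <= 0) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
            X509_STORE_CTX_free(store_ctx);
            goto failed;
        }

        /* get1: ocsp->certs holds its own references to the chain */

        ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx);
        if (ocsp->certs == NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "X509_STORE_CTX_get1_chain() failed");
            X509_STORE_CTX_free(store_ctx);
            goto failed;
        }

        X509_STORE_CTX_free(store_ctx);
    }

    /* the chain now carries its own references; the peer cert is not needed */

    X509_free(cert);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs));

    ngx_ssl_ocsp_validate_next(c);

    if (ocsp->status == NGX_AGAIN) {
        c->ssl->in_ocsp = 1;
        return NGX_AGAIN;
    }

    return NGX_OK;

failed:

    X509_free(cert);

    return NGX_ERROR;
}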
964 static void |
965 ngx_ssl_ocsp_validate_next(ngx_connection_t *c) |
966 { |
967 ngx_int_t rc; |
968 ngx_uint_t n; |
969 ngx_ssl_ocsp_t *ocsp; |
970 ngx_ssl_ocsp_ctx_t *ctx; |
971 ngx_ssl_ocsp_conf_t *ocf; |
973 ocsp = c->ssl->ocsp; |
974 ocf = ocsp->conf; |
976 n = sk_X509_num(ocsp->certs); |
978 for ( ;; ) { |
980 if (ocsp->ncert == n - 1 || (ocf->depth == 2 && ocsp->ncert == 1)) { |
981 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
982 "ssl ocsp validated, certs:%ui", ocsp->ncert); |
983 rc = NGX_OK; |
984 goto done; |
985 } |
987 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
988 "ssl ocsp validate cert:%ui", ocsp->ncert); |
990 ctx = ngx_ssl_ocsp_start(c->log); |
991 if (ctx == NULL) { |
992 rc = NGX_ERROR; |
993 goto done; |
994 } |
996 ocsp->ctx = ctx; |
998 ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection); |
999 ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert); |
1000 ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1); |
1001 ctx->chain = ocsp->certs; |
1003 ctx->resolver = ocf->resolver; |
1004 ctx->resolver_timeout = ocf->resolver_timeout; |
1006 ctx->handler = ngx_ssl_ocsp_handler; |
1007 ctx->data = c; |
1009 ctx->shm_zone = ocf->shm_zone; |
1011 ctx->addrs = ocf->addrs; |
1012 ctx->naddrs = ocf->naddrs; |
1013 ctx->host = ocf->host; |
1014 ctx->uri = ocf->uri; |
1015 ctx->port = ocf->port; |
1017 rc = ngx_ssl_ocsp_responder(c, ctx); |
1018 if (rc != NGX_OK) { |
1019 goto done; |
1020 } |
1022 if (ctx->uri.len == 0) { |
1023 ngx_str_set(&ctx->uri, "/"); |
1024 } |
1026 ocsp->ncert++; |
1028 rc = ngx_ssl_ocsp_cache_lookup(ctx); |
1030 if (rc == NGX_ERROR) { |
1031 goto done; |
1032 } |
1034 if (rc == NGX_DECLINED) { |
1035 break; |
1036 } |
1038 /* rc == NGX_OK */ |
1039 |
1040 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) { |
1041 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
1042 "ssl ocsp cached status \"%s\"", |
1043 OCSP_cert_status_str(ctx->status)); |
1044 ocsp->cert_status = ctx->status; |
1045 goto done; |
1046 } |
1047 |
1048 ocsp->ctx = NULL; |
1049 ngx_ssl_ocsp_done(ctx); |
1050 } |
1051 |
1052 ngx_ssl_ocsp_request(ctx); |
1053 return; |
1054 |
1055 done: |
1056 |
1057 ocsp->status = rc; |
1058 |
1059 if (c->ssl->in_ocsp) { |
1060 c->ssl->handshaked = 1; |
1061 c->ssl->handler(c); |
1062 } |
1063 } |
1064 |
1065 |
static void
ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t          rc;
    ngx_ssl_ocsp_t    *ocsp;
    ngx_connection_t  *c;

    c = ctx->data;
    ocsp = c->ssl->ocsp;

    /*
     * detach the request context from the connection first: whatever
     * happens below, ctx is released by this function and must not be
     * released a second time by ngx_ssl_ocsp_cleanup()
     */

    ocsp->ctx = NULL;

    rc = ngx_ssl_ocsp_verify(ctx);

    if (rc == NGX_OK) {
        rc = ngx_ssl_ocsp_cache_store(ctx);
    }

    if (rc == NGX_OK && ctx->status == V_OCSP_CERTSTATUS_GOOD) {
        /* verified, cached and "good": hand over to the next validation step */
        ngx_ssl_ocsp_done(ctx);
        ngx_ssl_ocsp_validate_next(c);
        return;
    }

    if (rc == NGX_OK) {
        /* verified and cached, but the responder did not answer "good" */
        ocsp->cert_status = ctx->status;
    }

    /*
     * terminal outcome for this connection: either the status request
     * or its verification failed (rc != NGX_OK, later reported by
     * ngx_ssl_ocsp_get_status()), or the certificate status is not good
     */

    ocsp->status = rc;
    ngx_ssl_ocsp_done(ctx);

    /* in_ocsp presumably marks a handshake parked on this lookup; resume it */

    if (c->ssl->in_ocsp) {
        c->ssl->handshaked = 1;
        c->ssl->handler(c);
    }
}
1108 |
1109 |
static ngx_int_t
ngx_ssl_ocsp_responder(ngx_connection_t *c, ngx_ssl_ocsp_ctx_t *ctx)
{
    char                      *url;
    ngx_str_t                  responder;
    ngx_url_t                  u;
    STACK_OF(OPENSSL_STRING)  *aia;

    /* an explicitly configured responder (host already set) takes precedence */

    if (ctx->host.len) {
        return NGX_OK;
    }

    /*
     * otherwise use the first OCSP URL from the certificate's Authority
     * Information Access extension; this value comes from the certificate
     * being checked, so it is only as trustworthy as the chain that
     * certificate was (presumably already) verified against
     */

    aia = X509_get1_ocsp(ctx->cert);
    if (aia == NULL) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        return NGX_ERROR;
    }

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    url = sk_OPENSSL_STRING_value(aia, 0);
#else
    url = sk_value(aia, 0);
#endif

    if (url == NULL) {
        X509_email_free(aia);
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        return NGX_ERROR;
    }

    /* copy the URL into the context pool before the OpenSSL stack goes away */

    responder.len = ngx_strlen(url);
    responder.data = ngx_palloc(ctx->pool, responder.len);

    if (responder.data == NULL) {
        X509_email_free(aia);
        return NGX_ERROR;
    }

    ngx_memcpy(responder.data, url, responder.len);
    X509_email_free(aia);

    ngx_memzero(&u, sizeof(ngx_url_t));

    u.url = responder;
    u.default_port = 80;
    u.uri_part = 1;
    u.no_resolve = 1;   /* the host is left unresolved at this point */

    /* only plain "http://" responders are accepted: strip the scheme */

    if (u.url.len <= 7
        || ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) != 0)
    {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in certificate", &u.url);
        return NGX_ERROR;
    }

    u.url.data += 7;
    u.url.len -= 7;

    if (ngx_parse_url(ctx->pool, &u) != NGX_OK) {
        if (u.err) {
            ngx_log_error(NGX_LOG_ERR, c->log, 0,
                          "%s in OCSP responder \"%V\" in certificate",
                          u.err, &u.url);
        }

        return NGX_ERROR;
    }

    if (u.host.len == 0) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "empty host in OCSP responder in certificate");
        return NGX_ERROR;
    }

    /* publish the parsed responder location on the request context */

    ctx->addrs = u.addrs;
    ctx->naddrs = u.naddrs;
    ctx->host = u.host;
    ctx->uri = u.uri;
    ctx->port = u.port;

    return NGX_OK;
}
1197 |
1198 |
ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    ngx_ssl_ocsp_t  *ocsp;

    ocsp = c->ssl->ocsp;

    /* no OCSP state on this connection: nothing to object to */

    if (ocsp == NULL) {
        return NGX_OK;
    }

    /*
     * the status request itself failed (recorded by ngx_ssl_ocsp_handler());
     * *s receives a human-readable reason for the caller to log or report
     */

    if (ocsp->status == NGX_ERROR) {
        *s = "certificate status request failed";
        return NGX_DECLINED;
    }

    if (ocsp->cert_status == V_OCSP_CERTSTATUS_GOOD) {
        return NGX_OK;
    }

    if (ocsp->cert_status == V_OCSP_CERTSTATUS_REVOKED) {
        *s = "certificate revoked";

    } else {
        /* V_OCSP_CERTSTATUS_UNKNOWN, or any unexpected value: fail closed */
        *s = "certificate status unknown";
    }

    return NGX_DECLINED;
}
1229 |
1230 |
void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
    ngx_ssl_ocsp_t  *ocsp = c->ssl->ocsp;

    if (ocsp == NULL) {
        return;
    }

    /*
     * abort an in-flight responder request, if any; the pointer is cleared
     * so a later call (or the request handler itself) cannot release it again
     */

    if (ocsp->ctx != NULL) {
        ngx_ssl_ocsp_done(ocsp->ctx);
        ocsp->ctx = NULL;
    }

    /* drop the X509 stack still held for validation, same idempotence rule */

    if (ocsp->certs != NULL) {
        sk_X509_pop_free(ocsp->certs, X509_free);
        ocsp->certs = NULL;
    }
}
/*
 * Allocates a fresh OCSP request context in a pool of its own.
 *
 * The context gets a private copy of the pool's log whose handler is
 * ngx_ssl_ocsp_log_error and whose data is the context, so that every
 * diagnostic emitted while talking to the responder is tagged with the
 * "requesting certificate status" action and this context's details.
 * The pool is switched to that log copy as well.
 *
 * Returns NULL on allocation failure; the pool is destroyed on every
 * failure path, so nothing leaks.  The returned context (and the log it
 * carries) lives in ctx->pool and is released by ngx_ssl_ocsp_done().
 */
static ngx_ssl_ocsp_ctx_t *
ngx_ssl_ocsp_start(ngx_log_t *log)
{
    ngx_log_t           *ctx_log;
    ngx_pool_t          *pool;
    ngx_ssl_ocsp_ctx_t  *ctx;

    pool = ngx_create_pool(2048, log);
    if (pool == NULL) {
        return NULL;
    }

    ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t));
    if (ctx == NULL) {
        goto failed;
    }

    ctx_log = ngx_palloc(pool, sizeof(ngx_log_t));
    if (ctx_log == NULL) {
        goto failed;
    }

    ctx->pool = pool;

    /* start from the pool's current log, then override handler and data */
    *ctx_log = *pool->log;

    ctx_log->handler = ngx_ssl_ocsp_log_error;
    ctx_log->data = ctx;
    ctx_log->action = "requesting certificate status";

    pool->log = ctx_log;
    ctx->log = ctx_log;

    return ctx;

failed:

    ngx_destroy_pool(pool);

    return NULL;
}
/*
 * Finishes an OCSP request context: closes the connection to the
 * responder if one is still open, then destroys the context's pool.
 * ctx itself (and ctx->log) was allocated from that pool, so the
 * context must not be touched after this returns.
 */
static void
ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_connection_t  *peer;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp done");

    peer = ctx->peer.connection;

    if (peer != NULL) {
        ngx_close_connection(peer);
    }

    /* ctx->log lives in this pool too: no logging after this point */
    ngx_destroy_pool(ctx->pool);
}
/*
 * Reports failure of the OCSP request to the context owner.
 *
 * ctx->code is reset to 0 before the completion handler runs.
 * NOTE(review): the handler presumably treats code 0 as "no usable
 * response"; confirm against the handlers assigned to ctx->handler.
 */
static void
ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp error");

    ctx->code = 0;

    ctx->handler(ctx);
}
/*
 * Moves on to the next responder address after the current one failed.
 *
 * When no addresses remain the whole request fails via
 * ngx_ssl_ocsp_error().  Otherwise the request buffer is rewound so the
 * same request is resent, whatever was read of the previous response is
 * dropped, the current responder connection is closed, the parser state
 * is reset and a new connect attempt is started.
 */
static void
ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_buf_t  *b;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp next");

    ctx->naddr++;

    if (ctx->naddr >= ctx->naddrs) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    /* resend the request body from its beginning */
    b = ctx->request;
    b->pos = b->start;

    /* discard any partial response from the previous responder */
    b = ctx->response;
    if (b != NULL) {
        b->last = b->pos;
    }

    if (ctx->peer.connection != NULL) {
        ngx_close_connection(ctx->peer.connection);
        ctx->peer.connection = NULL;
    }

    ctx->state = 0;
    ctx->count = 0;
    ctx->done = 0;

    ngx_ssl_ocsp_connect(ctx);
}
/*
 * Builds the OCSP request and starts delivering it to the responder.
 *
 * Without a resolver the connect is attempted right away using the
 * addresses the context already holds.  With a resolver the responder
 * host is looked up first and the connect happens later from
 * ngx_ssl_ocsp_resolve_handler().  If ngx_resolve_start() reports
 * NGX_NO_RESOLVER, the request still proceeds with the known addresses
 * and only warns; it fails when there are none (ctx->naddrs == 0).
 * Every failure path ends in ngx_ssl_ocsp_error().
 */
static void
ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_resolver_ctx_t  *rctx, temp;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp request");

    if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (ctx->resolver == NULL) {
        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    /* resolve OCSP responder hostname */

    temp.name = ctx->host;

    rctx = ngx_resolve_start(ctx->resolver, &temp);

    if (rctx == NULL) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (rctx == NGX_NO_RESOLVER) {

        if (ctx->naddrs == 0) {
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "no resolver defined to resolve %V", &ctx->host);
            ngx_ssl_ocsp_error(ctx);
            return;
        }

        ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
                      "no resolver defined to resolve %V", &ctx->host);

        /* fall back to the addresses the context already knows */
        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    rctx->name = ctx->host;
    rctx->handler = ngx_ssl_ocsp_resolve_handler;
    rctx->data = ctx;

    /* bounds the lookup so a slow or silent DNS server cannot stall us */
    rctx->timeout = ctx->resolver_timeout;

    if (ngx_resolve_name(rctx) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
    }
}
1403 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1404 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1405 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1406 ngx_ssl_ocsp_ctx_t *ctx = resolve->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1407 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1408 u_char *p; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1409 size_t len; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1410 socklen_t socklen; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1411 ngx_uint_t i; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1412 struct sockaddr *sockaddr; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1413 |
5234
a855ae7e6377
OCSP stapling: fixed incorrect debug level.
Ruslan Ermilov <ru@nginx.com>
parents:
5215
diff
changeset
|
1414 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1415 "ssl ocsp resolve handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1416 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1417 if (resolve->state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1418 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1419 "%V could not be resolved (%i: %s)", |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1420 &resolve->name, resolve->state, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1421 ngx_resolver_strerror(resolve->state)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1422 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1423 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1424 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1425 #if (NGX_DEBUG) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1426 { |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1427 u_char text[NGX_SOCKADDR_STRLEN]; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1428 ngx_str_t addr; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1429 |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1430 addr.data = text; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1431 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1432 for (i = 0; i < resolve->naddrs; i++) { |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1433 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1434 resolve->addrs[i].socklen, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1435 text, NGX_SOCKADDR_STRLEN, 0); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1436 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1437 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1438 "name was resolved to %V", &addr); |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1439 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1440 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1441 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1442 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1443 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1444 ctx->naddrs = resolve->naddrs; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1445 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1446 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1447 if (ctx->addrs == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1448 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1449 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1450 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1451 for (i = 0; i < resolve->naddrs; i++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1452 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1453 socklen = resolve->addrs[i].socklen; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1454 |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1455 sockaddr = ngx_palloc(ctx->pool, socklen); |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1456 if (sockaddr == NULL) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1457 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1458 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1459 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1460 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen); |
1461 ngx_inet_set_port(sockaddr, ctx->port); |
1462 |
1463 ctx->addrs[i].sockaddr = sockaddr; |
1464 ctx->addrs[i].socklen = socklen; |
1465 |
1466 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN); |
1467 if (p == NULL) { |
1468 goto failed; |
1469 } |
1470 |
1471 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1); |
1472 |
1473 ctx->addrs[i].name.len = len; |
1474 ctx->addrs[i].name.data = p; |
1475 } |
1476 |
1477 ngx_resolve_name_done(resolve); |
1478 |
1479 ngx_ssl_ocsp_connect(ctx); |
1480 return; |
1481 |
1482 failed: |
1483 |
1484 ngx_resolve_name_done(resolve); |
1485 ngx_ssl_ocsp_error(ctx); |
1486 } |
static void
ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx)
{
    /*
     * Open a connection to the responder address selected by ctx->naddr
     * and install the request/response handlers on it.  Nothing in this
     * function negotiates TLS: the transport to the responder is not
     * authenticated here, so trust in what comes back has to be
     * established when the response is processed (outside this function).
     *
     * NGX_ERROR from the connect aborts the exchange via ngx_ssl_ocsp_error();
     * NGX_BUSY / NGX_DECLINED give up on this address and advance to the
     * next one via ngx_ssl_ocsp_next().
     */
    ngx_int_t          rc;
    ngx_addr_t        *addr;
    ngx_connection_t  *c;

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs);

    addr = &ctx->addrs[ctx->naddr];

    ctx->peer.sockaddr = addr->sockaddr;
    ctx->peer.socklen = addr->socklen;
    ctx->peer.name = &addr->name;
    ctx->peer.get = ngx_event_get_peer;
    ctx->peer.log = ctx->log;
    ctx->peer.log_error = NGX_ERROR_ERR;

    rc = ngx_event_connect_peer(&ctx->peer);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp connect peer done");

    switch (rc) {

    case NGX_ERROR:
        ngx_ssl_ocsp_error(ctx);
        return;

    case NGX_BUSY:
    case NGX_DECLINED:
        /* this address is unusable; move on to the next responder address */
        ngx_ssl_ocsp_next(ctx);
        return;

    default:
        /* any other code: ctx->peer.connection is relied upon below */
        break;
    }

    c = ctx->peer.connection;

    c->data = ctx;
    c->pool = ctx->pool;

    c->read->handler = ngx_ssl_ocsp_read_handler;
    c->write->handler = ngx_ssl_ocsp_write_handler;

    /* the response parser starts with the HTTP status line */
    ctx->process = ngx_ssl_ocsp_process_status_line;

    /* bound both directions so an unresponsive responder cannot hold ctx forever */
    if (ctx->timeout) {
        ngx_add_timer(c->read, ctx->timeout);
        ngx_add_timer(c->write, ctx->timeout);
    }

    if (rc == NGX_OK) {
        /* connected immediately: send the request without waiting for a write event */
        ngx_ssl_ocsp_write_handler(c->write);
    }
}
static void
ngx_ssl_ocsp_write_handler(ngx_event_t *wev)
{
    /*
     * Write-event handler for the responder connection.  Sends whatever is
     * still pending in ctx->request (the bytes between pos and last).  When
     * the request has been written in full, the write side is parked on the
     * dummy handler and its timer dropped; the read side keeps going.
     *
     * A write timeout or a send error is treated as "this responder address
     * is not usable" and advances to the next one via ngx_ssl_ocsp_next().
     * Only a failure to re-arm the write event is fatal (ngx_ssl_ocsp_error()).
     */
    ssize_t              sent, pending;
    ngx_buf_t           *req;
    ngx_connection_t    *c;
    ngx_ssl_ocsp_ctx_t  *ctx;

    c = wev->data;
    ctx = c->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0,
                   "ssl ocsp write handler");

    if (wev->timedout) {
        ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT,
                      "OCSP responder timed out");
        ngx_ssl_ocsp_next(ctx);
        return;
    }

    req = ctx->request;
    pending = req->last - req->pos;

    sent = ngx_send(c, req->pos, pending);

    if (sent == NGX_ERROR) {
        ngx_ssl_ocsp_next(ctx);
        return;
    }

    if (sent > 0) {
        req->pos += sent;
    }

    if (sent > 0 && sent == pending) {
        /* request fully written: nothing more to send on this connection */
        wev->handler = ngx_ssl_ocsp_dummy_handler;

        if (wev->timer_set) {
            ngx_del_timer(wev);
        }

        if (ngx_handle_write_event(wev, 0) != NGX_OK) {
            ngx_ssl_ocsp_error(ctx);
        }

        return;
    }

    /* partial write or NGX_AGAIN: make sure the write timeout is armed */
    if (!wev->timer_set && ctx->timeout) {
        ngx_add_timer(wev, ctx->timeout);
    }
}
static void
ngx_ssl_ocsp_read_handler(ngx_event_t *rev)
{
    /*
     * Read-event handler for the responder connection.  Drains the socket
     * into ctx->response and feeds each chunk to ctx->process(), which
     * parses the HTTP reply incrementally.
     *
     * The response buffer is a fixed 16384 bytes allocated from ctx->pool
     * on the first read and never grown here.  What happens once it is
     * full is decided by ngx_recv() and ctx->process(), not by this
     * function -- NOTE(review): confirm that an oversized response fails
     * cleanly rather than being misparsed.
     *
     * Timeouts, parse errors and an early close move on to the next
     * responder address (ngx_ssl_ocsp_next()); allocation or event
     * registration failures abort the exchange (ngx_ssl_ocsp_error()).
     */
    ssize_t              n, room;
    ngx_buf_t           *b;
    ngx_connection_t    *c;
    ngx_ssl_ocsp_ctx_t  *ctx;

    c = rev->data;
    ctx = c->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0,
                   "ssl ocsp read handler");

    if (rev->timedout) {
        ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT,
                      "OCSP responder timed out");
        ngx_ssl_ocsp_next(ctx);
        return;
    }

    if (ctx->response == NULL) {
        ctx->response = ngx_create_temp_buf(ctx->pool, 16384);

        if (ctx->response == NULL) {
            ngx_ssl_ocsp_error(ctx);
            return;
        }
    }

    do {
        /* re-read the buffer pointer each pass; ctx->process() runs in between */
        b = ctx->response;
        room = b->end - b->last;

        n = ngx_recv(c, b->last, room);

        if (n == NGX_AGAIN) {
            /* nothing more for now: wait for the next read event */
            if (ngx_handle_read_event(rev, 0) != NGX_OK) {
                ngx_ssl_ocsp_error(ctx);
            }

            return;
        }

        if (n <= 0) {
            /* 0 or an error other than NGX_AGAIN: the stream is finished */
            break;
        }

        b->last += n;

        if (ctx->process(ctx) == NGX_ERROR) {
            ngx_ssl_ocsp_next(ctx);
            return;
        }

    } while (1);

    /* let the parser see the final state with the "no more data" flag set */
    ctx->done = 1;

    if (ctx->process(ctx) == NGX_DONE) {
        /* ctx->handler() was called */
        return;
    }

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder prematurely closed connection");

    ngx_ssl_ocsp_next(ctx);
}
static void
ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev)
{
    /*
     * Placeholder installed on the write event once the whole OCSP request
     * has been sent (see ngx_ssl_ocsp_write_handler()), so that any further
     * write notifications on the connection are only logged at debug level
     * and otherwise ignored.
     */
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0,
                   "ssl ocsp dummy handler");
}
1679 static ngx_int_t |
1680 ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx) |
1681 { |
1682 int len; |
1683 u_char *p; |
1684 uintptr_t escape; |
1685 ngx_str_t binary, base64; |
1686 ngx_buf_t *b; |
1687 OCSP_CERTID *id; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1688 OCSP_REQUEST *ocsp; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1689 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1690 ocsp = OCSP_REQUEST_new(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1691 if (ocsp == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1692 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1693 "OCSP_REQUEST_new() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1694 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1695 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1696 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1697 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1698 if (id == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1699 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1700 "OCSP_cert_to_id() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1701 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1702 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1703 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1704 if (OCSP_request_add0_id(ocsp, id) == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1705 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1706 "OCSP_request_add0_id() failed"); |
6064
ff957cd36860
OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents:
5777
diff
changeset
|
1707 OCSP_CERTID_free(id); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1708 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1709 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1710 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1711 len = i2d_OCSP_REQUEST(ocsp, NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1712 if (len <= 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1713 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1714 "i2d_OCSP_REQUEST() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1715 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1716 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1717 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1718 binary.len = len; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1719 binary.data = ngx_palloc(ctx->pool, len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1720 if (binary.data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1721 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1722 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1723 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1724 p = binary.data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1725 len = i2d_OCSP_REQUEST(ocsp, &p); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1726 if (len <= 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1727 ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1728 "i2d_OCSP_REQUEST() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1729 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1730 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1731 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1732 base64.len = ngx_base64_encoded_length(binary.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1733 base64.data = ngx_palloc(ctx->pool, base64.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1734 if (base64.data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1735 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1736 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1737 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1738 ngx_encode_base64(&base64, &binary); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1739 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1740 escape = ngx_escape_uri(NULL, base64.data, base64.len, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1741 NGX_ESCAPE_URI_COMPONENT); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1742 |
4880
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1743 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1744 "ssl ocsp request length %z, escape %d", |
6480 | 1745 base64.len, (int) escape); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1746 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1747 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1748 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1749 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1750 + sizeof(CRLF) - 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1751 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1752 b = ngx_create_temp_buf(ctx->pool, len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1753 if (b == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1754 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1755 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1756 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1757 p = b->last; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1758 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1759 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1760 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1761 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1762 if (ctx->uri.data[ctx->uri.len - 1] != '/') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1763 *p++ = '/'; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1764 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1765 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1766 if (escape == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1767 p = ngx_cpymem(p, base64.data, base64.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1768 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1769 } else { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1770 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1771 NGX_ESCAPE_URI_COMPONENT); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1772 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1773 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1774 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1775 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1776 p = ngx_cpymem(p, ctx->host.data, ctx->host.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1777 *p++ = CR; *p++ = LF; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1778 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1779 /* add "\r\n" at the header end */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1780 *p++ = CR; *p++ = LF; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1781 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1782 b->last = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1783 ctx->request = b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1784 |
5683
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1785 OCSP_REQUEST_free(ocsp); |
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1786 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1787 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1788 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1789 failed: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1790 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1791 OCSP_REQUEST_free(ocsp); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1792 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1793 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1794 } |
1795 |
1796 |
/*
 * Stage of the OCSP responder reply parser: consumes the HTTP status line
 * through ngx_ssl_ocsp_parse_status_line() and, once it is complete, hands
 * the remaining input to the header stage.
 *
 * Returns whatever the header stage returns on success, NGX_AGAIN when
 * more input is needed, and NGX_ERROR (after logging) when the status line
 * is malformed.
 */
static ngx_int_t
ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    switch (ngx_ssl_ocsp_parse_status_line(ctx)) {

    case NGX_AGAIN:
        /* status line not complete yet, wait for more data */
        return NGX_AGAIN;

    case NGX_OK:
        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp status %ui \"%*s\"",
                       ctx->code,
                       ctx->header_end - ctx->header_start,
                       ctx->header_start);

        /* status line done, advance the state machine to the headers */
        ctx->process = ngx_ssl_ocsp_process_headers;
        return ctx->process(ctx);

    default:
        /* NGX_ERROR */
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP responder sent invalid response");
        return NGX_ERROR;
    }
}
1826 |
1827 |
1828 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1829 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1830 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1831 u_char ch; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1832 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1833 ngx_buf_t *b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1834 enum { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1835 sw_start = 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1836 sw_H, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1837 sw_HT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1838 sw_HTT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1839 sw_HTTP, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1840 sw_first_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1841 sw_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1842 sw_first_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1843 sw_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1844 sw_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1845 sw_space_after_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1846 sw_status_text, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1847 sw_almost_done |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1848 } state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1849 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1850 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1851 "ssl ocsp process status line"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1852 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1853 state = ctx->state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1854 b = ctx->response; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1855 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1856 for (p = b->pos; p < b->last; p++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1857 ch = *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1858 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1859 switch (state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1860 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1861 /* "HTTP/" */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1862 case sw_start: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1863 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1864 case 'H': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1865 state = sw_H; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1866 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1867 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1868 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1869 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1870 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1871 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1872 case sw_H: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1873 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1874 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1875 state = sw_HT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1876 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1877 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1878 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1879 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1880 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1881 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1882 case sw_HT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1883 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1884 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1885 state = sw_HTT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1886 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1887 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1888 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1889 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1890 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1891 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1892 case sw_HTT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1893 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1894 case 'P': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1895 state = sw_HTTP; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1896 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1897 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1898 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1899 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1900 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1901 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1902 case sw_HTTP: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1903 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1904 case '/': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1905 state = sw_first_major_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1906 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1907 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1908 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1909 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1910 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1911 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1912 /* the first digit of major HTTP version */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1913 case sw_first_major_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1914 if (ch < '1' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1915 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1916 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1917 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1918 state = sw_major_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1919 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1920 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1921 /* the major HTTP version or dot */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1922 case sw_major_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1923 if (ch == '.') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1924 state = sw_first_minor_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1925 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1926 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1927 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1928 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1929 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1930 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1931 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1932 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1933 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1934 /* the first digit of minor HTTP version */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1935 case sw_first_minor_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1936 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1937 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1938 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1939 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1940 state = sw_minor_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1941 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1942 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1943 /* the minor HTTP version or the end of the request line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1944 case sw_minor_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1945 if (ch == ' ') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1946 state = sw_status; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1947 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1948 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1949 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1950 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1951 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1952 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1953 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1954 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1955 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1956 /* HTTP status code */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1957 case sw_status: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1958 if (ch == ' ') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1959 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1960 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1961 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1962 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1963 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1964 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1965 |
7067
e3723f2a11b7
Parenthesized ASCII-related calculations.
Valentin Bartenev <vbart@nginx.com>
parents:
6842
diff
changeset
|
1966 ctx->code = ctx->code * 10 + (ch - '0'); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1967 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1968 if (++ctx->count == 3) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1969 state = sw_space_after_status; |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1970 ctx->header_start = p - 2; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1971 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1972 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1973 break; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1974 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1975 /* space or end of line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1976 case sw_space_after_status: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1977 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1978 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1979 state = sw_status_text; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1980 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1981 case '.': /* IIS may send 403.1, 403.2, etc */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1982 state = sw_status_text; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1983 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1984 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1985 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1986 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1987 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1988 ctx->header_end = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1989 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1990 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1991 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1992 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1993 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1994 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1995 /* any text until end of line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1996 case sw_status_text: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1997 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1998 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1999 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2000 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2001 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
2002 ctx->header_end = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2003 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2004 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2005 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2006 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2007 /* end of status line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2008 case sw_almost_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2009 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2010 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
2011 ctx->header_end = p - 1; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2012 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2013 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2014 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2015 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2016 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2017 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2018 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2019 b->pos = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2020 ctx->state = state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2021 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2022 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2023 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2024 done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2025 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2026 b->pos = p + 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2027 ctx->state = sw_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2028 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2029 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2030 } |
2031 |
2032 |
/*
 * Walks the HTTP header block of the OCSP responder's reply, one header
 * line per ngx_ssl_ocsp_parse_header_line() call, until the empty line
 * that terminates it.
 *
 * Every header is logged at debug level.  The only header that is acted
 * upon is "Content-Type": when present its value has to be exactly
 * "application/ocsp-response" (both name and value are compared
 * case-insensitively), otherwise the reply is rejected.  "Content-Length"
 * is currently not honored (see the TODO below).
 *
 * Returns NGX_AGAIN when more input is needed, NGX_ERROR when the header
 * block is malformed or carries a wrong Content-Type, and otherwise
 * switches ctx->process to ngx_ssl_ocsp_process_body() and returns what
 * that handler returns for the remaining buffered data.
 */
static ngx_int_t
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
{
    size_t      name_len, value_len;
    ngx_int_t   rc;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process headers");

    for ( ;; ) {
        rc = ngx_ssl_ocsp_parse_header_line(ctx);

        if (rc == NGX_DONE) {
            /* the empty line: end of the header block */
            break;
        }

        if (rc == NGX_AGAIN) {
            return NGX_AGAIN;
        }

        if (rc != NGX_OK) {
            /* rc == NGX_ERROR: the parser rejected the line */
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "OCSP responder sent invalid response");
            return NGX_ERROR;
        }

        name_len = ctx->header_name_end - ctx->header_name_start;
        value_len = ctx->header_end - ctx->header_start;

        ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp header \"%*s: %*s\"",
                       name_len, ctx->header_name_start,
                       value_len, ctx->header_start);

        if (name_len != sizeof("Content-Type") - 1
            || ngx_strncasecmp(ctx->header_name_start,
                               (u_char *) "Content-Type",
                               sizeof("Content-Type") - 1)
               != 0)
        {
            /* TODO: honor Content-Length */
            continue;
        }

        if (value_len == sizeof("application/ocsp-response") - 1
            && ngx_strncasecmp(ctx->header_start,
                               (u_char *) "application/ocsp-response",
                               sizeof("application/ocsp-response") - 1)
               == 0)
        {
            continue;
        }

        /* anything other than an OCSP response body is not acceptable */
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP responder sent invalid "
                      "\"Content-Type\" header: \"%*s\"",
                      value_len, ctx->header_start);
        return NGX_ERROR;
    }

    /* headers consumed; the rest of the buffer is the response body */
    ctx->process = ngx_ssl_ocsp_process_body;
    return ctx->process(ctx);
}
2105 |
6810 | 2106 |
2107 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2108 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2109 { |
6810 | 2110 u_char c, ch, *p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2111 enum { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2112 sw_start = 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2113 sw_name, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2114 sw_space_before_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2115 sw_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2116 sw_space_after_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2117 sw_almost_done, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2118 sw_header_almost_done |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2119 } state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2120 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2121 state = ctx->state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2122 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2123 for (p = ctx->response->pos; p < ctx->response->last; p++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2124 ch = *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2125 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2126 #if 0 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2127 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2128 "s:%d in:'%02Xd:%c'", state, ch, ch); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2129 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2130 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2131 switch (state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2132 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2133 /* first char */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2134 case sw_start: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2135 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2136 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2137 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2138 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2139 state = sw_header_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2140 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2141 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2142 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2143 goto header_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2144 default: |
2145 state = sw_name; |
2146 ctx->header_name_start = p; |
2147 |
2148 c = (u_char) (ch | 0x20); |
2149 if (c >= 'a' && c <= 'z') { |
2150 break; |
2151 } |
2152 |
2153 if (ch >= '0' && ch <= '9') { |
2154 break; |
2155 } |
2156 |
2157 return NGX_ERROR; |
2158 } |
2159 break; |
2160 |
2161 /* header name */ |
2162 case sw_name: |
2163 c = (u_char) (ch | 0x20); |
2164 if (c >= 'a' && c <= 'z') { |
2165 break; |
2166 } |
2167 |
2168 if (ch == ':') { |
2169 ctx->header_name_end = p; |
2170 state = sw_space_before_value; |
2171 break; |
2172 } |
2173 |
2174 if (ch == '-') { |
2175 break; |
2176 } |
2177 |
2178 if (ch >= '0' && ch <= '9') { |
2179 break; |
2180 } |
2181 |
2182 if (ch == CR) { |
2183 ctx->header_name_end = p; |
2184 ctx->header_start = p; |
2185 ctx->header_end = p; |
2186 state = sw_almost_done; |
2187 break; |
2188 } |
2189 |
2190 if (ch == LF) { |
2191 ctx->header_name_end = p; |
2192 ctx->header_start = p; |
2193 ctx->header_end = p; |
2194 goto done; |
2195 } |
2196 |
2197 return NGX_ERROR; |
2198 |
2199 /* space* before header value */ |
2200 case sw_space_before_value: |
2201 switch (ch) { |
2202 case ' ': |
2203 break; |
2204 case CR: |
2205 ctx->header_start = p; |
2206 ctx->header_end = p; |
2207 state = sw_almost_done; |
2208 break; |
2209 case LF: |
2210 ctx->header_start = p; |
2211 ctx->header_end = p; |
2212 goto done; |
2213 default: |
2214 ctx->header_start = p; |
2215 state = sw_value; |
2216 break; |
2217 } |
2218 break; |
2219 |
2220 /* header value */ |
2221 case sw_value: |
2222 switch (ch) { |
2223 case ' ': |
2224 ctx->header_end = p; |
2225 state = sw_space_after_value; |
2226 break; |
2227 case CR: |
2228 ctx->header_end = p; |
2229 state = sw_almost_done; |
2230 break; |
2231 case LF: |
2232 ctx->header_end = p; |
2233 goto done; |
2234 } |
2235 break; |
2236 |
2237 /* space* before end of header line */ |
2238 case sw_space_after_value: |
2239 switch (ch) { |
2240 case ' ': |
2241 break; |
2242 case CR: |
2243 state = sw_almost_done; |
2244 break; |
2245 case LF: |
2246 goto done; |
2247 default: |
2248 state = sw_value; |
2249 break; |
2250 } |
2251 break; |
2252 |
2253 /* end of header line */ |
2254 case sw_almost_done: |
2255 switch (ch) { |
2256 case LF: |
2257 goto done; |
2258 default: |
2259 return NGX_ERROR; |
2260 } |
2261 |
2262 /* end of header */ |
2263 case sw_header_almost_done: |
2264 switch (ch) { |
2265 case LF: |
2266 goto header_done; |
2267 default: |
2268 return NGX_ERROR; |
2269 } |
2270 } |
2271 } |
2272 |
2273 ctx->response->pos = p; |
2274 ctx->state = state; |
2275 |
2276 return NGX_AGAIN; |
2277 |
2278 done: |
2279 |
2280 ctx->response->pos = p + 1; |
2281 ctx->state = sw_start; |
2282 |
2283 return NGX_OK; |
2284 |
2285 header_done: |
2286 |
2287 ctx->response->pos = p + 1; |
2288 ctx->state = sw_start; |
2289 |
2290 return NGX_DONE; |
2291 } |
2292 |
</gr_replreplace>
<gr_replace lines="20784-20791" cat="remove_boilerplate" orig="386a06a22c40">
2293 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
/*
 * Body stage of the OCSP responder read state machine.
 *
 * Nothing is parsed at this point: the response bytes stay in
 * ctx->response and are picked up later by whoever decodes them
 * (ngx_ssl_ocsp_verify reads them from ctx->response->pos).  While the
 * caller has not yet flagged the response as fully received (ctx->done)
 * the function asks for more input with NGX_AGAIN; once it has, the
 * completion handler is invoked and NGX_DONE is returned.
 *
 * NOTE(review): where ctx->done gets set (connection EOF, full buffer,
 * content-length reached) is not visible here - confirm against the
 * read path before relying on it.
 */
static ngx_int_t
ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process body");

    if (!ctx->done) {
        /* still waiting for the rest of the HTTP body */
        return NGX_AGAIN;
    }

    /* the whole response is buffered: hand it to the completion handler */
    ctx->handler(ctx);

    return NGX_DONE;
}
2307 |
2308 |
2309 static ngx_int_t |
2310 ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx) |
2311 { |
2312 int n; |
2313 size_t len; |
2314 X509_STORE *store; |
2315 const u_char *p; |
2316 OCSP_CERTID *id; |
2317 OCSP_RESPONSE *ocsp; |
2318 OCSP_BASICRESP *basic; |
2319 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate; |
2320 |
2321 ocsp = NULL; |
2322 basic = NULL; |
2323 id = NULL; |
2324 |
2325 if (ctx->code != 200) { |
2326 goto error; |
2327 } |
2328 |
2329 /* check the response */ |
2330 |
2331 len = ctx->response->last - ctx->response->pos; |
2332 p = ctx->response->pos; |
2333 |
2334 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len); |
2335 if (ocsp == NULL) { |
2336 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2337 "d2i_OCSP_RESPONSE() failed"); |
2338 goto error; |
2339 } |
2340 |
2341 n = OCSP_response_status(ocsp); |
2342 |
2343 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
2344 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
2345 "OCSP response not successful (%d: %s)", |
2346 n, OCSP_response_status_str(n)); |
2347 goto error; |
2348 } |
2349 |
2350 basic = OCSP_response_get1_basic(ocsp); |
2351 if (basic == NULL) { |
2352 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2353 "OCSP_response_get1_basic() failed"); |
2354 goto error; |
2355 } |
2356 |
2357 store = SSL_CTX_get_cert_store(ctx->ssl_ctx); |
2358 if (store == NULL) { |
2359 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
2360 "SSL_CTX_get_cert_store() failed"); |
2361 goto error; |
2362 } |
2363 |
2364 if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) { |
2365 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2366 "OCSP_basic_verify() failed"); |
2367 goto error; |
2368 } |
2369 |
2370 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
2371 if (id == NULL) { |
2372 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
2373 "OCSP_cert_to_id() failed"); |
2374 goto error; |
2375 } |
2376 |
2377 if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL, |
2378 &thisupdate, &nextupdate) |
2379 != 1) |
2380 { |
2381 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
2382 "certificate status not found in the OCSP response"); |
2383 goto error; |
2384 } |
2385 |
2386 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) { |
2387 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2388 "OCSP_check_validity() failed"); |
2389 goto error; |
2390 } |
2391 |
2392 if (nextupdate) { |
2393 ctx->valid = ngx_ssl_stapling_time(nextupdate); |
2394 if (ctx->valid == (time_t) NGX_ERROR) { |
2395 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
2396 "invalid nextUpdate time in certificate status"); |
2397 goto error; |
2398 } |
2399 |
2400 } else { |
2401 ctx->valid = NGX_MAX_TIME_T_VALUE; |
2402 } |
2403 |
2404 OCSP_CERTID_free(id); |
2405 OCSP_BASICRESP_free(basic); |
2406 OCSP_RESPONSE_free(ocsp); |
2407 |
2408 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
2409 "ssl ocsp response, %s, %uz", |
2410 OCSP_cert_status_str(ctx->status), len); |
2411 |
2412 return NGX_OK; |
2413 |
2414 error: |
2415 |
2416 if (id) { |
2417 OCSP_CERTID_free(id); |
2418 } |
2419 |
2420 if (basic) { |
2421 OCSP_BASICRESP_free(basic); |
2422 } |
2423 |
2424 if (ocsp) { |
2425 OCSP_RESPONSE_free(ocsp); |
2426 } |
2427 |
2428 return NGX_ERROR; |
2429 } |
2430 |
2431 |
/*
 * Shared memory zone init callback for the OCSP certificate status cache.
 * Invoked once per zone; "data" carries the cache object inherited from
 * the previous configuration cycle, if there is one.
 *
 * Three cases are told apart:
 *   - data != NULL: a configuration reload, the old cache is kept as-is;
 *   - shm.exists: the segment is already populated (presumably by another
 *     process), attach to the cache object the slab pool points at;
 *   - otherwise: carve a fresh cache object out of the slab pool and set
 *     up its empty lookup tree and expiry queue.
 *
 * Returns NGX_OK, or NGX_ERROR when the slab pool cannot satisfy an
 * allocation.
 */
ngx_int_t
ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    size_t                 ctx_len;
    ngx_slab_pool_t       *pool;
    ngx_ssl_ocsp_cache_t  *oc;

    /* reload: reuse the cache inherited from the old cycle */
    if (data != NULL) {
        shm_zone->data = data;
        return NGX_OK;
    }

    pool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    /* segment already initialized elsewhere: adopt its cache object */
    if (shm_zone->shm.exists) {
        shm_zone->data = pool->data;
        return NGX_OK;
    }

    oc = ngx_slab_alloc(pool, sizeof(ngx_ssl_ocsp_cache_t));
    if (oc == NULL) {
        return NGX_ERROR;
    }

    shm_zone->data = oc;
    pool->data = oc;

    ngx_queue_init(&oc->expire_queue);
    ngx_rbtree_init(&oc->rbtree, &oc->sentinel, ngx_str_rbtree_insert_value);

    /*
     * Suffix the slab pool attaches to its log messages:
     * ' in OCSP cache "<zone name>"' plus the terminating NUL.
     */
    ctx_len = shm_zone->shm.name.len + sizeof(" in OCSP cache \"\"");

    pool->log_ctx = ngx_slab_alloc(pool, ctx_len);
    if (pool->log_ctx == NULL) {
        return NGX_ERROR;
    }

    ngx_sprintf(pool->log_ctx, " in OCSP cache \"%V\"%Z",
                &shm_zone->shm.name);

    /*
     * Allocation failures inside the pool are not logged: the store path
     * handles them by evicting the oldest entry and retrying.
     */
    pool->log_nomem = 0;

    return NGX_OK;
}
2478 |
2479 |
/*
 * Looks up the certificate status for ctx in the shared OCSP cache.
 *
 * The lookup key is built by ngx_ssl_ocsp_create_key().  On a fresh hit
 * the cached status is copied into ctx->status and NGX_OK is returned.
 * An entry whose "valid" time has passed is evicted on the spot and its
 * stale status is never handed back, so the caller falls through to a
 * live OCSP query.
 *
 * Returns NGX_DECLINED when no cache zone is configured, the key is not
 * present, or only a stale entry exists; NGX_ERROR when the key cannot
 * be built.
 */
static ngx_int_t
ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx)
{
    uint32_t                    key_hash;
    ngx_shm_zone_t             *zone;
    ngx_slab_pool_t            *pool;
    ngx_ssl_ocsp_cache_t       *oc;
    ngx_ssl_ocsp_cache_node_t  *entry;

    zone = ctx->shm_zone;

    /* no ssl_ocsp_cache configured: nothing to consult */
    if (zone == NULL) {
        return NGX_DECLINED;
    }

    if (ngx_ssl_ocsp_create_key(ctx) != NGX_OK) {
        return NGX_ERROR;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache lookup");

    oc = zone->data;
    pool = (ngx_slab_pool_t *) zone->shm.addr;
    key_hash = ngx_hash_key(ctx->key.data, ctx->key.len);

    /* the tree lives in shared memory; every access is under the lock */
    ngx_shmtx_lock(&pool->mutex);

    entry = (ngx_ssl_ocsp_cache_node_t *)
                ngx_str_rbtree_lookup(&oc->rbtree, &ctx->key, key_hash);

    if (entry == NULL) {
        ngx_shmtx_unlock(&pool->mutex);

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp cache miss");

        return NGX_DECLINED;
    }

    if (entry->valid > ngx_time()) {
        /* fresh entry: only the status value leaves the locked region */
        ctx->status = entry->status;

        ngx_shmtx_unlock(&pool->mutex);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp cache hit, %s",
                       OCSP_cert_status_str(ctx->status));

        return NGX_OK;
    }

    /* stale entry: unlink from the expiry queue and the tree, then free */
    ngx_queue_remove(&entry->queue);
    ngx_rbtree_delete(&oc->rbtree, &entry->node.node);
    ngx_slab_free_locked(pool, entry);

    ngx_shmtx_unlock(&pool->mutex);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp cache expired");

    return NGX_DECLINED;
}
2540 |
2541 |
2542 static ngx_int_t |
2543 ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx) |
2544 { |
2545 time_t now, valid; |
2546 uint32_t hash; |
2547 ngx_queue_t *q; |
2548 ngx_shm_zone_t *shm_zone; |
2549 ngx_slab_pool_t *shpool; |
2550 ngx_ssl_ocsp_cache_t *cache; |
2551 ngx_ssl_ocsp_cache_node_t *node; |
2552 |
2553 shm_zone = ctx->shm_zone; |
2554 |
2555 if (shm_zone == NULL) { |
2556 return NGX_OK; |
2557 } |
2558 |
2559 valid = ctx->valid; |
2560 |
2561 now = ngx_time(); |
2562 |
2563 if (valid < now) { |
2564 return NGX_OK; |
2565 } |
2566 |
2567 if (valid == NGX_MAX_TIME_T_VALUE) { |
2568 valid = now + 3600; |
2569 } |
2570 |
2571 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
2572 "ssl ocsp cache store, valid:%T", valid - now); |
2573 |
2574 cache = shm_zone->data; |
2575 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
2576 hash = ngx_hash_key(ctx->key.data, ctx->key.len); |
2577 |
2578 ngx_shmtx_lock(&shpool->mutex); |
2579 |
2580 node = ngx_slab_calloc_locked(shpool, |
2581 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len); |
2582 if (node == NULL) { |
2583 |
2584 if (!ngx_queue_empty(&cache->expire_queue)) { |
2585 q = ngx_queue_last(&cache->expire_queue); |
2586 node = ngx_queue_data(q, ngx_ssl_ocsp_cache_node_t, queue); |
2587 |
2588 ngx_rbtree_delete(&cache->rbtree, &node->node.node); |
2589 ngx_queue_remove(q); |
2590 ngx_slab_free_locked(shpool, node); |
2591 |
2592 node = ngx_slab_alloc_locked(shpool, |
2593 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len); |
2594 } |
2595 |
2596 if (node == NULL) { |
2597 ngx_shmtx_unlock(&shpool->mutex); |
2598 ngx_log_error(NGX_LOG_ALERT, ctx->log, 0, |
2599 "could not allocate new entry%s", shpool->log_ctx); |
2600 return NGX_ERROR; |
2601 } |
2602 } |
2603 |
2604 node->node.str.len = ctx->key.len; |
2605 node->node.str.data = (u_char *) node + sizeof(ngx_ssl_ocsp_cache_node_t); |
2606 ngx_memcpy(node->node.str.data, ctx->key.data, ctx->key.len); |
2607 node->node.node.key = hash; |
2608 node->status = ctx->status; |
2609 node->valid = valid; |
2610 |
2611 ngx_rbtree_insert(&cache->rbtree, &node->node.node); |
2612 ngx_queue_insert_head(&cache->expire_queue, &node->queue); |
2613 |
2614 ngx_shmtx_unlock(&shpool->mutex); |
2615 |
2616 return NGX_OK; |
2617 } |
2618 |
2619 |
/*
 * Builds the OCSP cache key for ctx->cert into ctx->key.  The key is a
 * fixed 60-byte value laid out as:
 *
 *     [0, 20)   SHA-1 digest of the issuer's subject name
 *     [20, 40)  SHA-1 digest of the issuer's public key
 *     [40, 60)  certificate serial number, zero-padded on the right
 *
 * These are the same three fields that identify a certificate in an
 * OCSP CertID, so a cached status can only be matched by a certificate
 * with the same issuer and serial.  Returns NGX_ERROR (leaving ctx->key
 * unusable) if the pool allocation or either digest fails, or if the
 * serial is longer than 20 bytes, which RFC 5280 forbids anyway.
 */
static ngx_int_t
ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
{
    u_char        *key;
    X509_NAME     *issuer_name;
    ASN1_INTEGER  *serial;

    key = ngx_pnalloc(ctx->pool, 60);
    if (key == NULL) {
        return NGX_ERROR;
    }

    ctx->key.data = key;
    ctx->key.len = 60;

    issuer_name = X509_get_subject_name(ctx->issuer);

    if (X509_NAME_digest(issuer_name, EVP_sha1(), key, NULL) == 0) {
        return NGX_ERROR;
    }

    if (X509_pubkey_digest(ctx->issuer, EVP_sha1(), key + 20, NULL) == 0) {
        return NGX_ERROR;
    }

    serial = X509_get_serialNumber(ctx->cert);

    if (serial->length > 20) {
        return NGX_ERROR;
    }

    /*
     * only the magnitude bytes are copied; the ASN1_INTEGER sign flag
     * is not part of the key (negative serials are non-conforming)
     */

    ngx_memcpy(key + 40, serial->data, serial->length);
    ngx_memzero(key + 40 + serial->length, 20 - serial->length);

#if (NGX_DEBUG)
    {
    u_char  buf[120];

    ngx_hex_dump(buf, ctx->key.data, ctx->key.len);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp key %*s", sizeof(buf), buf);
    }
#endif

    return NGX_OK;
}


/*
 * Error log context handler (ngx_log_handler_pt shape) for OCSP requests:
 * appends " while <action>", the responder host, the peer name and the
 * certificate name - whichever are known - to an error message being
 * written into buf.  Each piece is produced with ngx_snprintf() into the
 * remaining len bytes and len/buf are advanced afterwards, so the output
 * never exceeds the caller's buffer.  log->data is the ngx_ssl_ocsp_ctx_t
 * and may be NULL, in which case only the action is appended.  Returns
 * the position just past the last byte written.
 */
static u_char *
ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len)
{
    u_char              *last;
    ngx_ssl_ocsp_ctx_t  *ctx;

    last = buf;

    if (log->action) {
        last = ngx_snprintf(buf, len, " while %s", log->action);
        len -= last - buf;
        buf = last;
    }

    ctx = log->data;

    if (ctx == NULL) {
        return last;
    }

    last = ngx_snprintf(buf, len, ", responder: %V", &ctx->host);
    len -= last - buf;
    buf = last;

    if (ctx->peer.name) {
        last = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name);
        len -= last - buf;
        buf = last;
    }

    if (ctx->name) {
        last = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name);
        len -= last - buf;
        buf = last;
    }

    return last;
}


2709 #else |
2710 |
2711 |
/*
 * Stub for builds where the OCSP code above is compiled out.  The
 * "ssl_stapling" directive is accepted but ignored with a warning: stapling
 * only saves clients a lookup, it is not a check performed by the server,
 * so a configuration that asks for it can still be loaded.  Always returns
 * NGX_OK; cf, file, responder and verify are unused.
 */
ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
    ngx_str_t *responder, ngx_uint_t verify)
{
    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                  "\"ssl_stapling\" ignored, not supported");

    return NGX_OK;
}


/*
 * Stub for builds where the OCSP code above is compiled out: there is no
 * stapling state to attach a resolver to, so the call is a no-op that
 * returns NGX_OK.  All parameters are unused.
 */
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}


/*
 * Stub for builds where the OCSP code above is compiled out.  Unlike
 * "ssl_stapling", "ssl_ocsp" is a verification step for client
 * certificates, so silently skipping it would weaken a check the
 * administrator explicitly configured; the directive is therefore rejected
 * at configuration time with NGX_LOG_EMERG and NGX_ERROR rather than
 * downgraded to a warning.  cf, responder, depth and shm_zone are unused.
 */
ngx_int_t
ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
    ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
{
    ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                  "\"ssl_ocsp\" is not supported on this platform");

    return NGX_ERROR;
}


/*
 * Stub for builds where the OCSP code above is compiled out: no OCSP
 * client exists to hand the resolver to, so this is a no-op returning
 * NGX_OK.  All parameters are unused.
 */
ngx_int_t
ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}


/*
 * Stub for builds where the OCSP code above is compiled out.  Reports
 * NGX_OK for every connection without performing any OCSP check; this is
 * safe only because ngx_ssl_ocsp() above refuses the "ssl_ocsp" directive
 * in this build, so no configuration can rely on validation happening
 * here.  c is unused.
 */
ngx_int_t
ngx_ssl_ocsp_validate(ngx_connection_t *c)
{
    return NGX_OK;
}


/*
 * Stub for builds where the OCSP code above is compiled out.  Returns
 * NGX_OK and leaves *s untouched; callers presumably read *s only when the
 * result is not NGX_OK - confirm against the call sites.  c is unused.
 */
ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    return NGX_OK;
}


/*
 * Stub for builds where the OCSP code above is compiled out: no per-
 * connection OCSP state is ever allocated, so there is nothing to release.
 * c is unused.
 */
void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
}


/*
 * Stub shared-zone init callback for builds where the OCSP code above is
 * compiled out: the status cache does not exist, so nothing is set up and
 * NGX_OK is returned.  shm_zone and data are unused.
 */
ngx_int_t
ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    return NGX_OK;
}


2777 #endif |