annotate src/event/ngx_event_openssl_stapling.c @ 8656:43f3574b3e6f quic
QUIC: fixed handling of clients connected to wildcard address.
The patch replaces c->send() occurences with c->send_chain(), because the
latter accounts for the local address, which may be different if the wildcard
listener is used.
Previously, server sent response to client using address different from
one client connected to.
author | Vladimir Homutov <vl@nginx.com> |
date | Mon, 07 Dec 2020 14:06:00 +0300 |
parents | a46fcf101cfc |
children | ee40e2b1d083 |

/*
 * Copyright (C) Maxim Dounin
 * Copyright (C) Nginx, Inc.
 */


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_event.h>
#include <ngx_event_connect.h>


/*
 * Everything that follows is compiled only when the linked OpenSSL was
 * built with OCSP support and exposes the status-request callback control
 * (SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB).  The matching #endif, and whatever
 * stubs are provided when the condition is false, lie outside this excerpt.
 */
#if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)


/*
 * Per-certificate OCSP stapling state.  ngx_ssl_stapling() walks every
 * certificate attached to an SSL_CTX and sets one of these up for each
 * through ngx_ssl_stapling_certificate(); the code that fetches, verifies
 * and serves the response is below this excerpt.
 */
typedef struct {
    /* the OCSP response that gets stapled (presumably DER, as sent) */
    ngx_str_t                    staple;
    /* NOTE(review): looks like the responder request timeout -- confirm */
    ngx_msec_t                   timeout;

    /* used to resolve `host` when the responder is given by name */
    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    /* responder endpoint; more than one address is possible and the
     * request context below iterates over all of them (naddr cursor) */
    ngx_addr_t                  *addrs;
    ngx_uint_t                   naddrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    SSL_CTX                     *ssl_ctx;

    /* certificate being stapled, its issuer, and the extra chain that
     * is kept here so the issuer can be located and the response checked */
    X509                        *cert;
    X509                        *issuer;
    STACK_OF(X509)              *chain;

    /* certificate name, used to qualify warnings in the log */
    u_char                      *name;

    /* valid: when the current response stops being usable;
     * refresh: when to ask the responder again.  Kept apart so that an
     * already-expired response is not stapled while a refresh is pending
     * (ticket #425). */
    time_t                       valid;
    time_t                       refresh;

    /* verify: ssl_stapling_verify -- fetched responses are checked
     *   (ngx_ssl_ocsp_verify, below this excerpt) before being stapled.
     *   With it clear the response presumably goes out unverified, which
     *   makes the responder, and the DNS/route to it, the trust anchor;
     *   confirm against ngx_ssl_ocsp_verify before relying on this.
     * loading: a fetch is already in flight (presumably a re-entry guard) */
    unsigned                     verify:1;
    unsigned                     loading:1;
} ngx_ssl_stapling_t;
/*
 * Configuration for OCSP validation of client certificates (ticket #1534).
 * Unlike ngx_ssl_stapling_t this is not tied to one certificate: the
 * certificates to check arrive with each connection (ngx_ssl_ocsp_s).
 */
typedef struct {
    /* responder endpoint fixed by configuration, if any; otherwise the
     * responder is presumably taken from the certificate itself in
     * ngx_ssl_ocsp_responder() (below this excerpt) -- confirm */
    ngx_addr_t                  *addrs;
    ngx_uint_t                   naddrs;

    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;
    /* presumably bounds how many certificates of the client's chain are
     * checked; the walk is in ngx_ssl_ocsp_validate_next(), not shown */
    ngx_uint_t                   depth;

    /* shared-memory status cache (ngx_ssl_ocsp_cache_t);
     * presumably NULL when no cache is configured */
    ngx_shm_zone_t              *shm_zone;

    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;
} ngx_ssl_ocsp_conf_t;
/*
 * Header of the shared-memory certificate status cache.  Entries
 * (ngx_ssl_ocsp_cache_node_t) are found by key through `rbtree` and are
 * also threaded onto `expire_queue` so stale ones can be evicted,
 * presumably oldest-first; the lookup/store code is below this excerpt.
 */
typedef struct {
    ngx_rbtree_t                 rbtree;
    ngx_rbtree_node_t            sentinel;
    ngx_queue_t                  expire_queue;
} ngx_ssl_ocsp_cache_t;
/*
 * One cached OCSP result.  Lives in the shared zone, so it is presumably
 * only touched under the zone's mutex by ngx_ssl_ocsp_cache_lookup/store.
 */
typedef struct {
    /* string-keyed rbtree node; the key is built by ngx_ssl_ocsp_create_key */
    ngx_str_node_t               node;
    /* link into ngx_ssl_ocsp_cache_t.expire_queue */
    ngx_queue_t                  queue;
    /* OCSP certificate status as an int (presumably the OpenSSL
     * V_OCSP_CERTSTATUS_* value) */
    int                          status;
    /* time until which the cached status may be used */
    time_t                       valid;
} ngx_ssl_ocsp_cache_node_t;
/* forward name for the request context; needed by the callback
 * pointer types inside the struct itself */
typedef struct ngx_ssl_ocsp_ctx_s  ngx_ssl_ocsp_ctx_t;


/*
 * Per-connection state of client-certificate OCSP validation.  The tag is
 * defined here with a public name so the connection can carry a pointer to
 * it; the fields are used only in this file.
 */
struct ngx_ssl_ocsp_s {
    /* the client's certificate chain and, presumably, the index of the
     * certificate currently being checked */
    STACK_OF(X509)              *certs;
    ngx_uint_t                   ncert;

    /* cert_status: OCSP status of the last checked certificate (int, as
     * OpenSSL reports it); status: the overall outcome as an ngx_int_t */
    int                          cert_status;
    ngx_int_t                    status;

    ngx_ssl_ocsp_conf_t         *conf;
    /* responder request in flight for this connection, if any */
    ngx_ssl_ocsp_ctx_t          *ctx;
};
/*
 * State of one OCSP request to a responder, shared by the stapling path and
 * the client-certificate path.  It is a small HTTP client: resolve the
 * responder, connect, send `request`, parse status line, headers and body
 * into `response`, then verify.  Nothing among the prototypes in this file
 * sets up TLS for that connection, so the exchange is presumably plain HTTP
 * and the trust placed in the reply rests on ngx_ssl_ocsp_verify() alone.
 */
struct ngx_ssl_ocsp_ctx_s {
    SSL_CTX                     *ssl_ctx;

    /* subject of the query, its issuer, and the extra chain */
    X509                        *cert;
    X509                        *issuer;
    STACK_OF(X509)              *chain;

    /* outcome: OCSP certificate status and how long it may be relied on */
    int                          status;
    time_t                       valid;

    /* identifies the certificate in error messages (ngx_ssl_ocsp_log_error) */
    u_char                      *name;

    /* candidate responder addresses and the index of the one in use;
     * ngx_ssl_ocsp_next() presumably advances naddr after a failure */
    ngx_uint_t                   naddrs;
    ngx_uint_t                   naddr;

    ngx_addr_t                  *addrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    /* NOTE(review): presumably the overall request timeout -- confirm */
    ngx_msec_t                   timeout;

    /* completion callback and its opaque argument; the two callers
     * (ngx_ssl_stapling_ocsp_handler, ngx_ssl_ocsp_handler) are declared
     * below */
    void                       (*handler)(ngx_ssl_ocsp_ctx_t *ctx);
    void                        *data;

    /* status-cache key (ngx_ssl_ocsp_create_key) */
    ngx_str_t                    key;
    /* encoded HTTP request and the buffer the reply is collected in */
    ngx_buf_t                   *request;
    ngx_buf_t                   *response;
    ngx_peer_connection_t        peer;

    ngx_shm_zone_t              *shm_zone;

    /* current stage of the reply parser, one of
     * ngx_ssl_ocsp_process_{status_line,headers,body} */
    ngx_int_t                  (*process)(ngx_ssl_ocsp_ctx_t *ctx);

    /* sub-state of the incremental line parsers */
    ngx_uint_t                   state;

    /* HTTP status code plus parser bookkeeping; exact meanings of count,
     * flags and done are in the parsers below this excerpt */
    ngx_uint_t                   code;
    ngx_uint_t                   count;
    ngx_uint_t                   flags;
    ngx_uint_t                   done;

    /* bounds of the header line most recently parsed, pointing into
     * `response` */
    u_char                      *header_name_start;
    u_char                      *header_name_end;
    u_char                      *header_start;
    u_char                      *header_end;

    ngx_pool_t                  *pool;
    ngx_log_t                   *log;
};
/* configuration-time setup of stapling for one certificate: load a staple
 * from a file, find the issuer, or set up the responder to query */
static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *file);
static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple);
static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *responder);

/* runtime stapling: the OpenSSL status-request callback installed by
 * ngx_ssl_stapling(), the refresh trigger, and the completion handler of a
 * refresh request */
static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
    void *data);
static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);

/* ASN.1 GeneralizedTime -> time_t, used for response validity times */
static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time);

static void ngx_ssl_stapling_cleanup(void *data);

/* client-certificate validation: walk the chain, query per certificate */
static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c);
static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c,
    ngx_ssl_ocsp_ctx_t *ctx);

/* life cycle of one responder request (ngx_ssl_ocsp_ctx_t): allocate,
 * resolve, connect, write, read; `next` presumably moves to the next
 * responder address */
static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(ngx_log_t *log);
static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve);
static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev);
static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev);
static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);

/* HTTP request builder, the incremental reply parsers (installed in
 * ctx->process in turn), and verification of the decoded response --
 * the only place the responder's answer is authenticated */
static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx);

/* shared-memory status cache (ngx_ssl_ocsp_cache_t) */
static ngx_int_t ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx);

/* log handler that appends request context (certificate name, responder)
 * to error messages */
static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len);


194 ngx_int_t |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
195 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
196 ngx_str_t *responder, ngx_uint_t verify) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
197 { |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
198 X509 *cert; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
199 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
200 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
201 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
202 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
203 { |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
204 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
205 != NGX_OK) |
206 { |
207 return NGX_ERROR; |
208 } |
209 } |
210 |
211 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
212 |
213 return NGX_OK; |
214 } |
215 |
216 |
/*
 * Configures OCSP stapling for one certificate of an SSL context.
 *
 * A per-certificate ngx_ssl_stapling_t is allocated from the configuration
 * pool and attached to the certificate's ex_data slot ngx_ssl_stapling_index
 * (presumably where the tlsext status callback, installed by the caller,
 * looks it up later - that lookup is not visible here).  A pool cleanup
 * running ngx_ssl_stapling_cleanup is registered so that whatever the staple
 * ends up owning is released together with the pool.
 *
 * The staple is then populated in one of two ways:
 *
 *   - "file" is non-empty: the DER response is loaded from disk by
 *     ngx_ssl_stapling_file() and this function returns immediately.  Note
 *     that this path never resolves the issuer, never configures a responder
 *     and performs NO verification of the response, regardless of "verify";
 *     the file is stapled as-is and never refreshed.  Callers pass the same
 *     "file" for every certificate of the context (see ngx_ssl_stapling),
 *     and nothing checks that the response actually covers "cert", so with
 *     several certificates a mismatch is silent.
 *
 *   - otherwise: the issuer certificate is located and the OCSP responder is
 *     set up.  NGX_DECLINED from either step means stapling is simply not
 *     enabled for this certificate (the issuer step logs a warning; the
 *     responder's reasons are not visible here) and NGX_OK is still returned.
 *
 * Returns NGX_OK on success or when stapling is declined for this
 * certificate, NGX_ERROR on a fatal error (allocation, ex_data, unreadable
 * or malformed file, issuer/responder setup failure).
 */
static ngx_int_t
ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
{
    ngx_int_t             rc;
    ngx_pool_cleanup_t   *cln;
    ngx_ssl_stapling_t   *st;

    st = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
    if (st == NULL) {
        return NGX_ERROR;
    }

    /* tie the staple's lifetime to the configuration pool */

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_ERROR;
    }

    cln->handler = ngx_ssl_stapling_cleanup;
    cln->data = st;

    if (X509_set_ex_data(cert, ngx_ssl_stapling_index, st) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
        return NGX_ERROR;
    }

#ifdef SSL_CTRL_SELECT_CURRENT_CERT
    /*
     * OpenSSL 1.0.2+: make "cert" the context's current certificate, so
     * that the chain queried below presumably refers to this certificate
     * rather than to whichever one was loaded last.
     */
    SSL_CTX_select_current_cert(ssl->ctx, cert);
#endif

    /*
     * The extra chain is a borrowed pointer: no reference is taken on the
     * stack here, so it stays owned by ssl->ctx.
     */

#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
    /* OpenSSL 1.0.1+ */
    SSL_CTX_get_extra_chain_certs(ssl->ctx, &st->chain);
#else
    st->chain = ssl->ctx->extra_certs;
#endif

    st->ssl_ctx = ssl->ctx;
    st->timeout = 60000;    /* presumably milliseconds - TODO confirm */
    st->verify = verify;
    st->cert = cert;
    st->name = X509_get_ex_data(st->cert, ngx_ssl_certificate_name_index);

    if (file->len) {
        /* static response from disk: unverified and never re-fetched */
        return (ngx_ssl_stapling_file(cf, ssl, st, file) == NGX_OK)
               ? NGX_OK : NGX_ERROR;
    }

    switch (ngx_ssl_stapling_issuer(cf, ssl, st)) {

    case NGX_OK:
        break;

    case NGX_DECLINED:
        /* no issuer found: stapling is not enabled for this certificate */
        return NGX_OK;

    default:
        return NGX_ERROR;
    }

    rc = ngx_ssl_stapling_responder(cf, ssl, st, responder);

    switch (rc) {

    case NGX_OK:
        return NGX_OK;

    case NGX_DECLINED:
        /* no usable responder: stapling is not enabled for this certificate */
        return NGX_OK;

    default:
        return NGX_ERROR;
    }
}
294 |
295 |
/*
 * Loads a pre-fetched, DER-encoded OCSP response for staple->cert from
 * "file" (e.g. as written by "openssl ocsp -respout").
 *
 * The response is parsed only so that it can be re-serialised into a heap
 * buffer owned by the staple (staple->staple); that buffer is what gets
 * stapled to handshakes.  staple->valid is set to NGX_MAX_TIME_T_VALUE,
 * i.e. the response is treated as valid forever and is never refreshed.
 *
 * SECURITY NOTE: nothing about the response is checked here - not its
 * response status, not the signature, not the certificate it covers, and
 * not its validity window - and staple->verify is not consulted at all.
 * Whatever the file contains is stapled verbatim.  The operator is therefore
 * responsible for validating the file before deployment and for rotating
 * it before the response expires; a stale or mismatched response will
 * presumably be rejected or ignored by clients, not by nginx.
 *
 * "file" is resolved relative to the configuration prefix, in place.
 *
 * Returns NGX_OK, or NGX_ERROR after logging at EMERG level (except for
 * the allocation failure, which is logged by ngx_alloc itself).  The BIO
 * and the parsed response are released on every path; the DER buffer is
 * handed over to the staple on success (released by the stapling cleanup
 * handler, presumably).
 */
static ngx_int_t
ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *file)
{
    int             size;
    BIO            *in;
    u_char         *der, *end;
    OCSP_RESPONSE  *resp;

    if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    /* binary mode: the file is DER, not text */
    in = BIO_new_file((char *) file->data, "rb");
    if (in == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "BIO_new_file(\"%s\") failed", file->data);
        return NGX_ERROR;
    }

    resp = d2i_OCSP_RESPONSE_bio(in, NULL);
    if (resp == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
        BIO_free(in);
        return NGX_ERROR;
    }

    der = NULL;

    /* first pass: only the encoded length is needed */
    size = i2d_OCSP_RESPONSE(resp, NULL);
    if (size <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
        goto failed;
    }

    der = ngx_alloc(size, ssl->log);
    if (der == NULL) {
        goto failed;
    }

    /* second pass: encode into the buffer (i2d advances "end") */
    end = der;
    size = i2d_OCSP_RESPONSE(resp, &end);
    if (size <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
        goto failed;
    }

    OCSP_RESPONSE_free(resp);
    BIO_free(in);

    staple->staple.data = der;
    staple->staple.len = size;
    staple->valid = NGX_MAX_TIME_T_VALUE;   /* never expires, never refetched */

    return NGX_OK;

failed:

    /* der is NULL unless the second encoding pass failed */
    ngx_free(der);
    OCSP_RESPONSE_free(resp);
    BIO_free(in);

    return NGX_ERROR;
}
361 |
362 |
363 static ngx_int_t |
364 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
365 ngx_ssl_stapling_t *staple) |
366 { |
367 int i, n, rc; |
368 X509 *cert, *issuer; |
369 X509_STORE *store; |
370 X509_STORE_CTX *store_ctx; |
371 |
372 cert = staple->cert; |
373 |
374 n = sk_X509_num(staple->chain); |
375 |
376 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
377 "SSL get issuer: %d extra certs", n); |
378 |
379 for (i = 0; i < n; i++) { |
380 issuer = sk_X509_value(staple->chain, i); |
381 if (X509_check_issued(issuer, cert) == X509_V_OK) { |
382 #if OPENSSL_VERSION_NUMBER >= 0x10100001L |
383 X509_up_ref(issuer); |
384 #else |
385 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); |
386 #endif |
387 |
388 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
389 "SSL get issuer: found %p in extra certs", issuer); |
390 |
391 staple->issuer = issuer; |
392 |
393 return NGX_OK; |
394 } |
395 } |
396 |
397 store = SSL_CTX_get_cert_store(ssl->ctx); |
398 if (store == NULL) { |
399 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
400 "SSL_CTX_get_cert_store() failed"); |
401 return NGX_ERROR; |
402 } |
403 |
404 store_ctx = X509_STORE_CTX_new(); |
405 if (store_ctx == NULL) { |
406 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
407 "X509_STORE_CTX_new() failed"); |
408 return NGX_ERROR; |
409 } |
410 |
411 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) { |
412 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
413 "X509_STORE_CTX_init() failed"); |
414 X509_STORE_CTX_free(store_ctx); |
415 return NGX_ERROR; |
416 } |
417 |
418 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert); |
419 |
420 if (rc == -1) { |
421 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
422 "X509_STORE_CTX_get1_issuer() failed"); |
423 X509_STORE_CTX_free(store_ctx); |
424 return NGX_ERROR; |
425 } |
426 |
427 if (rc == 0) { |
428 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
429 "\"ssl_stapling\" ignored, " |
430 "issuer certificate not found for certificate \"%s\"", |
431 staple->name); |
432 X509_STORE_CTX_free(store_ctx); |
433 return NGX_DECLINED; |
434 } |
435 |
436 X509_STORE_CTX_free(store_ctx); |
437 |
438 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
439 "SSL get issuer: found %p in cert store", issuer); |
440 |
441 staple->issuer = issuer; |
442 |
443 return NGX_OK; |
444 } |
445 |
446 |
/*
 * Works out where the OCSP response for staple->cert is to be fetched from.
 *
 * When "responder" (the explicitly configured responder URL) is empty, the
 * first OCSP URI of the certificate's Authority Information Access
 * extension is used instead; any further entries are ignored.  Only URLs
 * with an "http://" scheme are accepted: the scheme is stripped, the rest
 * is parsed with ngx_parse_url(), and the resulting addresses, host, path
 * and port are stored in the staple.
 *
 * Returns NGX_OK on success, NGX_DECLINED (after a warning; stapling is
 * then simply not used for this certificate) when no usable responder URL
 * is available, and NGX_ERROR on allocation failure or a parse failure
 * that carries no message.
 */
static ngx_int_t
ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *responder)
{
    char                      *url;
    ngx_str_t                  from_cert;
    ngx_url_t                  parsed;
    STACK_OF(OPENSSL_STRING)  *aia;

    if (responder->len == 0) {

        /* nothing configured: fall back to the AIA OCSP URI in the cert */

        aia = X509_get1_ocsp(staple->cert);
        if (aia == NULL) {
            ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                          "\"ssl_stapling\" ignored, "
                          "no OCSP responder URL in the certificate \"%s\"",
                          staple->name);
            return NGX_DECLINED;
        }

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
        url = sk_OPENSSL_STRING_value(aia, 0);
#else
        url = sk_value(aia, 0);
#endif
        if (url == NULL) {
            /* the extension is present but lists no OCSP URI */
            ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                          "\"ssl_stapling\" ignored, "
                          "no OCSP responder URL in the certificate \"%s\"",
                          staple->name);
            X509_email_free(aia);
            return NGX_DECLINED;
        }

        /*
         * the string is owned by the OpenSSL stack, which is released
         * below, so it is copied into the configuration pool first
         */

        from_cert.len = ngx_strlen(url);
        from_cert.data = ngx_palloc(cf->pool, from_cert.len);
        if (from_cert.data == NULL) {
            X509_email_free(aia);
            return NGX_ERROR;
        }

        ngx_memcpy(from_cert.data, url, from_cert.len);
        X509_email_free(aia);

        responder = &from_cert;
    }

    ngx_memzero(&parsed, sizeof(ngx_url_t));

    parsed.url = *responder;
    parsed.default_port = 80;
    parsed.uri_part = 1;

    /*
     * only "http://" responders are supported; anything else is reported
     * and stapling is disabled for this certificate rather than failing
     * the whole configuration
     */

    if (parsed.url.len <= 7
        || ngx_strncasecmp(parsed.url.data, (u_char *) "http://", 7) != 0)
    {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in the certificate \"%s\"",
                      &parsed.url, staple->name);
        return NGX_DECLINED;
    }

    parsed.url.data += 7;
    parsed.url.len -= 7;

    if (ngx_parse_url(cf->pool, &parsed) != NGX_OK) {

        if (parsed.err == NULL) {
            /* a failure without a message is treated as a hard error */
            return NGX_ERROR;
        }

        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "%s in OCSP responder \"%V\" "
                      "in the certificate \"%s\"",
                      parsed.err, &parsed.url, staple->name);
        return NGX_DECLINED;
    }

    staple->addrs = parsed.addrs;
    staple->naddrs = parsed.naddrs;
    staple->host = parsed.host;
    staple->uri = parsed.uri;
    staple->port = parsed.port;

    /* an empty path means the responder root */

    if (staple->uri.len == 0) {
        ngx_str_set(&staple->uri, "/");
    }

    return NGX_OK;
}
542 |
543 |
/*
 * Records the resolver (and its timeout) used for OCSP responder host
 * lookups in the staple of every certificate configured in ssl->ctx.  The
 * certificates are chained through ngx_ssl_next_certificate_index ex_data,
 * starting from ngx_ssl_certificate_index on the context.
 *
 * NOTE(review): the staple pointer is not NULL-checked here, unlike in
 * ngx_ssl_certificate_status_callback(); this relies on every certificate
 * in the list having had its staple attached before this is called -
 * confirm against the caller.
 *
 * "cf" is unused.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    X509                *cert;
    ngx_ssl_stapling_t  *staple;

    cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);

    while (cert != NULL) {
        staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);

        staple->resolver = resolver;
        staple->resolver_timeout = resolver_timeout;

        cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
    }

    return NGX_OK;
}
562 |
563 |
/*
 * OpenSSL certificate status callback: supplies the stapled OCSP response
 * for the certificate selected on this connection.
 *
 * A response is only sent when the staple holds one and it has not expired
 * (staple->valid is compared against the current time), so a client never
 * receives a stale staple; otherwise the callback answers
 * SSL_TLSEXT_ERR_NOACK and the handshake continues without a status.  The
 * response is handed to OpenSSL as a fresh OPENSSL_malloc()'d copy because
 * OpenSSL frees the buffer it is given.
 *
 * Certificates without an attached staple (this can happen for
 * dynamically loaded certificates, per the history of these checks) are
 * skipped.  Whenever a staple is present, a refresh of its response is
 * triggered via ngx_ssl_stapling_update() - except on allocation failure,
 * which returns early.
 *
 * "data" is unused.  Returns SSL_TLSEXT_ERR_OK when a response was set,
 * SSL_TLSEXT_ERR_NOACK otherwise.
 */
static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
    int                  rc;
    u_char              *copy;
    X509                *cert;
    ngx_connection_t    *c;
    ngx_ssl_stapling_t  *staple;

    c = ngx_ssl_get_connection(ssl_conn);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL certificate status callback");

    cert = SSL_get_certificate(ssl_conn);
    if (cert == NULL) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
    if (staple == NULL) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    rc = SSL_TLSEXT_ERR_NOACK;

    if (staple->staple.len && staple->valid >= ngx_time()) {

        /* OpenSSL takes ownership of the buffer and frees it itself */

        copy = OPENSSL_malloc(staple->staple.len);
        if (copy == NULL) {
            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
            return SSL_TLSEXT_ERR_NOACK;
        }

        ngx_memcpy(copy, staple->staple.data, staple->staple.len);
        SSL_set_tlsext_status_ocsp_resp(ssl_conn, copy, staple->staple.len);

        rc = SSL_TLSEXT_ERR_OK;
    }

    ngx_ssl_stapling_update(staple);

    return rc;
}
614 |
615 |
616 static void |
617 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple) |
618 { |
619 ngx_ssl_ocsp_ctx_t *ctx; |
620 |
621 if (staple->host.len == 0 |
622 || staple->loading || staple->refresh >= ngx_time()) |
623 { |
624 return; |
625 } |
626 |
627 staple->loading = 1; |
628 |
629 ctx = ngx_ssl_ocsp_start(ngx_cycle->log); |
630 if (ctx == NULL) { |
631 return; |
632 } |
633 |
634 ctx->ssl_ctx = staple->ssl_ctx; |
635 ctx->cert = staple->cert; |
636 ctx->issuer = staple->issuer; |
637 ctx->chain = staple->chain; |
638 ctx->name = staple->name; |
639 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); |
640 |
641 ctx->addrs = staple->addrs; |
642 ctx->naddrs = staple->naddrs; |
643 ctx->host = staple->host; |
644 ctx->uri = staple->uri; |
645 ctx->port = staple->port; |
646 ctx->timeout = staple->timeout; |
647 |
648 ctx->resolver = staple->resolver; |
649 ctx->resolver_timeout = staple->resolver_timeout; |
650 |
651 ctx->handler = ngx_ssl_stapling_ocsp_handler; |
652 ctx->data = staple; |
653 |
654 ngx_ssl_ocsp_request(ctx); |
655 |
656 return; |
657 } |
/*
 * Completion handler for a stapling OCSP request, installed as ctx->handler
 * by the refresh code.  On a verified "good" response the DER bytes are
 * copied out of ctx->pool into a heap buffer owned by the staple (the
 * previous buffer, if any, is freed) and the next refresh is scheduled.
 * On any failure the current staple is left untouched and a retry is
 * scheduled in 5 minutes.  In both cases ctx is handed back to
 * ngx_ssl_ocsp_done().
 */
static void
ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
{
    time_t               now, refresh;
    ngx_str_t            response;
    ngx_ssl_stapling_t  *staple;

    staple = ctx->data;
    now = ngx_time();

    /* default schedule, used by every failure path: retry in 5 minutes */
    refresh = now + 300;

    if (ngx_ssl_ocsp_verify(ctx) != NGX_OK) {
        goto done;
    }

    if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "certificate status \"%s\" in the OCSP response",
                      OCSP_cert_status_str(ctx->status));
        goto done;
    }

    /*
     * the response buffer lives in ctx->pool, which is presumably released
     * by ngx_ssl_ocsp_done(); keep a private copy for the staple
     */

    response.len = ctx->response->last - ctx->response->pos;
    response.data = ngx_alloc(response.len, ctx->log);

    if (response.data == NULL) {
        goto done;
    }

    ngx_memcpy(response.data, ctx->response->pos, response.len);

    if (staple->staple.data) {
        ngx_free(staple->staple.data);
    }

    staple->staple = response;
    staple->valid = ctx->valid;

    /*
     * refresh 5 minutes before the response expires, but no sooner
     * than 5 minutes from now and no later than an hour from now
     */

    refresh = ngx_max(ngx_min(ctx->valid - 300, now + 3600), now + 300);

done:

    staple->loading = 0;
    staple->refresh = refresh;

    ngx_ssl_ocsp_done(ctx);
}
/*
 * Converts an ASN1_GENERALIZEDTIME into a time_t.  OpenSSL offers no
 * direct conversion here, so the value is printed with
 * ASN1_GENERALIZEDTIME_print(), which yields "MMM DD HH:MM:SS YYYY [GMT]"
 * (e.g. "Feb 3 00:55:52 2015 GMT"), and the text is handed to
 * ngx_parse_http_time() after a fake weekday is prepended so that it has
 * the asctime() layout.
 *
 * Returns NGX_ERROR if the memory BIO cannot be created; otherwise the
 * result of ngx_parse_http_time() is passed through unchanged, so a parse
 * failure is reported the way that function reports it and callers must
 * check for it.  The BIO_write() and ASN1_GENERALIZEDTIME_print() results
 * are not checked: a failed print leaves only the fake weekday in the
 * buffer, which is expected to fail parsing rather than yield a bogus time.
 */
static time_t
ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time)
{
    BIO     *mem;
    char    *text;
    size_t   n;
    time_t   t;

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        return NGX_ERROR;
    }

    /* fake weekday, prepended only to match the C asctime() format */
    BIO_write(mem, "Tue ", sizeof("Tue ") - 1);
    ASN1_GENERALIZEDTIME_print(mem, asn1time);

    n = BIO_get_mem_data(mem, &text);
    t = ngx_parse_http_time((u_char *) text, n);

    BIO_free(mem);

    return t;
}
/*
 * Pool cleanup handler for a staple object: releases the issuer certificate
 * reference and the heap-allocated OCSP response held in staple->staple
 * (the buffer that ngx_ssl_stapling_ocsp_handler() allocates with
 * ngx_alloc()).  The staple itself is pool memory and is not freed here.
 */
static void
ngx_ssl_stapling_cleanup(void *data)
{
    ngx_ssl_stapling_t  *staple;

    staple = data;

    if (staple->issuer != NULL) {
        X509_free(staple->issuer);
    }

    if (staple->staple.data != NULL) {
        ngx_free(staple->staple.data);
    }
}
/*
 * Configures client certificate OCSP validation for an SSL context:
 * allocates the per-context ngx_ssl_ocsp_conf_t, records the verification
 * depth and the shared status cache zone, parses the optional responder
 * URL (only an "http://" prefix is accepted, default port 80) and attaches
 * the configuration to ssl->ctx with SSL_CTX_set_ex_data() under
 * ngx_ssl_ocsp_index.
 *
 * An empty responder leaves ocf->addrs, naddrs, host, uri and port as
 * zeroed by ngx_pcalloc().  Returns NGX_OK, or NGX_ERROR after logging at
 * NGX_LOG_EMERG on a bad URL or an OpenSSL failure.
 */
ngx_int_t
ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
    ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
{
    ngx_url_t             u;
    ngx_ssl_ocsp_conf_t  *ocf;

    ocf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t));
    if (ocf == NULL) {
        return NGX_ERROR;
    }

    ocf->depth = depth;
    ocf->shm_zone = shm_zone;

    if (responder->len == 0) {
        goto attach;
    }

    ngx_memzero(&u, sizeof(ngx_url_t));

    u.url = *responder;
    u.default_port = 80;
    u.uri_part = 1;

    /* the scheme is mandatory and is stripped before ngx_parse_url() */

    if (u.url.len <= 7
        || ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) != 0)
    {
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in \"ssl_ocsp_responder\"", &u.url);
        return NGX_ERROR;
    }

    u.url.data += 7;
    u.url.len -= 7;

    if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
        if (u.err) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "%s in OCSP responder \"%V\" "
                          "in \"ssl_ocsp_responder\"", u.err, &u.url);
        }

        return NGX_ERROR;
    }

    ocf->addrs = u.addrs;
    ocf->naddrs = u.naddrs;
    ocf->host = u.host;
    ocf->uri = u.uri;
    ocf->port = u.port;

attach:

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, ocf) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
/*
 * Stores the resolver and its timeout in the OCSP configuration that
 * ngx_ssl_ocsp() previously attached to ssl->ctx under ngx_ssl_ocsp_index.
 * The configuration is fetched without a NULL check, so this must only be
 * called after a successful ngx_ssl_ocsp() on the same context.  The cf
 * argument is not used.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    ngx_ssl_ocsp_conf_t  *ocf = SSL_CTX_get_ex_data(ssl->ctx,
                                                    ngx_ssl_ocsp_index);

    ocf->resolver = resolver;
    ocf->resolver_timeout = resolver_timeout;

    return NGX_OK;
}
842 |
843 |
/*
 * Starts (or continues) OCSP validation of the peer certificate chain on
 * connection c.
 *
 * Returns NGX_OK when there is nothing to check -- no OCSP conf attached to
 * the SSL_CTX, SSL_get_verify_result() already rejected the chain, or the
 * peer sent no certificate -- and when ngx_ssl_ocsp_validate_next() finished
 * without leaving ocsp->status at NGX_AGAIN.  Returns NGX_AGAIN while a
 * responder exchange is outstanding; c->ssl->in_ocsp is then set and later
 * calls only re-arm the connection's read/write events and return NGX_AGAIN
 * again (in_ocsp is presumably cleared by the completion handler, which is
 * not visible here).  Returns NGX_ERROR on allocation or OpenSSL failures.
 *
 * The certificates that get checked are the chain OpenSSL actually trusted
 * (SSL_get0_verified_chain) or, when that is unavailable, a chain rebuilt
 * against the SSL_CTX store with X509_verify_cert(); the raw chain sent by
 * the peer is only ever used as untrusted input to that rebuild.
 */
ngx_int_t
ngx_ssl_ocsp_validate(ngx_connection_t *c)
{
    X509                 *peer;
    SSL_CTX              *sctx;
    X509_STORE           *store;
    X509_STORE_CTX       *vctx;
    STACK_OF(X509)       *untrusted;
    ngx_ssl_ocsp_t       *ocsp;
    ngx_ssl_ocsp_conf_t  *ocf;

    /* re-entered while a responder exchange is in flight: keep waiting */

    if (c->ssl->in_ocsp) {
        if (ngx_handle_read_event(c->read, 0) != NGX_OK
            || ngx_handle_write_event(c->write, 0) != NGX_OK)
        {
            return NGX_ERROR;
        }

        return NGX_AGAIN;
    }

    sctx = SSL_get_SSL_CTX(c->ssl->connection);
    ocf = SSL_CTX_get_ex_data(sctx, ngx_ssl_ocsp_index);

    /* nothing to do: OCSP not configured, or the chain is already rejected */

    if (ocf == NULL
        || SSL_get_verify_result(c->ssl->connection) != X509_V_OK)
    {
        return NGX_OK;
    }

    /* SSL_get_peer_certificate() returns a reference; released below */

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    vctx = NULL;

    ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
    if (ocsp == NULL) {
        goto failed;
    }

    c->ssl->ocsp = ocsp;

    /* cert_status starts as GOOD; responder results are expected to set it */

    ocsp->status = NGX_AGAIN;
    ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
    ocsp->conf = ocf;

#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)

    /* prefer the chain OpenSSL itself verified during the handshake */

    ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);

    if (ocsp->certs) {
        ocsp->certs = X509_chain_up_ref(ocsp->certs);
        if (ocsp->certs == NULL) {
            goto failed;
        }
    }

#endif

    if (ocsp->certs == NULL) {

        /*
         * no verified chain available: rebuild one against the ctx store,
         * feeding the peer-sent chain in as untrusted intermediates only
         */

        store = SSL_CTX_get_cert_store(sctx);
        if (store == NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "SSL_CTX_get_cert_store() failed");
            goto failed;
        }

        vctx = X509_STORE_CTX_new();
        if (vctx == NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "X509_STORE_CTX_new() failed");
            goto failed;
        }

        untrusted = SSL_get_peer_cert_chain(c->ssl->connection);

        if (X509_STORE_CTX_init(vctx, store, peer, untrusted) == 0) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "X509_STORE_CTX_init() failed");
            goto failed;
        }

        if (X509_verify_cert(vctx) <= 0) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
            goto failed;
        }

        /* get1: the returned stack owns its own references */

        ocsp->certs = X509_STORE_CTX_get1_chain(vctx);
        if (ocsp->certs == NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "X509_STORE_CTX_get1_chain() failed");
            goto failed;
        }

        X509_STORE_CTX_free(vctx);
    }

    X509_free(peer);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs));

    ngx_ssl_ocsp_validate_next(c);

    if (ocsp->status == NGX_AGAIN) {
        /* a responder request was issued; resume on the next call */
        c->ssl->in_ocsp = 1;
        return NGX_AGAIN;
    }

    return NGX_OK;

failed:

    /* vctx is non-NULL only on the rebuild path after X509_STORE_CTX_new() */

    if (vctx != NULL) {
        X509_STORE_CTX_free(vctx);
    }

    X509_free(peer);

    return NGX_ERROR;
}
971 |
972 |
973 static void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
974 ngx_ssl_ocsp_validate_next(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
975 { |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
976 ngx_int_t rc; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
977 ngx_uint_t n; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
978 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
979 ngx_ssl_ocsp_ctx_t *ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
980 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
981 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
982 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
983 ocf = ocsp->conf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
984 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
985 n = sk_X509_num(ocsp->certs); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
986 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
987 for ( ;; ) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
988 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
989 if (ocsp->ncert == n - 1 || (ocf->depth == 2 && ocsp->ncert == 1)) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
990 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
991 "ssl ocsp validated, certs:%ui", ocsp->ncert); |
7667
1ece2ac2555a
OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents:
7655
diff
changeset
|
992 rc = NGX_OK; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
993 goto done; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
994 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
995 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
996 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
997 "ssl ocsp validate cert:%ui", ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
998 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
999 ctx = ngx_ssl_ocsp_start(c->log); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1000 if (ctx == NULL) { |
7667
1ece2ac2555a
OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents:
7655
diff
changeset
|
1001 rc = NGX_ERROR; |
1ece2ac2555a
OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents:
7655
diff
changeset
|
1002 goto done; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1003 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1004 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1005 ocsp->ctx = ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1006 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1007 ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1008 ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1009 ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1010 ctx->chain = ocsp->certs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1011 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1012 ctx->resolver = ocf->resolver; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1013 ctx->resolver_timeout = ocf->resolver_timeout; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1014 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1015 ctx->handler = ngx_ssl_ocsp_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1016 ctx->data = c; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1017 |
7654
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
1018 ctx->shm_zone = ocf->shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7653
diff
changeset
|
1019 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1020 ctx->addrs = ocf->addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1021 ctx->naddrs = ocf->naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1022 ctx->host = ocf->host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1023 ctx->uri = ocf->uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1024 ctx->port = ocf->port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1025 |
7667
1ece2ac2555a
OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents:
7655
diff
changeset
|
1026 rc = ngx_ssl_ocsp_responder(c, ctx); |
1ece2ac2555a
OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents:
7655
diff
changeset
|
1027 if (rc != NGX_OK) { |
1ece2ac2555a
OCSP: fixed use-after-free on error.
Roman Arutyunyan <arut@nginx.com>
parents:
7655
diff
changeset
|
1028 goto done; |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1029 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1030 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1031 if (ctx->uri.len == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1032 ngx_str_set(&ctx->uri, "/"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1033 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1034 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1035 ocsp->ncert++; |
1036 |
1037 rc = ngx_ssl_ocsp_cache_lookup(ctx); |
1038 |
1039 if (rc == NGX_ERROR) { |
1040 goto done; |
1041 } |
1042 |
1043 if (rc == NGX_DECLINED) { |
1044 break; |
1045 } |
1046 |
1047 /* rc == NGX_OK */ |
1048 |
1049 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) { |
1050 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
1051 "ssl ocsp cached status \"%s\"", |
1052 OCSP_cert_status_str(ctx->status)); |
1053 ocsp->cert_status = ctx->status; |
1054 goto done; |
1055 } |
1056 |
1057 ocsp->ctx = NULL; |
1058 ngx_ssl_ocsp_done(ctx); |
1059 } |
1060 |
1061 ngx_ssl_ocsp_request(ctx); |
1062 return; |
1063 |
1064 done: |
1065 |
1066 ocsp->status = rc; |
1067 |
1068 if (c->ssl->in_ocsp) { |
1069 c->ssl->handshaked = 1; |
1070 c->ssl->handler(c); |
1071 } |
1072 } |
/*
 * Runs once the OCSP exchange for the certificate in ctx has produced a
 * result.  The response is verified and then written to the status cache;
 * a "good" status moves validation on to the next certificate, while a
 * failure at any step or a non-good status finishes validation for the
 * connection with ocsp->status and ocsp->cert_status describing why.
 *
 * When c->ssl->in_ocsp is set (the handshake is waiting on this result,
 * set elsewhere), the handshake is marked complete and the connection's
 * ssl handler is resumed.
 */
static void
ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t          rc;
    ngx_ssl_ocsp_t    *ocsp;
    ngx_connection_t  *c;

    c = ctx->data;
    ocsp = c->ssl->ocsp;

    /*
     * ownership of ctx moves to this function; ngx_ssl_ocsp_cleanup()
     * only releases ocsp->ctx while it is still set, so clearing it here
     * keeps the context from being finished twice
     */
    ocsp->ctx = NULL;

    rc = ngx_ssl_ocsp_verify(ctx);

    if (rc == NGX_OK) {
        rc = ngx_ssl_ocsp_cache_store(ctx);
    }

    if (rc == NGX_OK && ctx->status == V_OCSP_CERTSTATUS_GOOD) {
        ngx_ssl_ocsp_done(ctx);
        ngx_ssl_ocsp_validate_next(c);
        return;
    }

    if (rc == NGX_OK) {
        /* response verified and cached, but the responder did not say "good" */
        ocsp->cert_status = ctx->status;
    }

    ocsp->status = rc;
    ngx_ssl_ocsp_done(ctx);

    if (c->ssl->in_ocsp) {
        c->ssl->handshaked = 1;
        c->ssl->handler(c);
    }
}
/*
 * Determines where the OCSP request for ctx->cert is to be sent.
 *
 * If ctx->host is already set, a responder was configured explicitly and
 * the certificate is not consulted.  Otherwise the first OCSP URL from the
 * certificate's Authority Information Access extension is copied into
 * ctx->pool and parsed; only "http://" URLs are accepted, and the host is
 * not resolved here (u.no_resolve).  On success ctx->addrs, ctx->naddrs,
 * ctx->host, ctx->uri and ctx->port are filled in; ctx->uri may be left
 * empty, which the caller replaces with "/".
 *
 * Returns NGX_OK, or NGX_ERROR after logging the reason on c->log.
 */
static ngx_int_t
ngx_ssl_ocsp_responder(ngx_connection_t *c, ngx_ssl_ocsp_ctx_t *ctx)
{
    char                      *url;
    ngx_str_t                  copy;
    ngx_url_t                  u;
    STACK_OF(OPENSSL_STRING)  *aia;

    if (ctx->host.len) {
        /* an explicitly configured responder wins over the certificate */
        return NGX_OK;
    }

    /*
     * extract OCSP responder URL from certificate
     *
     * NOTE(review): ctx->cert is the certificate under validation, i.e.
     * presumably the peer's, so the URL used here is not chosen by this
     * side; that is the reason a configured responder takes precedence
     * above.  Only the first advertised OCSP URL is considered.
     */

    aia = X509_get1_ocsp(ctx->cert);
    if (aia == NULL) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        return NGX_ERROR;
    }

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    url = sk_OPENSSL_STRING_value(aia, 0);
#else
    url = sk_value(aia, 0);
#endif

    if (url == NULL) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        X509_email_free(aia);
        return NGX_ERROR;
    }

    /* the string lives in aia, which is released below: copy it out */

    copy.len = ngx_strlen(url);
    copy.data = ngx_palloc(ctx->pool, copy.len);

    if (copy.data != NULL) {
        ngx_memcpy(copy.data, url, copy.len);
    }

    X509_email_free(aia);

    if (copy.data == NULL) {
        return NGX_ERROR;
    }

    ngx_memzero(&u, sizeof(ngx_url_t));

    u.url = copy;
    u.default_port = 80;
    u.uri_part = 1;
    u.no_resolve = 1;

    /* only plain http is accepted; the scheme is stripped before parsing */

    if (u.url.len <= 7
        || ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) != 0)
    {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in certificate", &u.url);
        return NGX_ERROR;
    }

    u.url.data += 7;
    u.url.len -= 7;

    if (ngx_parse_url(ctx->pool, &u) != NGX_OK) {
        if (u.err) {
            ngx_log_error(NGX_LOG_ERR, c->log, 0,
                          "%s in OCSP responder \"%V\" in certificate",
                          u.err, &u.url);
        }

        return NGX_ERROR;
    }

    if (u.host.len == 0) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "empty host in OCSP responder in certificate");
        return NGX_ERROR;
    }

    ctx->addrs = u.addrs;
    ctx->naddrs = u.naddrs;
    ctx->host = u.host;
    ctx->uri = u.uri;
    ctx->port = u.port;

    return NGX_OK;
}
/*
 * Reports the outcome of OCSP validation for the connection.
 *
 * Returns NGX_OK when no OCSP state is attached to c, or when the
 * certificate status came back "good".  Otherwise returns NGX_DECLINED
 * and points *s at a static string describing the reason.  Anything that
 * is not explicitly good -- a failed status request, a revoked
 * certificate, or any other status -- is declined, so the default is to
 * reject rather than accept.
 */
ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    ngx_ssl_ocsp_t  *ocsp;

    ocsp = c->ssl->ocsp;

    if (ocsp == NULL) {
        /* no OCSP state for this connection: nothing to check */
        return NGX_OK;
    }

    if (ocsp->status == NGX_ERROR) {
        *s = "certificate status request failed";
        return NGX_DECLINED;
    }

    if (ocsp->cert_status == V_OCSP_CERTSTATUS_GOOD) {
        return NGX_OK;
    }

    /* revoked is reported as such; every other status as unknown */

    *s = (ocsp->cert_status == V_OCSP_CERTSTATUS_REVOKED)
         ? "certificate revoked"
         : "certificate status unknown";

    return NGX_DECLINED;
}
/*
 * Releases the per-connection OCSP validation state hanging off c->ssl.
 *
 * Safe to call when no validation was ever started (c->ssl->ocsp is NULL)
 * and safe to call repeatedly: every member that is released is reset to
 * NULL, so a second call finds nothing left to free.
 */
void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
    ngx_ssl_ocsp_t  *ocsp = c->ssl->ocsp;

    if (ocsp == NULL) {
        return;
    }

    /* an exchange with the responder may still be in flight */
    if (ocsp->ctx != NULL) {
        ngx_ssl_ocsp_done(ocsp->ctx);
        ocsp->ctx = NULL;
    }

    /* the certificate stack owns a reference on each X509 it holds */
    if (ocsp->certs != NULL) {
        sk_X509_pop_free(ocsp->certs, X509_free);
        ocsp->certs = NULL;
    }
}


/*
 * Allocates an OCSP request context together with its own memory pool.
 *
 * The context receives a private copy of the caller's log; that copy is
 * wired to ngx_ssl_ocsp_log_error with the context as its data and becomes
 * the log of both the context and the pool, so messages logged through
 * either are routed to that handler.  Returns NULL when any allocation
 * fails; the pool is destroyed on that path so nothing leaks.
 */
static ngx_ssl_ocsp_ctx_t *
ngx_ssl_ocsp_start(ngx_log_t *log)
{
    ngx_pool_t          *pool;
    ngx_log_t           *ctx_log;
    ngx_ssl_ocsp_ctx_t  *ctx;

    pool = ngx_create_pool(2048, log);
    if (pool == NULL) {
        return NULL;
    }

    ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t));
    ctx_log = (ctx != NULL) ? ngx_palloc(pool, sizeof(ngx_log_t)) : NULL;

    if (ctx == NULL || ctx_log == NULL) {
        ngx_destroy_pool(pool);
        return NULL;
    }

    ctx->pool = pool;

    /* snapshot the original log before the pool is pointed at the copy */
    *ctx_log = *pool->log;

    pool->log = ctx_log;
    ctx->log = ctx_log;

    ctx_log->handler = ngx_ssl_ocsp_log_error;
    ctx_log->data = ctx;
    ctx_log->action = "requesting certificate status";

    return ctx;
}


/*
 * Tears down an OCSP request context: closes the responder connection if
 * one is still open, then destroys the context's pool.  The context (and
 * its log) were allocated from that pool, so ctx is invalid afterwards.
 */
static void
ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_connection_t  *peer_c;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp done");

    peer_c = ctx->peer.connection;
    if (peer_c != NULL) {
        ngx_close_connection(peer_c);
    }

    /* frees ctx itself along with everything else in the pool */
    ngx_destroy_pool(ctx->pool);
}


/*
 * Reports a failed OCSP exchange to the owner of the context by invoking
 * the completion handler with ctx->code cleared to 0.
 *
 * NOTE(review): the handler is presumably what maps code 0 to "no usable
 * response"; confirm against the ctx->handler implementations.
 */
static void
ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp error");

    /* clear the result before handing control back */
    ctx->code = 0;

    ctx->handler(ctx);
}


/*
 * Advances to the next responder address after the current one failed.
 *
 * Once the address list is exhausted the failure is final and the owner is
 * told through ngx_ssl_ocsp_error().  Otherwise the request buffer is
 * rewound to its start, any partially received response is discarded, the
 * old connection is closed and the exchange state is reset before a new
 * connection attempt is made.
 */
static void
ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_buf_t  *req, *resp;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp next");

    ctx->naddr++;

    if (ctx->naddr >= ctx->naddrs) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    /* the same request is resent from its beginning */
    req = ctx->request;
    req->pos = req->start;

    /* whatever the previous responder sent is thrown away */
    resp = ctx->response;
    if (resp != NULL) {
        resp->last = resp->pos;
    }

    if (ctx->peer.connection != NULL) {
        ngx_close_connection(ctx->peer.connection);
        ctx->peer.connection = NULL;
    }

    /* restart the exchange state machine for the new address */
    ctx->done = 0;
    ctx->count = 0;
    ctx->state = 0;

    ngx_ssl_ocsp_connect(ctx);
}


/*
 * Builds the OCSP request and starts delivering it to the responder.
 *
 * With a resolver configured the responder host name is resolved first and
 * the exchange continues in ngx_ssl_ocsp_resolve_handler().  Without a
 * resolver, or when ngx_resolve_start() reports NGX_NO_RESOLVER, the
 * addresses already present in the context are used directly; in the
 * NGX_NO_RESOLVER case an empty address list is an error.  Every failure
 * is reported through ngx_ssl_ocsp_error().
 */
static void
ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_resolver_ctx_t  *resolve, temp;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp request");

    if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (ctx->resolver == NULL) {
        /* nothing to resolve: go straight to the configured addresses */
        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    /* resolve OCSP responder hostname */

    /*
     * NOTE(review): only temp.name is set; the rest of temp is left
     * uninitialized, which relies on ngx_resolve_start() reading nothing
     * else from it - confirm against the resolver.
     */
    temp.name = ctx->host;

    resolve = ngx_resolve_start(ctx->resolver, &temp);

    if (resolve == NULL) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (resolve == NGX_NO_RESOLVER) {
        /* fall back to the static address list, which must not be empty */
        if (ctx->naddrs == 0) {
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "no resolver defined to resolve %V", &ctx->host);
            ngx_ssl_ocsp_error(ctx);
            return;
        }

        ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
                      "no resolver defined to resolve %V", &ctx->host);
        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    resolve->name = ctx->host;
    resolve->handler = ngx_ssl_ocsp_resolve_handler;
    resolve->data = ctx;
    resolve->timeout = ctx->resolver_timeout;

    /* on success the flow continues in ngx_ssl_ocsp_resolve_handler() */
    if (ngx_resolve_name(resolve) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
    }
}


1412 static void |
1413 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) |
1414 { |
1415 ngx_ssl_ocsp_ctx_t *ctx = resolve->data; |
1416 |
1417 u_char *p; |
1418 size_t len; |
1419 socklen_t socklen; |
1420 ngx_uint_t i; |
1421 struct sockaddr *sockaddr; |
1422 |
1423 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
1424 "ssl ocsp resolve handler"); |
1425 |
1426 if (resolve->state) { |
1427 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
1428 "%V could not be resolved (%i: %s)", |
1429 &resolve->name, resolve->state, |
1430 ngx_resolver_strerror(resolve->state)); |
1431 goto failed; |
1432 } |
1433 |
1434 #if (NGX_DEBUG) |
1435 { |
1436 u_char text[NGX_SOCKADDR_STRLEN]; |
1437 ngx_str_t addr; |
1438 |
1439 addr.data = text; |
1440 |
1441 for (i = 0; i < resolve->naddrs; i++) { |
1442 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr, |
1443 resolve->addrs[i].socklen, |
1444 text, NGX_SOCKADDR_STRLEN, 0); |
1445 |
1446 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
1447 "name was resolved to %V", &addr); |
1448 |
1449 } |
1450 } |
1451 #endif |
1452 |
1453 ctx->naddrs = resolve->naddrs; |
1454 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t)); |
1455 |
1456 if (ctx->addrs == NULL) { |
1457 goto failed; |
1458 } |
1459 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1460 for (i = 0; i < resolve->naddrs; i++) { |
1462 socklen = resolve->addrs[i].socklen; |
1464 sockaddr = ngx_palloc(ctx->pool, socklen); |
1465 if (sockaddr == NULL) { |
1466 goto failed; |
1467 } |
1469 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen); |
1470 ngx_inet_set_port(sockaddr, ctx->port); |
1472 ctx->addrs[i].sockaddr = sockaddr; |
1473 ctx->addrs[i].socklen = socklen; |
1475 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN); |
1476 if (p == NULL) { |
1477 goto failed; |
1478 } |
1480 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1); |
1482 ctx->addrs[i].name.len = len; |
1483 ctx->addrs[i].name.data = p; |
1484 } |
1486 ngx_resolve_name_done(resolve); |
1488 ngx_ssl_ocsp_connect(ctx); |
1489 return; |
1491 failed: |
1493 ngx_resolve_name_done(resolve); |
1494 ngx_ssl_ocsp_error(ctx); |
1495 } |
/*
 * Opens a connection to the responder address selected by ctx->naddr.
 *
 * ctx->peer is filled from ctx->addrs[ctx->naddr] and passed to
 * ngx_event_connect_peer().  The result decides what happens next:
 *   NGX_ERROR               -> ngx_ssl_ocsp_error(ctx), no further attempt;
 *   NGX_BUSY / NGX_DECLINED -> ngx_ssl_ocsp_next(ctx) (presumably advances
 *                              to the next resolved address; defined elsewhere);
 *   NGX_OK                  -> connected at once, the request is written
 *                              immediately through the write handler;
 *   anything else           -> wait for the write event (NGX_AGAIN is the
 *                              value expected here -- confirm).
 * Read and write timers are armed only when ctx->timeout is non-zero; with a
 * zero timeout nothing in this function bounds a slow or silent responder.
 */
static void
ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t          rc;
    ngx_addr_t        *addr;
    ngx_connection_t  *c;

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs);

    addr = &ctx->addrs[ctx->naddr];

    ctx->peer.sockaddr = addr->sockaddr;
    ctx->peer.socklen = addr->socklen;
    ctx->peer.name = &addr->name;
    ctx->peer.get = ngx_event_get_peer;
    ctx->peer.log = ctx->log;
    ctx->peer.log_error = NGX_ERROR_ERR;

    rc = ngx_event_connect_peer(&ctx->peer);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp connect peer done");

    switch (rc) {

    case NGX_ERROR:
        ngx_ssl_ocsp_error(ctx);
        return;

    case NGX_BUSY:
    case NGX_DECLINED:
        ngx_ssl_ocsp_next(ctx);
        return;

    default:
        break;
    }

    c = ctx->peer.connection;

    c->data = ctx;
    c->pool = ctx->pool;

    c->read->handler = ngx_ssl_ocsp_read_handler;
    c->write->handler = ngx_ssl_ocsp_write_handler;

    /* response parsing starts with ngx_ssl_ocsp_process_status_line */
    ctx->process = ngx_ssl_ocsp_process_status_line;

    if (ctx->timeout) {
        ngx_add_timer(c->read, ctx->timeout);
        ngx_add_timer(c->write, ctx->timeout);
    }

    if (rc == NGX_OK) {
        ngx_ssl_ocsp_write_handler(c->write);
    }
}
/*
 * Write event handler for the responder connection: sends the buffered
 * OCSP request (ctx->request, pos..last) to the peer.
 *
 * A timed-out write event is logged and handed to ngx_ssl_ocsp_next(), so
 * this responder address is given up on rather than treated as fatal; a
 * send error goes the same way.  Once the whole buffer has gone out the
 * handler is swapped for ngx_ssl_ocsp_dummy_handler, a pending write timer
 * is dropped and only the read side stays active.  After a partial send the
 * write timer is (re)armed when ctx->timeout is set and no timer is pending;
 * the write event itself is not re-registered here -- it is assumed to be
 * already active from the connect path (confirm).
 */
static void
ngx_ssl_ocsp_write_handler(ngx_event_t *wev)
{
    ssize_t              sent, remaining;
    ngx_buf_t           *req;
    ngx_connection_t    *c;
    ngx_ssl_ocsp_ctx_t  *ctx;

    c = wev->data;
    ctx = c->data;
    req = ctx->request;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0,
                   "ssl ocsp write handler");

    if (wev->timedout) {
        ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT,
                      "OCSP responder timed out");
        ngx_ssl_ocsp_next(ctx);
        return;
    }

    remaining = req->last - req->pos;
    sent = ngx_send(c, req->pos, remaining);

    if (sent == NGX_ERROR) {
        ngx_ssl_ocsp_next(ctx);
        return;
    }

    if (sent > 0) {
        req->pos += sent;
    }

    if (sent > 0 && sent == remaining) {
        /* request fully sent: park the write side, keep reading */
        wev->handler = ngx_ssl_ocsp_dummy_handler;

        if (wev->timer_set) {
            ngx_del_timer(wev);
        }

        if (ngx_handle_write_event(wev, 0) != NGX_OK) {
            ngx_ssl_ocsp_error(ctx);
        }

        return;
    }

    if (ctx->timeout && !wev->timer_set) {
        ngx_add_timer(wev, ctx->timeout);
    }
}
/*
 * Read event handler for the responder connection: drains the socket into
 * ctx->response and feeds each chunk to ctx->process().
 *
 * ctx->response is allocated lazily as a fixed 16384-byte buffer from
 * ctx->pool.  The receive loop stops on NGX_AGAIN (read event re-armed,
 * return) or on any other non-positive result (EOF or error), after which
 * ctx->done is set and ctx->process() is given one final call; NGX_DONE
 * from it means ctx->handler() already ran.  Anything else is reported as a
 * premature close and this responder address is abandoned via
 * ngx_ssl_ocsp_next().  A timed-out read event or NGX_ERROR from the parser
 * also goes to ngx_ssl_ocsp_next(); only allocation / event-registration
 * failures are fatal (ngx_ssl_ocsp_error()).
 *
 * NOTE(review): once the buffer is full `size` is 0 and ngx_recv() is
 * called with a zero-length read; how an oversized response is then
 * reported depends on what ngx_recv() returns for that case -- confirm
 * that the parsers (defined elsewhere) enforce their own size limits.
 */
static void
ngx_ssl_ocsp_read_handler(ngx_event_t *rev)
{
    ssize_t              n, size;
    ngx_int_t            rc;
    ngx_connection_t    *c;
    ngx_ssl_ocsp_ctx_t  *ctx;

    c = rev->data;
    ctx = c->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0,
                   "ssl ocsp read handler");

    if (rev->timedout) {
        ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT,
                      "OCSP responder timed out");
        ngx_ssl_ocsp_next(ctx);
        return;
    }

    if (ctx->response == NULL) {
        ctx->response = ngx_create_temp_buf(ctx->pool, 16384);

        if (ctx->response == NULL) {
            ngx_ssl_ocsp_error(ctx);
            return;
        }
    }

    do {
        size = ctx->response->end - ctx->response->last;
        n = ngx_recv(c, ctx->response->last, size);

        if (n == NGX_AGAIN) {
            if (ngx_handle_read_event(rev, 0) != NGX_OK) {
                ngx_ssl_ocsp_error(ctx);
            }

            return;
        }

        if (n <= 0) {
            /* EOF or receive error: fall through to the final parse */
            break;
        }

        ctx->response->last += n;

        if (ctx->process(ctx) == NGX_ERROR) {
            ngx_ssl_ocsp_next(ctx);
            return;
        }

    } while (1);

    ctx->done = 1;

    rc = ctx->process(ctx);

    if (rc == NGX_DONE) {
        /* ctx->handler() was called */
        return;
    }

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder prematurely closed connection");

    ngx_ssl_ocsp_next(ctx);
}
/*
 * Placeholder write handler installed once the OCSP request has been fully
 * sent; it only logs, so a further write event on the responder connection
 * has no effect.
 */
static void
ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "ssl ocsp dummy handler");
}
1686 |
1687 |
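/*
 * Builds the HTTP GET request used to ask the OCSP responder about
 * ctx->cert (issued by ctx->issuer) and stores it in ctx->request.
 *
 * The DER-encoded OCSP request is base64-encoded and carried in the
 * request path (the GET form of RFC 6960, Appendix A.1; that form is
 * meant for small requests, and this code never falls back to POST).
 * Base64 output contains '+', '/' and '=', so the encoded request is
 * percent-escaped as a URI component before it is appended to ctx->uri.
 * The request is sent as HTTP/1.0 with a Host header built from
 * ctx->host.
 *
 * All nginx-side memory comes from ctx->pool; the OpenSSL objects
 * created here are released before returning on every path.
 *
 * Returns NGX_OK on success and NGX_ERROR on failure.  OpenSSL failures
 * are logged through ngx_ssl_error(); pool allocation failures are not
 * logged here.
 */
static ngx_int_t
ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
{
    int            len;
    u_char        *p;
    uintptr_t      escape;
    ngx_str_t      binary, base64;
    ngx_buf_t     *b;
    OCSP_CERTID   *id;
    OCSP_REQUEST  *ocsp;

    ocsp = OCSP_REQUEST_new();
    if (ocsp == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_REQUEST_new() failed");
        return NGX_ERROR;
    }

    /* a NULL digest selects OpenSSL's default hash for the CertID */

    id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
    if (id == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_cert_to_id() failed");
        goto failed;
    }

    /*
     * OCSP_request_add0_id() takes ownership of id only when it
     * succeeds; on failure id is still ours and must be freed here
     */

    if (OCSP_request_add0_id(ocsp, id) == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_request_add0_id() failed");
        OCSP_CERTID_free(id);
        goto failed;
    }

    /* the first i2d call with a NULL buffer only measures the encoding */

    len = i2d_OCSP_REQUEST(ocsp, NULL);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "i2d_OCSP_REQUEST() failed");
        goto failed;
    }

    binary.len = len;
    binary.data = ngx_palloc(ctx->pool, len);
    if (binary.data == NULL) {
        goto failed;
    }

    /* the second call writes the DER bytes; p is advanced by OpenSSL */

    p = binary.data;
    len = i2d_OCSP_REQUEST(ocsp, &p);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0,
                      "i2d_OCSP_REQUEST() failed");
        goto failed;
    }

    base64.len = ngx_base64_encoded_length(binary.len);
    base64.data = ngx_palloc(ctx->pool, base64.len);
    if (base64.data == NULL) {
        goto failed;
    }

    ngx_encode_base64(&base64, &binary);

    /*
     * with a NULL destination ngx_escape_uri() only counts the bytes
     * that need escaping; each of them grows by two bytes ("%XX")
     */

    escape = ngx_escape_uri(NULL, base64.data, base64.len,
                            NGX_ESCAPE_URI_COMPONENT);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp request length %z, escape %d",
                   base64.len, (int) escape);

    /*
     * exact size of the request below:
     *   "GET " uri ["/"] escaped-base64 " HTTP/1.0" CRLF
     *   "Host: " host CRLF
     *   CRLF
     * the optional "/" is always budgeted, so the buffer can only be
     * one byte larger than needed, never smaller
     */

    len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
          + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
          + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
          + sizeof(CRLF) - 1;

    b = ngx_create_temp_buf(ctx->pool, len);
    if (b == NULL) {
        goto failed;
    }

    p = b->last;

    p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1);
    p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);

    /*
     * the responder path must end with "/" before the encoded request;
     * an empty uri is treated like one without a trailing slash so the
     * index never reaches before ctx->uri.data (callers are expected to
     * supply a non-empty path, this only makes the check self-contained)
     */

    if (ctx->uri.len == 0 || ctx->uri.data[ctx->uri.len - 1] != '/') {
        *p++ = '/';
    }

    /* skip the escaping pass entirely when nothing needs escaping */

    if (escape == 0) {
        p = ngx_cpymem(p, base64.data, base64.len);

    } else {
        p = (u_char *) ngx_escape_uri(p, base64.data, base64.len,
                                      NGX_ESCAPE_URI_COMPONENT);
    }

    p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
    p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
    p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
    *p++ = CR; *p++ = LF;

    /* add "\r\n" at the header end */
    *p++ = CR; *p++ = LF;

    b->last = p;
    ctx->request = b;

    OCSP_REQUEST_free(ocsp);

    return NGX_OK;

failed:

    OCSP_REQUEST_free(ocsp);

    return NGX_ERROR;
}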
1804 |
1805 |
/*
 * Drives parsing of the HTTP status line of the responder's reply and,
 * once the line is complete, hands the context over to
 * ngx_ssl_ocsp_process_headers.
 *
 * Returns the result of the header stage once the status line has been
 * consumed, NGX_AGAIN when more input is needed, and NGX_ERROR (after
 * logging) for anything that is not a valid HTTP status line.
 */
static ngx_int_t
ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t  rc;

    rc = ngx_ssl_ocsp_parse_status_line(ctx);

    switch (rc) {

    case NGX_OK:
        /* the reason phrase is the responder's raw bytes; debug level only */

        ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp status %ui \"%*s\"",
                       ctx->code,
                       ctx->header_end - ctx->header_start,
                       ctx->header_start);

        /* status line consumed: continue with the headers right away */

        ctx->process = ngx_ssl_ocsp_process_headers;
        return ctx->process(ctx);

    case NGX_AGAIN:
        return NGX_AGAIN;

    default:
        /* rc == NGX_ERROR */

        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP responder sent invalid response");

        return NGX_ERROR;
    }
}
1835 |
1836 |
1837 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1838 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1839 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1840 u_char ch; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1841 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1842 ngx_buf_t *b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1843 enum { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1844 sw_start = 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1845 sw_H, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1846 sw_HT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1847 sw_HTT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1848 sw_HTTP, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1849 sw_first_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1850 sw_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1851 sw_first_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1852 sw_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1853 sw_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1854 sw_space_after_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1855 sw_status_text, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1856 sw_almost_done |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1857 } state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1858 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1859 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1860 "ssl ocsp process status line"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1861 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1862 state = ctx->state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1863 b = ctx->response; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1864 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1865 for (p = b->pos; p < b->last; p++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1866 ch = *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1867 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1868 switch (state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1869 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1870 /* "HTTP/" */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1871 case sw_start: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1872 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1873 case 'H': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1874 state = sw_H; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1875 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1876 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1877 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1878 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1879 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1880 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1881 case sw_H: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1882 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1883 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1884 state = sw_HT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1885 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1886 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1887 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1888 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1889 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1890 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1891 case sw_HT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1892 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1893 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1894 state = sw_HTT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1895 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1896 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1897 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1898 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1899 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1900 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1901 case sw_HTT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1902 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1903 case 'P': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1904 state = sw_HTTP; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1905 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1906 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1907 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1908 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1909 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1910 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1911 case sw_HTTP: |
1912 switch (ch) { |
1913 case '/': |
1914 state = sw_first_major_digit; |
1915 break; |
1916 default: |
1917 return NGX_ERROR; |
1918 } |
1919 break; |
1920 |
1921 /* the first digit of major HTTP version */ |
1922 case sw_first_major_digit: |
1923 if (ch < '1' || ch > '9') { |
1924 return NGX_ERROR; |
1925 } |
1926 |
1927 state = sw_major_digit; |
1928 break; |
1929 |
1930 /* the major HTTP version or dot */ |
1931 case sw_major_digit: |
1932 if (ch == '.') { |
1933 state = sw_first_minor_digit; |
1934 break; |
1935 } |
1936 |
1937 if (ch < '0' || ch > '9') { |
1938 return NGX_ERROR; |
1939 } |
1940 |
1941 break; |
1942 |
1943 /* the first digit of minor HTTP version */ |
1944 case sw_first_minor_digit: |
1945 if (ch < '0' || ch > '9') { |
1946 return NGX_ERROR; |
1947 } |
1948 |
1949 state = sw_minor_digit; |
1950 break; |
1951 |
1952 /* the minor HTTP version or the end of the request line */ |
1953 case sw_minor_digit: |
1954 if (ch == ' ') { |
1955 state = sw_status; |
1956 break; |
1957 } |
1958 |
1959 if (ch < '0' || ch > '9') { |
1960 return NGX_ERROR; |
1961 } |
1962 |
1963 break; |
1964 |
1965 /* HTTP status code */ |
1966 case sw_status: |
1967 if (ch == ' ') { |
1968 break; |
1969 } |
1970 |
1971 if (ch < '0' || ch > '9') { |
1972 return NGX_ERROR; |
1973 } |
1974 |
1975 ctx->code = ctx->code * 10 + (ch - '0'); |
1976 |
1977 if (++ctx->count == 3) { |
1978 state = sw_space_after_status; |
1979 ctx->header_start = p - 2; |
1980 } |
1981 |
1982 break; |
1983 |
1984 /* space or end of line */ |
1985 case sw_space_after_status: |
1986 switch (ch) { |
1987 case ' ': |
1988 state = sw_status_text; |
1989 break; |
1990 case '.': /* IIS may send 403.1, 403.2, etc */ |
1991 state = sw_status_text; |
1992 break; |
1993 case CR: |
1994 state = sw_almost_done; |
1995 break; |
1996 case LF: |
1997 ctx->header_end = p; |
1998 goto done; |
1999 default: |
2000 return NGX_ERROR; |
2001 } |
2002 break; |
2003 |
2004 /* any text until end of line */ |
2005 case sw_status_text: |
2006 switch (ch) { |
2007 case CR: |
2008 state = sw_almost_done; |
2009 break; |
2010 case LF: |
2011 ctx->header_end = p; |
2012 goto done; |
2013 } |
2014 break; |
2015 |
2016 /* end of status line */ |
2017 case sw_almost_done: |
2018 switch (ch) { |
2019 case LF: |
2020 ctx->header_end = p - 1; |
2021 goto done; |
2022 default: |
2023 return NGX_ERROR; |
2024 } |
2025 } |
2026 } |
2027 |
2028 b->pos = p; |
2029 ctx->state = state; |
2030 |
2031 return NGX_AGAIN; |
2032 |
2033 done: |
2034 |
2035 b->pos = p + 1; |
2036 ctx->state = sw_start; |
2037 |
2038 return NGX_OK; |
2039 } |
2040 |
2041 |
/*
 * Validates one header line that ngx_ssl_ocsp_parse_header_line() has
 * delimited in ctx->header_name_start/end (name) and ctx->header_start/end
 * (value).  The only header inspected is Content-Type, whose value must be
 * "application/ocsp-response" (compared case-insensitively, exact length);
 * every other header is logged at debug level and accepted without being
 * acted upon.  Content-Length in particular is not honored yet.
 *
 * Returns NGX_OK, or NGX_ERROR for an unexpected Content-Type.
 */
static ngx_int_t
ngx_ssl_ocsp_check_header_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    size_t  name_len, value_len;

    ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp header \"%*s: %*s\"",
                   ctx->header_name_end - ctx->header_name_start,
                   ctx->header_name_start,
                   ctx->header_end - ctx->header_start,
                   ctx->header_start);

    name_len = ctx->header_name_end - ctx->header_name_start;

    if (name_len != sizeof("Content-Type") - 1
        || ngx_strncasecmp(ctx->header_name_start,
                           (u_char *) "Content-Type",
                           sizeof("Content-Type") - 1)
           != 0)
    {
        /* TODO: honor Content-Length */
        return NGX_OK;
    }

    value_len = ctx->header_end - ctx->header_start;

    if (value_len == sizeof("application/ocsp-response") - 1
        && ngx_strncasecmp(ctx->header_start,
                           (u_char *) "application/ocsp-response",
                           sizeof("application/ocsp-response") - 1)
           == 0)
    {
        return NGX_OK;
    }

    /*
     * the media type is the only thing checked about the responder's
     * headers before the body is handed to the OCSP parser
     */

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder sent invalid "
                  "\"Content-Type\" header: \"%*s\"",
                  ctx->header_end - ctx->header_start,
                  ctx->header_start);

    return NGX_ERROR;
}


/*
 * Consumes the HTTP header block of an OCSP responder reply, one line per
 * ngx_ssl_ocsp_parse_header_line() call.
 *
 * Returns NGX_AGAIN when more input is needed, NGX_ERROR on a malformed
 * header line or an unexpected Content-Type, and otherwise whatever
 * ngx_ssl_ocsp_process_body() returns once the empty line ending the headers
 * has been seen: ctx->process is switched to that handler and it is invoked
 * right away on the bytes that remain.
 */
static ngx_int_t
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t  rc;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process headers");

    for ( ;; ) {
        rc = ngx_ssl_ocsp_parse_header_line(ctx);

        switch (rc) {

        case NGX_OK:
            /* a complete "name: value" line is available in ctx */
            if (ngx_ssl_ocsp_check_header_line(ctx) != NGX_OK) {
                return NGX_ERROR;
            }

            continue;

        case NGX_DONE:
            /* end of headers: the rest of the buffer is the response body */
            ctx->process = ngx_ssl_ocsp_process_body;
            return ctx->process(ctx);

        case NGX_AGAIN:
            return NGX_AGAIN;

        default:
            /* rc == NGX_ERROR: the line did not parse as a header */
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "OCSP responder sent invalid response");

            return NGX_ERROR;
        }
    }
}
2114 |
6810 | 2115 |
2116 static ngx_int_t |
2117 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx) |
2118 { |
6810 | 2119 u_char c, ch, *p; |
2120 enum { |
2121 sw_start = 0, |
2122 sw_name, |
2123 sw_space_before_value, |
2124 sw_value, |
2125 sw_space_after_value, |
2126 sw_almost_done, |
2127 sw_header_almost_done |
2128 } state; |
2129 |
2130 state = ctx->state; |
2131 |
2132 for (p = ctx->response->pos; p < ctx->response->last; p++) { |
2133 ch = *p; |
2134 |
2135 #if 0 |
2136 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
2137 "s:%d in:'%02Xd:%c'", state, ch, ch); |
2138 #endif |
2139 |
2140 switch (state) { |
2141 |
2142 /* first char */ |
2143 case sw_start: |
2144 |
2145 switch (ch) { |
2146 case CR: |
2147 ctx->header_end = p; |
2148 state = sw_header_almost_done; |
2149 break; |
2150 case LF: |
2151 ctx->header_end = p; |
2152 goto header_done; |
2153 default: |
2154 state = sw_name; |
2155 ctx->header_name_start = p; |
2156 |
2157 c = (u_char) (ch | 0x20); |
2158 if (c >= 'a' && c <= 'z') { |
2159 break; |
2160 } |
2161 |
2162 if (ch >= '0' && ch <= '9') { |
2163 break; |
2164 } |
2165 |
2166 return NGX_ERROR; |
2167 } |
2168 break; |
2169 |
2170 /* header name */ |
2171 case sw_name: |
2172 c = (u_char) (ch | 0x20); |
2173 if (c >= 'a' && c <= 'z') { |
2174 break; |
2175 } |
2176 |
2177 if (ch == ':') { |
2178 ctx->header_name_end = p; |
2179 state = sw_space_before_value; |
2180 break; |
2181 } |
2182 |
2183 if (ch == '-') { |
2184 break; |
2185 } |
2186 |
2187 if (ch >= '0' && ch <= '9') { |
2188 break; |
2189 } |
2190 |
2191 if (ch == CR) { |
2192 ctx->header_name_end = p; |
2193 ctx->header_start = p; |
2194 ctx->header_end = p; |
2195 state = sw_almost_done; |
2196 break; |
2197 } |
2198 |
2199 if (ch == LF) { |
2200 ctx->header_name_end = p; |
2201 ctx->header_start = p; |
2202 ctx->header_end = p; |
2203 goto done; |
2204 } |
2205 |
2206 return NGX_ERROR; |
2207 |
2208 /* space* before header value */ |
2209 case sw_space_before_value: |
2210 switch (ch) { |
2211 case ' ': |
2212 break; |
2213 case CR: |
2214 ctx->header_start = p; |
2215 ctx->header_end = p; |
2216 state = sw_almost_done; |
2217 break; |
2218 case LF: |
2219 ctx->header_start = p; |
2220 ctx->header_end = p; |
2221 goto done; |
2222 default: |
2223 ctx->header_start = p; |
2224 state = sw_value; |
2225 break; |
2226 } |
2227 break; |
2228 |
2229 /* header value */ |
2230 case sw_value: |
2231 switch (ch) { |
2232 case ' ': |
2233 ctx->header_end = p; |
2234 state = sw_space_after_value; |
2235 break; |
2236 case CR: |
2237 ctx->header_end = p; |
2238 state = sw_almost_done; |
2239 break; |
2240 case LF: |
2241 ctx->header_end = p; |
2242 goto done; |
2243 } |
2244 break; |
2245 |
2246 /* space* before end of header line */ |
2247 case sw_space_after_value: |
2248 switch (ch) { |
2249 case ' ': |
2250 break; |
2251 case CR: |
2252 state = sw_almost_done; |
2253 break; |
2254 case LF: |
2255 goto done; |
2256 default: |
2257 state = sw_value; |
2258 break; |
2259 } |
2260 break; |
2261 |
2262 /* end of header line */ |
2263 case sw_almost_done: |
2264 switch (ch) { |
2265 case LF: |
2266 goto done; |
2267 default: |
2268 return NGX_ERROR; |
2269 } |
2270 |
2271 /* end of header */ |
2272 case sw_header_almost_done: |
2273 switch (ch) { |
2274 case LF: |
2275 goto header_done; |
2276 default: |
2277 return NGX_ERROR; |
2278 } |
2279 } |
2280 } |
2281 |
2282 ctx->response->pos = p; |
2283 ctx->state = state; |
2284 |
2285 return NGX_AGAIN; |
2286 |
2287 done: |
2288 |
2289 ctx->response->pos = p + 1; |
2290 ctx->state = sw_start; |
2291 |
2292 return NGX_OK; |
2293 |
2294 header_done: |
2295 |
2296 ctx->response->pos = p + 1; |
2297 ctx->state = sw_start; |
2298 |
2299 return NGX_DONE; |
2300 } |
2301 |
2302 |
/*
 * Body stage of the OCSP responder HTTP client.
 *
 * Runs while the responder's response body is being accumulated in
 * ctx->response.  Nothing in the body is inspected here: once the read side
 * has marked the response as complete (ctx->done), control is handed to
 * ctx->handler, which owns whatever parsing and verification happens next
 * (presumably ngx_ssl_ocsp_verify() below, which decodes ctx->response with
 * d2i_OCSP_RESPONSE() and checks the signature with OCSP_basic_verify();
 * confirm against the code that installs the handler).
 *
 * Returns NGX_DONE after the handler has been invoked and NGX_AGAIN while
 * more data is still expected from the responder.
 *
 * NOTE(review): ctx->done is set outside this function.  Whether a bounded
 * response buffer and a timeout guarantee it is eventually reached for a
 * misbehaving responder is not visible here -- verify on the read path.
 */
static ngx_int_t
ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process body");

    /* still reading: ask the caller to come back with more data */
    if (!ctx->done) {
        return NGX_AGAIN;
    }

    /* complete response buffered; hand it to the completion handler */
    ctx->handler(ctx);

    return NGX_DONE;
}
2316 |
2317 |
2318 static ngx_int_t |
2319 ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx) |
2320 { |
2321 int n; |
2322 size_t len; |
2323 X509_STORE *store; |
2324 const u_char *p; |
2325 OCSP_CERTID *id; |
2326 OCSP_RESPONSE *ocsp; |
2327 OCSP_BASICRESP *basic; |
2328 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate; |
2329 |
2330 ocsp = NULL; |
2331 basic = NULL; |
2332 id = NULL; |
2333 |
2334 if (ctx->code != 200) { |
2335 goto error; |
2336 } |
2337 |
2338 /* check the response */ |
2339 |
2340 len = ctx->response->last - ctx->response->pos; |
2341 p = ctx->response->pos; |
2342 |
2343 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len); |
2344 if (ocsp == NULL) { |
2345 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2346 "d2i_OCSP_RESPONSE() failed"); |
2347 goto error; |
2348 } |
2349 |
2350 n = OCSP_response_status(ocsp); |
2351 |
2352 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
2353 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
2354 "OCSP response not successful (%d: %s)", |
2355 n, OCSP_response_status_str(n)); |
2356 goto error; |
2357 } |
2358 |
2359 basic = OCSP_response_get1_basic(ocsp); |
2360 if (basic == NULL) { |
2361 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2362 "OCSP_response_get1_basic() failed"); |
2363 goto error; |
2364 } |
2365 |
2366 store = SSL_CTX_get_cert_store(ctx->ssl_ctx); |
2367 if (store == NULL) { |
2368 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
2369 "SSL_CTX_get_cert_store() failed"); |
2370 goto error; |
2371 } |
2372 |
2373 if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) { |
2374 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2375 "OCSP_basic_verify() failed"); |
2376 goto error; |
2377 } |
2378 |
2379 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
2380 if (id == NULL) { |
2381 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
2382 "OCSP_cert_to_id() failed"); |
2383 goto error; |
2384 } |
2385 |
2386 if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL, |
2387 &thisupdate, &nextupdate) |
2388 != 1) |
2389 { |
2390 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
2391 "certificate status not found in the OCSP response"); |
2392 goto error; |
2393 } |
2394 |
2395 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) { |
2396 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
2397 "OCSP_check_validity() failed"); |
2398 goto error; |
2399 } |
2400 |
2401 if (nextupdate) { |
2402 ctx->valid = ngx_ssl_stapling_time(nextupdate); |
2403 if (ctx->valid == (time_t) NGX_ERROR) { |
2404 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
2405 "invalid nextUpdate time in certificate status"); |
2406 goto error; |
2407 } |
2408 |
2409 } else { |
2410 ctx->valid = NGX_MAX_TIME_T_VALUE; |
2411 } |
2412 |
2413 OCSP_CERTID_free(id); |
2414 OCSP_BASICRESP_free(basic); |
2415 OCSP_RESPONSE_free(ocsp); |
2416 |
2417 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
2418 "ssl ocsp response, %s, %uz", |
2419 OCSP_cert_status_str(ctx->status), len); |
2420 |
2421 return NGX_OK; |
2422 |
2423 error: |
2424 |
2425 if (id) { |
2426 OCSP_CERTID_free(id); |
2427 } |
2428 |
2429 if (basic) { |
2430 OCSP_BASICRESP_free(basic); |
2431 } |
2432 |
2433 if (ocsp) { |
2434 OCSP_RESPONSE_free(ocsp); |
2435 } |
2436 |
2437 return NGX_ERROR; |
2438 } |
2439 |
2440 |
/*
 * Shared-memory zone init callback for the OCSP certificate status cache.
 *
 * shm_zone: the zone being initialized; on success shm_zone->data points
 *           at the ngx_ssl_ocsp_cache_t that lives inside the zone.
 * data:     the cache object handed over from a previous cycle (nginx
 *           passes the old zone's data here on reload), or NULL.
 *
 * Returns NGX_OK, or NGX_ERROR when a slab allocation inside the zone
 * fails.  The tree and the expire queue are built only once: an inherited
 * cache (data != NULL) or an already existing mapping (shm.exists) is
 * adopted as-is rather than re-created.
 */
ngx_int_t
ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    size_t                 ctx_len;
    ngx_slab_pool_t       *pool;
    ngx_ssl_ocsp_cache_t  *ocsp_cache;

    /* a cache carried over from the previous cycle: reuse it untouched */
    if (data != NULL) {
        shm_zone->data = data;
        return NGX_OK;
    }

    pool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    /* the mapping already exists: the pool already carries the cache */
    if (shm_zone->shm.exists) {
        shm_zone->data = pool->data;
        return NGX_OK;
    }

    ocsp_cache = ngx_slab_alloc(pool, sizeof(ngx_ssl_ocsp_cache_t));
    if (ocsp_cache == NULL) {
        return NGX_ERROR;
    }

    shm_zone->data = ocsp_cache;
    pool->data = ocsp_cache;

    ngx_queue_init(&ocsp_cache->expire_queue);

    ngx_rbtree_init(&ocsp_cache->rbtree, &ocsp_cache->sentinel,
                    ngx_str_rbtree_insert_value);

    /* fixed text plus the zone name; sizeof() already counts the NUL */
    ctx_len = sizeof(" in OCSP cache \"\"") + shm_zone->shm.name.len;

    pool->log_ctx = ngx_slab_alloc(pool, ctx_len);
    if (pool->log_ctx == NULL) {
        return NGX_ERROR;
    }

    ngx_sprintf(pool->log_ctx, " in OCSP cache \"%V\"%Z",
                &shm_zone->shm.name);

    /*
     * Do not log slab "no memory" failures: running out of room in the
     * zone is expected here and is presumably handled by evicting the
     * oldest entry when a new status is stored.
     */
    pool->log_nomem = 0;

    return NGX_OK;
}
2487 |
2488 |
/*
 * Looks up the cached certificate status for the key derived from ctx
 * in the OCSP cache zone attached to ctx->shm_zone.
 *
 * Returns NGX_OK with ctx->status filled in on a fresh hit; NGX_DECLINED
 * when no zone is configured, no entry exists, or the entry has expired
 * (an expired entry is evicted on the spot, under the zone lock); and
 * NGX_ERROR if the lookup key could not be built.
 *
 * No re-verification of the OCSP response happens here: the only
 * freshness check is the expiry bound node->valid, so a cached status is
 * trusted exactly as it was stored.
 */
static ngx_int_t
ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx)
{
    uint32_t                    key_hash;
    ngx_shm_zone_t             *zone;
    ngx_slab_pool_t            *pool;
    ngx_ssl_ocsp_cache_t       *ocsp_cache;
    ngx_ssl_ocsp_cache_node_t  *entry;

    zone = ctx->shm_zone;

    /* caching is optional; without a zone every lookup is a miss */
    if (zone == NULL) {
        return NGX_DECLINED;
    }

    if (ngx_ssl_ocsp_create_key(ctx) != NGX_OK) {
        return NGX_ERROR;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache lookup");

    ocsp_cache = zone->data;
    pool = (ngx_slab_pool_t *) zone->shm.addr;
    key_hash = ngx_hash_key(ctx->key.data, ctx->key.len);

    /* the tree and the slab pool are shared between worker processes */
    ngx_shmtx_lock(&pool->mutex);

    entry = (ngx_ssl_ocsp_cache_node_t *)
                ngx_str_rbtree_lookup(&ocsp_cache->rbtree, &ctx->key,
                                      key_hash);

    if (entry == NULL) {
        ngx_shmtx_unlock(&pool->mutex);

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache miss");

        return NGX_DECLINED;
    }

    if (entry->valid <= ngx_time()) {
        /* stale entry: unlink and free it while the lock is still held */
        ngx_queue_remove(&entry->queue);
        ngx_rbtree_delete(&ocsp_cache->rbtree, &entry->node.node);
        ngx_slab_free_locked(pool, entry);

        ngx_shmtx_unlock(&pool->mutex);

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp cache expired");

        return NGX_DECLINED;
    }

    /* copy the status out before releasing the lock */
    ctx->status = entry->status;

    ngx_shmtx_unlock(&pool->mutex);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp cache hit, %s",
                   OCSP_cert_status_str(ctx->status));

    return NGX_OK;
}
2549 |
2550 |
2551 static ngx_int_t |
2552 ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx) |
2553 { |
2554 time_t now, valid; |
2555 uint32_t hash; |
2556 ngx_queue_t *q; |
2557 ngx_shm_zone_t *shm_zone; |
2558 ngx_slab_pool_t *shpool; |
2559 ngx_ssl_ocsp_cache_t *cache; |
2560 ngx_ssl_ocsp_cache_node_t *node; |
2561 |
2562 shm_zone = ctx->shm_zone; |
2563 |
2564 if (shm_zone == NULL) { |
2565 return NGX_OK; |
2566 } |
2567 |
2568 valid = ctx->valid; |
2569 |
2570 now = ngx_time(); |
2571 |
2572 if (valid < now) { |
2573 return NGX_OK; |
2574 } |
2575 |
2576 if (valid == NGX_MAX_TIME_T_VALUE) { |
2577 valid = now + 3600; |
2578 } |
2579 |
2580 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
2581 "ssl ocsp cache store, valid:%T", valid - now); |
2582 |
2583 cache = shm_zone->data; |
2584 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
2585 hash = ngx_hash_key(ctx->key.data, ctx->key.len); |
2586 |
2587 ngx_shmtx_lock(&shpool->mutex); |
2588 |
2589 node = ngx_slab_calloc_locked(shpool, |
2590 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len); |
2591 if (node == NULL) { |
2592 |
2593 if (!ngx_queue_empty(&cache->expire_queue)) { |
2594 q = ngx_queue_last(&cache->expire_queue); |
2595 node = ngx_queue_data(q, ngx_ssl_ocsp_cache_node_t, queue); |
2596 |
2597 ngx_rbtree_delete(&cache->rbtree, &node->node.node); |
2598 ngx_queue_remove(q); |
2599 ngx_slab_free_locked(shpool, node); |
2600 |
2601 node = ngx_slab_alloc_locked(shpool, |
2602 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len); |
2603 } |
2604 |
2605 if (node == NULL) { |
2606 ngx_shmtx_unlock(&shpool->mutex); |
2607 ngx_log_error(NGX_LOG_ALERT, ctx->log, 0, |
2608 "could not allocate new entry%s", shpool->log_ctx); |
2609 return NGX_ERROR; |
2610 } |
2611 } |
2612 |
2613 node->node.str.len = ctx->key.len; |
2614 node->node.str.data = (u_char *) node + sizeof(ngx_ssl_ocsp_cache_node_t); |
2615 ngx_memcpy(node->node.str.data, ctx->key.data, ctx->key.len); |
2616 node->node.node.key = hash; |
2617 node->status = ctx->status; |
2618 node->valid = valid; |
2619 |
2620 ngx_rbtree_insert(&cache->rbtree, &node->node.node); |
2621 ngx_queue_insert_head(&cache->expire_queue, &node->queue); |
2622 |
2623 ngx_shmtx_unlock(&shpool->mutex); |
2624 |
2625 return NGX_OK; |
2626 } |
2627 |
2628 |
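/*
 * Builds the cache key for the certificate being checked.  The key is
 * three fixed 20-byte fields: the SHA-1 digest of the issuer's subject
 * name, the SHA-1 digest of the issuer's public key, and the raw content
 * octets of the certificate serial number padded with trailing zero bytes.
 * This is the same triple an OCSP CertID carries, so requests for the
 * same certificate share one cache entry.
 *
 * On success ctx->key points at a pool-allocated NGX_SSL_OCSP_KEY_LEN
 * byte buffer and NGX_OK is returned; the key is logged in hex at debug
 * level.  NGX_ERROR is returned when the allocation or a digest fails, or
 * when the serial number is longer than the 20 octets RFC 5280 permits.
 * In the error case ctx->key has already been assigned and may hold
 * partial data, so callers must not use it.
 */
static ngx_int_t
ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
{
    /*
     * One field per key component; SHA-1 output fills exactly one field,
     * and the total is derived from the field size so the two cannot drift
     * apart.
     */
    enum {
        NGX_SSL_OCSP_KEY_FIELD = 20,
        NGX_SSL_OCSP_KEY_LEN = 3 * NGX_SSL_OCSP_KEY_FIELD
    };

    u_char        *p;
    X509_NAME     *name;
    ASN1_INTEGER  *serial;

    p = ngx_pnalloc(ctx->pool, NGX_SSL_OCSP_KEY_LEN);
    if (p == NULL) {
        return NGX_ERROR;
    }

    ctx->key.data = p;
    ctx->key.len = NGX_SSL_OCSP_KEY_LEN;

    /* field 1: issuerNameHash */

    name = X509_get_subject_name(ctx->issuer);
    if (X509_NAME_digest(name, EVP_sha1(), p, NULL) == 0) {
        return NGX_ERROR;
    }

    p += NGX_SSL_OCSP_KEY_FIELD;

    /* field 2: issuerKeyHash */

    if (X509_pubkey_digest(ctx->issuer, EVP_sha1(), p, NULL) == 0) {
        return NGX_ERROR;
    }

    p += NGX_SSL_OCSP_KEY_FIELD;

    /*
     * field 3: serialNumber.  ctx->cert may be a peer-supplied
     * certificate, so its serial length is checked before it sizes the
     * copy.  An oversized serial is rejected rather than truncated, since
     * a truncated key could make two distinct certificates collide.
     */

    serial = X509_get_serialNumber(ctx->cert);
    if (serial->length > NGX_SSL_OCSP_KEY_FIELD) {
        return NGX_ERROR;
    }

    p = ngx_cpymem(p, serial->data, serial->length);
    ngx_memzero(p, NGX_SSL_OCSP_KEY_FIELD - serial->length);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp key %xV", &ctx->key);

    return NGX_OK;
}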
2670 |
2671 |
/*
 * Log handler that appends OCSP request context to an error line.
 * Writes into buf, never more than len bytes in total: first the current
 * log action (" while ..."), then, when log->data carries an
 * ngx_ssl_ocsp_ctx_t, the responder host, the peer name and the
 * certificate name.  Every piece goes through ngx_snprintf bounded by the
 * remaining length, and all caller data is passed as %s/%V arguments,
 * never as the format itself.  Returns a pointer just past the last byte
 * written, which is buf itself when nothing was appended.
 */
static u_char *
ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len)
{
    u_char              *last;
    ngx_ssl_ocsp_ctx_t  *ctx;

    last = buf;

    if (log->action) {
        last = ngx_snprintf(buf, len, " while %s", log->action);
        len -= last - buf;
        buf = last;
    }

    ctx = log->data;

    /* without a request context there is nothing more to add */

    if (ctx == NULL) {
        return last;
    }

    last = ngx_snprintf(buf, len, ", responder: %V", &ctx->host);
    len -= last - buf;
    buf = last;

    if (ctx->peer.name) {
        last = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name);
        len -= last - buf;
        buf = last;
    }

    if (ctx->name) {
        last = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name);
        len -= last - buf;
        buf = last;
    }

    return last;
}
2708 |
2709 |
2710 #else |
2711 |
2712 |
/*
 * Stub compiled when OCSP support is unavailable: "ssl_stapling" is
 * accepted but does nothing.  Only a warning is logged through ssl->log
 * and NGX_OK is returned, so configuration loading continues; stapling
 * is an optimisation, not a verification step, which is why this is
 * softer than the ngx_ssl_ocsp() stub below.  cf, file, responder and
 * verify are unused.
 */
ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
    ngx_str_t *responder, ngx_uint_t verify)
{
    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                  "\"ssl_stapling\" ignored, not supported");

    return NGX_OK;
}
2722 |
6810 | 2723 |
/*
 * Stub compiled when OCSP support is unavailable.  There is no responder
 * to resolve, so all parameters are ignored and NGX_OK is returned.
 */
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}
2730 |
2731 |
/*
 * Stub compiled when OCSP support is unavailable.  Unlike the
 * ngx_ssl_stapling() stub, this one logs at NGX_LOG_EMERG and returns
 * NGX_ERROR so the configuration is refused: silently accepting
 * "ssl_ocsp" would leave certificate revocation status unchecked while
 * the operator believes it is enforced.  cf, responder, depth and
 * shm_zone are unused.
 */
ngx_int_t
ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
    ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
{
    ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                  "\"ssl_ocsp\" is not supported on this platform");

    return NGX_ERROR;
}
2741 |
2742 |
/*
 * Stub compiled when OCSP support is unavailable.  There is no responder
 * to resolve, so all parameters are ignored and NGX_OK is returned.
 */
ngx_int_t
ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}
2749 |
2750 |
/*
 * Stub compiled when OCSP support is unavailable: returns NGX_OK without
 * inspecting c, i.e. no revocation check is performed.  This is presumably
 * only reachable with OCSP disabled, because the ngx_ssl_ocsp() stub
 * rejects the directive at configuration time on such builds — verify
 * against the callers before relying on that.
 */
ngx_int_t
ngx_ssl_ocsp_validate(ngx_connection_t *c)
{
    return NGX_OK;
}
2756 |
2757 |
/*
 * Stub compiled when OCSP support is unavailable.  Returns NGX_OK and
 * does not write to *s, so callers must not read *s on the NGX_OK path
 * unless they initialised it themselves.  c is unused.
 */
ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    return NGX_OK;
}
2763 |
2764 |
/*
 * Stub compiled when OCSP support is unavailable: no per-connection OCSP
 * state is ever created on such builds, so there is nothing to release.
 */
void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
}
2769 |
2770 |
/*
 * Shared-zone init callback, stub compiled when OCSP support is
 * unavailable.  The zone is left untouched and NGX_OK is returned so zone
 * initialisation does not fail; data is unused.
 */
ngx_int_t
ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    return NGX_OK;
}
2776 |
2777 |
2778 #endif |