annotate src/event/ngx_event_openssl_stapling.c @ 688:f31b19fe7f48 NGINX_1_3_7

nginx 1.3.7 *) Feature: OCSP stapling support. Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work. *) Feature: the "ssl_trusted_certificate" directive. *) Feature: resolver now randomly rotates addresses returned from cache. Thanks to Anton Jouline. *) Bugfix: OpenSSL 0.9.7 compatibility.
author Igor Sysoev <http://sysoev.ru>
date Tue, 02 Oct 2012 00:00:00 +0400
2 /*
3 * Copyright (C) Maxim Dounin
4 * Copyright (C) Nginx, Inc.
5 */
8 #include <ngx_config.h>
9 #include <ngx_core.h>
10 #include <ngx_event.h>
11 #include <ngx_event_connect.h>
14 #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
/*
 * Per-SSL_CTX OCSP stapling state.  ngx_ssl_stapling() stores it in the
 * context's ex_data slot ngx_ssl_stapling_index and also passes it as the
 * argument of the tlsext status callback.
 */
typedef struct {
    /* DER-encoded OCSP response handed to clients; when loaded from a file
     * this is heap memory from ngx_alloc() (see ngx_ssl_stapling_file()) */
    ngx_str_t                    staple;
    /* set to 60000 (ms) by ngx_ssl_stapling(); presumably bounds an OCSP
     * fetch -- its consumer is not in this part of the file */
    ngx_msec_t                   timeout;

    /* presumably the resolver used for the responder host name and its
     * timeout; neither is assigned in this chunk */
    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    /* presumably the OCSP responder location, either as pre-resolved
     * addresses or as host/uri/port; filled in by ngx_ssl_stapling_responder()
     * whose body is outside this chunk */
    ngx_addr_t                  *addrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    /* back pointer to the owning SSL_CTX */
    SSL_CTX                     *ssl_ctx;

    /* server certificate and its issuer; ngx_ssl_stapling_issuer() takes an
     * extra reference on the issuer when it finds it in the extra chain */
    X509                        *cert;
    X509                        *issuer;

    /* NOTE(review): not assigned anywhere in the visible part of the file;
     * presumably the time until which the cached staple may be served */
    time_t                       valid;

    /* copied from the "verify" argument of ngx_ssl_stapling(); note that it
     * is not consulted for a response loaded from a file */
    unsigned                     verify:1;
    /* NOTE(review): not referenced in the visible part of the file;
     * presumably set while a fetch is in flight */
    unsigned                     loading:1;
} ngx_ssl_stapling_t;
typedef struct ngx_ssl_ocsp_ctx_s  ngx_ssl_ocsp_ctx_t;

/*
 * State of one asynchronous OCSP fetch.  The handlers that drive it are
 * declared below but defined outside this chunk, so the field roles given
 * here are inferred from the prototypes and field names -- treat them as
 * hints to be confirmed against the handler bodies.
 */
struct ngx_ssl_ocsp_ctx_s {
    /* certificate to query and its issuer, needed to build the OCSP request */
    X509                        *cert;
    X509                        *issuer;

    /* number of entries in addrs */
    ngx_uint_t                   naddrs;

    /* responder location: resolved addresses, or host/uri/port */
    ngx_addr_t                  *addrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    /* resolver and its timeout, for a responder given by name */
    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    /* fetch timeout */
    ngx_msec_t                   timeout;

    /* completion callback and its opaque argument */
    void                       (*handler)(ngx_ssl_ocsp_ctx_t *r);
    void                        *data;

    /* outgoing HTTP request, incoming HTTP response, and the upstream
     * connection to the responder */
    ngx_buf_t                   *request;
    ngx_buf_t                   *response;
    ngx_peer_connection_t        peer;

    /* current response-parsing stage (status line, headers, body) */
    ngx_int_t                  (*process)(ngx_ssl_ocsp_ctx_t *r);

    /* parser state-machine position */
    ngx_uint_t                   state;

    /* HTTP status code and a scratch counter used while parsing */
    ngx_uint_t                   code;
    ngx_uint_t                   count;

    /* non-zero once the fetch has completed */
    ngx_uint_t                   done;

    /* boundaries of the header line being parsed */
    u_char                      *header_name_start;
    u_char                      *header_name_end;
    u_char                      *header_start;
    u_char                      *header_end;

    /* allocation pool and log used for the lifetime of the fetch */
    ngx_pool_t                  *pool;
    ngx_log_t                   *log;
};
/* configuration-time setup: load a staple file, find the issuer, locate
 * the OCSP responder (grouping by name; most bodies are outside this chunk) */
static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *file);
/* NOTE(review): in the body below, the X509_STORE_CTX_init() failure path
 * returns NGX_ERROR without X509_STORE_CTX_free(store_ctx) -- confirm and
 * free it there */
static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl);
static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_str_t *responder);

/* run time: the OpenSSL tlsext status callback and the staple update path */
static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
    void *data);
static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);

/* pool cleanup registered for the ngx_ssl_stapling_t by ngx_ssl_stapling() */
static void ngx_ssl_stapling_cleanup(void *data);

/* asynchronous OCSP-over-HTTP client: lifecycle, name resolution,
 * connection and event handlers */
static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(void);
static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve);
static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev);
static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev);
static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);

/* OCSP request construction and the HTTP response parsing stages */
static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx);

/* log-context formatter (ngx_log_t handler signature) */
static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len);
/*
 * Enables OCSP stapling on the SSL context described by ssl.
 *
 * A per-context ngx_ssl_stapling_t is allocated from cf->pool, registered as
 * pool cleanup data and attached to ssl->ctx via ngx_ssl_stapling_index.  The
 * stapled response either comes from "file" (when file->len != 0) or is to be
 * fetched from an OCSP responder, which requires locating the certificate's
 * issuer first.  In both cases the tlsext status callback is installed last.
 *
 * Returns NGX_OK on success.  NGX_DECLINED from issuer or responder discovery
 * also yields NGX_OK: stapling is then simply left inactive for this context
 * rather than treated as a configuration error.  Returns NGX_ERROR otherwise.
 */
ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
    ngx_str_t *responder, ngx_uint_t verify)
{
    ngx_int_t            rc;
    ngx_pool_cleanup_t  *cln;
    ngx_ssl_stapling_t  *staple;

    staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
    if (staple == NULL) {
        return NGX_ERROR;
    }

    /*
     * register the cleanup before any resource is handed to the staple
     * (ngx_ssl_stapling_cleanup() presumably releases the staple buffer
     * and X509 references; its body is outside this chunk)
     */
    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_ERROR;
    }

    cln->handler = ngx_ssl_stapling_cleanup;
    cln->data = staple;

    if (!SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_stapling_index, staple)) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    staple->ssl_ctx = ssl->ctx;
    staple->timeout = 60000;    /* milliseconds; not configurable here */
    staple->verify = verify;

    if (file->len) {
        /*
         * use OCSP response from the file
         *
         * NOTE(review): ngx_ssl_stapling_file() only re-encodes whatever
         * d2i_OCSP_RESPONSE_bio() parses, so a file-provided response is
         * stapled as-is: neither "verify" nor issuer discovery applies to
         * it.  The operator is trusted to supply a valid, current response.
         */
        if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) {
            return NGX_ERROR;
        }

    } else {
        /* the issuer certificate is needed to build OCSP requests */
        rc = ngx_ssl_stapling_issuer(cf, ssl);

        if (rc != NGX_OK) {
            return (rc == NGX_DECLINED) ? NGX_OK : NGX_ERROR;
        }

        /* the responder is either the explicit "responder" argument or one
         * found by ngx_ssl_stapling_responder() (body outside this chunk) */
        rc = ngx_ssl_stapling_responder(cf, ssl, responder);

        if (rc != NGX_OK) {
            return (rc == NGX_DECLINED) ? NGX_OK : NGX_ERROR;
        }
    }

    SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
    SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple);

    return NGX_OK;
}
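/*
 * Loads a pre-fetched, DER-encoded OCSP response from "file" and installs it
 * as the staple of the ngx_ssl_stapling_t attached to ssl->ctx.
 *
 * The response is parsed with d2i_OCSP_RESPONSE_bio() and re-serialized with
 * i2d_OCSP_RESPONSE() into a heap buffer that becomes staple->staple.  Nothing
 * beyond DER well-formedness is checked.
 *
 * NOTE(review): no OCSP_response_status() check, no signature verification
 * and no validity-window check is applied to a file-provided response --
 * whatever the operator puts in the file is what clients receive.
 *
 * Returns NGX_OK on success, NGX_ERROR otherwise (after logging at EMERG).
 */
static ngx_int_t
ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
{
    BIO                 *bio;
    int                  len;
    u_char              *p, *buf;
    OCSP_RESPONSE       *response;
    ngx_ssl_stapling_t  *staple;

    staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);

    /* make a relative path absolute with respect to the configuration prefix */
    if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    /*
     * DER is binary: open in "rb" rather than "r" so that text-mode
     * newline translation on platforms that distinguish the two (Windows)
     * cannot corrupt the encoded response
     */
    bio = BIO_new_file((char *) file->data, "rb");
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "BIO_new_file(\"%s\") failed", file->data);
        return NGX_ERROR;
    }

    response = d2i_OCSP_RESPONSE_bio(bio, NULL);
    if (response == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
        BIO_free(bio);
        return NGX_ERROR;
    }

    /* first pass: size the canonical DER encoding */
    len = i2d_OCSP_RESPONSE(response, NULL);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
        goto failed;
    }

    /* heap, not pool, memory: presumably released by ngx_ssl_stapling_cleanup()
     * (its body is outside this chunk) */
    buf = ngx_alloc(len, ssl->log);
    if (buf == NULL) {
        goto failed;
    }

    /* second pass: encode into buf; i2d advances its pointer, hence the copy */
    p = buf;
    len = i2d_OCSP_RESPONSE(response, &p);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
        ngx_free(buf);
        goto failed;
    }

    OCSP_RESPONSE_free(response);
    BIO_free(bio);

    staple->staple.data = buf;
    staple->staple.len = len;

    return NGX_OK;

failed:

    OCSP_RESPONSE_free(response);
    BIO_free(bio);

    return NGX_ERROR;
}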
257 static ngx_int_t
258 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
259 {
260 int i, n, rc;
261 X509 *cert, *issuer;
262 X509_STORE *store;
263 X509_STORE_CTX *store_ctx;
264 STACK_OF(X509) *chain;
265 ngx_ssl_stapling_t *staple;
266
267 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
268 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
269
270 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
271 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
272 #else
273 chain = ssl->ctx->extra_certs;
274 #endif
275
276 n = sk_X509_num(chain);
277
278 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
279 "SSL get issuer: %d extra certs", n);
280
281 for (i = 0; i < n; i++) {
282 issuer = sk_X509_value(chain, i);
283 if (X509_check_issued(issuer, cert) == X509_V_OK) {
284 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
285
286 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
287 "SSL get issuer: found %p in extra certs", issuer);
288
289 staple->cert = cert;
290 staple->issuer = issuer;
291
292 return NGX_OK;
293 }
294 }
295
296 store = SSL_CTX_get_cert_store(ssl->ctx);
297 if (store == NULL) {
298 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
299 "SSL_CTX_get_cert_store() failed");
300 return NGX_ERROR;
301 }
302
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
303 store_ctx = X509_STORE_CTX_new();
304 if (store_ctx == NULL) {
305 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
306 "X509_STORE_CTX_new() failed");
307 return NGX_ERROR;
308 }
310 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) {
311 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
312 "X509_STORE_CTX_init() failed");
313 return NGX_ERROR;
314 }
316 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert);
318 if (rc == -1) {
319 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
320 "X509_STORE_CTX_get1_issuer() failed");
321 X509_STORE_CTX_free(store_ctx);
322 return NGX_ERROR;
323 }
325 if (rc == 0) {
326 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
327 "\"ssl_stapling\" ignored, issuer certificate not found");
328 X509_STORE_CTX_free(store_ctx);
329 return NGX_DECLINED;
330 }
332 X509_STORE_CTX_free(store_ctx);
334 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
335 "SSL get issuer: found %p in cert store", issuer);
337 staple->cert = cert;
338 staple->issuer = issuer;
340 return NGX_OK;
341 }
/*
 * Fills *responder with the first OCSP responder URL found in the
 * certificate's Authority Information Access extension.  The copy is taken
 * from cf->pool and is not NUL-terminated (ngx_str_t carries the length).
 *
 * Returns NGX_OK, NGX_DECLINED (a warning is logged) when the certificate
 * carries no responder URL, or NGX_ERROR when the pool allocation fails.
 */
static ngx_int_t
ngx_ssl_stapling_responder_from_cert(ngx_conf_t *cf, ngx_ssl_t *ssl,
    X509 *cert, ngx_str_t *responder)
{
    char                      *url;
    STACK_OF(OPENSSL_STRING)  *aia;

    aia = X509_get1_ocsp(cert);
    if (aia == NULL) {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "no OCSP responder URL in the certificate");
        return NGX_DECLINED;
    }

    /* only the first AIA entry is ever used */

#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    url = sk_OPENSSL_STRING_value(aia, 0);
#else
    url = sk_value(aia, 0);
#endif

    if (url == NULL) {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "no OCSP responder URL in the certificate");
        X509_email_free(aia);
        return NGX_DECLINED;
    }

    responder->len = ngx_strlen(url);

    responder->data = ngx_palloc(cf->pool, responder->len);
    if (responder->data == NULL) {
        X509_email_free(aia);
        return NGX_ERROR;
    }

    ngx_memcpy(responder->data, url, responder->len);

    /* the stack and its strings belong to OpenSSL; release them here */
    X509_email_free(aia);

    return NGX_OK;
}


/*
 * Determines the OCSP responder used for stapling: the URL supplied in
 * *responder when it is non-empty, otherwise the one embedded in the
 * certificate stored in the stapling state.  Only http:// URLs are accepted;
 * the scheme prefix is stripped before ngx_parse_url() and the port defaults
 * to 80.  On success the resolved addresses, host, port and request URI
 * (defaulting to "/") are recorded in the SSL context's stapling state.
 *
 * Returns NGX_OK; NGX_DECLINED, with a warning logged, when stapling must be
 * ignored because the responder is missing or malformed; NGX_ERROR on
 * allocation or other internal failure.
 */
static ngx_int_t
ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder)
{
    size_t               prefix_len;
    ngx_int_t            rc;
    ngx_url_t            url;
    ngx_ssl_stapling_t  *staple;

    staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);

    if (responder->len == 0) {
        /* nothing configured explicitly: fall back to the certificate */
        rc = ngx_ssl_stapling_responder_from_cert(cf, ssl, staple->cert,
                                                  responder);
        if (rc != NGX_OK) {
            return rc;
        }
    }

    ngx_memzero(&url, sizeof(ngx_url_t));

    url.url = *responder;
    url.default_port = 80;
    url.uri_part = 1;

    /* only plain http:// responders are understood; reject anything else */

    prefix_len = sizeof("http://") - 1;

    if (url.url.len <= prefix_len
        || ngx_strncasecmp(url.url.data, (u_char *) "http://", prefix_len)
           != 0)
    {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "invalid URL prefix in OCSP responder \"%V\"", &url.url);
        return NGX_DECLINED;
    }

    url.url.data += prefix_len;
    url.url.len -= prefix_len;

    if (ngx_parse_url(cf->pool, &url) != NGX_OK) {
        if (url.err == NULL) {
            /* no parser diagnostic: treat as an internal failure */
            return NGX_ERROR;
        }

        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "%s in OCSP responder \"%V\"", url.err, &url.url);
        return NGX_DECLINED;
    }

    staple->addrs = url.addrs;
    staple->host = url.host;
    staple->port = url.port;
    staple->uri = url.uri;

    if (staple->uri.len == 0) {
        ngx_str_set(&staple->uri, "/");
    }

    return NGX_OK;
}
/*
 * Records the resolver and resolver timeout that later OCSP requests for
 * this SSL context will use to look up the responder host.  cf is unused
 * here; it is kept for interface uniformity with the other setup calls.
 *
 * NOTE(review): the stapling state is fetched from the SSL context's ex_data
 * and dereferenced without a NULL check, so this presumably must only be
 * called after stapling has been set up on the context — confirm against
 * the callers.
 *
 * Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    ngx_ssl_stapling_t  *stapling;

    stapling = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);

    stapling->resolver_timeout = resolver_timeout;
    stapling->resolver = resolver;

    return NGX_OK;
}
/*
 * OpenSSL status_request (OCSP stapling) callback, invoked during the
 * handshake with data pointing at the context's stapling state.
 *
 * When a cached OCSP response exists it is handed to OpenSSL in a fresh
 * OPENSSL_malloc() buffer (OpenSSL frees that buffer itself, so the cached
 * copy must not be passed directly) and SSL_TLSEXT_ERR_OK is returned.
 * Without a cached response, or if the copy cannot be allocated, the
 * handshake proceeds without a status (SSL_TLSEXT_ERR_NOACK).  In either
 * non-failing case a refresh of the cached response is triggered via
 * ngx_ssl_stapling_update() once it is due.
 *
 * NOTE(review): the cached response is stapled whenever one is present; its
 * validity window is not re-checked here, only the refresh logic looks at
 * staple->valid.  Confirm against the OCSP handler that a response past its
 * nextUpdate cannot remain cached.
 */
static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
    size_t               len;
    u_char              *copy;
    ngx_connection_t    *c;
    ngx_ssl_stapling_t  *staple;

    c = ngx_ssl_get_connection(ssl_conn);
    staple = data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL certificate status callback");

    len = staple->staple.len;

    if (len == 0) {
        /* nothing cached yet: answer without a status, but start a fetch */
        ngx_ssl_stapling_update(staple);
        return SSL_TLSEXT_ERR_NOACK;
    }

    /* OpenSSL takes ownership of the buffer and frees it, hence the copy */

    copy = OPENSSL_malloc(len);
    if (copy == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
        return SSL_TLSEXT_ERR_NOACK;
    }

    ngx_memcpy(copy, staple->staple.data, len);
    SSL_set_tlsext_status_ocsp_resp(ssl_conn, copy, len);

    ngx_ssl_stapling_update(staple);

    return SSL_TLSEXT_ERR_OK;
}
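/*
 * Starts an asynchronous OCSP fetch for the stapled certificate unless it
 * is not needed (no responder host configured), one is already in flight
 * (staple->loading), or the cached response is still considered valid
 * (staple->valid has not passed yet).  The result is delivered to
 * ngx_ssl_stapling_ocsp_handler() with ctx->data pointing back at staple.
 *
 * staple->loading is raised only once a request context has actually been
 * obtained.  Previously it was set before ngx_ssl_ocsp_start() and left set
 * when that call failed; since no request was issued, nothing that could
 * later clear the flag ever ran, and every subsequent call returned early —
 * a single transient allocation failure permanently disabled refreshes for
 * this context.
 */
static void
ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
{
    ngx_ssl_ocsp_ctx_t  *ctx;

    if (staple->host.len == 0
        || staple->loading || staple->valid >= ngx_time())
    {
        return;
    }

    ctx = ngx_ssl_ocsp_start();
    if (ctx == NULL) {
        /* leave loading clear so the next callback can retry */
        return;
    }

    /* mark in flight before the request, which may complete synchronously */
    staple->loading = 1;

    ctx->cert = staple->cert;
    ctx->issuer = staple->issuer;

    ctx->addrs = staple->addrs;
    ctx->host = staple->host;
    ctx->uri = staple->uri;
    ctx->port = staple->port;
    ctx->timeout = staple->timeout;

    ctx->resolver = staple->resolver;
    ctx->resolver_timeout = staple->resolver_timeout;

    ctx->handler = ngx_ssl_stapling_ocsp_handler;
    ctx->data = staple;

    ngx_ssl_ocsp_request(ctx);

    return;
}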
525 static void
526 ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
527 {
528 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL
529 const
530 #endif
531 u_char *p;
532 int n;
533 size_t len;
534 ngx_str_t response;
535 X509_STORE *store;
536 STACK_OF(X509) *chain;
537 OCSP_CERTID *id;
538 OCSP_RESPONSE *ocsp;
539 OCSP_BASICRESP *basic;
540 ngx_ssl_stapling_t *staple;
541 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
543 staple = ctx->data;
544 ocsp = NULL;
545 basic = NULL;
546 id = NULL;
548 if (ctx->code != 200) {
549 goto error;
550 }
552 /* check the response */
554 len = ctx->response->last - ctx->response->pos;
555 p = ctx->response->pos;
557 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len);
558 if (ocsp == NULL) {
559 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
560 "d2i_OCSP_RESPONSE() failed");
561 goto error;
562 }
564 n = OCSP_response_status(ocsp);
566 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
567 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
568 "OCSP response not successful (%d: %s)",
569 n, OCSP_response_status_str(n));
570 goto error;
571 }
573 basic = OCSP_response_get1_basic(ocsp);
574 if (basic == NULL) {
575 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
576 "OCSP_response_get1_basic() failed");
577 goto error;
578 }
580 store = SSL_CTX_get_cert_store(staple->ssl_ctx);
581 if (store == NULL) {
582 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
583 "SSL_CTX_get_cert_store() failed");
584 goto error;
585 }
587 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
588 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
589 #else
590 chain = staple->ssl_ctx->extra_certs;
591 #endif
593 if (OCSP_basic_verify(basic, chain, store,
594 staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
595 != 1)
596 {
597 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
598 "OCSP_basic_verify() failed");
599 goto error;
600 }
602 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
603 if (id == NULL) {
604 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
605 "OCSP_cert_to_id() failed");
606 goto error;
607 }
609 if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
610 &thisupdate, &nextupdate)
611 != 1)
612 {
613 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
614 "certificate status not found in the OCSP response",
615 n, OCSP_response_status_str(n));
616 goto error;
617 }
619 if (n != V_OCSP_CERTSTATUS_GOOD) {
620 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
621 "certificate status \"%s\" in the OCSP response",
622 n, OCSP_cert_status_str(n));
623 goto error;
624 }
626 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
627 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
628 "OCSP_check_validity() failed");
629 goto error;
630 }
632 OCSP_CERTID_free(id);
633 OCSP_BASICRESP_free(basic);
634 OCSP_RESPONSE_free(ocsp);
636 /* copy the response to memory not in ctx->pool */
638 response.len = len;
639 response.data = ngx_alloc(response.len, ctx->log);
641 if (response.data == NULL) {
642 goto done;
643 }
645 ngx_memcpy(response.data, ctx->response->pos, response.len);
647 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
648 "ssl ocsp response, %s, %uz",
649 OCSP_cert_status_str(n), response.len);
651 if (staple->staple.data) {
652 ngx_free(staple->staple.data);
653 }
655 staple->staple = response;
657 done:
659 staple->loading = 0;
660 staple->valid = ngx_time() + 3600; /* ssl_stapling_valid */
662 ngx_ssl_ocsp_done(ctx);
664
666
667 staple->loading = 0;
669
670 if (id) {
671 OCSP_CERTID_free(id);
673
674 if (basic) {
675 OCSP_BASICRESP_free(basic);
677
678 if (ocsp) {
679 OCSP_RESPONSE_free(ocsp);
681
682 ngx_ssl_ocsp_done(ctx);
683 }
/*
 * Cleanup callback for an ngx_ssl_stapling_t (presumably registered as a
 * pool cleanup handler; the registration is not in view here).  Releases
 * the two resources the staple owns outside of any pool: the OpenSSL
 * issuer certificate and the cached DER-encoded OCSP response, which the
 * OCSP handler allocates with ngx_alloc() so that it outlives the
 * per-request ctx->pool.
 */
static void
ngx_ssl_stapling_cleanup(void *data)
{
    ngx_ssl_stapling_t  *staple;

    staple = data;

    if (staple->issuer != NULL) {
        X509_free(staple->issuer);
    }

    if (staple->staple.data != NULL) {
        ngx_free(staple->staple.data);
    }
}
701 static ngx_ssl_ocsp_ctx_t *
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
702 ngx_ssl_ocsp_start(void)
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
703 {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
704 ngx_log_t *log;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
705 ngx_pool_t *pool;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
706 ngx_ssl_ocsp_ctx_t *ctx;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
707
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
708 pool = ngx_create_pool(2048, ngx_cycle->log);
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
709 if (pool == NULL) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
710 return NULL;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
711 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
712
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
713 ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t));
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
714 if (ctx == NULL) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
715 ngx_destroy_pool(pool);
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
716 return NULL;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
717 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
718
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
719 log = ngx_palloc(pool, sizeof(ngx_log_t));
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
720 if (log == NULL) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
721 ngx_destroy_pool(pool);
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
722 return NULL;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
723 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
724
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
725 ctx->pool = pool;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
726
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
727 *log = *ctx->pool->log;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
728
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
729 ctx->pool->log = log;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
730 ctx->log = log;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
731
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
732 log->handler = ngx_ssl_ocsp_log_error;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
733 log->data = ctx;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
734 log->action = "requesting certificate status";
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
735
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
736 return ctx;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
737 }
/*
 * Tears down an OCSP fetch context: closes the responder connection if one
 * was established and destroys ctx->pool.  ctx and ctx->log were allocated
 * from that pool by ngx_ssl_ocsp_start(), so ctx must not be touched after
 * this returns.
 */
static void
ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp done");

    if (ctx->peer.connection != NULL) {
        ngx_close_connection(ctx->peer.connection);
    }

    /* frees ctx and ctx->log as well */
    ngx_destroy_pool(ctx->pool);
}
/*
 * Reports a failed OCSP fetch to the completion handler.  ctx->code is
 * zeroed first (the handler is expected to treat 0 as "no response
 * obtained" -- the check itself is not in view here), then ctx is handed to
 * ctx->handler, which owns it from this point on.
 */
static void
ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp error");

    ctx->code = 0;

    ctx->handler(ctx);
}
/*
 * Starts one OCSP fetch for ctx: builds the request, then either resolves
 * the responder host name (asynchronously; ngx_ssl_ocsp_resolve_handler()
 * continues once the answer arrives) or connects immediately using the
 * addresses already stored in ctx->addrs.  Only IPv4 (A) records are
 * requested.  Every failure is routed through ngx_ssl_ocsp_error(), which
 * hands ctx back to ctx->handler.
 */
static void
ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_resolver_ctx_t  *rctx, temp;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp request");

    if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (ctx->resolver == NULL) {
        /* no resolver configured for this context: ctx->addrs is used as is */
        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    /* resolve OCSP responder hostname */

    temp.name = ctx->host;

    rctx = ngx_resolve_start(ctx->resolver, &temp);

    if (rctx == NULL) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (rctx == NGX_NO_RESOLVER) {
        /* warn, then fall back to the addresses already in ctx->addrs */
        ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
                      "no resolver defined to resolve %V", &ctx->host);
        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    rctx->name = ctx->host;
    rctx->type = NGX_RESOLVE_A;
    rctx->handler = ngx_ssl_ocsp_resolve_handler;
    rctx->data = ctx;
    rctx->timeout = ctx->resolver_timeout;

    /* asynchronous from here on; the resolve handler takes over */
    if (ngx_resolve_name(rctx) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
    }
}
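/*
 * Resolver completion callback for the OCSP responder host name.  On
 * success the resolved IPv4 addresses are copied into ctx->pool as
 * ngx_addr_t entries (sockaddr plus an "a.b.c.d:port" text form, which is
 * later used as ctx->peer.name), the resolver context is released and the
 * connection to the responder is started.  On any failure the resolver
 * context is released and the error is reported via ngx_ssl_ocsp_error().
 *
 * Fix: the entry trace passed NGX_LOG_ALERT to ngx_log_debug0().  That
 * constant looks like an ngx_log_error() severity, not a debug mask; every
 * other trace in this file passes NGX_LOG_DEBUG_EVENT, so this one now does
 * too.
 */
static void
ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
{
    ngx_ssl_ocsp_ctx_t *ctx = resolve->data;

    u_char              *p;
    size_t               len;
    in_port_t            port;
    ngx_uint_t           i;
    struct sockaddr_in  *sin;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp resolve handler");

    if (resolve->state) {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "%V could not be resolved (%i: %s)",
                      &resolve->name, resolve->state,
                      ngx_resolver_strerror(resolve->state));
        goto failed;
    }

#if (NGX_DEBUG)
    {
    in_addr_t   addr;

    for (i = 0; i < resolve->naddrs; i++) {
        addr = ntohl(resolve->addrs[i]);

        ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "name was resolved to %ud.%ud.%ud.%ud",
                       (addr >> 24) & 0xff, (addr >> 16) & 0xff,
                       (addr >> 8) & 0xff, addr & 0xff);
    }
    }
#endif

    /*
     * copy the addresses into ctx->pool: resolve->addrs is released by
     * ngx_resolve_name_done() below and must not be referenced afterwards
     */

    ctx->naddrs = resolve->naddrs;
    ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t));

    if (ctx->addrs == NULL) {
        goto failed;
    }

    port = htons(ctx->port);

    for (i = 0; i < resolve->naddrs; i++) {

        sin = ngx_pcalloc(ctx->pool, sizeof(struct sockaddr_in));
        if (sin == NULL) {
            goto failed;
        }

        sin->sin_family = AF_INET;
        sin->sin_port = port;
        sin->sin_addr.s_addr = resolve->addrs[i];

        ctx->addrs[i].sockaddr = (struct sockaddr *) sin;
        ctx->addrs[i].socklen = sizeof(struct sockaddr_in);

        /* room for the longest "ddd.ddd.ddd.ddd:65535" text form */
        len = NGX_INET_ADDRSTRLEN + sizeof(":65535") - 1;

        p = ngx_pnalloc(ctx->pool, len);
        if (p == NULL) {
            goto failed;
        }

        len = ngx_sock_ntop((struct sockaddr *) sin, p, len, 1);

        ctx->addrs[i].name.len = len;
        ctx->addrs[i].name.data = p;
    }

    ngx_resolve_name_done(resolve);

    ngx_ssl_ocsp_connect(ctx);
    return;

failed:

    ngx_resolve_name_done(resolve);
    ngx_ssl_ocsp_error(ctx);
}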
900 static void
901 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx)
902 {
903 ngx_int_t rc;
905 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
906 "ssl ocsp connect");
908 /* TODO: use all ip addresses */
910 ctx->peer.sockaddr = ctx->addrs[0].sockaddr;
911 ctx->peer.socklen = ctx->addrs[0].socklen;
912 ctx->peer.name = &ctx->addrs[0].name;
913 ctx->peer.get = ngx_event_get_peer;
914 ctx->peer.log = ctx->log;
915 ctx->peer.log_error = NGX_ERROR_ERR;
917 rc = ngx_event_connect_peer(&ctx->peer);
919 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
920 "ssl ocsp connect peer done");
922 if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) {
923 ngx_ssl_ocsp_error(ctx);
924 return;
925 }
926
927 ctx->peer.connection->data = ctx;
928 ctx->peer.connection->pool = ctx->pool;
929
930 ctx->peer.connection->read->handler = ngx_ssl_ocsp_read_handler;
931 ctx->peer.connection->write->handler = ngx_ssl_ocsp_write_handler;
932
933 ctx->process = ngx_ssl_ocsp_process_status_line;
934
935 ngx_add_timer(ctx->peer.connection->read, ctx->timeout);
936 ngx_add_timer(ctx->peer.connection->write, ctx->timeout);
937
938 if (rc == NGX_OK) {
939 ngx_ssl_ocsp_write_handler(ctx->peer.connection->write);
940 return;
941 }
942 }
static void
ngx_ssl_ocsp_write_handler(ngx_event_t *wev)
{
    ssize_t              sent, pending;
    ngx_connection_t    *conn;
    ngx_ssl_ocsp_ctx_t  *ctx;

    /*
     * Pushes the pre-built HTTP request in ctx->request to the OCSP
     * responder.  Once the whole buffer is out the write event is parked
     * on the dummy handler and its timer dropped; the read side carries
     * on from there.  A short write or NGX_AGAIN leaves the write timer
     * armed so that a responder which stops accepting data is reported
     * as a timeout rather than holding the connection open.
     */

    conn = wev->data;
    ctx = conn->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0,
                   "ssl ocsp write handler");

    if (wev->timedout) {
        ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT,
                      "OCSP responder timed out");
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    pending = ctx->request->last - ctx->request->pos;
    sent = ngx_send(conn, ctx->request->pos, pending);

    if (sent == NGX_ERROR) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (sent > 0) {
        ctx->request->pos += sent;
    }

    if (sent > 0 && sent == pending) {
        /* request fully sent: ignore further writability notifications */
        wev->handler = ngx_ssl_ocsp_dummy_handler;

        if (wev->timer_set) {
            ngx_del_timer(wev);
        }

        if (ngx_handle_write_event(wev, 0) != NGX_OK) {
            ngx_ssl_ocsp_error(ctx);
        }

        return;
    }

    /* NGX_AGAIN or partial write: keep waiting, but not forever */
    if (!wev->timer_set) {
        ngx_add_timer(wev, ctx->timeout);
    }
}
static void
ngx_ssl_ocsp_read_handler(ngx_event_t *rev)
{
    ssize_t              got, room;
    ngx_int_t            rc;
    ngx_ssl_ocsp_ctx_t  *ctx;
    ngx_connection_t    *conn;

    /*
     * Reads the responder's HTTP reply into ctx->response and feeds each
     * chunk to the current parsing stage (ctx->process).  The reply is
     * considered complete only when the responder closes the connection
     * (ctx->done), at which point the final process() call is expected
     * to invoke ctx->handler() and return NGX_DONE.
     */

    conn = rev->data;
    ctx = conn->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0,
                   "ssl ocsp read handler");

    if (rev->timedout) {
        ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT,
                      "OCSP responder timed out");
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    /*
     * Single fixed-size buffer, allocated on first read and never grown:
     * its size is the hard cap on what is accepted from the responder,
     * which is untrusted network input.
     */
    if (ctx->response == NULL) {
        ctx->response = ngx_create_temp_buf(ctx->pool, 16384);
        if (ctx->response == NULL) {
            ngx_ssl_ocsp_error(ctx);
            return;
        }
    }

    for ( ;; ) {
        /*
         * NOTE(review): once the buffer is full, room is 0 and ngx_recv()
         * is issued with a zero length; whether that comes back as EOF
         * or NGX_AGAIN depends on the ngx_recv backend -- confirm that an
         * oversized response is rejected cleanly in process()/handler.
         */
        room = ctx->response->end - ctx->response->last;
        got = ngx_recv(conn, ctx->response->last, room);

        if (got == NGX_AGAIN) {
            /* nothing more for now; stay subscribed for readability */
            if (ngx_handle_read_event(rev, 0) != NGX_OK) {
                ngx_ssl_ocsp_error(ctx);
            }

            return;
        }

        if (got <= 0) {
            /* 0: responder closed the connection; NGX_ERROR: recv failed */
            break;
        }

        ctx->response->last += got;

        if (ctx->process(ctx) == NGX_ERROR) {
            ngx_ssl_ocsp_error(ctx);
            return;
        }
    }

    /* EOF or read error: whatever is buffered is all we will get */
    ctx->done = 1;

    rc = ctx->process(ctx);

    if (rc == NGX_DONE) {
        /* ctx->handler() was called */
        return;
    }

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder prematurely closed connection");

    ngx_ssl_ocsp_error(ctx);
}
static void
ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev)
{
    /*
     * No-op handler installed on the write event by
     * ngx_ssl_ocsp_write_handler() once the whole request has been sent,
     * so later writability notifications are logged and otherwise ignored
     * instead of re-sending.
     */
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0,
                   "ssl ocsp dummy handler");
}
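static ngx_int_t
ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
{
    int            len;
    u_char        *p;
    size_t         size;
    uintptr_t      escape;
    ngx_int_t      rc;
    ngx_str_t      binary, base64;
    ngx_buf_t     *b;
    OCSP_CERTID   *id;
    OCSP_REQUEST  *ocsp;

    /*
     * Builds the HTTP/1.0 GET request used to fetch the OCSP response for
     * ctx->cert from the responder at ctx->host / ctx->uri and stores it
     * in ctx->request (pool-allocated, nothing for the caller to free).
     *
     * The OCSP request is DER-encoded, base64-encoded, percent-encoded
     * as a URI component and appended to the responder path.
     *
     * Returns NGX_OK on success and NGX_ERROR on any OpenSSL or
     * allocation failure.  The OpenSSL objects created here are released
     * on every path: the original code leaked ocsp on success and id when
     * OCSP_request_add0_id() failed.
     */

    rc = NGX_ERROR;

    ocsp = OCSP_REQUEST_new();
    if (ocsp == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_REQUEST_new() failed");
        return NGX_ERROR;
    }

    id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
    if (id == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_cert_to_id() failed");
        goto done;
    }

    /*
     * OCSP_request_add0_id() takes ownership of id only when it succeeds;
     * on failure id is still ours and must be freed here.
     */
    if (OCSP_request_add0_id(ocsp, id) == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_request_add0_id() failed");
        OCSP_CERTID_free(id);
        goto done;
    }

    /* first pass: DER length only */
    len = i2d_OCSP_REQUEST(ocsp, NULL);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "i2d_OCSP_REQUEST() failed");
        goto done;
    }

    binary.len = len;
    binary.data = ngx_palloc(ctx->pool, len);
    if (binary.data == NULL) {
        goto done;
    }

    /* second pass: write the DER encoding into the pool buffer */
    p = binary.data;
    len = i2d_OCSP_REQUEST(ocsp, &p);
    if (len <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0,
                      "i2d_OCSP_REQUEST() failed");
        goto done;
    }

    base64.len = ngx_base64_encoded_length(binary.len);
    base64.data = ngx_palloc(ctx->pool, base64.len);
    if (base64.data == NULL) {
        goto done;
    }

    ngx_encode_base64(&base64, &binary);

    /* number of base64 bytes that must be %XX-escaped (2 extra bytes each) */
    escape = ngx_escape_uri(NULL, base64.data, base64.len,
                            NGX_ESCAPE_URI_COMPONENT);

    /* escape is a uintptr_t (ngx_uint_t), so "%ui" rather than "%d" */
    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp request length %z, escape %ui",
                   base64.len, escape);

    /*
     * Exact size of the request assembled below; every write into b is
     * covered by one of these terms.  The "/" term is always reserved and
     * only used when ctx->uri lacks a trailing slash.
     */
    size = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
           + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
           + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
           + sizeof(CRLF) - 1;

    b = ngx_create_temp_buf(ctx->pool, size);
    if (b == NULL) {
        goto done;
    }

    p = b->last;

    p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1);
    p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);

    /* an empty uri must not be indexed at [len - 1]; it simply becomes "/" */
    if (ctx->uri.len == 0 || ctx->uri.data[ctx->uri.len - 1] != '/') {
        *p++ = '/';
    }

    if (escape == 0) {
        p = ngx_cpymem(p, base64.data, base64.len);

    } else {
        p = (u_char *) ngx_escape_uri(p, base64.data, base64.len,
                                      NGX_ESCAPE_URI_COMPONENT);
    }

    p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
    p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
    p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
    *p++ = CR; *p++ = LF;

    /* add "\r\n" at the header end */
    *p++ = CR; *p++ = LF;

    b->last = p;
    ctx->request = b;

    rc = NGX_OK;

done:

    /*
     * i2d_OCSP_REQUEST() copied the DER form into the pool above, so the
     * OpenSSL object is not needed past this point on either path.
     */
    OCSP_REQUEST_free(ocsp);

    return rc;
}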
static ngx_int_t
ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t  rc;

    /*
     * First parsing stage of the responder's reply.  Parses the HTTP
     * status line and, once complete, switches ctx->process to the header
     * parser and runs it immediately on whatever is already buffered.
     *
     * Returns NGX_AGAIN while more input is needed, NGX_ERROR when the
     * status line is malformed (logged, the caller tears the exchange
     * down), otherwise whatever the header stage returns.
     */

    rc = ngx_ssl_ocsp_parse_status_line(ctx);

    switch (rc) {

    case NGX_OK:
        ctx->process = ngx_ssl_ocsp_process_headers;
        return ctx->process(ctx);

    case NGX_AGAIN:
        return NGX_AGAIN;

    default:
        /* NGX_ERROR: the parser rejected the status line */
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP responder sent invalid response");
        return NGX_ERROR;
    }
}
1229 static ngx_int_t
1230 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx)
1231 {
1232 u_char ch;
1233 u_char *p;
1234 ngx_buf_t *b;
1235 enum {
1236 sw_start = 0,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1237 sw_H,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1238 sw_HT,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1239 sw_HTT,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1240 sw_HTTP,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1241 sw_first_major_digit,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1242 sw_major_digit,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1243 sw_first_minor_digit,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1244 sw_minor_digit,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1245 sw_status,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1246 sw_space_after_status,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1247 sw_status_text,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1248 sw_almost_done
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1249 } state;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1250
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1251 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1252 "ssl ocsp process status line");
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1253
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1254 state = ctx->state;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1255 b = ctx->response;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1256
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1257 for (p = b->pos; p < b->last; p++) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1258 ch = *p;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1259
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1260 switch (state) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1261
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1262 /* "HTTP/" */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1263 case sw_start:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1264 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1265 case 'H':
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1266 state = sw_H;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1267 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1268 default:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1269 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1270 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1271 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1272
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1273 case sw_H:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1274 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1275 case 'T':
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1276 state = sw_HT;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1277 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1278 default:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1279 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1280 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1281 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1282
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1283 case sw_HT:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1284 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1285 case 'T':
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1286 state = sw_HTT;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1287 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1288 default:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1289 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1290 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1291 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1292
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1293 case sw_HTT:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1294 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1295 case 'P':
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1296 state = sw_HTTP;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1297 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1298 default:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1299 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1300 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1301 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1302
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1303 case sw_HTTP:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1304 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1305 case '/':
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1306 state = sw_first_major_digit;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1307 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1308 default:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1309 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1310 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1311 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1312
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1313 /* the first digit of major HTTP version */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1314 case sw_first_major_digit:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1315 if (ch < '1' || ch > '9') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1316 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1317 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1318
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1319 state = sw_major_digit;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1320 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1321
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1322 /* the major HTTP version or dot */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1323 case sw_major_digit:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1324 if (ch == '.') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1325 state = sw_first_minor_digit;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1326 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1327 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1328
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1329 if (ch < '0' || ch > '9') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1330 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1331 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1332
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1333 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1334
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1335 /* the first digit of minor HTTP version */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1336 case sw_first_minor_digit:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1337 if (ch < '0' || ch > '9') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1338 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1339 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1340
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1341 state = sw_minor_digit;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1342 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1343
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1344 /* the minor HTTP version or the end of the request line */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1345 case sw_minor_digit:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1346 if (ch == ' ') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1347 state = sw_status;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1348 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1349 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1350
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1351 if (ch < '0' || ch > '9') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1352 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1353 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1354
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1355 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1356
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1357 /* HTTP status code */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1358 case sw_status:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1359 if (ch == ' ') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1360 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1361 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1362
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1363 if (ch < '0' || ch > '9') {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1364 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1365 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1366
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1367 ctx->code = ctx->code * 10 + ch - '0';
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1368
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1369 if (++ctx->count == 3) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1370 state = sw_space_after_status;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1371 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1372
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1373 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1374
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1375 /* space or end of line */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1376 case sw_space_after_status:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1377 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1378 case ' ':
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1379 state = sw_status_text;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1380 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1381 case '.': /* IIS may send 403.1, 403.2, etc */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1382 state = sw_status_text;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1383 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1384 case CR:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1385 state = sw_almost_done;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1386 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1387 case LF:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1388 goto done;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1389 default:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1390 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1391 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1392 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1393
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1394 /* any text until end of line */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1395 case sw_status_text:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1396 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1397 case CR:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1398 state = sw_almost_done;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1399 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1400 case LF:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1401 goto done;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1402 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1403 break;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1404
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1405 /* end of status line */
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1406 case sw_almost_done:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1407 switch (ch) {
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1408 case LF:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1409 goto done;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1410 default:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1411 return NGX_ERROR;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1412 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1413 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1414 }
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1415
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1416 b->pos = p;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1417 ctx->state = state;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1418
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1419 return NGX_AGAIN;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1420
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1421 done:
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1422
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1423 b->pos = p + 1;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1424 ctx->state = sw_start;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1425
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1426 return NGX_OK;
f31b19fe7f48 nginx 1.3.7
Igor Sysoev <http://sysoev.ru>
parents:
diff changeset
1427 }
1428
1429
/*
 * Inspects one header line already parsed into ctx (name in
 * header_name_start..header_name_end, value in header_start..header_end).
 * Only "Content-Type" is looked at: its value must be exactly
 * "application/ocsp-response" (case-insensitive, same length), otherwise
 * the responder's reply is rejected and the offending value is logged.
 * Every other header is accepted untouched.
 *
 * Returns NGX_OK to keep reading headers, NGX_ERROR (already logged) to abort.
 */
static ngx_int_t
ngx_ssl_ocsp_check_header(ngx_ssl_ocsp_ctx_t *ctx)
{
    size_t  name_len, value_len;

    name_len = ctx->header_name_end - ctx->header_name_start;

    if (name_len != sizeof("Content-Type") - 1
        || ngx_strncasecmp(ctx->header_name_start,
                           (u_char *) "Content-Type",
                           sizeof("Content-Type") - 1)
           != 0)
    {
        /* TODO: honor Content-Length */
        return NGX_OK;
    }

    value_len = ctx->header_end - ctx->header_start;

    if (value_len == sizeof("application/ocsp-response") - 1
        && ngx_strncasecmp(ctx->header_start,
                           (u_char *) "application/ocsp-response",
                           sizeof("application/ocsp-response") - 1)
           == 0)
    {
        return NGX_OK;
    }

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder sent invalid "
                  "\"Content-Type\" header: \"%*s\"",
                  ctx->header_end - ctx->header_start,
                  ctx->header_start);

    return NGX_ERROR;
}


/*
 * Consumes the HTTP header block of the OCSP responder's reply, one line at
 * a time via ngx_ssl_ocsp_parse_header_line(), validating each header with
 * ngx_ssl_ocsp_check_header().  When the empty line ending the block is seen
 * (NGX_DONE from the line parser), ctx->process is switched to
 * ngx_ssl_ocsp_process_body and that stage is entered immediately.
 *
 * Returns whatever the body stage returns on success, NGX_AGAIN if more
 * input is needed, and NGX_ERROR (logged) for a malformed header line or a
 * rejected Content-Type.
 */
static ngx_int_t
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t  rc;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process headers");

    for ( ;; ) {
        rc = ngx_ssl_ocsp_parse_header_line(ctx);

        if (rc == NGX_DONE) {
            /* empty line: end of the header block */
            break;
        }

        if (rc == NGX_AGAIN) {
            return NGX_AGAIN;
        }

        if (rc != NGX_OK) {
            /* rc == NGX_ERROR: the line parser rejected the input */
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "OCSP responder sent invalid response");

            return NGX_ERROR;
        }

        ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "ssl ocsp header \"%*s: %*s\"",
                       ctx->header_name_end - ctx->header_name_start,
                       ctx->header_name_start,
                       ctx->header_end - ctx->header_start,
                       ctx->header_start);

        if (ngx_ssl_ocsp_check_header(ctx) != NGX_OK) {
            return NGX_ERROR;
        }
    }

    ctx->process = ngx_ssl_ocsp_process_body;
    return ctx->process(ctx);
}
1502
1503 static ngx_int_t
1504 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx)
1505 {
1506 u_char c, ch, *p;
1507 enum {
1508 sw_start = 0,
1509 sw_name,
1510 sw_space_before_value,
1511 sw_value,
1512 sw_space_after_value,
1513 sw_almost_done,
1514 sw_header_almost_done
1515 } state;
1516
1517 state = ctx->state;
1518
1519 for (p = ctx->response->pos; p < ctx->response->last; p++) {
1520 ch = *p;
1521
1522 #if 0
1523 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
1524 "s:%d in:'%02Xd:%c'", state, ch, ch);
1525 #endif
1526
1527 switch (state) {
1528
1529 /* first char */
1530 case sw_start:
1531
1532 switch (ch) {
1533 case CR:
1534 ctx->header_end = p;
1535 state = sw_header_almost_done;
1536 break;
1537 case LF:
1538 ctx->header_end = p;
1539 goto header_done;
1540 default:
1541 state = sw_name;
1542 ctx->header_name_start = p;
1543
1544 c = (u_char) (ch | 0x20);
1545 if (c >= 'a' && c <= 'z') {
1546 break;
1547 }
1548
1549 if (ch >= '0' && ch <= '9') {
1550 break;
1551 }
1552
1553 return NGX_ERROR;
1554 }
1555 break;
1556
1557 /* header name */
1558 case sw_name:
1559 c = (u_char) (ch | 0x20);
1560 if (c >= 'a' && c <= 'z') {
1561 break;
1562 }
1563
1564 if (ch == ':') {
1565 ctx->header_name_end = p;
1566 state = sw_space_before_value;
1567 break;
1568 }
1569
1570 if (ch == '-') {
1571 break;
1572 }
1573
1574 if (ch >= '0' && ch <= '9') {
1575 break;
1576 }
1577
1578 if (ch == CR) {
1579 ctx->header_name_end = p;
1580 ctx->header_start = p;
1581 ctx->header_end = p;
1582 state = sw_almost_done;
1583 break;
1584 }
1585
1586 if (ch == LF) {
1587 ctx->header_name_end = p;
1588 ctx->header_start = p;
1589 ctx->header_end = p;
1590 goto done;
1591 }
1592
1593 return NGX_ERROR;
1594
1595 /* space* before header value */
1596 case sw_space_before_value:
1597 switch (ch) {
1598 case ' ':
1599 break;
1600 case CR:
1601 ctx->header_start = p;
1602 ctx->header_end = p;
1603 state = sw_almost_done;
1604 break;
1605 case LF:
1606 ctx->header_start = p;
1607 ctx->header_end = p;
1608 goto done;
1609 default:
1610 ctx->header_start = p;
1611 state = sw_value;
1612 break;
1613 }
1614 break;
1615
1616 /* header value */
1617 case sw_value:
1618 switch (ch) {
1619 case ' ':
1620 ctx->header_end = p;
1621 state = sw_space_after_value;
1622 break;
1623 case CR:
1624 ctx->header_end = p;
1625 state = sw_almost_done;
1626 break;
1627 case LF:
1628 ctx->header_end = p;
1629 goto done;
1630 }
1631 break;
1632
1633 /* space* before end of header line */
1634 case sw_space_after_value:
1635 switch (ch) {
1636 case ' ':
1637 break;
1638 case CR:
1639 state = sw_almost_done;
1640 break;
1641 case LF:
1642 goto done;
1643 default:
1644 state = sw_value;
1645 break;
1646 }
1647 break;
1648
1649 /* end of header line */
1650 case sw_almost_done:
1651 switch (ch) {
1652 case LF:
1653 goto done;
1654 default:
1655 return NGX_ERROR;
1656 }
1657
1658 /* end of header */
1659 case sw_header_almost_done:
1660 switch (ch) {
1661 case LF:
1662 goto header_done;
1663 default:
1664 return NGX_ERROR;
1665 }
1666 }
1667 }
1668
1669 ctx->response->pos = p;
1670 ctx->state = state;
1671
1672 return NGX_AGAIN;
1673
1674 done:
1675
1676 ctx->response->pos = p + 1;
1677 ctx->state = sw_start;
1678
1679 return NGX_OK;
1680
1681 header_done:
1682
1683 ctx->response->pos = p + 1;
1684 ctx->state = sw_start;
1685
1686 return NGX_DONE;
1687 }
1688
1689
/*
 * Body phase of the OCSP responder exchange.  Nothing is parsed here:
 * the function only checks ctx->done (set elsewhere; the trigger is not
 * visible in this unit).  Once set, the completion handler stored in
 * the context is invoked and NGX_DONE is returned; until then NGX_AGAIN
 * asks the caller to keep reading.
 */

static ngx_int_t
ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process body");

    /* still waiting for the rest of the response */

    if (!ctx->done) {
        return NGX_AGAIN;
    }

    /* response complete as far as this context is concerned: hand over */

    ctx->handler(ctx);

    return NGX_DONE;
}
1703
1704
/*
 * Log handler that appends OCSP context to an error line: the current
 * log action (" while ...") when one is set, then the responder host
 * (", responder: ...") taken from the ngx_ssl_ocsp_ctx_t kept in
 * log->data when that is non-NULL.
 *
 * Both ngx_snprintf() calls are bounded by the space remaining in buf;
 * the returned pointer is one past the last byte written (buf itself
 * when nothing was appended).
 */

static u_char *
ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len)
{
    u_char              *last;
    ngx_ssl_ocsp_ctx_t  *ctx;

    last = buf;

    if (log->action) {
        last = ngx_snprintf(last, len, " while %s", log->action);

        /* shrink the budget by what was just consumed */
        len -= last - buf;
    }

    ctx = log->data;

    if (ctx == NULL) {
        return last;
    }

    return ngx_snprintf(last, len, ", responder: %V", &ctx->host);
}
1726
1727
1728 #else
1729
1730
/*
 * Fallback used when OpenSSL lacks the status-request callback control
 * (the #else branch of the SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB check).
 * The directive is accepted so that the configuration still loads, but
 * stapling is not set up; a warning is logged so the loss of the
 * feature is visible to the operator rather than silent.
 *
 * Always returns NGX_OK.
 */

ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
    ngx_str_t *responder, ngx_uint_t verify)
{
    /* nothing to configure in this build; only ssl->log is used */
    (void) cf;
    (void) file;
    (void) responder;
    (void) verify;

    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                  "\"ssl_stapling\" ignored, not supported");

    return NGX_OK;
}
1740
/*
 * Fallback for builds without OCSP stapling support: there is no
 * stapling context for the resolver settings to attach to, so they are
 * accepted and discarded.  The warning about stapling being unsupported
 * is emitted by ngx_ssl_stapling(), not repeated here.
 *
 * Always returns NGX_OK.
 */

ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    (void) cf;
    (void) ssl;
    (void) resolver;
    (void) resolver_timeout;

    return NGX_OK;
}
1747
1748
1749 #endif