Mercurial > hg > nginx-quic
annotate src/event/ngx_event_openssl_stapling.c @ 7967:699f6e55bbb4
SSL: added verify callback to ngx_ssl_trusted_certificate().
This ensures that certificate verification is properly logged to debug
log during upstream server certificate verification. This should help
with debugging various certificate issues.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 03 Jun 2020 19:11:32 +0300 |
parents | bd4d1b9db0ee |
children | 1ece2ac2555a |
rev | line source |
---|---|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2 /* |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
3 * Copyright (C) Maxim Dounin |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
4 * Copyright (C) Nginx, Inc. |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
5 */ |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
6 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
7 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
10 #include <ngx_event.h> |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
11 #include <ngx_event_connect.h> |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
12 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
13 |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5683
diff
changeset
|
14 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
15 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
16 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
17 typedef struct { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
18 ngx_str_t staple; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
19 ngx_msec_t timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
20 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
21 ngx_resolver_t *resolver; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
22 ngx_msec_t resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
23 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
24 ngx_addr_t *addrs; |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
25 ngx_uint_t naddrs; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
26 ngx_str_t host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
27 ngx_str_t uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
28 in_port_t port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
29 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
30 SSL_CTX *ssl_ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
31 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
32 X509 *cert; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
33 X509 *issuer; |
7897
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
34 STACK_OF(X509) *chain; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
35 |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
36 u_char *name; |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
37 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
38 time_t valid; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
39 time_t refresh; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
40 |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
41 unsigned verify:1; |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
42 unsigned loading:1; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
43 } ngx_ssl_stapling_t; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
44 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
45 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
46 typedef struct { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
47 ngx_addr_t *addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
48 ngx_uint_t naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
49 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
50 ngx_str_t host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
51 ngx_str_t uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
52 in_port_t port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
53 ngx_uint_t depth; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
54 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
55 ngx_shm_zone_t *shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
56 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
57 ngx_resolver_t *resolver; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
58 ngx_msec_t resolver_timeout; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
59 } ngx_ssl_ocsp_conf_t; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
60 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
61 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
62 typedef struct { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
63 ngx_rbtree_t rbtree; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
64 ngx_rbtree_node_t sentinel; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
65 ngx_queue_t expire_queue; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
66 } ngx_ssl_ocsp_cache_t; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
67 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
68 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
69 typedef struct { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
70 ngx_str_node_t node; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
71 ngx_queue_t queue; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
72 int status; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
73 time_t valid; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
74 } ngx_ssl_ocsp_cache_node_t; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
75 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
76 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
77 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
78 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
79 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
80 struct ngx_ssl_ocsp_s { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
81 STACK_OF(X509) *certs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
82 ngx_uint_t ncert; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
83 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
84 int cert_status; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
85 ngx_int_t status; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
86 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
87 ngx_ssl_ocsp_conf_t *conf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
88 ngx_ssl_ocsp_ctx_t *ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
89 }; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
90 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
91 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
92 struct ngx_ssl_ocsp_ctx_s { |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
93 SSL_CTX *ssl_ctx; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
94 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
95 X509 *cert; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
96 X509 *issuer; |
7897
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
97 STACK_OF(X509) *chain; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
98 |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
99 int status; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
100 time_t valid; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
101 |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
102 u_char *name; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
103 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
104 ngx_uint_t naddrs; |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
105 ngx_uint_t naddr; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
106 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
107 ngx_addr_t *addrs; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
108 ngx_str_t host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
109 ngx_str_t uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
110 in_port_t port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
111 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
112 ngx_resolver_t *resolver; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
113 ngx_msec_t resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
114 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
115 ngx_msec_t timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
116 |
6810 | 117 void (*handler)(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
118 void *data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
119 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
120 ngx_str_t key; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
121 ngx_buf_t *request; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
122 ngx_buf_t *response; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
123 ngx_peer_connection_t peer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
124 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
125 ngx_shm_zone_t *shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
126 |
6810 | 127 ngx_int_t (*process)(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
128 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
129 ngx_uint_t state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
130 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
131 ngx_uint_t code; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
132 ngx_uint_t count; |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
133 ngx_uint_t flags; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
134 ngx_uint_t done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
135 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
136 u_char *header_name_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
137 u_char *header_name_end; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
138 u_char *header_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
139 u_char *header_end; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
140 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
141 ngx_pool_t *pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
142 ngx_log_t *log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
143 }; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
144 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
145 |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
146 static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
147 X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
148 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
149 ngx_ssl_stapling_t *staple, ngx_str_t *file); |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
150 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
151 ngx_ssl_stapling_t *staple); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
152 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
153 ngx_ssl_stapling_t *staple, ngx_str_t *responder); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
154 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
155 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
156 void *data); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
157 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
158 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
159 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
160 static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
161 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
162 static void ngx_ssl_stapling_cleanup(void *data); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
163 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
164 static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
165 static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
166 static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
167 ngx_ssl_ocsp_ctx_t *ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
168 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
169 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(ngx_log_t *log); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
170 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx); |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
171 static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
172 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
173 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
174 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
175 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
176 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
177 static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
178 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
179 static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
180 static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
181 static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
182 static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
183 static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
184 static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx); |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
185 static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
186 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
187 static ngx_int_t ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
188 static ngx_int_t ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
189 static ngx_int_t ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
190 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
191 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
192 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
193 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
194 ngx_int_t |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
195 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
196 ngx_str_t *responder, ngx_uint_t verify) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
197 { |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
198 X509 *cert; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
199 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
200 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
201 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
202 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
203 { |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
204 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
205 != NGX_OK) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
206 { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
207 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
208 } |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
209 } |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
210 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
211 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
212 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
213 return NGX_OK; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
214 } |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
215 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
216 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
217 static ngx_int_t |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
218 ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert, |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
219 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify) |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
220 { |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
221 ngx_int_t rc; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
222 ngx_pool_cleanup_t *cln; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
223 ngx_ssl_stapling_t *staple; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
224 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
225 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
226 if (staple == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
227 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
228 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
229 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
230 cln = ngx_pool_cleanup_add(cf->pool, 0); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
231 if (cln == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
232 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
233 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
234 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
235 cln->handler = ngx_ssl_stapling_cleanup; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
236 cln->data = staple; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
237 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
238 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) { |
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
239 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
240 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
241 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
242 |
7897
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
243 #ifdef SSL_CTRL_SELECT_CURRENT_CERT |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
244 /* OpenSSL 1.0.2+ */ |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
245 SSL_CTX_select_current_cert(ssl->ctx, cert); |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
246 #endif |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
247 |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
248 #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
249 /* OpenSSL 1.0.1+ */ |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
250 SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain); |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
251 #else |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
252 staple->chain = ssl->ctx->extra_certs; |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
253 #endif |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
254 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
255 staple->ssl_ctx = ssl->ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
256 staple->timeout = 60000; |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
257 staple->verify = verify; |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
258 staple->cert = cert; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
259 staple->name = X509_get_ex_data(staple->cert, |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
260 ngx_ssl_certificate_name_index); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
261 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
262 if (file->len) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
263 /* use OCSP response from the file */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
264 |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
265 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
266 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
267 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
268 |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
269 return NGX_OK; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
270 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
271 |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
272 rc = ngx_ssl_stapling_issuer(cf, ssl, staple); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
273 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
274 if (rc == NGX_DECLINED) { |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
275 return NGX_OK; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
276 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
277 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
278 if (rc != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
279 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
280 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
281 |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
282 rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
283 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
284 if (rc == NGX_DECLINED) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
285 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
286 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
287 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
288 if (rc != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
289 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
290 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
291 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
292 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
293 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
294 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
295 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
296 static ngx_int_t |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
297 ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
298 ngx_ssl_stapling_t *staple, ngx_str_t *file) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
299 { |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
300 BIO *bio; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
301 int len; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
302 u_char *p, *buf; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
303 OCSP_RESPONSE *response; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
304 |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
305 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
306 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
307 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
308 |
7485
edf5cd6c56fa
OCSP stapling: open ssl_stapling_file in binary-mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7067
diff
changeset
|
309 bio = BIO_new_file((char *) file->data, "rb"); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
310 if (bio == NULL) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
311 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
312 "BIO_new_file(\"%s\") failed", file->data); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
313 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
314 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
315 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
316 response = d2i_OCSP_RESPONSE_bio(bio, NULL); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
317 if (response == NULL) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
318 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
319 "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
320 BIO_free(bio); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
321 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
322 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
323 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
324 len = i2d_OCSP_RESPONSE(response, NULL); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
325 if (len <= 0) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
326 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
327 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
328 goto failed; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
329 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
330 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
331 buf = ngx_alloc(len, ssl->log); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
332 if (buf == NULL) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
333 goto failed; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
334 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
335 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
336 p = buf; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
337 len = i2d_OCSP_RESPONSE(response, &p); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
338 if (len <= 0) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
339 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
340 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
341 ngx_free(buf); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
342 goto failed; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
343 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
344 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
345 OCSP_RESPONSE_free(response); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
346 BIO_free(bio); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
347 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
348 staple->staple.data = buf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
349 staple->staple.len = len; |
6205
dcae651b2a0c
OCSP stapling: fixed ssl_stapling_file (ticket #769).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6181
diff
changeset
|
350 staple->valid = NGX_MAX_TIME_T_VALUE; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
351 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
352 return NGX_OK; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
353 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
354 failed: |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
355 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
356 OCSP_RESPONSE_free(response); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
357 BIO_free(bio); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
358 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
359 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
360 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
361 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
362 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
363 static ngx_int_t |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
364 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
365 ngx_ssl_stapling_t *staple) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
366 { |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
367 int i, n, rc; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
368 X509 *cert, *issuer; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
369 X509_STORE *store; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
370 X509_STORE_CTX *store_ctx; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
371 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
372 cert = staple->cert; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
373 |
7897
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
374 n = sk_X509_num(staple->chain); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
375 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
376 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
377 "SSL get issuer: %d extra certs", n); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
378 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
379 for (i = 0; i < n; i++) { |
7897
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
380 issuer = sk_X509_value(staple->chain, i); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
381 if (X509_check_issued(issuer, cert) == X509_V_OK) { |
6491
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
382 #if OPENSSL_VERSION_NUMBER >= 0x10100001L |
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
383 X509_up_ref(issuer); |
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
384 #else |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
385 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); |
6491
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
386 #endif |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
387 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
388 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
389 "SSL get issuer: found %p in extra certs", issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
390 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
391 staple->issuer = issuer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
392 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
393 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
394 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
395 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
396 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
397 store = SSL_CTX_get_cert_store(ssl->ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
398 if (store == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
399 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
400 "SSL_CTX_get_cert_store() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
401 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
402 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
403 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
404 store_ctx = X509_STORE_CTX_new(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
405 if (store_ctx == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
406 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
407 "X509_STORE_CTX_new() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
408 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
409 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
410 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
411 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
412 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
413 "X509_STORE_CTX_init() failed"); |
6064
ff957cd36860
OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents:
5777
diff
changeset
|
414 X509_STORE_CTX_free(store_ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
415 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
416 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
417 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
418 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
419 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
420 if (rc == -1) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
421 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
422 "X509_STORE_CTX_get1_issuer() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
423 X509_STORE_CTX_free(store_ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
424 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
425 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
426 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
427 if (rc == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
428 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
429 "\"ssl_stapling\" ignored, " |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
430 "issuer certificate not found for certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
431 staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
432 X509_STORE_CTX_free(store_ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
433 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
434 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
435 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
436 X509_STORE_CTX_free(store_ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
437 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
438 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
439 "SSL get issuer: found %p in cert store", issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
440 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
441 staple->issuer = issuer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
442 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
443 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
444 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
445 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
446 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
447 static ngx_int_t |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
448 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
449 ngx_ssl_stapling_t *staple, ngx_str_t *responder) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
450 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
451 char *s; |
6688
6acbe9964ceb
OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6593
diff
changeset
|
452 ngx_str_t rsp; |
6810 | 453 ngx_url_t u; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
454 STACK_OF(OPENSSL_STRING) *aia; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
455 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
456 if (responder->len == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
457 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
458 /* extract OCSP responder URL from certificate */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
459 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
460 aia = X509_get1_ocsp(staple->cert); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
461 if (aia == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
462 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
463 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
464 "no OCSP responder URL in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
465 staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
466 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
467 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
468 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
469 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
470 s = sk_OPENSSL_STRING_value(aia, 0); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
471 #else |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
472 s = sk_value(aia, 0); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
473 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
474 if (s == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
475 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
476 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
477 "no OCSP responder URL in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
478 staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
479 X509_email_free(aia); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
480 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
481 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
482 |
6688
6acbe9964ceb
OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6593
diff
changeset
|
483 responder = &rsp; |
6acbe9964ceb
OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6593
diff
changeset
|
484 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
485 responder->len = ngx_strlen(s); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
486 responder->data = ngx_palloc(cf->pool, responder->len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
487 if (responder->data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
488 X509_email_free(aia); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
489 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
490 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
491 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
492 ngx_memcpy(responder->data, s, responder->len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
493 X509_email_free(aia); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
494 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
495 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
496 ngx_memzero(&u, sizeof(ngx_url_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
497 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
498 u.url = *responder; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
499 u.default_port = 80; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
500 u.uri_part = 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
501 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
502 if (u.url.len > 7 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
503 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
504 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
505 u.url.len -= 7; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
506 u.url.data += 7; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
507 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
508 } else { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
509 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
510 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
511 "invalid URL prefix in OCSP responder \"%V\" " |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
512 "in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
513 &u.url, staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
514 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
515 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
516 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
517 if (ngx_parse_url(cf->pool, &u) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
518 if (u.err) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
519 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
520 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
521 "%s in OCSP responder \"%V\" " |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
522 "in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
523 u.err, &u.url, staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
524 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
525 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
526 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
527 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
528 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
529 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
530 staple->addrs = u.addrs; |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
531 staple->naddrs = u.naddrs; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
532 staple->host = u.host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
533 staple->uri = u.uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
534 staple->port = u.port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
535 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
536 if (staple->uri.len == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
537 ngx_str_set(&staple->uri, "/"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
538 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
539 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
540 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
541 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
542 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
543 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
544 ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
545 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
546 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
547 { |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
548 X509 *cert; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
549 ngx_ssl_stapling_t *staple; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
550 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
551 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
552 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
553 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
554 { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
555 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
556 staple->resolver = resolver; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
557 staple->resolver_timeout = resolver_timeout; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
558 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
559 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
560 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
561 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
562 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
563 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
564 static int |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
565 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
566 { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
567 int rc; |
6546
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
568 X509 *cert; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
569 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
570 ngx_connection_t *c; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
571 ngx_ssl_stapling_t *staple; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
572 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
573 c = ngx_ssl_get_connection(ssl_conn); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
574 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
575 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
576 "SSL certificate status callback"); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
577 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
578 rc = SSL_TLSEXT_ERR_NOACK; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
579 |
6546
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
580 cert = SSL_get_certificate(ssl_conn); |
7493
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
581 |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
582 if (cert == NULL) { |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
583 return rc; |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
584 } |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
585 |
6546
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
586 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
587 |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
588 if (staple == NULL) { |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
589 return rc; |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
590 } |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
591 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
592 if (staple->staple.len |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
593 && staple->valid >= ngx_time()) |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
594 { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
595 /* we have to copy ocsp response as OpenSSL will free it by itself */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
596 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
597 p = OPENSSL_malloc(staple->staple.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
598 if (p == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
599 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
600 return SSL_TLSEXT_ERR_NOACK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
601 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
602 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
603 ngx_memcpy(p, staple->staple.data, staple->staple.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
604 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
605 SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
606 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
607 rc = SSL_TLSEXT_ERR_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
608 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
609 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
610 ngx_ssl_stapling_update(staple); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
611 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
612 return rc; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
613 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
614 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
615 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
616 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
617 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
618 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
619 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
620 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
621 if (staple->host.len == 0 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
622 || staple->loading || staple->refresh >= ngx_time()) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
623 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
624 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
625 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
626 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
627 staple->loading = 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
628 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
629 ctx = ngx_ssl_ocsp_start(ngx_cycle->log); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
630 if (ctx == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
631 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
632 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
633 |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
634 ctx->ssl_ctx = staple->ssl_ctx; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
635 ctx->cert = staple->cert; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
636 ctx->issuer = staple->issuer; |
7897
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
637 ctx->chain = staple->chain; |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
638 ctx->name = staple->name; |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
639 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
640 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
641 ctx->addrs = staple->addrs; |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
642 ctx->naddrs = staple->naddrs; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
643 ctx->host = staple->host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
644 ctx->uri = staple->uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
645 ctx->port = staple->port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
646 ctx->timeout = staple->timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
647 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
648 ctx->resolver = staple->resolver; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
649 ctx->resolver_timeout = staple->resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
650 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
651 ctx->handler = ngx_ssl_stapling_ocsp_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
652 ctx->data = staple; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
653 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
654 ngx_ssl_ocsp_request(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
655 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
656 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
657 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
658 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
659 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
660 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
661 ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
662 { |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
663 time_t now; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
664 ngx_str_t response; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
665 ngx_ssl_stapling_t *staple; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
666 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
667 staple = ctx->data; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
668 now = ngx_time(); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
669 |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
670 if (ngx_ssl_ocsp_verify(ctx) != NGX_OK) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
671 goto error; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
672 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
673 |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
674 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
675 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
676 "certificate status \"%s\" in the OCSP response", |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
677 OCSP_cert_status_str(ctx->status)); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
678 goto error; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
679 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
680 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
681 /* copy the response to memory not in ctx->pool */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
682 |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
683 response.len = ctx->response->last - ctx->response->pos; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
684 response.data = ngx_alloc(response.len, ctx->log); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
685 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
686 if (response.data == NULL) { |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
687 goto error; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
688 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
689 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
690 ngx_memcpy(response.data, ctx->response->pos, response.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
691 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
692 if (staple->staple.data) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
693 ngx_free(staple->staple.data); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
694 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
695 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
696 staple->staple = response; |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
697 staple->valid = ctx->valid; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
698 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
699 /* |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
700 * refresh before the response expires, |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
701 * but not earlier than in 5 minutes, and at least in an hour |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
702 */ |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
703 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
704 staple->loading = 0; |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
705 staple->refresh = ngx_max(ngx_min(ctx->valid - 300, now + 3600), now + 300); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
706 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
707 ngx_ssl_ocsp_done(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
708 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
709 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
710 error: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
711 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
712 staple->loading = 0; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
713 staple->refresh = now + 300; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
714 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
715 ngx_ssl_ocsp_done(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
716 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
717 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
718 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
719 static time_t |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
720 ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time) |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
721 { |
6810 | 722 BIO *bio; |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
723 char *value; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
724 size_t len; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
725 time_t time; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
726 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
727 /* |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
728 * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
729 * into time_t. To do this, we use ASN1_GENERALIZEDTIME_print(), |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
730 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g., |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
731 * "Feb 3 00:55:52 2015 GMT"), and parse the result. |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
732 */ |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
733 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
734 bio = BIO_new(BIO_s_mem()); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
735 if (bio == NULL) { |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
736 return NGX_ERROR; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
737 } |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
738 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
739 /* fake weekday prepended to match C asctime() format */ |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
740 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
741 BIO_write(bio, "Tue ", sizeof("Tue ") - 1); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
742 ASN1_GENERALIZEDTIME_print(bio, asn1time); |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
743 len = BIO_get_mem_data(bio, &value); |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
744 |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
745 time = ngx_parse_http_time((u_char *) value, len); |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
746 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
747 BIO_free(bio); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
748 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
749 return time; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
750 } |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
751 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
752 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
753 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
754 ngx_ssl_stapling_cleanup(void *data) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
755 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
756 ngx_ssl_stapling_t *staple = data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
757 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
758 if (staple->issuer) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
759 X509_free(staple->issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
760 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
761 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
762 if (staple->staple.data) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
763 ngx_free(staple->staple.data); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
764 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
765 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
766 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
767 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
768 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
769 ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
770 ngx_uint_t depth, ngx_shm_zone_t *shm_zone) |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
771 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
772 ngx_url_t u; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
773 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
774 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
775 ocf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
776 if (ocf == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
777 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
778 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
779 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
780 ocf->depth = depth; |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
781 ocf->shm_zone = shm_zone; |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
782 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
783 if (responder->len) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
784 ngx_memzero(&u, sizeof(ngx_url_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
785 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
786 u.url = *responder; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
787 u.default_port = 80; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
788 u.uri_part = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
789 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
790 if (u.url.len > 7 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
791 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
792 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
793 u.url.len -= 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
794 u.url.data += 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
795 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
796 } else { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
797 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
798 "invalid URL prefix in OCSP responder \"%V\" " |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
799 "in \"ssl_ocsp_responder\"", &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
800 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
801 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
802 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
803 if (ngx_parse_url(cf->pool, &u) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
804 if (u.err) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
805 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
806 "%s in OCSP responder \"%V\" " |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
807 "in \"ssl_ocsp_responder\"", u.err, &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
808 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
809 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
810 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
811 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
812 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
813 ocf->addrs = u.addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
814 ocf->naddrs = u.naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
815 ocf->host = u.host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
816 ocf->uri = u.uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
817 ocf->port = u.port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
818 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
819 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
820 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, ocf) == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
821 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
822 "SSL_CTX_set_ex_data() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
823 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
824 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
825 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
826 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
827 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
828 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
829 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
830 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
831 ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
832 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
833 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
834 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
835 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
836 ocf = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_ocsp_index); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
837 ocf->resolver = resolver; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
838 ocf->resolver_timeout = resolver_timeout; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
839 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
840 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
841 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
842 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
843 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
844 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
845 ngx_ssl_ocsp_validate(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
846 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
847 X509 *cert; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
848 SSL_CTX *ssl_ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
849 ngx_int_t rc; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
850 X509_STORE *store; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
851 X509_STORE_CTX *store_ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
852 STACK_OF(X509) *chain; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
853 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
854 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
855 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
856 if (c->ssl->in_ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
857 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
858 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
859 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
860 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
861 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
862 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
863 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
864 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
865 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
866 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
867 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
868 ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
869 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
870 ocf = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ocsp_index); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
871 if (ocf == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
872 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
873 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
874 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
875 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
876 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
877 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
878 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
879 cert = SSL_get_peer_certificate(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
880 if (cert == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
881 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
882 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
883 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
884 ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
885 if (ocsp == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
886 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
887 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
888 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
889 c->ssl->ocsp = ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
890 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
891 ocsp->status = NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
892 ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
893 ocsp->conf = ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
894 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
895 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
896 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
897 ocsp->certs = SSL_get0_verified_chain(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
898 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
899 if (ocsp->certs) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
900 ocsp->certs = X509_chain_up_ref(ocsp->certs); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
901 if (ocsp->certs == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
902 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
903 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
904 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
905 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
906 #endif |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
907 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
908 if (ocsp->certs == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
909 store = SSL_CTX_get_cert_store(ssl_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
910 if (store == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
911 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
912 "SSL_CTX_get_cert_store() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
913 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
914 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
915 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
916 store_ctx = X509_STORE_CTX_new(); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
917 if (store_ctx == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
918 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
919 "X509_STORE_CTX_new() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
920 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
921 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
922 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
923 chain = SSL_get_peer_cert_chain(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
924 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
925 if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
926 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
927 "X509_STORE_CTX_init() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
928 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
929 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
930 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
931 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
932 rc = X509_verify_cert(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
933 if (rc <= 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
934 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
935 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
936 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
937 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
938 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
939 ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
940 if (ocsp->certs == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
941 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
942 "X509_STORE_CTX_get1_chain() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
943 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
944 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
945 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
946 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
947 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
948 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
949 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
950 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
7901
bd4d1b9db0ee
Fixed format specifiers.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7900
diff
changeset
|
951 "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs)); |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
952 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
953 ngx_ssl_ocsp_validate_next(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
954 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
955 if (ocsp->status == NGX_AGAIN) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
956 c->ssl->in_ocsp = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
957 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
958 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
959 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
960 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
961 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
962 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
963 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
964 static void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
965 ngx_ssl_ocsp_validate_next(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
966 { |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
967 ngx_int_t rc; |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
968 ngx_uint_t n; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
969 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
970 ngx_ssl_ocsp_ctx_t *ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
971 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
972 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
973 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
974 ocf = ocsp->conf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
975 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
976 n = sk_X509_num(ocsp->certs); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
977 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
978 for ( ;; ) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
979 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
980 if (ocsp->ncert == n - 1 || (ocf->depth == 2 && ocsp->ncert == 1)) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
981 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
982 "ssl ocsp validated, certs:%ui", ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
983 goto done; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
984 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
985 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
986 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
987 "ssl ocsp validate cert:%ui", ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
988 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
989 ctx = ngx_ssl_ocsp_start(c->log); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
990 if (ctx == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
991 goto failed; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
992 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
993 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
994 ocsp->ctx = ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
995 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
996 ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
997 ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
998 ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
999 ctx->chain = ocsp->certs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1000 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1001 ctx->resolver = ocf->resolver; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1002 ctx->resolver_timeout = ocf->resolver_timeout; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1003 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1004 ctx->handler = ngx_ssl_ocsp_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1005 ctx->data = c; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1006 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1007 ctx->shm_zone = ocf->shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1008 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1009 ctx->addrs = ocf->addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1010 ctx->naddrs = ocf->naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1011 ctx->host = ocf->host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1012 ctx->uri = ocf->uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1013 ctx->port = ocf->port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1014 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1015 if (ngx_ssl_ocsp_responder(c, ctx) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1016 goto failed; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1017 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1018 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1019 if (ctx->uri.len == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1020 ngx_str_set(&ctx->uri, "/"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1021 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1022 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1023 ocsp->ncert++; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1024 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1025 rc = ngx_ssl_ocsp_cache_lookup(ctx); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1026 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1027 if (rc == NGX_ERROR) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1028 goto failed; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1029 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1030 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1031 if (rc == NGX_DECLINED) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1032 break; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1033 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1034 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1035 /* rc == NGX_OK */ |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1036 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1037 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1038 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1039 "ssl ocsp cached status \"%s\"", |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1040 OCSP_cert_status_str(ctx->status)); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1041 ocsp->cert_status = ctx->status; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1042 goto done; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1043 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1044 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1045 ocsp->ctx = NULL; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1046 ngx_ssl_ocsp_done(ctx); |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1047 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1048 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1049 ngx_ssl_ocsp_request(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1050 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1051 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1052 done: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1053 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1054 ocsp->status = NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1055 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1056 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1057 failed: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1058 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1059 ocsp->status = NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1060 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1061 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1062 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1063 static void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1064 ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1065 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1066 ngx_int_t rc; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1067 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1068 ngx_connection_t *c; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1069 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1070 c = ctx->data; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1071 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1072 ocsp->ctx = NULL; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1073 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1074 rc = ngx_ssl_ocsp_verify(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1075 if (rc != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1076 ocsp->status = rc; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1077 ngx_ssl_ocsp_done(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1078 goto done; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1079 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1080 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1081 rc = ngx_ssl_ocsp_cache_store(ctx); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1082 if (rc != NGX_OK) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1083 ocsp->status = rc; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1084 ngx_ssl_ocsp_done(ctx); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1085 goto done; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1086 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
1087 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1088 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1089 ocsp->cert_status = ctx->status; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1090 ocsp->status = NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1091 ngx_ssl_ocsp_done(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1092 goto done; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1093 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1094 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1095 ngx_ssl_ocsp_done(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1096 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1097 ngx_ssl_ocsp_validate_next(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1098 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1099 done: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1100 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1101 if (ocsp->status == NGX_AGAIN || !c->ssl->in_ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1102 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1103 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1104 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1105 c->ssl->handshaked = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1106 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1107 c->ssl->handler(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1108 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1109 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1110 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1111 static ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1112 ngx_ssl_ocsp_responder(ngx_connection_t *c, ngx_ssl_ocsp_ctx_t *ctx) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1113 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1114 char *s; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1115 ngx_str_t responder; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1116 ngx_url_t u; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1117 STACK_OF(OPENSSL_STRING) *aia; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1118 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1119 if (ctx->host.len) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1120 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1121 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1122 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1123 /* extract OCSP responder URL from certificate */ |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1124 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1125 aia = X509_get1_ocsp(ctx->cert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1126 if (aia == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1127 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1128 "no OCSP responder URL in certificate"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1129 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1130 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1131 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1132 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1133 s = sk_OPENSSL_STRING_value(aia, 0); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1134 #else |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1135 s = sk_value(aia, 0); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1136 #endif |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1137 if (s == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1138 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1139 "no OCSP responder URL in certificate"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1140 X509_email_free(aia); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1141 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1142 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1143 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1144 responder.len = ngx_strlen(s); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1145 responder.data = ngx_palloc(ctx->pool, responder.len); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1146 if (responder.data == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1147 X509_email_free(aia); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1148 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1149 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1150 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1151 ngx_memcpy(responder.data, s, responder.len); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1152 X509_email_free(aia); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1153 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1154 ngx_memzero(&u, sizeof(ngx_url_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1155 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1156 u.url = responder; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1157 u.default_port = 80; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1158 u.uri_part = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1159 u.no_resolve = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1160 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1161 if (u.url.len > 7 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1162 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1163 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1164 u.url.len -= 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1165 u.url.data += 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1166 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1167 } else { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1168 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1169 "invalid URL prefix in OCSP responder \"%V\" " |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1170 "in certificate", &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1171 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1172 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1173 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1174 if (ngx_parse_url(ctx->pool, &u) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1175 if (u.err) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1176 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1177 "%s in OCSP responder \"%V\" in certificate", |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1178 u.err, &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1179 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1180 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1181 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1182 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1183 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1184 if (u.host.len == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1185 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1186 "empty host in OCSP responder in certificate"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1187 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1188 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1189 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1190 ctx->addrs = u.addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1191 ctx->naddrs = u.naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1192 ctx->host = u.host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1193 ctx->uri = u.uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1194 ctx->port = u.port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1195 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1196 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1197 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1198 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1199 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1200 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1201 ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1202 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1203 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1204 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1205 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1206 if (ocsp == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1207 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1208 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1209 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1210 if (ocsp->status == NGX_ERROR) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1211 *s = "certificate status request failed"; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1212 return NGX_DECLINED; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1213 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1214 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1215 switch (ocsp->cert_status) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1216 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1217 case V_OCSP_CERTSTATUS_GOOD: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1218 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1219 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1220 case V_OCSP_CERTSTATUS_REVOKED: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1221 *s = "certificate revoked"; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1222 break; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1223 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1224 default: /* V_OCSP_CERTSTATUS_UNKNOWN */ |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1225 *s = "certificate status unknown"; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1226 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1227 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1228 return NGX_DECLINED; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1229 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1230 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1231 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1232 void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1233 ngx_ssl_ocsp_cleanup(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1234 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1235 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1236 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1237 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1238 if (ocsp == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1239 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1240 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1241 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1242 if (ocsp->ctx) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1243 ngx_ssl_ocsp_done(ocsp->ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1244 ocsp->ctx = NULL; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1245 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1246 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1247 if (ocsp->certs) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1248 sk_X509_pop_free(ocsp->certs, X509_free); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1249 ocsp->certs = NULL; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1250 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1251 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1252 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1253 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1254 static ngx_ssl_ocsp_ctx_t * |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1255 ngx_ssl_ocsp_start(ngx_log_t *log) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1256 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1257 ngx_pool_t *pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1258 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1259 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1260 pool = ngx_create_pool(2048, log); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1261 if (pool == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1262 return NULL; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1263 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1264 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1265 ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1266 if (ctx == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1267 ngx_destroy_pool(pool); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1268 return NULL; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1269 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1270 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1271 log = ngx_palloc(pool, sizeof(ngx_log_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1272 if (log == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1273 ngx_destroy_pool(pool); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1274 return NULL; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1275 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1276 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1277 ctx->pool = pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1278 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1279 *log = *ctx->pool->log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1280 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1281 ctx->pool->log = log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1282 ctx->log = log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1283 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1284 log->handler = ngx_ssl_ocsp_log_error; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1285 log->data = ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1286 log->action = "requesting certificate status"; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1287 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1288 return ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1289 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1290 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1291 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1292 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1293 ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1294 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1295 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1296 "ssl ocsp done"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1297 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1298 if (ctx->peer.connection) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1299 ngx_close_connection(ctx->peer.connection); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1300 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1301 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1302 ngx_destroy_pool(ctx->pool); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1303 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1304 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1305 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1306 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1307 ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1308 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1309 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1310 "ssl ocsp error"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1311 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1312 ctx->code = 0; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1313 ctx->handler(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1314 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1315 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1316 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1317 static void |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1318 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx) |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1319 { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1320 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1321 "ssl ocsp next"); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1322 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1323 if (++ctx->naddr >= ctx->naddrs) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1324 ngx_ssl_ocsp_error(ctx); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1325 return; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1326 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1327 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1328 ctx->request->pos = ctx->request->start; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1329 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1330 if (ctx->response) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1331 ctx->response->last = ctx->response->pos; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1332 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1333 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1334 if (ctx->peer.connection) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1335 ngx_close_connection(ctx->peer.connection); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1336 ctx->peer.connection = NULL; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1337 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1338 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1339 ctx->state = 0; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1340 ctx->count = 0; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1341 ctx->done = 0; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1342 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1343 ngx_ssl_ocsp_connect(ctx); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1344 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1345 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1346 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1347 static void |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1348 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1349 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1350 ngx_resolver_ctx_t *resolve, temp; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1351 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1352 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1353 "ssl ocsp request"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1354 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1355 if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1356 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1357 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1358 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1359 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1360 if (ctx->resolver) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1361 /* resolve OCSP responder hostname */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1362 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1363 temp.name = ctx->host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1364 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1365 resolve = ngx_resolve_start(ctx->resolver, &temp); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1366 if (resolve == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1367 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1368 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1369 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1370 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1371 if (resolve == NGX_NO_RESOLVER) { |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1372 if (ctx->naddrs == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1373 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1374 "no resolver defined to resolve %V", &ctx->host); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1375 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1376 ngx_ssl_ocsp_error(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1377 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1378 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1379 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1380 ngx_log_error(NGX_LOG_WARN, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1381 "no resolver defined to resolve %V", &ctx->host); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1382 goto connect; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1383 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1384 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1385 resolve->name = ctx->host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1386 resolve->handler = ngx_ssl_ocsp_resolve_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1387 resolve->data = ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1388 resolve->timeout = ctx->resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1389 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1390 if (ngx_resolve_name(resolve) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1391 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1392 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1393 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1394 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1395 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1396 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1397 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1398 connect: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1399 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1400 ngx_ssl_ocsp_connect(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1401 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1402 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1403 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1404 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1405 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1406 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1407 ngx_ssl_ocsp_ctx_t *ctx = resolve->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1408 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1409 u_char *p; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1410 size_t len; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1411 socklen_t socklen; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1412 ngx_uint_t i; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1413 struct sockaddr *sockaddr; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1414 |
5234
a855ae7e6377
OCSP stapling: fixed incorrect debug level.
Ruslan Ermilov <ru@nginx.com>
parents:
5215
diff
changeset
|
1415 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1416 "ssl ocsp resolve handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1417 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1418 if (resolve->state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1419 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1420 "%V could not be resolved (%i: %s)", |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1421 &resolve->name, resolve->state, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1422 ngx_resolver_strerror(resolve->state)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1423 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1424 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1425 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1426 #if (NGX_DEBUG) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1427 { |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1428 u_char text[NGX_SOCKADDR_STRLEN]; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1429 ngx_str_t addr; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1430 |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1431 addr.data = text; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1432 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1433 for (i = 0; i < resolve->naddrs; i++) { |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1434 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1435 resolve->addrs[i].socklen, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1436 text, NGX_SOCKADDR_STRLEN, 0); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1437 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1438 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1439 "name was resolved to %V", &addr); |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1440 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1441 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1442 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1443 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1444 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1445 ctx->naddrs = resolve->naddrs; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1446 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1447 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1448 if (ctx->addrs == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1449 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1450 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1451 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1452 for (i = 0; i < resolve->naddrs; i++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1453 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1454 socklen = resolve->addrs[i].socklen; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1455 |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1456 sockaddr = ngx_palloc(ctx->pool, socklen); |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1457 if (sockaddr == NULL) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1458 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1459 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1460 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1461 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen); |
6593
b3b7e33083ac
Introduced ngx_inet_get_port() and ngx_inet_set_port() functions.
Roman Arutyunyan <arut@nginx.com>
parents:
6549
diff
changeset
|
1462 ngx_inet_set_port(sockaddr, ctx->port); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1463 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1464 ctx->addrs[i].sockaddr = sockaddr; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1465 ctx->addrs[i].socklen = socklen; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1466 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1467 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1468 if (p == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1469 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1470 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1471 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1472 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1473 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1474 ctx->addrs[i].name.len = len; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1475 ctx->addrs[i].name.data = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1476 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1477 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1478 ngx_resolve_name_done(resolve); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1479 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1480 ngx_ssl_ocsp_connect(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1481 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1482 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1483 failed: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1484 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1485 ngx_resolve_name_done(resolve); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1486 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1487 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1488 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1489 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1490 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1491 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1492 { |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1493 ngx_int_t rc; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1494 ngx_addr_t *addr; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1495 |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1496 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1497 "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1498 |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1499 addr = &ctx->addrs[ctx->naddr]; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1500 |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1501 ctx->peer.sockaddr = addr->sockaddr; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1502 ctx->peer.socklen = addr->socklen; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1503 ctx->peer.name = &addr->name; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1504 ctx->peer.get = ngx_event_get_peer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1505 ctx->peer.log = ctx->log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1506 ctx->peer.log_error = NGX_ERROR_ERR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1507 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1508 rc = ngx_event_connect_peer(&ctx->peer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1509 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1510 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1511 "ssl ocsp connect peer done"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1512 |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1513 if (rc == NGX_ERROR) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1514 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1515 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1516 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1517 |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1518 if (rc == NGX_BUSY || rc == NGX_DECLINED) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1519 ngx_ssl_ocsp_next(ctx); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1520 return; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1521 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1522 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1523 ctx->peer.connection->data = ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1524 ctx->peer.connection->pool = ctx->pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1525 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1526 ctx->peer.connection->read->handler = ngx_ssl_ocsp_read_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1527 ctx->peer.connection->write->handler = ngx_ssl_ocsp_write_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1528 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1529 ctx->process = ngx_ssl_ocsp_process_status_line; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1530 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1531 if (ctx->timeout) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1532 ngx_add_timer(ctx->peer.connection->read, ctx->timeout); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1533 ngx_add_timer(ctx->peer.connection->write, ctx->timeout); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1534 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1535 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1536 if (rc == NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1537 ngx_ssl_ocsp_write_handler(ctx->peer.connection->write); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1538 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1539 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1540 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1541 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1542 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1543 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1544 ngx_ssl_ocsp_write_handler(ngx_event_t *wev) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1545 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1546 ssize_t n, size; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1547 ngx_connection_t *c; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1548 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1549 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1550 c = wev->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1551 ctx = c->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1552 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1553 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1554 "ssl ocsp write handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1555 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1556 if (wev->timedout) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1557 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1558 "OCSP responder timed out"); |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1559 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1560 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1561 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1562 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1563 size = ctx->request->last - ctx->request->pos; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1564 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1565 n = ngx_send(c, ctx->request->pos, size); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1566 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1567 if (n == NGX_ERROR) { |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1568 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1569 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1570 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1571 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1572 if (n > 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1573 ctx->request->pos += n; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1574 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1575 if (n == size) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1576 wev->handler = ngx_ssl_ocsp_dummy_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1577 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1578 if (wev->timer_set) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1579 ngx_del_timer(wev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1580 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1581 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1582 if (ngx_handle_write_event(wev, 0) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1583 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1584 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1585 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1586 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1587 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1588 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1589 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
1590 if (!wev->timer_set && ctx->timeout) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1591 ngx_add_timer(wev, ctx->timeout); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1592 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1593 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1594 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1595 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1596 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1597 ngx_ssl_ocsp_read_handler(ngx_event_t *rev) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1598 { |
6810 | 1599 ssize_t n, size; |
1600 ngx_int_t rc; | |
1601 ngx_connection_t *c; | |
1602 ngx_ssl_ocsp_ctx_t *ctx; | |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1603 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1604 c = rev->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1605 ctx = c->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1606 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1607 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1608 "ssl ocsp read handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1609 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1610 if (rev->timedout) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1611 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1612 "OCSP responder timed out"); |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1613 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1614 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1615 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1616 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1617 if (ctx->response == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1618 ctx->response = ngx_create_temp_buf(ctx->pool, 16384); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1619 if (ctx->response == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1620 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1621 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1622 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1623 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1624 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1625 for ( ;; ) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1626 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1627 size = ctx->response->end - ctx->response->last; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1628 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1629 n = ngx_recv(c, ctx->response->last, size); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1630 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1631 if (n > 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1632 ctx->response->last += n; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1633 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1634 rc = ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1635 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1636 if (rc == NGX_ERROR) { |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1637 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1638 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1639 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1640 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1641 continue; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1642 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1643 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1644 if (n == NGX_AGAIN) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1645 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1646 if (ngx_handle_read_event(rev, 0) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1647 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1648 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1649 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1650 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1651 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1652 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1653 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1654 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1655 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1656 ctx->done = 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1657 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1658 rc = ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1659 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1660 if (rc == NGX_DONE) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1661 /* ctx->handler() was called */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1662 return; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1663 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1664 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1665 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1666 "OCSP responder prematurely closed connection"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1667 |
7898
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7897
diff
changeset
|
1668 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1669 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1670 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1671 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1672 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1673 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1674 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1675 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1676 "ssl ocsp dummy handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1677 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1678 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1679 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1680 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1681 ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1682 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1683 int len; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1684 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1685 uintptr_t escape; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1686 ngx_str_t binary, base64; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1687 ngx_buf_t *b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1688 OCSP_CERTID *id; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1689 OCSP_REQUEST *ocsp; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1690 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1691 ocsp = OCSP_REQUEST_new(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1692 if (ocsp == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1693 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1694 "OCSP_REQUEST_new() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1695 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1696 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1697 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1698 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1699 if (id == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1700 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1701 "OCSP_cert_to_id() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1702 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1703 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1704 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1705 if (OCSP_request_add0_id(ocsp, id) == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1706 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1707 "OCSP_request_add0_id() failed"); |
6064
ff957cd36860
OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents:
5777
diff
changeset
|
1708 OCSP_CERTID_free(id); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1709 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1710 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1711 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1712 len = i2d_OCSP_REQUEST(ocsp, NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1713 if (len <= 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1714 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1715 "i2d_OCSP_REQUEST() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1716 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1717 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1718 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1719 binary.len = len; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1720 binary.data = ngx_palloc(ctx->pool, len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1721 if (binary.data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1722 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1723 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1724 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1725 p = binary.data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1726 len = i2d_OCSP_REQUEST(ocsp, &p); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1727 if (len <= 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1728 ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1729 "i2d_OCSP_REQUEST() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1730 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1731 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1732 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1733 base64.len = ngx_base64_encoded_length(binary.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1734 base64.data = ngx_palloc(ctx->pool, base64.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1735 if (base64.data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1736 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1737 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1738 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1739 ngx_encode_base64(&base64, &binary); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1740 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1741 escape = ngx_escape_uri(NULL, base64.data, base64.len, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1742 NGX_ESCAPE_URI_COMPONENT); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1743 |
4880
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1744 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1745 "ssl ocsp request length %z, escape %d", |
6480 | 1746 base64.len, (int) escape); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1747 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1748 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1749 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1750 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1751 + sizeof(CRLF) - 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1752 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1753 b = ngx_create_temp_buf(ctx->pool, len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1754 if (b == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1755 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1756 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1757 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1758 p = b->last; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1759 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1760 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1761 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1762 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1763 if (ctx->uri.data[ctx->uri.len - 1] != '/') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1764 *p++ = '/'; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1765 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1766 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1767 if (escape == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1768 p = ngx_cpymem(p, base64.data, base64.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1769 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1770 } else { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1771 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1772 NGX_ESCAPE_URI_COMPONENT); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1773 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1774 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1775 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1776 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1777 p = ngx_cpymem(p, ctx->host.data, ctx->host.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1778 *p++ = CR; *p++ = LF; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1779 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1780 /* add "\r\n" at the header end */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1781 *p++ = CR; *p++ = LF; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1782 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1783 b->last = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1784 ctx->request = b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1785 |
5683
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1786 OCSP_REQUEST_free(ocsp); |
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1787 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1788 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1789 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1790 failed: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1791 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1792 OCSP_REQUEST_free(ocsp); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1793 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1794 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1795 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1796 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1797 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1798 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1799 ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1800 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1801 ngx_int_t rc; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1802 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1803 rc = ngx_ssl_ocsp_parse_status_line(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1804 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1805 if (rc == NGX_OK) { |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1806 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1807 "ssl ocsp status %ui \"%*s\"", |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1808 ctx->code, |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1809 ctx->header_end - ctx->header_start, |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1810 ctx->header_start); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1811 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1812 ctx->process = ngx_ssl_ocsp_process_headers; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1813 return ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1814 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1815 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1816 if (rc == NGX_AGAIN) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1817 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1818 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1819 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1820 /* rc == NGX_ERROR */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1821 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1822 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1823 "OCSP responder sent invalid response"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1824 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1825 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1826 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1827 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1828 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1829 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1830 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1831 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1832 u_char ch; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1833 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1834 ngx_buf_t *b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1835 enum { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1836 sw_start = 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1837 sw_H, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1838 sw_HT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1839 sw_HTT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1840 sw_HTTP, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1841 sw_first_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1842 sw_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1843 sw_first_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1844 sw_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1845 sw_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1846 sw_space_after_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1847 sw_status_text, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1848 sw_almost_done |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1849 } state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1850 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1851 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1852 "ssl ocsp process status line"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1853 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1854 state = ctx->state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1855 b = ctx->response; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1856 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1857 for (p = b->pos; p < b->last; p++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1858 ch = *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1859 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1860 switch (state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1861 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1862 /* "HTTP/" */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1863 case sw_start: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1864 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1865 case 'H': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1866 state = sw_H; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1867 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1868 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1869 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1870 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1871 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1872 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1873 case sw_H: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1874 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1875 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1876 state = sw_HT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1877 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1878 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1879 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1880 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1881 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1882 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1883 case sw_HT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1884 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1885 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1886 state = sw_HTT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1887 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1888 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1889 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1890 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1891 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1892 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1893 case sw_HTT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1894 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1895 case 'P': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1896 state = sw_HTTP; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1897 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1898 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1899 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1900 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1901 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1902 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1903 case sw_HTTP: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1904 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1905 case '/': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1906 state = sw_first_major_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1907 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1908 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1909 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1910 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1911 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1912 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1913 /* the first digit of major HTTP version */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1914 case sw_first_major_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1915 if (ch < '1' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1916 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1917 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1918 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1919 state = sw_major_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1920 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1921 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1922 /* the major HTTP version or dot */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1923 case sw_major_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1924 if (ch == '.') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1925 state = sw_first_minor_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1926 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1927 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1928 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1929 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1930 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1931 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1932 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1933 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1934 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1935 /* the first digit of minor HTTP version */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1936 case sw_first_minor_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1937 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1938 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1939 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1940 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1941 state = sw_minor_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1942 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1943 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1944 /* the minor HTTP version or the end of the request line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1945 case sw_minor_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1946 if (ch == ' ') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1947 state = sw_status; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1948 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1949 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1950 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1951 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1952 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1953 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1954 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1955 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1956 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1957 /* HTTP status code */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1958 case sw_status: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1959 if (ch == ' ') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1960 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1961 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1962 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1963 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1964 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1965 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1966 |
7067
e3723f2a11b7
Parenthesized ASCII-related calculations.
Valentin Bartenev <vbart@nginx.com>
parents:
6842
diff
changeset
|
1967 ctx->code = ctx->code * 10 + (ch - '0'); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1968 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1969 if (++ctx->count == 3) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1970 state = sw_space_after_status; |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1971 ctx->header_start = p - 2; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1972 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1973 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1974 break; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1975 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1976 /* space or end of line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1977 case sw_space_after_status: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1978 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1979 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1980 state = sw_status_text; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1981 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1982 case '.': /* IIS may send 403.1, 403.2, etc */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1983 state = sw_status_text; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1984 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1985 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1986 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1987 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1988 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1989 ctx->header_end = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1990 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1991 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1992 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1993 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1994 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1995 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1996 /* any text until end of line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1997 case sw_status_text: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1998 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1999 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2000 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2001 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2002 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
2003 ctx->header_end = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2004 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2005 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2006 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2007 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2008 /* end of status line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2009 case sw_almost_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2010 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2011 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
2012 ctx->header_end = p - 1; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2013 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2014 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2015 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2016 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2017 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2018 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2019 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2020 b->pos = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2021 ctx->state = state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2022 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2023 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2024 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2025 done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2026 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2027 b->pos = p + 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2028 ctx->state = sw_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2029 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2030 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2031 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2032 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2033 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2034 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2035 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2036 { |
4876
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2037 size_t len; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2038 ngx_int_t rc; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2039 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2040 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2041 "ssl ocsp process headers"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2042 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2043 for ( ;; ) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2044 rc = ngx_ssl_ocsp_parse_header_line(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2045 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2046 if (rc == NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2047 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2048 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2049 "ssl ocsp header \"%*s: %*s\"", |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2050 ctx->header_name_end - ctx->header_name_start, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2051 ctx->header_name_start, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2052 ctx->header_end - ctx->header_start, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2053 ctx->header_start); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2054 |
4876
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2055 len = ctx->header_name_end - ctx->header_name_start; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2056 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2057 if (len == sizeof("Content-Type") - 1 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2058 && ngx_strncasecmp(ctx->header_name_start, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2059 (u_char *) "Content-Type", |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2060 sizeof("Content-Type") - 1) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2061 == 0) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2062 { |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2063 len = ctx->header_end - ctx->header_start; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2064 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2065 if (len != sizeof("application/ocsp-response") - 1 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2066 || ngx_strncasecmp(ctx->header_start, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2067 (u_char *) "application/ocsp-response", |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2068 sizeof("application/ocsp-response") - 1) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2069 != 0) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2070 { |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2071 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2072 "OCSP responder sent invalid " |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2073 "\"Content-Type\" header: \"%*s\"", |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2074 ctx->header_end - ctx->header_start, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2075 ctx->header_start); |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2076 return NGX_ERROR; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2077 } |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2078 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2079 continue; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2080 } |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2081 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2082 /* TODO: honor Content-Length */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2083 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2084 continue; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2085 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2086 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2087 if (rc == NGX_DONE) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2088 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2089 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2090 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2091 if (rc == NGX_AGAIN) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2092 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2093 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2094 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2095 /* rc == NGX_ERROR */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2096 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2097 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2098 "OCSP responder sent invalid response"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2099 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2100 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2101 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2102 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2103 ctx->process = ngx_ssl_ocsp_process_body; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2104 return ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2105 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2106 |
6810 | 2107 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2108 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2109 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2110 { |
6810 | 2111 u_char c, ch, *p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2112 enum { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2113 sw_start = 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2114 sw_name, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2115 sw_space_before_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2116 sw_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2117 sw_space_after_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2118 sw_almost_done, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2119 sw_header_almost_done |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2120 } state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2121 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2122 state = ctx->state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2123 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2124 for (p = ctx->response->pos; p < ctx->response->last; p++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2125 ch = *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2126 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2127 #if 0 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2128 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2129 "s:%d in:'%02Xd:%c'", state, ch, ch); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2130 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2131 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2132 switch (state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2133 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2134 /* first char */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2135 case sw_start: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2136 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2137 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2138 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2139 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2140 state = sw_header_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2141 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2142 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2143 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2144 goto header_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2145 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2146 state = sw_name; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2147 ctx->header_name_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2148 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2149 c = (u_char) (ch | 0x20); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2150 if (c >= 'a' && c <= 'z') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2151 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2152 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2153 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2154 if (ch >= '0' && ch <= '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2155 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2156 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2157 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2158 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2159 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2160 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2161 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2162 /* header name */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2163 case sw_name: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2164 c = (u_char) (ch | 0x20); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2165 if (c >= 'a' && c <= 'z') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2166 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2167 } |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2168 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2169 if (ch == ':') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2170 ctx->header_name_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2171 state = sw_space_before_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2172 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2173 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2174 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2175 if (ch == '-') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2176 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2177 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2178 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2179 if (ch >= '0' && ch <= '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2180 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2181 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2182 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2183 if (ch == CR) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2184 ctx->header_name_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2185 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2186 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2187 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2188 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2189 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2190 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2191 if (ch == LF) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2192 ctx->header_name_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2193 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2194 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2195 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2196 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2197 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2198 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2199 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2200 /* space* before header value */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2201 case sw_space_before_value: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2202 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2203 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2204 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2205 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2206 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2207 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2208 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2209 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2210 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2211 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2212 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2213 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2214 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2215 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2216 state = sw_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2217 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2218 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2219 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2220 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2221 /* header value */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2222 case sw_value: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2223 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2224 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2225 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2226 state = sw_space_after_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2227 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2228 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2229 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2230 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2231 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2232 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2233 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2234 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2235 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2236 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2237 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2238 /* space* before end of header line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2239 case sw_space_after_value: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2240 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2241 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2242 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2243 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2244 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2245 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2246 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2247 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2248 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2249 state = sw_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2250 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2251 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2252 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2253 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2254 /* end of header line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2255 case sw_almost_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2256 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2257 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2258 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2259 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2260 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2261 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2262 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2263 /* end of header */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2264 case sw_header_almost_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2265 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2266 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2267 goto header_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2268 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2269 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2270 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2271 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2272 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2273 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2274 ctx->response->pos = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2275 ctx->state = state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2276 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2277 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2278 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2279 done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2280 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2281 ctx->response->pos = p + 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2282 ctx->state = sw_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2283 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2284 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2285 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2286 header_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2287 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2288 ctx->response->pos = p + 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2289 ctx->state = sw_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2290 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2291 return NGX_DONE; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2292 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2293 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2294 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2295 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2296 ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2297 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2298 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2299 "ssl ocsp process body"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2300 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2301 if (ctx->done) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2302 ctx->handler(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2303 return NGX_DONE; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2304 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2305 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2306 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2307 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2308 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2309 |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2310 static ngx_int_t |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2311 ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx) |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2312 { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2313 int n; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2314 size_t len; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2315 X509_STORE *store; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2316 const u_char *p; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2317 OCSP_CERTID *id; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2318 OCSP_RESPONSE *ocsp; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2319 OCSP_BASICRESP *basic; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2320 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2321 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2322 ocsp = NULL; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2323 basic = NULL; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2324 id = NULL; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2325 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2326 if (ctx->code != 200) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2327 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2328 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2329 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2330 /* check the response */ |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2331 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2332 len = ctx->response->last - ctx->response->pos; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2333 p = ctx->response->pos; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2334 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2335 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2336 if (ocsp == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2337 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2338 "d2i_OCSP_RESPONSE() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2339 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2340 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2341 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2342 n = OCSP_response_status(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2343 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2344 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2345 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2346 "OCSP response not successful (%d: %s)", |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2347 n, OCSP_response_status_str(n)); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2348 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2349 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2350 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2351 basic = OCSP_response_get1_basic(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2352 if (basic == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2353 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2354 "OCSP_response_get1_basic() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2355 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2356 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2357 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2358 store = SSL_CTX_get_cert_store(ctx->ssl_ctx); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2359 if (store == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2360 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2361 "SSL_CTX_get_cert_store() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2362 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2363 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2364 |
7897
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7896
diff
changeset
|
2365 if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) { |
7896
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2366 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2367 "OCSP_basic_verify() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2368 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2369 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2370 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2371 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2372 if (id == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2373 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2374 "OCSP_cert_to_id() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2375 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2376 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2377 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2378 if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2379 &thisupdate, &nextupdate) |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2380 != 1) |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2381 { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2382 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2383 "certificate status not found in the OCSP response"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2384 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2385 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2386 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2387 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2388 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2389 "OCSP_check_validity() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2390 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2391 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2392 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2393 if (nextupdate) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2394 ctx->valid = ngx_ssl_stapling_time(nextupdate); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2395 if (ctx->valid == (time_t) NGX_ERROR) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2396 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2397 "invalid nextUpdate time in certificate status"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2398 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2399 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2400 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2401 } else { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2402 ctx->valid = NGX_MAX_TIME_T_VALUE; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2403 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2404 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2405 OCSP_CERTID_free(id); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2406 OCSP_BASICRESP_free(basic); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2407 OCSP_RESPONSE_free(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2408 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2409 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2410 "ssl ocsp response, %s, %uz", |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2411 OCSP_cert_status_str(ctx->status), len); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2412 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2413 return NGX_OK; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2414 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2415 error: |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2416 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2417 if (id) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2418 OCSP_CERTID_free(id); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2419 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2420 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2421 if (basic) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2422 OCSP_BASICRESP_free(basic); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2423 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2424 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2425 if (ocsp) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2426 OCSP_RESPONSE_free(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2427 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2428 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2429 return NGX_ERROR; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2430 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2431 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2432 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2433 ngx_int_t |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2434 ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data) |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2435 { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2436 size_t len; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2437 ngx_slab_pool_t *shpool; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2438 ngx_ssl_ocsp_cache_t *cache; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2439 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2440 if (data) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2441 shm_zone->data = data; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2442 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2443 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2444 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2445 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2446 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2447 if (shm_zone->shm.exists) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2448 shm_zone->data = shpool->data; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2449 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2450 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2451 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2452 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_ocsp_cache_t)); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2453 if (cache == NULL) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2454 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2455 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2456 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2457 shpool->data = cache; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2458 shm_zone->data = cache; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2459 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2460 ngx_rbtree_init(&cache->rbtree, &cache->sentinel, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2461 ngx_str_rbtree_insert_value); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2462 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2463 ngx_queue_init(&cache->expire_queue); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2464 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2465 len = sizeof(" in OCSP cache \"\"") + shm_zone->shm.name.len; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2466 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2467 shpool->log_ctx = ngx_slab_alloc(shpool, len); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2468 if (shpool->log_ctx == NULL) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2469 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2470 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2471 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2472 ngx_sprintf(shpool->log_ctx, " in OCSP cache \"%V\"%Z", |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2473 &shm_zone->shm.name); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2474 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2475 shpool->log_nomem = 0; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2476 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2477 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2478 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2479 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2480 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2481 static ngx_int_t |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2482 ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx) |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2483 { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2484 uint32_t hash; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2485 ngx_shm_zone_t *shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2486 ngx_slab_pool_t *shpool; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2487 ngx_ssl_ocsp_cache_t *cache; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2488 ngx_ssl_ocsp_cache_node_t *node; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2489 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2490 shm_zone = ctx->shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2491 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2492 if (shm_zone == NULL) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2493 return NGX_DECLINED; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2494 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2495 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2496 if (ngx_ssl_ocsp_create_key(ctx) != NGX_OK) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2497 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2498 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2499 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2500 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache lookup"); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2501 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2502 cache = shm_zone->data; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2503 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2504 hash = ngx_hash_key(ctx->key.data, ctx->key.len); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2505 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2506 ngx_shmtx_lock(&shpool->mutex); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2507 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2508 node = (ngx_ssl_ocsp_cache_node_t *) |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2509 ngx_str_rbtree_lookup(&cache->rbtree, &ctx->key, hash); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2510 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2511 if (node) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2512 if (node->valid > ngx_time()) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2513 ctx->status = node->status; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2514 ngx_shmtx_unlock(&shpool->mutex); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2515 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2516 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2517 "ssl ocsp cache hit, %s", |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2518 OCSP_cert_status_str(ctx->status)); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2519 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2520 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2521 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2522 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2523 ngx_queue_remove(&node->queue); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2524 ngx_rbtree_delete(&cache->rbtree, &node->node.node); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2525 ngx_slab_free_locked(shpool, node); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2526 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2527 ngx_shmtx_unlock(&shpool->mutex); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2528 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2529 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2530 "ssl ocsp cache expired"); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2531 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2532 return NGX_DECLINED; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2533 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2534 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2535 ngx_shmtx_unlock(&shpool->mutex); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2536 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2537 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache miss"); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2538 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2539 return NGX_DECLINED; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2540 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2541 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2542 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2543 static ngx_int_t |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2544 ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx) |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2545 { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2546 time_t now, valid; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2547 uint32_t hash; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2548 ngx_queue_t *q; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2549 ngx_shm_zone_t *shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2550 ngx_slab_pool_t *shpool; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2551 ngx_ssl_ocsp_cache_t *cache; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2552 ngx_ssl_ocsp_cache_node_t *node; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2553 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2554 shm_zone = ctx->shm_zone; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2555 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2556 if (shm_zone == NULL) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2557 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2558 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2559 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2560 valid = ctx->valid; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2561 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2562 now = ngx_time(); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2563 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2564 if (valid < now) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2565 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2566 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2567 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2568 if (valid == NGX_MAX_TIME_T_VALUE) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2569 valid = now + 3600; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2570 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2571 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2572 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2573 "ssl ocsp cache store, valid:%T", valid - now); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2574 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2575 cache = shm_zone->data; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2576 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2577 hash = ngx_hash_key(ctx->key.data, ctx->key.len); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2578 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2579 ngx_shmtx_lock(&shpool->mutex); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2580 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2581 node = ngx_slab_calloc_locked(shpool, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2582 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2583 if (node == NULL) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2584 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2585 if (!ngx_queue_empty(&cache->expire_queue)) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2586 q = ngx_queue_last(&cache->expire_queue); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2587 node = ngx_queue_data(q, ngx_ssl_ocsp_cache_node_t, queue); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2588 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2589 ngx_rbtree_delete(&cache->rbtree, &node->node.node); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2590 ngx_queue_remove(q); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2591 ngx_slab_free_locked(shpool, node); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2592 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2593 node = ngx_slab_alloc_locked(shpool, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2594 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2595 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2596 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2597 if (node == NULL) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2598 ngx_shmtx_unlock(&shpool->mutex); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2599 ngx_log_error(NGX_LOG_ALERT, ctx->log, 0, |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2600 "could not allocate new entry%s", shpool->log_ctx); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2601 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2602 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2603 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2604 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2605 node->node.str.len = ctx->key.len; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2606 node->node.str.data = (u_char *) node + sizeof(ngx_ssl_ocsp_cache_node_t); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2607 ngx_memcpy(node->node.str.data, ctx->key.data, ctx->key.len); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2608 node->node.node.key = hash; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2609 node->status = ctx->status; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2610 node->valid = valid; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2611 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2612 ngx_rbtree_insert(&cache->rbtree, &node->node.node); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2613 ngx_queue_insert_head(&cache->expire_queue, &node->queue); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2614 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2615 ngx_shmtx_unlock(&shpool->mutex); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2616 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2617 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2618 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2619 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2620 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2621 static ngx_int_t |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2622 ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx) |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2623 { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2624 u_char *p; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2625 X509_NAME *name; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2626 ASN1_INTEGER *serial; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2627 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2628 p = ngx_pnalloc(ctx->pool, 60); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2629 if (p == NULL) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2630 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2631 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2632 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2633 ctx->key.data = p; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2634 ctx->key.len = 60; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2635 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2636 name = X509_get_subject_name(ctx->issuer); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2637 if (X509_NAME_digest(name, EVP_sha1(), p, NULL) == 0) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2638 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2639 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2640 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2641 p += 20; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2642 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2643 if (X509_pubkey_digest(ctx->issuer, EVP_sha1(), p, NULL) == 0) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2644 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2645 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2646 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2647 p += 20; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2648 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2649 serial = X509_get_serialNumber(ctx->cert); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2650 if (serial->length > 20) { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2651 return NGX_ERROR; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2652 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2653 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2654 p = ngx_cpymem(p, serial->data, serial->length); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2655 ngx_memzero(p, 20 - serial->length); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2656 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2657 #if (NGX_DEBUG) |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2658 { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2659 u_char buf[120]; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2660 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2661 ngx_hex_dump(buf, ctx->key.data, ctx->key.len); |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2662 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2663 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
7901
bd4d1b9db0ee
Fixed format specifiers.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7900
diff
changeset
|
2664 "ssl ocsp key %*s", sizeof(buf), buf); |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2665 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2666 #endif |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2667 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2668 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2669 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2670 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2671 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2672 static u_char * |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2673 ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2674 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2675 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2676 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2677 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2678 p = buf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2679 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2680 if (log->action) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2681 p = ngx_snprintf(buf, len, " while %s", log->action); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2682 len -= p - buf; |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2683 buf = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2684 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2685 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2686 ctx = log->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2687 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2688 if (ctx) { |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2689 p = ngx_snprintf(buf, len, ", responder: %V", &ctx->host); |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2690 len -= p - buf; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2691 buf = p; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2692 } |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2693 |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2694 if (ctx && ctx->peer.name) { |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2695 p = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name); |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2696 len -= p - buf; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2697 buf = p; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2698 } |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2699 |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2700 if (ctx && ctx->name) { |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2701 p = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name); |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2702 len -= p - buf; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2703 buf = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2704 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2705 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2706 return p; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2707 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2708 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2709 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2710 #else |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2711 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2712 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2713 ngx_int_t |
4880
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
2714 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
2715 ngx_str_t *responder, ngx_uint_t verify) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2716 { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2717 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2718 "\"ssl_stapling\" ignored, not supported"); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2719 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2720 return NGX_OK; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2721 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2722 |
6810 | 2723 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2724 ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2725 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2726 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2727 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2728 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2729 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2730 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2731 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2732 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2733 ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2734 ngx_uint_t depth, ngx_shm_zone_t *shm_zone) |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2735 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2736 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2737 "\"ssl_ocsp\" is not supported on this platform"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2738 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2739 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2740 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2741 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2742 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2743 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2744 ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2745 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2746 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2747 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2748 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2749 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2750 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2751 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2752 ngx_ssl_ocsp_validate(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2753 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2754 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2755 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2756 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2757 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2758 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2759 ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2760 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2761 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2762 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2763 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2764 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2765 void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2766 ngx_ssl_ocsp_cleanup(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2767 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2768 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2769 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7898
diff
changeset
|
2770 |
7900
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2771 ngx_int_t |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2772 ngx_ssl_ocsp_cache_init(ngx_shm_zone_t *shm_zone, void *data) |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2773 { |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2774 return NGX_OK; |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2775 } |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2776 |
b56f725dd4bb
OCSP: certificate status cache.
Roman Arutyunyan <arut@nginx.com>
parents:
7899
diff
changeset
|
2777 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2778 #endif |