comparison src/event/ngx_event_openssl_stapling.c @ 7897:6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Sun, 17 May 2020 14:24:35 +0300 |
parents | abb6cc8f1dd8 |
children | 7cffd81015e7 |
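--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -28,10 +28,11 @@
 
 SSL_CTX *ssl_ctx;
 
 X509 *cert;
 X509 *issuer;
+STACK_OF(X509) *chain;
 
 u_char *name;
 
 time_t valid;
 time_t refresh;
@@ -46,10 +47,11 @@
 struct ngx_ssl_ocsp_ctx_s {
 SSL_CTX *ssl_ctx;
 
 X509 *cert;
 X509 *issuer;
+STACK_OF(X509) *chain;
 
 int status;
 time_t valid;
 
 u_char *name;
@@ -177,10 +179,22 @@
 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
 return NGX_ERROR;
 }
 
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+/* OpenSSL 1.0.2+ */
+SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+/* OpenSSL 1.0.1+ */
+SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
+#else
+staple->chain = ssl->ctx->extra_certs;
+#endif
+
 staple->ssl_ctx = ssl->ctx;
 staple->timeout = 60000;
 staple->verify = verify;
 staple->cert = cert;
 staple->name = X509_get_ex_data(staple->cert,
@@ -293,33 +307,20 @@
 {
 int i, n, rc;
 X509 *cert, *issuer;
 X509_STORE *store;
 X509_STORE_CTX *store_ctx;
-STACK_OF(X509) *chain;
 
 cert = staple->cert;
 
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
-/* OpenSSL 1.0.2+ */
-SSL_CTX_select_current_cert(ssl->ctx, cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
-/* OpenSSL 1.0.1+ */
-SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
-#else
-chain = ssl->ctx->extra_certs;
-#endif
-
-n = sk_X509_num(chain);
+n = sk_X509_num(staple->chain);
 
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
 "SSL get issuer: %d extra certs", n);
 
 for (i = 0; i < n; i++) {
-issuer = sk_X509_value(chain, i);
+issuer = sk_X509_value(staple->chain, i);
 if (X509_check_issued(issuer, cert) == X509_V_OK) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100001L
 X509_up_ref(issuer);
 #else
 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
@@ -571,10 +572,11 @@
 }
 
 ctx->ssl_ctx = staple->ssl_ctx;
 ctx->cert = staple->cert;
 ctx->issuer = staple->issuer;
+ctx->chain = staple->chain;
 ctx->name = staple->name;
 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
 
 ctx->addrs = staple->addrs;
 ctx->host = staple->host;
@@ -1718,11 +1720,10 @@
 {
 int n;
 size_t len;
 X509_STORE *store;
 const u_char *p;
-STACK_OF(X509) *chain;
 OCSP_CERTID *id;
 OCSP_RESPONSE *ocsp;
 OCSP_BASICRESP *basic;
 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
 
@@ -1767,23 +1768,11 @@
 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
 "SSL_CTX_get_cert_store() failed");
 goto error;
 }
 
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
-/* OpenSSL 1.0.2+ */
-SSL_CTX_select_current_cert(ctx->ssl_ctx, ctx->cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
-/* OpenSSL 1.0.1+ */
-SSL_CTX_get_extra_chain_certs(ctx->ssl_ctx, &chain);
-#else
-chain = ctx->ssl_ctx->extra_certs;
-#endif
-
-if (OCSP_basic_verify(basic, chain, store, ctx->flags) != 1) {
+if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
 "OCSP_basic_verify() failed");
 goto error;
 }
 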
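Review bot: The new `staple->chain` (and the `ctx->chain` copied from it) is a borrowed pointer into the SSL_CTX's own extra-chain stack — `SSL_CTX_get_extra_chain_certs()` returns the internal STACK_OF(X509) without taking a reference, and the `#else` branch reads `ssl->ctx->extra_certs` directly — but nothing in the new hunk at lines 184-194 records that ownership, so a later reader may be tempted to free it or assume it survives the SSL_CTX. Suggest a comment above the `#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS` block, e.g. `/* borrowed from ssl->ctx, not reference-counted: never free, must not outlive the SSL_CTX, and assumes the extra chain is not replaced after this point */`. Because the chain is now captured once at staple setup instead of on every lookup, it is also worth stating in the same comment that the preceding `SSL_CTX_select_current_cert()` is what makes the captured stack the one belonging to `cert` when several certificates are configured. The enclosing function of that hunk starts and ends outside the shown section, as does the function around line 1773 where the captured chain is handed to `OCSP_basic_verify()`.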