comparison src/event/ngx_event_openssl_stapling.c @ 7898:7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Previously only the first responder address was used for each stapling update.
Now, in case of a network or parsing error, the next address is used.
This also fixes the issue with unsupported responder address families
(ticket #1330).
author | Roman Arutyunyan <arut@nginx.com> |
date | Fri, 22 May 2020 20:35:05 +0300 |
parents | 6ca8e15caf1f |
children | 8409f9df6219 |
7897:6ca8e15caf1f | 7898:7cffd81015e7 |
20 | 20 |
21 ngx_resolver_t *resolver; | 21 ngx_resolver_t *resolver; |
22 ngx_msec_t resolver_timeout; | 22 ngx_msec_t resolver_timeout; |
23 | 23 |
24 ngx_addr_t *addrs; | 24 ngx_addr_t *addrs; |
25 ngx_uint_t naddrs; | |
25 ngx_str_t host; | 26 ngx_str_t host; |
26 ngx_str_t uri; | 27 ngx_str_t uri; |
27 in_port_t port; | 28 in_port_t port; |
28 | 29 |
29 SSL_CTX *ssl_ctx; | 30 SSL_CTX *ssl_ctx; |
55 time_t valid; | 56 time_t valid; |
56 | 57 |
57 u_char *name; | 58 u_char *name; |
58 | 59 |
59 ngx_uint_t naddrs; | 60 ngx_uint_t naddrs; |
61 ngx_uint_t naddr; | |
60 | 62 |
61 ngx_addr_t *addrs; | 63 ngx_addr_t *addrs; |
62 ngx_str_t host; | 64 ngx_str_t host; |
63 ngx_str_t uri; | 65 ngx_str_t uri; |
64 in_port_t port; | 66 in_port_t port; |
112 | 114 |
113 static void ngx_ssl_stapling_cleanup(void *data); | 115 static void ngx_ssl_stapling_cleanup(void *data); |
114 | 116 |
115 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(void); | 117 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(void); |
116 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx); | 118 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx); |
119 static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx); | |
117 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx); | 120 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx); |
118 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve); | 121 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve); |
119 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx); | 122 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx); |
120 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev); | 123 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev); |
121 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev); | 124 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev); |
467 | 470 |
468 return NGX_ERROR; | 471 return NGX_ERROR; |
469 } | 472 } |
470 | 473 |
471 staple->addrs = u.addrs; | 474 staple->addrs = u.addrs; |
475 staple->naddrs = u.naddrs; | |
472 staple->host = u.host; | 476 staple->host = u.host; |
473 staple->uri = u.uri; | 477 staple->uri = u.uri; |
474 staple->port = u.port; | 478 staple->port = u.port; |
475 | 479 |
476 if (staple->uri.len == 0) { | 480 if (staple->uri.len == 0) { |
577 ctx->chain = staple->chain; | 581 ctx->chain = staple->chain; |
578 ctx->name = staple->name; | 582 ctx->name = staple->name; |
579 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); | 583 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); |
580 | 584 |
581 ctx->addrs = staple->addrs; | 585 ctx->addrs = staple->addrs; |
586 ctx->naddrs = staple->naddrs; | |
582 ctx->host = staple->host; | 587 ctx->host = staple->host; |
583 ctx->uri = staple->uri; | 588 ctx->uri = staple->uri; |
584 ctx->port = staple->port; | 589 ctx->port = staple->port; |
585 ctx->timeout = staple->timeout; | 590 ctx->timeout = staple->timeout; |
586 | 591 |
767 ctx->handler(ctx); | 772 ctx->handler(ctx); |
768 } | 773 } |
769 | 774 |
770 | 775 |
771 static void | 776 static void |
777 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx) | |
778 { | |
779 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | |
780 "ssl ocsp next"); | |
781 | |
782 if (++ctx->naddr >= ctx->naddrs) { | |
783 ngx_ssl_ocsp_error(ctx); | |
784 return; | |
785 } | |
786 | |
787 ctx->request->pos = ctx->request->start; | |
788 | |
789 if (ctx->response) { | |
790 ctx->response->last = ctx->response->pos; | |
791 } | |
792 | |
793 if (ctx->peer.connection) { | |
794 ngx_close_connection(ctx->peer.connection); | |
795 ctx->peer.connection = NULL; | |
796 } | |
797 | |
798 ctx->state = 0; | |
799 ctx->count = 0; | |
800 ctx->done = 0; | |
801 | |
802 ngx_ssl_ocsp_connect(ctx); | |
803 } | |
804 | |
805 | |
806 static void | |
772 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) | 807 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) |
773 { | 808 { |
774 ngx_resolver_ctx_t *resolve, temp; | 809 ngx_resolver_ctx_t *resolve, temp; |
775 | 810 |
776 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | 811 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
904 | 939 |
905 | 940 |
906 static void | 941 static void |
907 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx) | 942 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx) |
908 { | 943 { |
909 ngx_int_t rc; | 944 ngx_int_t rc; |
910 | 945 ngx_addr_t *addr; |
911 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | 946 |
912 "ssl ocsp connect"); | 947 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
913 | 948 "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs); |
914 /* TODO: use all ip addresses */ | 949 |
915 | 950 addr = &ctx->addrs[ctx->naddr]; |
916 ctx->peer.sockaddr = ctx->addrs[0].sockaddr; | 951 |
917 ctx->peer.socklen = ctx->addrs[0].socklen; | 952 ctx->peer.sockaddr = addr->sockaddr; |
918 ctx->peer.name = &ctx->addrs[0].name; | 953 ctx->peer.socklen = addr->socklen; |
954 ctx->peer.name = &addr->name; | |
919 ctx->peer.get = ngx_event_get_peer; | 955 ctx->peer.get = ngx_event_get_peer; |
920 ctx->peer.log = ctx->log; | 956 ctx->peer.log = ctx->log; |
921 ctx->peer.log_error = NGX_ERROR_ERR; | 957 ctx->peer.log_error = NGX_ERROR_ERR; |
922 | 958 |
923 rc = ngx_event_connect_peer(&ctx->peer); | 959 rc = ngx_event_connect_peer(&ctx->peer); |
924 | 960 |
925 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | 961 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
926 "ssl ocsp connect peer done"); | 962 "ssl ocsp connect peer done"); |
927 | 963 |
928 if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) { | 964 if (rc == NGX_ERROR) { |
929 ngx_ssl_ocsp_error(ctx); | 965 ngx_ssl_ocsp_error(ctx); |
966 return; | |
967 } | |
968 | |
969 if (rc == NGX_BUSY || rc == NGX_DECLINED) { | |
970 ngx_ssl_ocsp_next(ctx); | |
930 return; | 971 return; |
931 } | 972 } |
932 | 973 |
933 ctx->peer.connection->data = ctx; | 974 ctx->peer.connection->data = ctx; |
934 ctx->peer.connection->pool = ctx->pool; | 975 ctx->peer.connection->pool = ctx->pool; |
962 "ssl ocsp write handler"); | 1003 "ssl ocsp write handler"); |
963 | 1004 |
964 if (wev->timedout) { | 1005 if (wev->timedout) { |
965 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT, | 1006 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT, |
966 "OCSP responder timed out"); | 1007 "OCSP responder timed out"); |
967 ngx_ssl_ocsp_error(ctx); | 1008 ngx_ssl_ocsp_next(ctx); |
968 return; | 1009 return; |
969 } | 1010 } |
970 | 1011 |
971 size = ctx->request->last - ctx->request->pos; | 1012 size = ctx->request->last - ctx->request->pos; |
972 | 1013 |
973 n = ngx_send(c, ctx->request->pos, size); | 1014 n = ngx_send(c, ctx->request->pos, size); |
974 | 1015 |
975 if (n == NGX_ERROR) { | 1016 if (n == NGX_ERROR) { |
976 ngx_ssl_ocsp_error(ctx); | 1017 ngx_ssl_ocsp_next(ctx); |
977 return; | 1018 return; |
978 } | 1019 } |
979 | 1020 |
980 if (n > 0) { | 1021 if (n > 0) { |
981 ctx->request->pos += n; | 1022 ctx->request->pos += n; |
1016 "ssl ocsp read handler"); | 1057 "ssl ocsp read handler"); |
1017 | 1058 |
1018 if (rev->timedout) { | 1059 if (rev->timedout) { |
1019 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT, | 1060 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT, |
1020 "OCSP responder timed out"); | 1061 "OCSP responder timed out"); |
1021 ngx_ssl_ocsp_error(ctx); | 1062 ngx_ssl_ocsp_next(ctx); |
1022 return; | 1063 return; |
1023 } | 1064 } |
1024 | 1065 |
1025 if (ctx->response == NULL) { | 1066 if (ctx->response == NULL) { |
1026 ctx->response = ngx_create_temp_buf(ctx->pool, 16384); | 1067 ctx->response = ngx_create_temp_buf(ctx->pool, 16384); |
1040 ctx->response->last += n; | 1081 ctx->response->last += n; |
1041 | 1082 |
1042 rc = ctx->process(ctx); | 1083 rc = ctx->process(ctx); |
1043 | 1084 |
1044 if (rc == NGX_ERROR) { | 1085 if (rc == NGX_ERROR) { |
1045 ngx_ssl_ocsp_error(ctx); | 1086 ngx_ssl_ocsp_next(ctx); |
1046 return; | 1087 return; |
1047 } | 1088 } |
1048 | 1089 |
1049 continue; | 1090 continue; |
1050 } | 1091 } |
1071 } | 1112 } |
1072 | 1113 |
1073 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, | 1114 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
1074 "OCSP responder prematurely closed connection"); | 1115 "OCSP responder prematurely closed connection"); |
1075 | 1116 |
1076 ngx_ssl_ocsp_error(ctx); | 1117 ngx_ssl_ocsp_next(ctx); |
1077 } | 1118 } |
1078 | 1119 |
1079 | 1120 |
1080 static void | 1121 static void |
1081 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev) | 1122 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev) |
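Review bot: Now that a failed attempt falls through to the next responder address, the error messages at new lines 1006-1007 and 1060-1061 (`"OCSP responder timed out"`) and 1114-1115 (`"OCSP responder prematurely closed connection"`) no longer tell an operator which of the resolved addresses failed, and the only per-address trace left is the debug-level `"ssl ocsp connect %ui/%ui"` line at 947-948. Since `ctx->peer.name` already points at the current address's `name` (line 954) and `ctx` is in scope at each of these call sites, the messages could carry it, e.g. `"OCSP responder %V timed out", ctx->peer.name`. A second point worth confirming is that each retried address presumably gets a fresh `ctx->timeout`, so the worst-case wall time of one stapling update grows with `naddrs`; if that is intended it should be stated in a comment on `ngx_ssl_ocsp_next`, whose `++ctx->naddr >= ctx->naddrs` check at line 782 is otherwise the only place the bound is visible. The write and read handlers' enclosing functions start outside their hunks.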