comparison src/event/ngx_event_openssl_stapling.c @ 4874:d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Missed in previous commit.
author | Maxim Dounin <mdounin@mdounin.ru> |
date | Mon, 01 Oct 2012 12:42:43 +0000 |
parents | |
children | 386a06a22c40 |
1 | |
2 /* | |
3 * Copyright (C) Maxim Dounin | |
4 * Copyright (C) Nginx, Inc. | |
5 */ | |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_event.h> | |
11 | |
12 | |
13 #ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB | |
14 | |
15 | |
16 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, | |
17 void *data); | |
18 | |
19 | |
20 ngx_int_t | |
21 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) | |
22 { | |
23 BIO *bio; | |
24 int len; | |
25 u_char *p, *buf; | |
26 ngx_str_t *staple; | |
27 OCSP_RESPONSE *response; | |
28 | |
29 if (file->len == 0) { | |
30 return NGX_OK; | |
31 } | |
32 | |
33 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { | |
34 return NGX_ERROR; | |
35 } | |
36 | |
37 bio = BIO_new_file((char *) file->data, "r"); | |
38 if (bio == NULL) { | |
39 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
40 "BIO_new_file(\"%s\") failed", file->data); | |
41 return NGX_ERROR; | |
42 } | |
43 | |
44 response = d2i_OCSP_RESPONSE_bio(bio, NULL); | |
45 if (response == NULL) { | |
46 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
47 "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data); | |
48 BIO_free(bio); | |
49 return NGX_ERROR; | |
50 } | |
51 | |
52 len = i2d_OCSP_RESPONSE(response, NULL); | |
53 if (len <= 0) { | |
54 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
55 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); | |
56 goto failed; | |
57 } | |
58 | |
59 buf = ngx_pnalloc(cf->pool, len); | |
60 if (buf == NULL) { | |
61 goto failed; | |
62 } | |
63 | |
64 p = buf; | |
65 len = i2d_OCSP_RESPONSE(response, &p); | |
66 if (len <= 0) { | |
67 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
68 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); | |
69 goto failed; | |
70 } | |
71 | |
72 OCSP_RESPONSE_free(response); | |
73 BIO_free(bio); | |
74 | |
75 staple = ngx_palloc(cf->pool, sizeof(ngx_str_t)); | |
76 if (staple == NULL) { | |
77 return NGX_ERROR; | |
78 } | |
79 | |
80 staple->data = buf; | |
81 staple->len = len; | |
82 | |
83 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); | |
84 SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple); | |
85 | |
86 return NGX_OK; | |
87 | |
88 failed: | |
89 | |
90 OCSP_RESPONSE_free(response); | |
91 BIO_free(bio); | |
92 | |
93 return NGX_ERROR; | |
94 } | |
95 | |
96 | |
97 static int | |
98 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) | |
99 { | |
100 u_char *p; | |
101 ngx_str_t *staple; | |
102 ngx_connection_t *c; | |
103 | |
104 c = ngx_ssl_get_connection(ssl_conn); | |
105 | |
106 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
107 "SSL certificate status callback"); | |
108 | |
109 staple = data; | |
110 | |
111 /* we have to copy the staple as OpenSSL will free it by itself */ | |
112 | |
113 p = OPENSSL_malloc(staple->len); | |
114 if (p == NULL) { | |
115 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed"); | |
116 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
117 } | |
118 | |
119 ngx_memcpy(p, staple->data, staple->len); | |
120 | |
121 SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->len); | |
122 | |
123 return SSL_TLSEXT_ERR_OK; | |
124 } | |
125 | |
126 | |
127 #else | |
128 | |
129 | |
130 ngx_int_t | |
131 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) | |
132 { | |
133 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, | |
134 "\"ssl_stapling\" ignored, not supported"); | |
135 | |
136 return NGX_OK; | |
137 } | |
138 | |
139 | |
140 #endif |
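Review bot: The response parsed at line 44 of ngx_ssl_stapling() is stapled as-is: d2i_OCSP_RESPONSE_bio() only checks DER structure, so a file whose responseStatus is not successful (for example a responder's tryLater or unauthorized reply) would be re-encoded and sent to every client, and ngx_ssl_certificate_status_callback() then returns SSL_TLSEXT_ERR_OK unconditionally. Right after the NULL check on response, add `if (OCSP_response_status(response) != OCSP_RESPONSE_STATUS_SUCCESSFUL) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OCSP response in \"%s\" is not successful", file->data); goto failed; }`, which the existing failed: label already cleans up after. The code also does not check that the response refers to the configured certificate or that it is still within its validity window, so a stale or mismatched staple is served until the file is replaced and nginx restarted; a comment above the SSL_CTX_set_tlsext_status_cb() call stating that the operator is responsible for keeping the file current would at least make that contract explicit. Minor: the return value of SSL_set_tlsext_status_ocsp_resp() at line 121 is ignored, and on failure the OPENSSL_malloc()'d copy is not owned by OpenSSL and leaks.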