annotate src/event/ngx_event_openssl_stapling.c @ 7653:8409f9df6219

SSL: client certificate validation with OCSP (ticket #1534). OCSP validation of client certificates is enabled by the "ssl_ocsp" directive; the OCSP responder can optionally be specified with "ssl_ocsp_responder". When a session is reused, the peer chain is not available for validation. If the verified chain contains certificates from the peer chain that are not available at the server, validation will fail.
author Roman Arutyunyan <arut@nginx.com>
date Fri, 22 May 2020 17:30:12 +0300
parents 7cffd81015e7
children b56f725dd4bb
2 /*
3 * Copyright (C) Maxim Dounin
4 * Copyright (C) Nginx, Inc.
5 */
8 #include <ngx_config.h>
9 #include <ngx_core.h>
10 #include <ngx_event.h>
11 #include <ngx_event_connect.h>
14 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
/*
 * Per-certificate OCSP stapling state.
 *
 * One object is allocated for each server certificate in
 * ngx_ssl_stapling_certificate() and attached to the X509 through the
 * ngx_ssl_stapling_index ex_data slot; the same pointer is handed to
 * ngx_ssl_stapling_cleanup() as a pool cleanup.  Field order is part of
 * the in-memory layout and is intentionally left unchanged.
 */

typedef struct {
    /* response handed to the status callback; presumably DER-encoded */
    ngx_str_t                    staple;
    /* presumably the responder request timeout (cf. ctx->timeout) */
    ngx_msec_t                   timeout;

    /* resolver (and its timeout) used for the responder host name */
    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    /* responder addresses; all of them are tried in turn (7cffd81015e7) */
    ngx_addr_t                  *addrs;
    ngx_uint_t                   naddrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    /* context the stapled certificate belongs to */
    SSL_CTX                     *ssl_ctx;

    /* certificate being stapled, its issuer (ngx_ssl_stapling_issuer()) */
    /* and the extra chain kept with the staple (6ca8e15caf1f) */
    X509                        *cert;
    X509                        *issuer;
    STACK_OF(X509)              *chain;

    /* certificate name, used to give warnings context (a7ec59df0c4d) */
    u_char                      *name;

    /*
     * valid: presumably the response's nextUpdate (see
     * ngx_ssl_stapling_time()); refresh: when a new response should be
     * fetched, added to avoid serving expired responses (6893a1007a7c).
     */
    time_t                       valid;
    time_t                       refresh;

    /*
     * verify: ssl_stapling_verify.  NOTE(review): with verify off a
     * response from a spoofed responder would presumably be stapled
     * without a signature check — confirm in ngx_ssl_ocsp_verify().
     * loading: presumably set while a responder request is in flight.
     */
    unsigned                     verify:1;
    unsigned                     loading:1;
} ngx_ssl_stapling_t;
/*
 * Configuration for OCSP validation of client certificates ("ssl_ocsp",
 * introduced in 8409f9df6219).  Unlike ngx_ssl_stapling_t this is not tied
 * to a single certificate; it describes the responder to query and how
 * to reach it.  Field order is layout and is left unchanged.
 */

typedef struct {
    /* responder addresses, presumably from "ssl_ocsp_responder" when */
    /* it is given as an address; confirm in the directive handler */
    ngx_addr_t                  *addrs;
    ngx_uint_t                   naddrs;

    /* responder host, request URI and port */
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;
    /* presumably how many chain certificates to validate — TODO confirm */
    ngx_uint_t                   depth;

    /* resolver (and its timeout) for the responder host name */
    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;
} ngx_ssl_ocsp_conf_t;
60 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t;
/*
 * Per-connection state of client certificate OCSP validation.
 *
 * The struct tag is not file-local, so callers elsewhere may depend on
 * its layout; field order is left unchanged.  Per the commit message, a
 * chain certificate that is not available at the server makes validation
 * fail rather than be skipped (fail closed).
 */

struct ngx_ssl_ocsp_s {
    /* presumably the verified chain, walked one certificate at a time */
    /* by ngx_ssl_ocsp_validate_next(); ncert is the current position */
    STACK_OF(X509)              *certs;
    ngx_uint_t                   ncert;

    /*
     * cert_status: presumably the OpenSSL OCSP certificate status of the
     * last response (an int, as OpenSSL returns it).  status: the nginx
     * result reported to the caller.  NOTE(review): confirm that an
     * "unknown" status is not mapped to success in ngx_ssl_ocsp_handler().
     */
    int                          cert_status;
    ngx_int_t                    status;

    /* ssl_ocsp settings and the in-flight responder request, if any */
    ngx_ssl_ocsp_conf_t         *conf;
    ngx_ssl_ocsp_ctx_t          *ctx;
};
/*
 * One OCSP request/response exchange with a responder.
 *
 * Shared by stapling (completion via ngx_ssl_stapling_ocsp_handler) and
 * client certificate validation (completion via ngx_ssl_ocsp_handler);
 * handler/data tell the two users apart.  The response is parsed by the
 * ngx_ssl_ocsp_process_* functions below, i.e. it is carried over HTTP.
 * NOTE(review): the peer connection carries no TLS that is visible here,
 * so ngx_ssl_ocsp_verify() is presumably the only integrity check on the
 * response — confirm.  Field order is layout and is left unchanged.
 */

struct ngx_ssl_ocsp_ctx_s {
    SSL_CTX                     *ssl_ctx;

    /* certificate whose status is queried, its issuer, and extra */
    /* certificates presumably used when verifying the response */
    X509                        *cert;
    X509                        *issuer;
    STACK_OF(X509)              *chain;

    /* status and validity extracted from the response by */
    /* ngx_ssl_ocsp_verify() (abb6cc8f1dd8); exact meaning not shown here */
    int                          status;
    time_t                       valid;

    /* certificate name for error logging context (94586180fb41) */
    u_char                      *name;

    /* number of responder addresses and the one currently being tried */
    /* (7cffd81015e7: iterate over all responder addresses) */
    ngx_uint_t                   naddrs;
    ngx_uint_t                   naddr;

    /* responder location */
    ngx_addr_t                  *addrs;
    ngx_str_t                    host;
    ngx_str_t                    uri;
    in_port_t                    port;

    /* resolver (and its timeout) for the responder host name */
    ngx_resolver_t              *resolver;
    ngx_msec_t                   resolver_timeout;

    /* presumably the overall request timeout */
    ngx_msec_t                   timeout;

    /* completion callback and the caller's context for it */
    void                       (*handler)(ngx_ssl_ocsp_ctx_t *ctx);
    void                        *data;

    /* outgoing request, incoming response, connection to the responder */
    ngx_buf_t                   *request;
    ngx_buf_t                   *response;
    ngx_peer_connection_t        peer;

    /* current response parsing stage (status line, headers, body) */
    ngx_int_t                  (*process)(ngx_ssl_ocsp_ctx_t *ctx);

    /* parser state within the current stage */
    ngx_uint_t                   state;

    /* code: presumably the HTTP status code; flags: added together with */
    /* ngx_ssl_ocsp_verify() (abb6cc8f1dd8), presumably verification flags */
    ngx_uint_t                   code;
    ngx_uint_t                   count;
    ngx_uint_t                   flags;
    ngx_uint_t                   done;

    /* header field being parsed: name and value boundaries */
    u_char                      *header_name_start;
    u_char                      *header_name_end;
    u_char                      *header_start;
    u_char                      *header_end;

    ngx_pool_t                  *pool;
    ngx_log_t                   *log;
};
/* stapling: per-certificate setup at configuration time */
static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
    X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *file);
static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple);
static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *responder);

/* stapling: serving the response at handshake time and refreshing it */
static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
    void *data);
static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);

/* ASN.1 GeneralizedTime -> time_t (6893a1007a7c, expired responses) */
static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time);

/* pool cleanup for ngx_ssl_stapling_t */
static void ngx_ssl_stapling_cleanup(void *data);

/* client certificate validation ("ssl_ocsp", 8409f9df6219) */
static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c);
static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c,
    ngx_ssl_ocsp_ctx_t *ctx);

/* OCSP client shared by stapling and client certificate validation: */
/* request life cycle, address iteration, resolving and I/O handlers */
static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(ngx_log_t *log);
static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve);
static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx);
static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev);
static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev);
static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);

/* request encoding, HTTP response parsing and OCSP response verification */
static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx);
static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx);

/* log handler adding responder context to error messages */
static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len);
/*
 * Enables OCSP stapling for every certificate configured on ssl->ctx.
 *
 * cf, ssl    configuration context and the SSL object being set up
 * file       stapling file argument, passed through to
 *            ngx_ssl_stapling_file() via ngx_ssl_stapling_certificate()
 * responder  responder argument, passed through to
 *            ngx_ssl_stapling_responder() the same way
 * verify     ssl_stapling_verify flag stored in each staple object
 *
 * Returns NGX_OK, or NGX_ERROR as soon as one certificate cannot be set
 * up; in that case the remaining certificates are not visited and the
 * status callback is not installed.
 */

ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
    ngx_str_t *responder, ngx_uint_t verify)
{
    X509  *cert;

    /*
     * Certificates loaded into the context form a singly linked list:
     * the first one is stored on the SSL_CTX under
     * ngx_ssl_certificate_index, each next one on the previous X509 under
     * ngx_ssl_next_certificate_index.
     */

    cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);

    while (cert != NULL) {

        if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder,
                                         verify)
            != NGX_OK)
        {
            /* stop at the first failure */
            return NGX_ERROR;
        }

        cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
    }

    /*
     * One status callback serves all certificates of the context; it is
     * installed only once every staple object has been set up.
     */

    SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);

    return NGX_OK;
}
193 static ngx_int_t
194 ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
195 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
196 {
197 ngx_int_t rc;
198 ngx_pool_cleanup_t *cln;
199 ngx_ssl_stapling_t *staple;
201 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
202 if (staple == NULL) {
203 return NGX_ERROR;
204 }
206 cln = ngx_pool_cleanup_add(cf->pool, 0);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
207 if (cln == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
208 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
209 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
210
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
211 cln->handler = ngx_ssl_stapling_cleanup;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
212 cln->data = staple;
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
213
6545
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6544
diff changeset
214 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6544
diff changeset
215 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
216 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
217 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
218
7651
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
219 #ifdef SSL_CTRL_SELECT_CURRENT_CERT
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
220 /* OpenSSL 1.0.2+ */
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
221 SSL_CTX_select_current_cert(ssl->ctx, cert);
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
222 #endif
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
223
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
224 #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
225 /* OpenSSL 1.0.1+ */
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
226 SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
227 #else
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
228 staple->chain = ssl->ctx->extra_certs;
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
229 #endif
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents: 7650
diff changeset
230
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
231 staple->ssl_ctx = ssl->ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
232 staple->timeout = 60000;
4879
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4878
diff changeset
233 staple->verify = verify;
6545
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6544
diff changeset
234 staple->cert = cert;
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
235 staple->name = X509_get_ex_data(staple->cert,
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
236 ngx_ssl_certificate_name_index);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
237
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
238 if (file->len) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
239 /* use OCSP response from the file */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
240
6544
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
241 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
242 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
243 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
244
6547
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6546
diff changeset
245 return NGX_OK;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
246 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
247
6544
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
248 rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
249
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
250 if (rc == NGX_DECLINED) {
4874
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
251 return NGX_OK;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
252 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff changeset
253
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
254 if (rc != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
255 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
256 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
257
6544
458e01ef46e6 OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6491
diff changeset
258 rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
259
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
260 if (rc == NGX_DECLINED) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
261 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
262 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
263
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
264 if (rc != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
265 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
266 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
267
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
268 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
269 }
/*
 * Loads a static, pre-fetched OCSP response (ssl_stapling_file) into
 * the staple.  The file is parsed as a DER OCSP_RESPONSE and then
 * re-encoded into a freshly allocated buffer, so what gets stapled is
 * the canonical DER form, not the raw file bytes.
 *
 * cf     - configuration context; cf->cycle is used to resolve "file"
 * ssl    - supplies the log for error reporting
 * staple - receives staple->staple (DER response) and staple->valid
 * file   - path to the response; rewritten in place by
 *          ngx_conf_full_name() (presumably to an absolute path)
 *
 * Returns NGX_OK, or NGX_ERROR when the path cannot be resolved, the
 * file cannot be opened, or the content does not decode/encode as an
 * OCSP_RESPONSE.  Allocation failure also yields NGX_ERROR; ngx_alloc()
 * receives the log and is expected to report it itself, which is why
 * that path is not logged here.
 *
 * Security caveats:
 *  - Nothing here checks the response: not its signature, not the
 *    certificate status it carries, not its validity window.  Whatever
 *    is in the file is sent to every client, and the caller skips the
 *    issuer lookup in file mode, so ssl_stapling_verify has no effect.
 *  - staple->valid is set to NGX_MAX_TIME_T_VALUE, i.e. the response is
 *    never refreshed or expired by nginx.  A response that has passed
 *    its nextUpdate (or predates a revocation) keeps being stapled
 *    until the file is replaced and nginx is reloaded.
 *  - The file is read at configuration time, with the privileges of
 *    the process loading the configuration; protect it like the key.
 */
static ngx_int_t
ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple, ngx_str_t *file)
{
    int             size;
    BIO            *in;
    u_char         *der, *end;
    OCSP_RESPONSE  *rsp;

    if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    /* binary mode: the file is DER, never translate line endings */

    in = BIO_new_file((char *) file->data, "rb");
    if (in == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "BIO_new_file(\"%s\") failed", file->data);
        return NGX_ERROR;
    }

    rsp = d2i_OCSP_RESPONSE_bio(in, NULL);
    if (rsp == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
        BIO_free(in);
        return NGX_ERROR;
    }

    der = NULL;

    /* first i2d pass sizes the encoding, second one writes it */

    size = i2d_OCSP_RESPONSE(rsp, NULL);

    if (size > 0) {
        der = ngx_alloc(size, ssl->log);

        if (der != NULL) {
            end = der;
            size = i2d_OCSP_RESPONSE(rsp, &end);

            if (size <= 0) {
                ngx_free(der);
                der = NULL;
            }
        }
    }

    if (size <= 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
    }

    OCSP_RESPONSE_free(rsp);
    BIO_free(in);

    if (der == NULL) {
        return NGX_ERROR;
    }

    staple->staple.data = der;
    staple->staple.len = size;

    /* a file-provided response is trusted forever, see the caveats above */
    staple->valid = NGX_MAX_TIME_T_VALUE;

    return NGX_OK;
}
/*
 * Finds the certificate that issued staple->cert and stores an owned
 * reference to it in staple->issuer.  The consumers are outside this
 * function; presumably the issuer is what is later needed to build the
 * OCSP request's certificate id and, with ssl_stapling_verify, to
 * validate responses.
 *
 * Lookup order:
 *  1. the extra chain configured with the certificate (staple->chain);
 *     a match is decided by X509_check_issued(), which pairs issuer and
 *     subject by name / key identifier rather than by verifying the
 *     signature -- acceptable only because the chain is operator
 *     supplied configuration, not peer data;
 *  2. the SSL_CTX certificate store, i.e. whatever trusted CAs have
 *     been loaded into it, via X509_STORE_CTX_get1_issuer().
 *
 * Reference handling: sk_X509_value() hands out a borrowed pointer, so
 * a chain hit is up-ref'ed explicitly; X509_STORE_CTX_get1_issuer()
 * follows the "get1" convention and already returns an owned
 * reference, so a store hit is not.
 *
 * Returns NGX_OK with staple->issuer set, NGX_DECLINED when no issuer
 * is found (a warning is logged and the caller then leaves stapling
 * disabled for this certificate, so watch for that warning), and
 * NGX_ERROR on OpenSSL failures.  "cf" is accepted for signature
 * symmetry with the sibling helpers and is not used.
 */
static ngx_int_t
ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_ssl_stapling_t *staple)
{
    int              i, count;
    X509            *cert, *candidate, *issuer;
    X509_STORE      *store;
    X509_STORE_CTX  *lookup;

    cert = staple->cert;
    count = sk_X509_num(staple->chain);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
                   "SSL get issuer: %d extra certs", count);

    /* first choice: the chain shipped with the certificate */

    for (i = 0; i < count; i++) {
        candidate = sk_X509_value(staple->chain, i);

        if (X509_check_issued(candidate, cert) != X509_V_OK) {
            continue;
        }

        /* the stack keeps its own reference; take one for the staple */
#if OPENSSL_VERSION_NUMBER >= 0x10100001L
        X509_up_ref(candidate);
#else
        CRYPTO_add(&candidate->references, 1, CRYPTO_LOCK_X509);
#endif

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
                       "SSL get issuer: found %p in extra certs", candidate);

        staple->issuer = candidate;

        return NGX_OK;
    }

    /* fall back to the trusted store of the SSL context */

    store = SSL_CTX_get_cert_store(ssl->ctx);
    if (store == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_get_cert_store() failed");
        return NGX_ERROR;
    }

    lookup = X509_STORE_CTX_new();
    if (lookup == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_STORE_CTX_new() failed");
        return NGX_ERROR;
    }

    if (X509_STORE_CTX_init(lookup, store, NULL, NULL) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_STORE_CTX_init() failed");
        X509_STORE_CTX_free(lookup);
        return NGX_ERROR;
    }

    /* -1: lookup error, 0: no issuer in the store, 1: issuer found */

    switch (X509_STORE_CTX_get1_issuer(&issuer, lookup, cert)) {

    case -1:
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_STORE_CTX_get1_issuer() failed");
        X509_STORE_CTX_free(lookup);
        return NGX_ERROR;

    case 0:
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_stapling\" ignored, "
                      "issuer certificate not found for certificate \"%s\"",
                      staple->name);
        X509_STORE_CTX_free(lookup);
        return NGX_DECLINED;

    default:
        break;
    }

    X509_STORE_CTX_free(lookup);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
                   "SSL get issuer: found %p in cert store", issuer);

    staple->issuer = issuer;

    return NGX_OK;
}
423 static ngx_int_t
424 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
425 ngx_ssl_stapling_t *staple, ngx_str_t *responder)
426 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
427 char *s;
6688
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6593
diff changeset
428 ngx_str_t rsp;
6810
64f5bfba5d96 OCSP stapling: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6688
diff changeset
429 ngx_url_t u;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
430 STACK_OF(OPENSSL_STRING) *aia;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
431
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
432 if (responder->len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
433
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
434 /* extract OCSP responder URL from certificate */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
435
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
436 aia = X509_get1_ocsp(staple->cert);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
437 if (aia == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
438 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
439 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
440 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
441 staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
442 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
443 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
444
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
445 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
446 s = sk_OPENSSL_STRING_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
447 #else
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
448 s = sk_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
449 #endif
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
450 if (s == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
451 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
452 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
453 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
454 staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
455 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
456 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
457 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
458
6688
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6593
diff changeset
459 responder = &rsp;
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6593
diff changeset
460
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
461 responder->len = ngx_strlen(s);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
462 responder->data = ngx_palloc(cf->pool, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
463 if (responder->data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
464 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
465 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
466 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
467
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
468 ngx_memcpy(responder->data, s, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
469 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
470 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
471
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
472 ngx_memzero(&u, sizeof(ngx_url_t));
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
473
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
474 u.url = *responder;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
475 u.default_port = 80;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
476 u.uri_part = 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
477
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
478 if (u.url.len > 7
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
479 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
480 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
481 u.url.len -= 7;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
482 u.url.data += 7;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
483
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
484 } else {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
485 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
486 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
487 "invalid URL prefix in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
488 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
489 &u.url, staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
490 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
491 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
492
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
493 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
494 if (u.err) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
495 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
496 "\"ssl_stapling\" ignored, "
6812
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
497 "%s in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
498 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6811
diff changeset
499 u.err, &u.url, staple->name);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
500 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
501 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
502
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
503 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
504 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
505
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
506 staple->addrs = u.addrs;
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
507 staple->naddrs = u.naddrs;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
508 staple->host = u.host;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
509 staple->uri = u.uri;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
510 staple->port = u.port;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
511
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
512 if (staple->uri.len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
513 ngx_str_set(&staple->uri, "/");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
514 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
515
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
516 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
517 }
518
519
/*
 * Records the resolver and resolver timeout to use for OCSP responder
 * lookups in the staple object of every certificate attached to ssl->ctx.
 *
 * "cf" is not used; it is part of the public signature.  Always returns
 * NGX_OK.
 */
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    X509                *cert;
    ngx_ssl_stapling_t  *staple;

    /* certificates are chained through ngx_ssl_next_certificate_index */

    cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);

    while (cert) {

        /*
         * NOTE(review): no NULL check here, unlike the status callback;
         * presumably every certificate already carries a staple object
         * by the time this is called - confirm against the caller
         */

        staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);

        staple->resolver = resolver;
        staple->resolver_timeout = resolver_timeout;

        cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
    }

    return NGX_OK;
}
538
539
/*
 * OpenSSL certificate status (TLS status_request) callback.
 *
 * Hands a cached OCSP response for the connection's certificate to OpenSSL
 * when one exists and has not expired yet, and then gives the staple a
 * chance to schedule a refresh.  Returns SSL_TLSEXT_ERR_OK when a response
 * was set and SSL_TLSEXT_ERR_NOACK otherwise (no certificate, no staple
 * object, no valid response, or allocation failure).
 */
static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
    int                  rc;
    size_t               len;
    X509                *cert;
    u_char              *copy;
    ngx_connection_t    *c;
    ngx_ssl_stapling_t  *staple;

    c = ngx_ssl_get_connection(ssl_conn);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL certificate status callback");

    cert = SSL_get_certificate(ssl_conn);
    if (cert == NULL) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    /* certificates without a staple object (e.g. no stapling configured) */

    staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
    if (staple == NULL) {
        return SSL_TLSEXT_ERR_NOACK;
    }

    rc = SSL_TLSEXT_ERR_NOACK;
    len = staple->staple.len;

    /* an expired response is withheld rather than sent to the client */

    if (len && staple->valid >= ngx_time()) {

        /* OpenSSL takes ownership of the buffer and frees it by itself */

        copy = OPENSSL_malloc(len);
        if (copy == NULL) {
            ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
            return SSL_TLSEXT_ERR_NOACK;
        }

        ngx_memcpy(copy, staple->staple.data, len);
        SSL_set_tlsext_status_ocsp_resp(ssl_conn, copy, len);

        rc = SSL_TLSEXT_ERR_OK;
    }

    /* may start an asynchronous refresh if one is due */

    ngx_ssl_stapling_update(staple);

    return rc;
}
590
591
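/*
 * Starts an asynchronous OCSP fetch for the certificate behind "staple"
 * when a refresh is due.
 *
 * Nothing is done when no responder host is known, a fetch is already in
 * flight (staple->loading) or the next refresh time has not come yet.  The
 * request completes in ngx_ssl_stapling_ocsp_handler(), which receives
 * "staple" through ctx->data.
 *
 * staple->loading is set only once a request context actually exists:
 * previously it was set before ngx_ssl_ocsp_start(), so a single
 * allocation failure there left it set forever and no later status
 * callback could ever retry the refresh for this certificate.
 */
static void
ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
{
    ngx_ssl_ocsp_ctx_t  *ctx;

    if (staple->host.len == 0
        || staple->loading || staple->refresh >= ngx_time())
    {
        return;
    }

    ctx = ngx_ssl_ocsp_start(ngx_cycle->log);
    if (ctx == NULL) {
        /* nothing was started, so leave "loading" clear for a later retry */
        return;
    }

    staple->loading = 1;

    ctx->ssl_ctx = staple->ssl_ctx;
    ctx->cert = staple->cert;
    ctx->issuer = staple->issuer;
    ctx->chain = staple->chain;
    ctx->name = staple->name;

    /*
     * without "verify" the response signature is not checked at all
     * (OCSP_NOVERIFY); with it, certificates in ctx->chain are accepted
     * as responder signers (OCSP_TRUSTOTHER)
     */
    ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);

    ctx->addrs = staple->addrs;
    ctx->naddrs = staple->naddrs;
    ctx->host = staple->host;
    ctx->uri = staple->uri;
    ctx->port = staple->port;
    ctx->timeout = staple->timeout;

    ctx->resolver = staple->resolver;
    ctx->resolver_timeout = staple->resolver_timeout;

    ctx->handler = ngx_ssl_stapling_ocsp_handler;
    ctx->data = staple;

    ngx_ssl_ocsp_request(ctx);

    return;
}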
634
635
636 static void
637 ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
638 {
639 time_t now;
640 ngx_str_t response;
641 ngx_ssl_stapling_t *staple;
642
643 staple = ctx->data;
644 now = ngx_time();
645
646 if (ngx_ssl_ocsp_verify(ctx) != NGX_OK) {
647 goto error;
648 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
649
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
650 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
651 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
652 "certificate status \"%s\" in the OCSP response",
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
653 OCSP_cert_status_str(ctx->status));
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
654 goto error;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
655 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
656
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
657 /* copy the response to memory not in ctx->pool */
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
658
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
659 response.len = ctx->response->last - ctx->response->pos;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
660 response.data = ngx_alloc(response.len, ctx->log);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
661
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
662 if (response.data == NULL) {
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
663 goto error;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
664 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
665
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
666 ngx_memcpy(response.data, ctx->response->pos, response.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
667
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
668 if (staple->staple.data) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
669 ngx_free(staple->staple.data);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
670 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
671
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
672 staple->staple = response;
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
673 staple->valid = ctx->valid;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
674
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
675 /*
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
676 * refresh before the response expires,
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
677 * but not earlier than in 5 minutes, and at least in an hour
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
678 */
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
679
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
680 staple->loading = 0;
7650
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents: 7509
diff changeset
681 staple->refresh = ngx_max(ngx_min(ctx->valid - 300, now + 3600), now + 300);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
682
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
683 ngx_ssl_ocsp_done(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
684 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
685
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
686 error:
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
687
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
688 staple->loading = 0;
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
689 staple->refresh = now + 300;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
690
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
691 ngx_ssl_ocsp_done(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
692 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
693
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
694
6181
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6064
diff changeset
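/*
 * Converts an ASN1_GENERALIZEDTIME into a time_t.
 *
 * Returns the parsed time, or NGX_ERROR when the memory BIO cannot be
 * created, the ASN.1 value cannot be printed, or the printed text does
 * not parse.  A print failure is now reported explicitly instead of
 * handing whatever the BIO holds to the parser.
 */
static time_t
ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time)
{
    BIO     *bio;
    char    *value;
    long     len;
    time_t   t;

    /*
     * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME
     * into time_t. To do this, we use ASN1_GENERALIZEDTIME_print(),
     * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
     * "Feb 3 00:55:52 2015 GMT"), and parse the result.
     */

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        return NGX_ERROR;
    }

    /* fake weekday prepended to match C asctime() format */

    if (BIO_write(bio, "Tue ", sizeof("Tue ") - 1) <= 0
        || ASN1_GENERALIZEDTIME_print(bio, asn1time) <= 0)
    {
        /* a malformed value must not be turned into an arbitrary time */
        BIO_free(bio);
        return NGX_ERROR;
    }

    /* the mem BIO data is not NUL-terminated; the parser takes a length */

    len = BIO_get_mem_data(bio, &value);

    if (len < 0) {
        BIO_free(bio);
        return NGX_ERROR;
    }

    t = ngx_parse_http_time((u_char *) value, (size_t) len);

    BIO_free(bio);

    return t;
}

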
/*
 * Cleanup handler (void *data form) for an ngx_ssl_stapling_t: drops
 * the X509 issuer reference and frees the heap copy of the stapled
 * response, both of which live outside any pool.
 */
static void
ngx_ssl_stapling_cleanup(void *data)
{
    ngx_ssl_stapling_t  *staple;

    staple = data;

    if (staple->staple.data != NULL) {
        ngx_free(staple->staple.data);
    }

    if (staple->issuer != NULL) {
        X509_free(staple->issuer);
    }
}


/*
 * Enables OCSP validation of client certificates for the given SSL
 * context ("ssl_ocsp") and, when responder->len is not zero, records the
 * explicitly configured responder ("ssl_ocsp_responder") in a
 * per-context ngx_ssl_ocsp_conf_t stored as SSL_CTX ex_data.
 *
 * Only "http://" responder URLs are accepted (scheme compared
 * case-insensitively and stripped before ngx_parse_url(), default
 * port 80).  With an empty responder the address fields stay zeroed
 * from ngx_pcalloc().  depth is stored as ocf->depth; presumably the
 * chain depth OCSP checks are applied to — not visible here.
 *
 * Returns NGX_OK, or NGX_ERROR after logging a configuration error.
 */
ngx_int_t
ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
    ngx_uint_t depth)
{
    ngx_url_t             u;
    ngx_ssl_ocsp_conf_t  *ocf;

    ocf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t));
    if (ocf == NULL) {
        return NGX_ERROR;
    }

    ocf->depth = depth;

    if (responder->len) {
        ngx_memzero(&u, sizeof(ngx_url_t));

        u.url = *responder;
        u.default_port = 80;
        u.uri_part = 1;

        /* only a plain "http://" scheme is supported for the responder */

        if (u.url.len <= 7
            || ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) != 0)
        {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "invalid URL prefix in OCSP responder \"%V\" "
                          "in \"ssl_ocsp_responder\"", &u.url);
            return NGX_ERROR;
        }

        u.url.len -= 7;
        u.url.data += 7;

        if (ngx_parse_url(cf->pool, &u) != NGX_OK) {

            /* ngx_parse_url() may leave u.err unset; log only when set */

            if (u.err) {
                ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                              "%s in OCSP responder \"%V\" "
                              "in \"ssl_ocsp_responder\"", u.err, &u.url);
            }

            return NGX_ERROR;
        }

        ocf->addrs = u.addrs;
        ocf->naddrs = u.naddrs;
        ocf->host = u.host;
        ocf->uri = u.uri;
        ocf->port = u.port;
    }

    /* the configuration is looked up later via ngx_ssl_ocsp_index */

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, ocf) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}


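/*
 * Attaches a resolver and its timeout (presumably used for responder
 * host lookups) to the ngx_ssl_ocsp_conf_t that ngx_ssl_ocsp() stored
 * in the SSL context.
 *
 * When the context carries no OCSP configuration there is nothing to
 * set and NGX_OK is returned, the same way ngx_ssl_ocsp_validate()
 * treats missing ex_data as "OCSP disabled"; previously the missing
 * configuration was dereferenced unconditionally.
 *
 * Returns NGX_OK.
 */
ngx_int_t
ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    ngx_ssl_ocsp_conf_t  *ocf;

    ocf = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_ocsp_index);

    if (ocf == NULL) {
        return NGX_OK;
    }

    ocf->resolver = resolver;
    ocf->resolver_timeout = resolver_timeout;

    return NGX_OK;
}

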
819 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
820 ngx_ssl_ocsp_validate(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
821 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
822 X509 *cert;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
823 SSL_CTX *ssl_ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
824 ngx_int_t rc;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
825 X509_STORE *store;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
826 X509_STORE_CTX *store_ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
827 STACK_OF(X509) *chain;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
828 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
829 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
830
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
831 if (c->ssl->in_ocsp) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
832 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
833 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
834 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
835
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
836 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
837 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
838 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
839
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
840 return NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
841 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
842
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
843 ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
844
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
845 ocf = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ocsp_index);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
846 if (ocf == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
847 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
848 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
849
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
850 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
851 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
852 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
853
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
854 cert = SSL_get_peer_certificate(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
855 if (cert == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
856 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
857 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
858
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
859 ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
860 if (ocsp == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
861 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
862 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
863
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
864 c->ssl->ocsp = ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
865
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
866 ocsp->status = NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
867 ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
868 ocsp->conf = ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
869
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
870 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
871
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
872 ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
873
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
874 if (ocsp->certs) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
875 ocsp->certs = X509_chain_up_ref(ocsp->certs);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
876 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
877 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
878 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
879 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
880
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
881 #endif
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
882
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
883 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
884 store = SSL_CTX_get_cert_store(ssl_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
885 if (store == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
886 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
887 "SSL_CTX_get_cert_store() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
888 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
889 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
890
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
891 store_ctx = X509_STORE_CTX_new();
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
892 if (store_ctx == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
893 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
894 "X509_STORE_CTX_new() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
895 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
896 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
897
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
898 chain = SSL_get_peer_cert_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
899
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
900 if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
901 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
902 "X509_STORE_CTX_init() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
903 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
904 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
905 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
906
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
907 rc = X509_verify_cert(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
908 if (rc <= 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
909 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
910 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
911 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
912 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
913
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
914 ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
915 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
916 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
917 "X509_STORE_CTX_get1_chain() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
918 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
919 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
920 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
921
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
922 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
923 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
924
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
925 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
926 "ssl ocsp validate, certs:%i", sk_X509_num(ocsp->certs));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
927
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
928 ngx_ssl_ocsp_validate_next(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
929
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
930 if (ocsp->status == NGX_AGAIN) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
931 c->ssl->in_ocsp = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
932 return NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
933 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
934
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
935 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
936 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
937
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
938
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
/*
 * Starts OCSP validation of the next certificate in ocsp->certs.
 *
 * Validation is complete once ocsp->ncert reaches the final certificate of
 * the stack (that certificate itself is never queried) or, when ocf->depth
 * is 2, once a single certificate has been processed; ocsp->status is then
 * set to NGX_OK.  Otherwise a request context is built for the certificate
 * at index ocsp->ncert, with its issuer taken from index ocsp->ncert + 1,
 * ocsp->ncert is advanced and the request is sent; ngx_ssl_ocsp_handler()
 * picks up from there.  Any failure sets ocsp->status to NGX_ERROR; a
 * context allocated before such a failure stays referenced by ocsp->ctx and
 * is not released here.
 */
static void
ngx_ssl_ocsp_validate_next(ngx_connection_t *c)
{
    ngx_uint_t            last;
    ngx_ssl_ocsp_t       *ocsp;
    ngx_ssl_ocsp_ctx_t   *ctx;
    ngx_ssl_ocsp_conf_t  *ocf;

    ocsp = c->ssl->ocsp;
    ocf = ocsp->conf;

    /* index of the final certificate in the stack; it is never queried */
    last = sk_X509_num(ocsp->certs) - 1;

    if (ocsp->ncert == last || (ocf->depth == 2 && ocsp->ncert == 1)) {
        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "ssl ocsp validated, certs:%ui", ocsp->ncert);
        ocsp->status = NGX_OK;
        return;
    }

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "ssl ocsp validate cert:%ui", ocsp->ncert);

    ctx = ngx_ssl_ocsp_start(c->log);
    if (ctx == NULL) {
        ocsp->status = NGX_ERROR;
        return;
    }

    ocsp->ctx = ctx;

    /* the certificate under test and the certificate that issued it */
    ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
    ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert);
    ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1);
    ctx->chain = ocsp->certs;

    ctx->resolver = ocf->resolver;
    ctx->resolver_timeout = ocf->resolver_timeout;

    ctx->handler = ngx_ssl_ocsp_handler;
    ctx->data = c;

    /* responder configured on the connection's OCSP settings, if any */
    ctx->addrs = ocf->addrs;
    ctx->naddrs = ocf->naddrs;
    ctx->host = ocf->host;
    ctx->uri = ocf->uri;
    ctx->port = ocf->port;

    /* falls back to the responder named in the certificate itself */
    if (ngx_ssl_ocsp_responder(c, ctx) != NGX_OK) {
        ocsp->status = NGX_ERROR;
        return;
    }

    if (ctx->uri.len == 0) {
        ngx_str_set(&ctx->uri, "/");
    }

    ocsp->ncert++;

    ngx_ssl_ocsp_request(ctx);
}
/*
 * Completion handler for one OCSP request started by
 * ngx_ssl_ocsp_validate_next().
 *
 * The response is verified first: a verification error is stored in
 * ocsp->status; a certificate status other than good is recorded in
 * ocsp->cert_status with ocsp->status set to NGX_OK; a good status moves on
 * to the next certificate in the chain.  When validation has reached a final
 * result and the handshake is blocked on it (c->ssl->in_ocsp), the
 * connection is marked handshaked and the SSL handler is invoked.
 */
static void
ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t          rc;
    ngx_ssl_ocsp_t    *ocsp;
    ngx_connection_t  *c;

    c = ctx->data;
    ocsp = c->ssl->ocsp;

    /* this request is finished; detach it from the connection state */
    ocsp->ctx = NULL;

    rc = ngx_ssl_ocsp_verify(ctx);

    if (rc != NGX_OK) {
        ocsp->status = rc;
        ngx_ssl_ocsp_done(ctx);

    } else if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
        /* not good (revoked or unknown): stop here and report it */
        ocsp->cert_status = ctx->status;
        ocsp->status = NGX_OK;
        ngx_ssl_ocsp_done(ctx);

    } else {
        ngx_ssl_ocsp_done(ctx);
        ngx_ssl_ocsp_validate_next(c);
    }

    /* another request is in flight, or the handshake is not waiting on us */
    if (ocsp->status == NGX_AGAIN || !c->ssl->in_ocsp) {
        return;
    }

    c->ssl->handshaked = 1;

    c->ssl->handler(c);
}
/*
 * Decides which OCSP responder will be asked about ctx->cert.
 *
 * If ctx->host is already set, the responder was supplied by the caller
 * (presumably from the "ssl_ocsp_responder" directive) and nothing is done.
 * Otherwise the URL is taken from the certificate's Authority Information
 * Access extension via X509_get1_ocsp(); only the first entry is used, and
 * only a plain "http://" URL is accepted -- any other scheme (including
 * "https://") is logged and rejected.
 *
 * Security note: in the fallback case the certificate itself chooses the
 * host this server will open an outbound connection to.  The chain is
 * expected to have been verified before OCSP runs, so the AIA comes from a
 * CA the server trusts rather than from an arbitrary client, but deployments
 * that must not let certificate contents drive outbound connections should
 * configure the responder explicitly.  NOTE(review): chain verification and
 * the later name resolution happen outside this function -- confirm in the
 * caller.
 *
 * The URL is parsed with no_resolve set, so ctx->addrs/naddrs only carry
 * literal addresses; a host name is left in ctx->host for the caller to
 * resolve.  The copy of the URL is length-delimited (ngx_str_t), not
 * NUL-terminated, and lives in ctx->pool.
 *
 * Returns NGX_OK with ctx->addrs, naddrs, host, uri and port filled in, or
 * NGX_ERROR (after logging, except on allocation failure) when no usable
 * responder URL is available.
 */
static ngx_int_t
ngx_ssl_ocsp_responder(ngx_connection_t *c, ngx_ssl_ocsp_ctx_t *ctx)
{
    char                      *s;
    ngx_str_t                  responder;
    ngx_url_t                  u;
    STACK_OF(OPENSSL_STRING)  *aia;

    /* an explicitly configured responder takes precedence over the AIA */
    if (ctx->host.len) {
        return NGX_OK;
    }

    /* extract OCSP responder URL from certificate */

    aia = X509_get1_ocsp(ctx->cert);
    if (aia == NULL) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        return NGX_ERROR;
    }

    /* only the first AIA OCSP entry is considered */
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    s = sk_OPENSSL_STRING_value(aia, 0);
#else
    s = sk_value(aia, 0);
#endif
    if (s == NULL) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "no OCSP responder URL in certificate");
        X509_email_free(aia);
        return NGX_ERROR;
    }

    /* s is owned by aia, so copy it into the ctx pool before freeing aia */
    responder.len = ngx_strlen(s);
    responder.data = ngx_palloc(ctx->pool, responder.len);
    if (responder.data == NULL) {
        X509_email_free(aia);
        return NGX_ERROR;
    }

    ngx_memcpy(responder.data, s, responder.len);
    X509_email_free(aia);

    ngx_memzero(&u, sizeof(ngx_url_t));

    u.url = responder;
    u.default_port = 80;
    u.uri_part = 1;
    u.no_resolve = 1;

    /* only plain HTTP responders are supported; strip the scheme for parsing */
    if (u.url.len > 7
        && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
    {
        u.url.len -= 7;
        u.url.data += 7;

    } else {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "invalid URL prefix in OCSP responder \"%V\" "
                      "in certificate", &u.url);
        return NGX_ERROR;
    }

    if (ngx_parse_url(ctx->pool, &u) != NGX_OK) {
        if (u.err) {
            ngx_log_error(NGX_LOG_ERR, c->log, 0,
                          "%s in OCSP responder \"%V\" in certificate",
                          u.err, &u.url);
        }

        return NGX_ERROR;
    }

    if (u.host.len == 0) {
        ngx_log_error(NGX_LOG_ERR, c->log, 0,
                      "empty host in OCSP responder in certificate");
        return NGX_ERROR;
    }

    ctx->addrs = u.addrs;
    ctx->naddrs = u.naddrs;
    ctx->host = u.host;
    ctx->uri = u.uri;
    ctx->port = u.port;

    return NGX_OK;
}
/*
 * Reports the outcome of client-certificate OCSP validation on connection c.
 *
 * Returns NGX_OK when the certificate is accepted and NGX_DECLINED when it
 * must be rejected; in the latter case *s is set to a static reason string.
 * *s is not written on the NGX_OK paths, so callers may only read it after
 * NGX_DECLINED.
 *
 * This is hard-fail OCSP: a failed status request (ocsp->status ==
 * NGX_ERROR), a revoked certificate, and an "unknown" (or any unrecognised)
 * certificate status all decline the client rather than letting it through.
 *
 * A connection without an ngx_ssl_ocsp_t attached (c->ssl->ocsp == NULL) is
 * accepted; that is the state when no OCSP check was started for it.
 * NOTE(review): V_OCSP_CERTSTATUS_GOOD is the zero value in OpenSSL's
 * ocsp.h, so a still-pending context (status NGX_AGAIN, cert_status never
 * written) would also read as accepted here.  The visible caller only hands
 * the connection over once status is no longer NGX_AGAIN -- confirm no other
 * caller reaches this earlier.
 */
ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    ngx_ssl_ocsp_t  *ocsp = c->ssl->ocsp;

    if (ocsp == NULL) {
        /* no OCSP validation was run for this connection */
        return NGX_OK;
    }

    if (ocsp->status == NGX_ERROR) {
        /* responder unreachable or its answer unusable: fail closed */
        *s = "certificate status request failed";
        return NGX_DECLINED;
    }

    if (ocsp->cert_status == V_OCSP_CERTSTATUS_GOOD) {
        return NGX_OK;
    }

    if (ocsp->cert_status == V_OCSP_CERTSTATUS_REVOKED) {
        *s = "certificate revoked";

    } else {
        /* V_OCSP_CERTSTATUS_UNKNOWN, or any value we do not recognise */
        *s = "certificate status unknown";
    }

    return NGX_DECLINED;
}
/*
 * Releases the OCSP state attached to connection c.
 *
 * Tears down an in-flight responder request (ngx_ssl_ocsp_done() closes its
 * upstream connection and destroys the request pool, which also holds the
 * ctx itself) and drops the certificate stack kept for validation.  Both
 * pointers are cleared afterwards and re-checked on entry, so calling this
 * more than once on the same connection is harmless.  The ngx_ssl_ocsp_t
 * itself is not freed here.
 */
void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
    ngx_ssl_ocsp_t  *ocsp = c->ssl->ocsp;

    if (ocsp == NULL) {
        return;
    }

    if (ocsp->ctx != NULL) {
        /* aborts a pending status request; ctx is dangling after this */
        ngx_ssl_ocsp_done(ocsp->ctx);
        ocsp->ctx = NULL;
    }

    if (ocsp->certs != NULL) {
        /* releases one X509 reference per element, then the stack itself */
        sk_X509_pop_free(ocsp->certs, X509_free);
        ocsp->certs = NULL;
    }
}
/*
 * Allocates a fresh context for one OCSP status request.
 *
 * A dedicated pool is created and the zero-initialised context is carved
 * out of it, so everything the request accumulates (the responder URL copy,
 * buffers, the private log below) is released in one go by
 * ngx_ssl_ocsp_done() -> ngx_destroy_pool().
 *
 * The pool's log is replaced by a private copy so that the error handler,
 * its data pointer and the "action" string can be set for this request
 * without mutating the caller's ngx_log_t; the copy is taken from whatever
 * ngx_create_pool() stored, presumably the log passed in.
 *
 * Returns the context, or NULL on allocation failure (the pool is destroyed
 * again on every failure path, so nothing leaks).
 */
static ngx_ssl_ocsp_ctx_t *
ngx_ssl_ocsp_start(ngx_log_t *log)
{
    ngx_pool_t          *pool;
    ngx_ssl_ocsp_ctx_t  *ctx;

    /* 2048 is only the initial pool size; it grows on demand */
    pool = ngx_create_pool(2048, log);
    if (pool == NULL) {
        return NULL;
    }

    /* pcalloc: every field, notably host.len and peer.connection, starts at zero */
    ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t));
    if (ctx == NULL) {
        ngx_destroy_pool(pool);
        return NULL;
    }

    log = ngx_palloc(pool, sizeof(ngx_log_t));
    if (log == NULL) {
        ngx_destroy_pool(pool);
        return NULL;
    }

    ctx->pool = pool;

    /* shallow copy of the caller's log, then point pool and ctx at the copy */
    *log = *ctx->pool->log;

    ctx->pool->log = log;
    ctx->log = log;

    /* request-specific decoration of error messages */
    log->handler = ngx_ssl_ocsp_log_error;
    log->data = ctx;
    log->action = "requesting certificate status";

    return ctx;
}
/*
 * Finishes an OCSP request: closes the connection to the responder, if one
 * is open, and destroys the request pool.
 *
 * The context, its log and everything else allocated during the request
 * live in that pool, so ctx must not be touched after this returns.
 */
static void
ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_connection_t  *pc = ctx->peer.connection;

    /* log before the pool (and ctx->log with it) goes away */
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp done");

    if (pc != NULL) {
        ngx_close_connection(pc);
    }

    ngx_destroy_pool(ctx->pool);
}
/*
 * Signals failure of an OCSP request to its completion handler.
 *
 * ctx->code is reset to 0 before the handler runs; presumably this marks
 * "no HTTP response obtained" as opposed to a real HTTP status code --
 * confirm against the handler.  Nothing here touches ctx after the handler
 * returns, so the handler is free to tear the context down.
 */
static void
ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp error");

    ctx->code = 0;

    ctx->handler(ctx);
}
1261 static void
1262 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx)
1263 {
1264 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
1265 "ssl ocsp next");
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1266
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1267 if (++ctx->naddr >= ctx->naddrs) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1268 ngx_ssl_ocsp_error(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1269 return;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1270 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1271
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1272 ctx->request->pos = ctx->request->start;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1273
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1274 if (ctx->response) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1275 ctx->response->last = ctx->response->pos;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1276 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1277
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1278 if (ctx->peer.connection) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1279 ngx_close_connection(ctx->peer.connection);
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1280 ctx->peer.connection = NULL;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1281 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1282
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1283 ctx->state = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1284 ctx->count = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1285 ctx->done = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1286
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1287 ngx_ssl_ocsp_connect(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1288 }
1289
1290
/*
 * Builds the OCSP request and starts delivering it.  When a resolver is
 * configured the responder host is resolved first and the flow continues
 * in ngx_ssl_ocsp_resolve_handler(); otherwise the connection is opened
 * right away.  Every failure path ends in ngx_ssl_ocsp_error().
 */
static void
ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_resolver_ctx_t  *resolve, temp;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp request");

    if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (ctx->resolver == NULL) {
        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    /* resolve OCSP responder hostname */

    temp.name = ctx->host;

    resolve = ngx_resolve_start(ctx->resolver, &temp);
    if (resolve == NULL) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }

    if (resolve == NGX_NO_RESOLVER) {
        /*
         * No resolver to consult.  With no address list either
         * (naddrs == 0) there is nothing to connect to, so the attempt
         * fails instead of continuing with an unresolved responder.
         */
        if (ctx->naddrs == 0) {
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "no resolver defined to resolve %V", &ctx->host);

            ngx_ssl_ocsp_error(ctx);
            return;
        }

        /*
         * naddrs != 0 means an address list already exists (presumably the
         * responder was given as a literal address): warn and connect.
         */
        ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
                      "no resolver defined to resolve %V", &ctx->host);

        ngx_ssl_ocsp_connect(ctx);
        return;
    }

    resolve->name = ctx->host;
    resolve->handler = ngx_ssl_ocsp_resolve_handler;
    resolve->data = ctx;
    resolve->timeout = ctx->resolver_timeout;

    /* on success the exchange resumes in ngx_ssl_ocsp_resolve_handler() */
    if (ngx_resolve_name(resolve) != NGX_OK) {
        ngx_ssl_ocsp_error(ctx);
        return;
    }
}
1346
1347
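/*
 * Resolver completion callback for the OCSP responder hostname.  Copies the
 * resolved addresses into the context pool (with the responder port applied
 * and a printable name for logging), releases the resolver context and
 * starts connecting.  Any failure, including a resolver error, ends in
 * ngx_ssl_ocsp_error().
 */
static void
ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
{
    ngx_ssl_ocsp_ctx_t *ctx = resolve->data;

    u_char           *p;
    size_t            len;
    socklen_t         socklen;
    ngx_uint_t        i;
    struct sockaddr  *sockaddr;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp resolve handler");

    if (resolve->state) {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "%V could not be resolved (%i: %s)",
                      &resolve->name, resolve->state,
                      ngx_resolver_strerror(resolve->state));
        goto failed;
    }

    /*
     * ngx_ssl_ocsp_connect() indexes ctx->addrs[ctx->naddr] without a
     * bounds check, so it must never be handed an empty list.  A successful
     * resolution is expected to carry at least one address; this guard
     * only turns an unexpected empty result into a clean failure.
     */
    if (resolve->naddrs == 0) {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "%V resolved to no addresses", &resolve->name);
        goto failed;
    }

#if (NGX_DEBUG)
    {
    u_char     text[NGX_SOCKADDR_STRLEN];
    ngx_str_t  addr;

    addr.data = text;

    for (i = 0; i < resolve->naddrs; i++) {
        addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr,
                                 resolve->addrs[i].socklen,
                                 text, NGX_SOCKADDR_STRLEN, 0);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                       "name was resolved to %V", &addr);
    }
    }
#endif

    ctx->naddrs = resolve->naddrs;
    ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t));

    if (ctx->addrs == NULL) {
        goto failed;
    }

    for (i = 0; i < resolve->naddrs; i++) {

        socklen = resolve->addrs[i].socklen;

        /*
         * copied into the context pool because the resolver context is
         * released with ngx_resolve_name_done() below
         */
        sockaddr = ngx_palloc(ctx->pool, socklen);
        if (sockaddr == NULL) {
            goto failed;
        }

        ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen);
        ngx_inet_set_port(sockaddr, ctx->port);

        ctx->addrs[i].sockaddr = sockaddr;
        ctx->addrs[i].socklen = socklen;

        /* printable form, later exposed as ctx->peer.name when connecting */
        p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN);
        if (p == NULL) {
            goto failed;
        }

        len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1);

        ctx->addrs[i].name.len = len;
        ctx->addrs[i].name.data = p;
    }

    ngx_resolve_name_done(resolve);

    ngx_ssl_ocsp_connect(ctx);
    return;

failed:

    ngx_resolve_name_done(resolve);
    ngx_ssl_ocsp_error(ctx);
}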
1432
1433
/*
 * Opens a connection to the responder address selected by ctx->naddr and
 * arms the read/write handlers for the exchange.  A hard connect error
 * fails the attempt; a busy or declined address moves on to the next one
 * via ngx_ssl_ocsp_next().  Both directions are bounded by ctx->timeout
 * when it is set, so a silent responder cannot hold the attempt open
 * indefinitely.
 */
static void
ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t          rc;
    ngx_addr_t        *addr;
    ngx_connection_t  *c;

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs);

    addr = &ctx->addrs[ctx->naddr];

    ctx->peer.sockaddr = addr->sockaddr;
    ctx->peer.socklen = addr->socklen;
    ctx->peer.name = &addr->name;
    ctx->peer.get = ngx_event_get_peer;
    ctx->peer.log = ctx->log;
    ctx->peer.log_error = NGX_ERROR_ERR;

    rc = ngx_event_connect_peer(&ctx->peer);

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp connect peer done");

    switch (rc) {

    case NGX_ERROR:
        ngx_ssl_ocsp_error(ctx);
        return;

    case NGX_BUSY:
    case NGX_DECLINED:
        /* this address is unusable; try the next one */
        ngx_ssl_ocsp_next(ctx);
        return;

    default:
        break;
    }

    c = ctx->peer.connection;

    c->data = ctx;
    c->pool = ctx->pool;

    c->read->handler = ngx_ssl_ocsp_read_handler;
    c->write->handler = ngx_ssl_ocsp_write_handler;

    ctx->process = ngx_ssl_ocsp_process_status_line;

    if (ctx->timeout) {
        ngx_add_timer(c->read, ctx->timeout);
        ngx_add_timer(c->write, ctx->timeout);
    }

    if (rc == NGX_OK) {
        /* connected immediately: send the request right away */
        ngx_ssl_ocsp_write_handler(c->write);
        return;
    }

    /*
     * any other result (presumably NGX_AGAIN, a connect still in progress):
     * the write event fires once the connection completes
     */
}
1485
1486
1487 static void
1488 ngx_ssl_ocsp_write_handler(ngx_event_t *wev)
1489 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1490 ssize_t n, size;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1491 ngx_connection_t *c;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1492 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1493
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1494 c = wev->data;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1495 ctx = c->data;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1496
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1497 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1498 "ssl ocsp write handler");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1499
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1500 if (wev->timedout) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1501 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1502 "OCSP responder timed out");
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1503 ngx_ssl_ocsp_next(ctx);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1504 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1505 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1506
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1507 size = ctx->request->last - ctx->request->pos;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1508
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1509 n = ngx_send(c, ctx->request->pos, size);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1510
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1511 if (n == NGX_ERROR) {
7652
7cffd81015e7 OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents: 7651
diff changeset
1512 ngx_ssl_ocsp_next(ctx);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1513 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1514 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1515
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1516 if (n > 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1517 ctx->request->pos += n;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1518
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1519 if (n == size) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1520 wev->handler = ngx_ssl_ocsp_dummy_handler;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1521
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1522 if (wev->timer_set) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1523 ngx_del_timer(wev);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1524 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1525
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1526 if (ngx_handle_write_event(wev, 0) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1527 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1528 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1529
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1530 return;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1531 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1532 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1533
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7652
diff changeset
1534 if (!wev->timer_set && ctx->timeout) {
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1535 ngx_add_timer(wev, ctx->timeout);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1536 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1537 }
1538
1539
/*
 * Read event handler for the OCSP responder connection.  Reads the
 * responder's reply into a lazily allocated 16384-byte pool buffer and
 * hands every received chunk to ctx->process().  NGX_AGAIN re-arms the
 * read event and returns; a zero or error return from ngx_recv() marks
 * the context done and gives ctx->process() a final pass, and unless
 * that pass reports NGX_DONE the responder is logged as having closed
 * the connection prematurely and the next address is tried.
 *
 * NOTE(review): there is no explicit guard for a full buffer here; when
 * last reaches end, ngx_recv() is called with a zero size and what
 * happens next depends on the connection's recv handler, which is not
 * visible in this file section.  Worth confirming before relying on
 * this against a responder that returns an oversized reply.
 */
static void
ngx_ssl_ocsp_read_handler(ngx_event_t *rev)
{
    ssize_t              got, room;
    ngx_int_t            rc;
    ngx_connection_t    *conn;
    ngx_ssl_ocsp_ctx_t  *ctx;

    conn = rev->data;
    ctx = conn->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0,
                   "ssl ocsp read handler");

    if (rev->timedout) {
        ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT,
                      "OCSP responder timed out");
        ngx_ssl_ocsp_next(ctx);
        return;
    }

    if (ctx->response == NULL) {
        ctx->response = ngx_create_temp_buf(ctx->pool, 16384);

        if (ctx->response == NULL) {
            ngx_ssl_ocsp_error(ctx);
            return;
        }
    }

    do {
        room = ctx->response->end - ctx->response->last;
        got = ngx_recv(conn, ctx->response->last, room);

        if (got == NGX_AGAIN) {
            if (ngx_handle_read_event(rev, 0) != NGX_OK) {
                ngx_ssl_ocsp_error(ctx);
            }

            return;
        }

        if (got <= 0) {
            /* EOF or error: fall out and let the parser decide */
            break;
        }

        ctx->response->last += got;

        rc = ctx->process(ctx);

        if (rc == NGX_ERROR) {
            ngx_ssl_ocsp_next(ctx);
            return;
        }

    } while (1);

    ctx->done = 1;

    rc = ctx->process(ctx);

    if (rc == NGX_DONE) {
        /* ctx->handler() was called */
        return;
    }

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder prematurely closed connection");

    ngx_ssl_ocsp_next(ctx);
}
1614
1615
/*
 * Placeholder event handler.  The write handler points the write event
 * here once the request has been fully sent, so any further writability
 * notification is only logged at debug level and otherwise ignored.
 */
static void
ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "ssl ocsp dummy handler");
}
1622
1623
1624 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1625 ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1626 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1627 int len;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1628 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1629 uintptr_t escape;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1630 ngx_str_t binary, base64;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1631 ngx_buf_t *b;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1632 OCSP_CERTID *id;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1633 OCSP_REQUEST *ocsp;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1634
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1635 ocsp = OCSP_REQUEST_new();
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1636 if (ocsp == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1637 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1638 "OCSP_REQUEST_new() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1639 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1640 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1641
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1642 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1643 if (id == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1644 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1645 "OCSP_cert_to_id() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1646 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1647 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1648
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1649 if (OCSP_request_add0_id(ocsp, id) == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1650 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1651 "OCSP_request_add0_id() failed");
6064
ff957cd36860 OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents: 5777
diff changeset
1652 OCSP_CERTID_free(id);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1653 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1654 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1655
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1656 len = i2d_OCSP_REQUEST(ocsp, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1657 if (len <= 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1658 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1659 "i2d_OCSP_REQUEST() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1660 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1661 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1662
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1663 binary.len = len;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1664 binary.data = ngx_palloc(ctx->pool, len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1665 if (binary.data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1666 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1667 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1668
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1669 p = binary.data;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1670 len = i2d_OCSP_REQUEST(ocsp, &p);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1671 if (len <= 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1672 ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1673 "i2d_OCSP_REQUEST() failed");
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1674 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1675 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1676
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1677 base64.len = ngx_base64_encoded_length(binary.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1678 base64.data = ngx_palloc(ctx->pool, base64.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1679 if (base64.data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1680 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1681 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1682
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1683 ngx_encode_base64(&base64, &binary);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1684
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1685 escape = ngx_escape_uri(NULL, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1686 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1687
4880
0254c1a43fe5 OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
1688 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
0254c1a43fe5 OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4879
diff changeset
1689 "ssl ocsp request length %z, escape %d",
6480
f01ab2dbcfdc Fixed logging.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6206
diff changeset
1690 base64.len, (int) escape);
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1691
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1692 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1693 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1694 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1695 + sizeof(CRLF) - 1;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1696
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1697 b = ngx_create_temp_buf(ctx->pool, len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1698 if (b == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1699 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1700 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1701
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1702 p = b->last;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1703
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1704 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1705 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1706
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1707 if (ctx->uri.data[ctx->uri.len - 1] != '/') {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1708 *p++ = '/';
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1709 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1710
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1711 if (escape == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1712 p = ngx_cpymem(p, base64.data, base64.len);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1713
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1714 } else {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1715 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1716 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1717 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1718
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1719 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
1720 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
1721 p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
1722 *p++ = CR; *p++ = LF;
1724 /* add "\r\n" at the header end */
1725 *p++ = CR; *p++ = LF;
1727 b->last = p;
1728 ctx->request = b;
1730 OCSP_REQUEST_free(ocsp);
1732 return NGX_OK;
1734 failed:
1736 OCSP_REQUEST_free(ocsp);
1738 return NGX_ERROR;
1739 }
/*
 * Drives the first stage of OCSP responder reply handling: parse the HTTP
 * status line accumulated in ctx->response and, once it is complete, log
 * the status and hand the context over to header processing.
 *
 * Returns NGX_AGAIN while more input is needed, NGX_ERROR when the status
 * line is malformed (logged at error level), and otherwise whatever the
 * header processing stage returns.
 */
static ngx_int_t
ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t  rc;

    rc = ngx_ssl_ocsp_parse_status_line(ctx);

    /* the parser has not yet seen the end of the status line */

    if (rc == NGX_AGAIN) {
        return NGX_AGAIN;
    }

    if (rc != NGX_OK) {
        /* rc == NGX_ERROR: the responder did not send a valid status line */

        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP responder sent invalid response");

        return NGX_ERROR;
    }

    /* header_start/header_end delimit the status code and reason text */

    ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp status %ui \"%*s\"",
                   ctx->code,
                   ctx->header_end - ctx->header_start,
                   ctx->header_start);

    /* continue with the rest of the response in the same call */

    ctx->process = ngx_ssl_ocsp_process_headers;

    return ctx->process(ctx);
}
1773 static ngx_int_t
1774 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx)
1775 {
1776 u_char ch;
1777 u_char *p;
1778 ngx_buf_t *b;
1779 enum {
1780 sw_start = 0,
1781 sw_H,
1782 sw_HT,
1783 sw_HTT,
1784 sw_HTTP,
1785 sw_first_major_digit,
1786 sw_major_digit,
1787 sw_first_minor_digit,
1788 sw_minor_digit,
1789 sw_status,
1790 sw_space_after_status,
1791 sw_status_text,
1792 sw_almost_done
1793 } state;
1795 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
1796 "ssl ocsp process status line");
1798 state = ctx->state;
1799 b = ctx->response;
1801 for (p = b->pos; p < b->last; p++) {
1802 ch = *p;
1804 switch (state) {
1806 /* "HTTP/" */
1807 case sw_start:
1808 switch (ch) {
1809 case 'H':
1810 state = sw_H;
1811 break;
1812 default:
1813 return NGX_ERROR;
1814 }
1815 break;
1817 case sw_H:
1818 switch (ch) {
1819 case 'T':
1820 state = sw_HT;
1821 break;
1822 default:
1823 return NGX_ERROR;
1824 }
1825 break;
1827 case sw_HT:
1828 switch (ch) {
1829 case 'T':
1830 state = sw_HTT;
1831 break;
1832 default:
1833 return NGX_ERROR;
1834 }
1835 break;
1837 case sw_HTT:
1838 switch (ch) {
1839 case 'P':
1840 state = sw_HTTP;
1841 break;
1842 default:
1843 return NGX_ERROR;
1844 }
1845 break;
1847 case sw_HTTP:
1848 switch (ch) {
1849 case '/':
1850 state = sw_first_major_digit;
1851 break;
1852 default:
1853 return NGX_ERROR;
1854 }
1855 break;
1857 /* the first digit of major HTTP version */
1858 case sw_first_major_digit:
1859 if (ch < '1' || ch > '9') {
1860 return NGX_ERROR;
1861 }
1863 state = sw_major_digit;
1864 break;
1866 /* the major HTTP version or dot */
1867 case sw_major_digit:
1868 if (ch == '.') {
1869 state = sw_first_minor_digit;
1870 break;
1871 }
1873 if (ch < '0' || ch > '9') {
1874 return NGX_ERROR;
1875 }
1877 break;
1879 /* the first digit of minor HTTP version */
1880 case sw_first_minor_digit:
1881 if (ch < '0' || ch > '9') {
1882 return NGX_ERROR;
1883 }
1885 state = sw_minor_digit;
1886 break;
1888 /* the minor HTTP version or the end of the request line */
1889 case sw_minor_digit:
1890 if (ch == ' ') {
1891 state = sw_status;
1892 break;
1893 }
1895 if (ch < '0' || ch > '9') {
1896 return NGX_ERROR;
1897 }
1899 break;
1901 /* HTTP status code */
1902 case sw_status:
1903 if (ch == ' ') {
1904 break;
1905 }
1907 if (ch < '0' || ch > '9') {
1908 return NGX_ERROR;
1909 }
1911 ctx->code = ctx->code * 10 + (ch - '0');
1913 if (++ctx->count == 3) {
1914 state = sw_space_after_status;
1915 ctx->header_start = p - 2;
1916 }
1918 break;
1920 /* space or end of line */
1921 case sw_space_after_status:
1922 switch (ch) {
1923 case ' ':
1924 state = sw_status_text;
1925 break;
1926 case '.': /* IIS may send 403.1, 403.2, etc */
1927 state = sw_status_text;
1928 break;
1929 case CR:
1930 state = sw_almost_done;
1931 break;
1932 case LF:
1933 ctx->header_end = p;
1934 goto done;
1935 default:
1936 return NGX_ERROR;
1937 }
1938 break;
1940 /* any text until end of line */
1941 case sw_status_text:
1942 switch (ch) {
1943 case CR:
1944 state = sw_almost_done;
1945 break;
1946 case LF:
1947 ctx->header_end = p;
1948 goto done;
1949 }
1950 break;
1952 /* end of status line */
1953 case sw_almost_done:
1954 switch (ch) {
1955 case LF:
1956 ctx->header_end = p - 1;
1957 goto done;
1958 default:
1959 return NGX_ERROR;
1960 }
1961 }
1962 }
1963
1964 b->pos = p;
1965 ctx->state = state;
1966
1967 return NGX_AGAIN;
1968
1969 done:
1970
1971 b->pos = p + 1;
1972 ctx->state = sw_start;
1973
1974 return NGX_OK;
1975 }
/*
 * Validates one parsed response header line.
 *
 * Only "Content-Type" is inspected: its value must be exactly
 * "application/ocsp-response" (case-insensitive), otherwise the offending
 * value is logged and NGX_ERROR is returned, so that a body the responder
 * itself does not declare to be an OCSP response is never handed to the
 * OCSP body parser.  Any other header name is accepted as-is.
 *
 * Reads ctx->header_name_start/end and ctx->header_start/end as left by
 * ngx_ssl_ocsp_parse_header_line().
 */
static ngx_int_t
ngx_ssl_ocsp_check_header(ngx_ssl_ocsp_ctx_t *ctx)
{
    size_t  name_len, value_len;

    name_len = ctx->header_name_end - ctx->header_name_start;

    if (name_len != sizeof("Content-Type") - 1
        || ngx_strncasecmp(ctx->header_name_start,
                           (u_char *) "Content-Type",
                           sizeof("Content-Type") - 1)
           != 0)
    {
        /* TODO: honor Content-Length */
        return NGX_OK;
    }

    value_len = ctx->header_end - ctx->header_start;

    if (value_len == sizeof("application/ocsp-response") - 1
        && ngx_strncasecmp(ctx->header_start,
                           (u_char *) "application/ocsp-response",
                           sizeof("application/ocsp-response") - 1)
           == 0)
    {
        return NGX_OK;
    }

    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                  "OCSP responder sent invalid "
                  "\"Content-Type\" header: \"%*s\"",
                  ctx->header_end - ctx->header_start,
                  ctx->header_start);

    return NGX_ERROR;
}


/*
 * Consumes the HTTP response headers sent by the OCSP responder.
 *
 * Header lines are pulled one at a time from ngx_ssl_ocsp_parse_header_line()
 * and each complete line is checked with ngx_ssl_ocsp_check_header().  Once
 * the end of the header block is reached (NGX_DONE), ctx->process is switched
 * to ngx_ssl_ocsp_process_body and that handler is invoked immediately on the
 * data already buffered.
 *
 * Returns NGX_AGAIN when more input is needed, NGX_ERROR on a malformed
 * header line or an unacceptable Content-Type, otherwise whatever the body
 * handler returns.
 */
static ngx_int_t
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_int_t  rc;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process headers");

    for ( ;; ) {
        rc = ngx_ssl_ocsp_parse_header_line(ctx);

        switch (rc) {

        case NGX_OK:
            /* a full "Name: value" line is available in ctx */
            ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                           "ssl ocsp header \"%*s: %*s\"",
                           ctx->header_name_end - ctx->header_name_start,
                           ctx->header_name_start,
                           ctx->header_end - ctx->header_start,
                           ctx->header_start);

            if (ngx_ssl_ocsp_check_header(ctx) != NGX_OK) {
                return NGX_ERROR;
            }

            continue;

        case NGX_DONE:
            /* empty line seen: headers are over, hand off to the body parser */
            ctx->process = ngx_ssl_ocsp_process_body;
            return ctx->process(ctx);

        case NGX_AGAIN:
            /* the current buffer ended mid-line; wait for more data */
            return NGX_AGAIN;

        default:
            /* NGX_ERROR: the line did not parse as an HTTP header */
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "OCSP responder sent invalid response");
            return NGX_ERROR;
        }
    }
}
2052 static ngx_int_t
2053 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx)
2054 {
2055 u_char c, ch, *p;
2056 enum {
2057 sw_start = 0,
2058 sw_name,
2059 sw_space_before_value,
2060 sw_value,
2061 sw_space_after_value,
2062 sw_almost_done,
2063 sw_header_almost_done
2064 } state;
2065
2066 state = ctx->state;
2067
2068 for (p = ctx->response->pos; p < ctx->response->last; p++) {
2069 ch = *p;
2070
2071 #if 0
2072 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
2073 "s:%d in:'%02Xd:%c'", state, ch, ch);
2074 #endif
2075
2076 switch (state) {
2077
2078 /* first char */
2079 case sw_start:
2080
2081 switch (ch) {
2082 case CR:
2083 ctx->header_end = p;
2084 state = sw_header_almost_done;
2085 break;
2086 case LF:
2087 ctx->header_end = p;
2088 goto header_done;
2089 default:
2090 state = sw_name;
2091 ctx->header_name_start = p;
2092
2093 c = (u_char) (ch | 0x20);
2094 if (c >= 'a' && c <= 'z') {
2095 break;
2096 }
2097
2098 if (ch >= '0' && ch <= '9') {
2099 break;
2100 }
2101
2102 return NGX_ERROR;
2103 }
2104 break;
2105
2106 /* header name */
2107 case sw_name:
2108 c = (u_char) (ch | 0x20);
2109 if (c >= 'a' && c <= 'z') {
2110 break;
2111 }
2112
2113 if (ch == ':') {
2114 ctx->header_name_end = p;
2115 state = sw_space_before_value;
2116 break;
2117 }
2118
2119 if (ch == '-') {
2120 break;
2121 }
2122
2123 if (ch >= '0' && ch <= '9') {
2124 break;
2125 }
2126
2127 if (ch == CR) {
2128 ctx->header_name_end = p;
2129 ctx->header_start = p;
2130 ctx->header_end = p;
2131 state = sw_almost_done;
2132 break;
2133 }
2134
2135 if (ch == LF) {
2136 ctx->header_name_end = p;
2137 ctx->header_start = p;
2138 ctx->header_end = p;
2139 goto done;
2140 }
2141
2142 return NGX_ERROR;
2143
2144 /* space* before header value */
2145 case sw_space_before_value:
2146 switch (ch) {
2147 case ' ':
2148 break;
2149 case CR:
2150 ctx->header_start = p;
2151 ctx->header_end = p;
2152 state = sw_almost_done;
2153 break;
2154 case LF:
2155 ctx->header_start = p;
2156 ctx->header_end = p;
2157 goto done;
2158 default:
2159 ctx->header_start = p;
2160 state = sw_value;
2161 break;
2162 }
2163 break;
2164
2165 /* header value */
2166 case sw_value:
2167 switch (ch) {
2168 case ' ':
2169 ctx->header_end = p;
2170 state = sw_space_after_value;
2171 break;
2172 case CR:
2173 ctx->header_end = p;
2174 state = sw_almost_done;
2175 break;
2176 case LF:
2177 ctx->header_end = p;
2178 goto done;
2179 }
2180 break;
2181
2182 /* space* before end of header line */
2183 case sw_space_after_value:
2184 switch (ch) {
2185 case ' ':
2186 break;
2187 case CR:
2188 state = sw_almost_done;
2189 break;
2190 case LF:
2191 goto done;
2192 default:
2193 state = sw_value;
2194 break;
2195 }
2196 break;
2197
2198 /* end of header line */
2199 case sw_almost_done:
2200 switch (ch) {
2201 case LF:
2202 goto done;
2203 default:
2204 return NGX_ERROR;
2205 }
2206
2207 /* end of header */
2208 case sw_header_almost_done:
2209 switch (ch) {
2210 case LF:
2211 goto header_done;
2212 default:
2213 return NGX_ERROR;
2214 }
2215 }
2216 }
2217
2218 ctx->response->pos = p;
2219 ctx->state = state;
2220
2221 return NGX_AGAIN;
2222
2223 done:
2224
2225 ctx->response->pos = p + 1;
2226 ctx->state = sw_start;
2227
2228 return NGX_OK;
2229
2230 header_done:
2231
2232 ctx->response->pos = p + 1;
2233 ctx->state = sw_start;
2234
2235 return NGX_DONE;
2236 }
2237
2238
/*
 * Body stage of the OCSP responder HTTP exchange.
 *
 * Returns NGX_AGAIN while the response body is still being received.
 * Once ctx->done is set, the completion handler ctx->handler(ctx) is
 * invoked and NGX_DONE is returned; the response itself is not touched
 * here, it is left in ctx->response for the handler.
 */
static ngx_int_t
ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx)
{
    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp process body");

    if (!ctx->done) {
        /* more body bytes are expected; keep reading */
        return NGX_AGAIN;
    }

    /* the whole response has arrived: hand it over to the handler */
    ctx->handler(ctx);

    return NGX_DONE;
}
2252
2253
/*
 * Parses and verifies the OCSP response accumulated in ctx->response
 * (the DER body that follows the HTTP headers, ctx->response->pos..last).
 *
 * On success ctx->status receives the certificate status reported for
 * ctx->cert (as issued by ctx->issuer) and ctx->valid the time until which
 * the response may be cached; NGX_OK is returned.
 *
 * NGX_OK means only that a well-formed, successful, trusted and current
 * response carrying a status for ctx->cert was found: this function does
 * not interpret ctx->status (good/revoked/unknown) - the caller must.
 *
 * NGX_ERROR is returned on a non-200 HTTP status, a malformed DER body,
 * an unsuccessful OCSP response status, a signature that does not verify
 * against the SSL_CTX trust store, a missing single response for ctx->cert,
 * a validity window that has expired (or lies in the future), or an
 * unparsable nextUpdate.  Every OpenSSL object created here (ocsp, basic,
 * id) is freed on all paths.
 */
static ngx_int_t
ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
{
    int                    n;
    size_t                 len;
    X509_STORE            *store;
    const u_char          *p;
    OCSP_CERTID           *id;
    OCSP_RESPONSE         *ocsp;
    OCSP_BASICRESP        *basic;
    ASN1_GENERALIZEDTIME  *thisupdate, *nextupdate;

    /* NULL until allocated so that the error path can free selectively */
    ocsp = NULL;
    basic = NULL;
    id = NULL;

    /* a non-200 HTTP status is rejected here without a log message */
    if (ctx->code != 200) {
        goto error;
    }

    /* parse and check the DER-encoded response body */

    len = ctx->response->last - ctx->response->pos;
    p = ctx->response->pos;

    /*
     * d2i advances p past the decoded structure; any trailing bytes
     * after it are not checked.  NOTE(review): len is a size_t handed to
     * d2i's long length parameter - the body is presumably bounded by the
     * response buffer allocated elsewhere, no explicit check here.
     */
    ocsp = d2i_OCSP_RESPONSE(NULL, &p, len);
    if (ocsp == NULL) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "d2i_OCSP_RESPONSE() failed");
        goto error;
    }

    /* outer responseStatus must be "successful" before the body is used */
    n = OCSP_response_status(ocsp);

    if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP response not successful (%d: %s)",
                      n, OCSP_response_status_str(n));
        goto error;
    }

    /* get1: a new reference owned by this function, freed below */
    basic = OCSP_response_get1_basic(ocsp);
    if (basic == NULL) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP_response_get1_basic() failed");
        goto error;
    }

    /* the trust store of the SSL context is used to verify the signer */
    store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
    if (store == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "SSL_CTX_get_cert_store() failed");
        goto error;
    }

    /*
     * Verify the response signature.  ctx->chain supplies extra untrusted
     * certificates that may help build the signer chain; ctx->flags is set
     * by the caller and decides how strictly the signer is checked (OpenSSL
     * flags such as OCSP_NOVERIFY or OCSP_TRUSTOTHER relax it).
     * NOTE(review): confirm what callers place in ctx->flags.
     */
    if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP_basic_verify() failed");
        goto error;
    }

    /* CertID of the certificate being checked; NULL selects the default digest */
    id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
    if (id == NULL) {
        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
                      "OCSP_cert_to_id() failed");
        goto error;
    }

    /* revocation reason and time are not needed, hence the NULL outputs */
    if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL,
                              &thisupdate, &nextupdate)
        != 1)
    {
        ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                      "certificate status not found in the OCSP response");
        goto error;
    }

    /*
     * 300 seconds of clock skew are tolerated; the maximum age of
     * thisUpdate is not limited (-1), so a response without nextUpdate
     * is accepted regardless of how old it is.
     */
    if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
        ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                      "OCSP_check_validity() failed");
        goto error;
    }

    if (nextupdate) {
        /* cache the result until nextUpdate */
        ctx->valid = ngx_ssl_stapling_time(nextupdate);
        if (ctx->valid == (time_t) NGX_ERROR) {
            ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
                          "invalid nextUpdate time in certificate status");
            goto error;
        }

    } else {
        /* no nextUpdate in the response: the result never expires here */
        ctx->valid = NGX_MAX_TIME_T_VALUE;
    }

    OCSP_CERTID_free(id);
    OCSP_BASICRESP_free(basic);
    OCSP_RESPONSE_free(ocsp);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                   "ssl ocsp response, %s, %uz",
                   OCSP_cert_status_str(ctx->status), len);

    return NGX_OK;

error:

    /* release whatever was allocated before the failing step */

    if (id) {
        OCSP_CERTID_free(id);
    }

    if (basic) {
        OCSP_BASICRESP_free(basic);
    }

    if (ocsp) {
        OCSP_RESPONSE_free(ocsp);
    }

    return NGX_ERROR;
}
2375
2376
2377 static u_char *
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2378 ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len)
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2379 {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2380 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2381 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2382
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2383 p = buf;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2384
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2385 if (log->action) {
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2386 p = ngx_snprintf(buf, len, " while %s", log->action);
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2387 len -= p - buf;
6813
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2388 buf = p;
4875
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2389 }
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2390
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2391 ctx = log->data;
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2392
386a06a22c40 OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents: 4874
diff changeset
2393 if (ctx) {
6813
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2394 p = ngx_snprintf(buf, len, ", responder: %V", &ctx->host);
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2395 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2396 buf = p;
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2397 }
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2398
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2399 if (ctx && ctx->peer.name) {
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2400 p = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name);
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2401 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2402 buf = p;
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2403 }
94586180fb41 OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6812
diff changeset
2404
2405 if (ctx && ctx->name) {
2406 p = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name);
2407 len -= p - buf;
2408 buf = p;
2409 }
2410
2411 return p;
2412 }
2415 #else
/*
 * "ssl_stapling" on a build without OCSP support.  Stapling is a
 * convenience for clients rather than an access control, so the
 * directive is ignored with a warning and configuration continues
 * (contrast ngx_ssl_ocsp() below, which refuses to start).
 * file, responder and verify are accepted for interface compatibility
 * only and are not used here.
 */
ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
    ngx_str_t *responder, ngx_uint_t verify)
{
    /* WARN, not EMERG: the server still starts, just without stapling */
    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                  "\"ssl_stapling\" ignored, " "not supported");

    return NGX_OK;
}
/*
 * no-op counterpart of ngx_ssl_stapling_resolver() for builds without
 * OCSP support; resolver and resolver_timeout are not stored because
 * the "ssl_stapling" directive itself is ignored by ngx_ssl_stapling()
 * above, so there is nothing that could use them
 */
ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}
/*
 * "ssl_ocsp" on a build without OCSP support.  Unlike stapling, OCSP
 * validation of client certificates is a security control: a revocation
 * check the build cannot perform must not be dropped silently, so the
 * directive is reported at EMERG level and NGX_ERROR is returned to the
 * caller (fail closed).  responder and depth are not used here.
 */
ngx_int_t
ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder,
    ngx_uint_t depth)
{
    /* EMERG, not WARN: the operator asked for a check that cannot happen */
    ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
                  "\"ssl_ocsp\" is not supported " "on this platform");

    return NGX_ERROR;
}
/*
 * no-op counterpart of ngx_ssl_ocsp_resolver() for builds without OCSP
 * support; resolver and resolver_timeout are not stored since
 * ngx_ssl_ocsp() above rejects the "ssl_ocsp" directive, so no OCSP
 * responder lookup can ever be issued on this build
 */
ngx_int_t
ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
    return NGX_OK;
}
/*
 * per-connection OCSP validation entry point for builds without OCSP
 * support.  NGX_OK here means "there is no OCSP check to perform", not
 * "revocation status confirmed": "ssl_ocsp" is expected to be rejected
 * at configuration time on this build (ngx_ssl_ocsp() above returns
 * NGX_ERROR), so no connection can ever have a pending OCSP request.
 * NOTE(review): callers presumably invoke this whenever client
 * certificate verification is enabled, OCSP or not - confirm against
 * the OCSP-enabled implementation before changing the return value.
 */
ngx_int_t
ngx_ssl_ocsp_validate(ngx_connection_t *c)
{
    return NGX_OK;
}
/*
 * OCSP status query for builds without OCSP support: always reports
 * NGX_OK and leaves *s untouched.  NOTE(review): this assumes callers
 * read *s only when the result is not NGX_OK - confirm against the
 * OCSP-enabled implementation, since *s is never assigned here.
 */
ngx_int_t
ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s)
{
    return NGX_OK;
}
/*
 * per-connection OCSP cleanup for builds without OCSP support: nothing
 * to release, as none of the stubs above allocate per-connection state
 */
void
ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
{
}
2476 #endif