Mercurial > hg > nginx
annotate src/event/ngx_event_openssl_stapling.c @ 7653:8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".
When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Fri, 22 May 2020 17:30:12 +0300 |
parents | 7cffd81015e7 |
children | b56f725dd4bb |
rev | line source |
---|---|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2 /* |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
3 * Copyright (C) Maxim Dounin |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
4 * Copyright (C) Nginx, Inc. |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
5 */ |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
6 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
7 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
10 #include <ngx_event.h> |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
11 #include <ngx_event_connect.h> |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
12 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
13 |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5683
diff
changeset
|
14 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
15 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
16 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
17 typedef struct { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
18 ngx_str_t staple; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
19 ngx_msec_t timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
20 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
21 ngx_resolver_t *resolver; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
22 ngx_msec_t resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
23 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
24 ngx_addr_t *addrs; |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
25 ngx_uint_t naddrs; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
26 ngx_str_t host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
27 ngx_str_t uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
28 in_port_t port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
29 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
30 SSL_CTX *ssl_ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
31 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
32 X509 *cert; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
33 X509 *issuer; |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
34 STACK_OF(X509) *chain; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
35 |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
36 u_char *name; |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
37 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
38 time_t valid; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
39 time_t refresh; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
40 |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
41 unsigned verify:1; |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
42 unsigned loading:1; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
43 } ngx_ssl_stapling_t; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
44 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
45 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
46 typedef struct { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
47 ngx_addr_t *addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
48 ngx_uint_t naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
49 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
50 ngx_str_t host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
51 ngx_str_t uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
52 in_port_t port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
53 ngx_uint_t depth; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
54 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
55 ngx_resolver_t *resolver; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
56 ngx_msec_t resolver_timeout; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
57 } ngx_ssl_ocsp_conf_t; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
58 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
59 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
60 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
61 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
62 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
63 struct ngx_ssl_ocsp_s { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
64 STACK_OF(X509) *certs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
65 ngx_uint_t ncert; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
66 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
67 int cert_status; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
68 ngx_int_t status; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
69 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
70 ngx_ssl_ocsp_conf_t *conf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
71 ngx_ssl_ocsp_ctx_t *ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
72 }; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
73 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
74 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
75 struct ngx_ssl_ocsp_ctx_s { |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
76 SSL_CTX *ssl_ctx; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
77 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
78 X509 *cert; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
79 X509 *issuer; |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
80 STACK_OF(X509) *chain; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
81 |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
82 int status; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
83 time_t valid; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
84 |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
85 u_char *name; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
86 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
87 ngx_uint_t naddrs; |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
88 ngx_uint_t naddr; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
89 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
90 ngx_addr_t *addrs; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
91 ngx_str_t host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
92 ngx_str_t uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
93 in_port_t port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
94 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
95 ngx_resolver_t *resolver; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
96 ngx_msec_t resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
97 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
98 ngx_msec_t timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
99 |
6810 | 100 void (*handler)(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
101 void *data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
102 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
103 ngx_buf_t *request; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
104 ngx_buf_t *response; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
105 ngx_peer_connection_t peer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
106 |
6810 | 107 ngx_int_t (*process)(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
108 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
109 ngx_uint_t state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
110 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
111 ngx_uint_t code; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
112 ngx_uint_t count; |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
113 ngx_uint_t flags; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
114 ngx_uint_t done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
115 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
116 u_char *header_name_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
117 u_char *header_name_end; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
118 u_char *header_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
119 u_char *header_end; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
120 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
121 ngx_pool_t *pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
122 ngx_log_t *log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
123 }; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
124 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
125 |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
126 static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
127 X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
128 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
129 ngx_ssl_stapling_t *staple, ngx_str_t *file); |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
130 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
131 ngx_ssl_stapling_t *staple); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
132 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
133 ngx_ssl_stapling_t *staple, ngx_str_t *responder); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
134 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
135 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
136 void *data); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
137 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
138 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
139 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
140 static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
141 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
142 static void ngx_ssl_stapling_cleanup(void *data); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
143 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
144 static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
145 static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
146 static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
147 ngx_ssl_ocsp_ctx_t *ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
148 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
149 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(ngx_log_t *log); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
150 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx); |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
151 static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
152 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
153 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
154 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
155 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
156 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
157 static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
158 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
159 static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
160 static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
161 static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
162 static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
163 static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
164 static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx); |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
165 static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
166 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
167 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
168 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
169 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
170 ngx_int_t |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
171 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
172 ngx_str_t *responder, ngx_uint_t verify) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
173 { |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
174 X509 *cert; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
175 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
176 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
177 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
178 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
179 { |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
180 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
181 != NGX_OK) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
182 { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
183 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
184 } |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
185 } |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
186 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
187 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
188 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
189 return NGX_OK; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
190 } |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
191 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
192 |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
193 static ngx_int_t |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
194 ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert, |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
195 ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify) |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
196 { |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
197 ngx_int_t rc; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
198 ngx_pool_cleanup_t *cln; |
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
199 ngx_ssl_stapling_t *staple; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
200 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
201 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
202 if (staple == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
203 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
204 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
205 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
206 cln = ngx_pool_cleanup_add(cf->pool, 0); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
207 if (cln == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
208 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
209 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
210 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
211 cln->handler = ngx_ssl_stapling_cleanup; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
212 cln->data = staple; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
213 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
214 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) { |
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
215 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
216 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
217 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
218 |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
219 #ifdef SSL_CTRL_SELECT_CURRENT_CERT |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
220 /* OpenSSL 1.0.2+ */ |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
221 SSL_CTX_select_current_cert(ssl->ctx, cert); |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
222 #endif |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
223 |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
224 #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
225 /* OpenSSL 1.0.1+ */ |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
226 SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain); |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
227 #else |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
228 staple->chain = ssl->ctx->extra_certs; |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
229 #endif |
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
230 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
231 staple->ssl_ctx = ssl->ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
232 staple->timeout = 60000; |
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
233 staple->verify = verify; |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
234 staple->cert = cert; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
235 staple->name = X509_get_ex_data(staple->cert, |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
236 ngx_ssl_certificate_name_index); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
237 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
238 if (file->len) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
239 /* use OCSP response from the file */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
240 |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
241 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
242 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
243 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
244 |
6547
e222a97d46c1
OCSP stapling: additional function to configure stapling on a cert.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6546
diff
changeset
|
245 return NGX_OK; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
246 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
247 |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
248 rc = ngx_ssl_stapling_issuer(cf, ssl, staple); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
249 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
250 if (rc == NGX_DECLINED) { |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
251 return NGX_OK; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
252 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
253 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
254 if (rc != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
255 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
256 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
257 |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
258 rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
259 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
260 if (rc == NGX_DECLINED) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
261 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
262 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
263 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
264 if (rc != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
265 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
266 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
267 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
268 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
269 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
270 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
271 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
272 static ngx_int_t |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
273 ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
274 ngx_ssl_stapling_t *staple, ngx_str_t *file) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
275 { |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
276 BIO *bio; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
277 int len; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
278 u_char *p, *buf; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
279 OCSP_RESPONSE *response; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
280 |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
281 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
282 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
283 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
284 |
7485
edf5cd6c56fa
OCSP stapling: open ssl_stapling_file in binary-mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7067
diff
changeset
|
285 bio = BIO_new_file((char *) file->data, "rb"); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
286 if (bio == NULL) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
287 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
288 "BIO_new_file(\"%s\") failed", file->data); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
289 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
290 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
291 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
292 response = d2i_OCSP_RESPONSE_bio(bio, NULL); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
293 if (response == NULL) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
294 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
295 "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
296 BIO_free(bio); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
297 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
298 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
299 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
300 len = i2d_OCSP_RESPONSE(response, NULL); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
301 if (len <= 0) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
302 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
303 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
304 goto failed; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
305 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
306 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
307 buf = ngx_alloc(len, ssl->log); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
308 if (buf == NULL) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
309 goto failed; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
310 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
311 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
312 p = buf; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
313 len = i2d_OCSP_RESPONSE(response, &p); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
314 if (len <= 0) { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
315 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
316 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
317 ngx_free(buf); |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
318 goto failed; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
319 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
320 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
321 OCSP_RESPONSE_free(response); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
322 BIO_free(bio); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
323 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
324 staple->staple.data = buf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
325 staple->staple.len = len; |
6205
dcae651b2a0c
OCSP stapling: fixed ssl_stapling_file (ticket #769).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6181
diff
changeset
|
326 staple->valid = NGX_MAX_TIME_T_VALUE; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
327 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
328 return NGX_OK; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
329 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
330 failed: |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
331 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
332 OCSP_RESPONSE_free(response); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
333 BIO_free(bio); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
334 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
335 return NGX_ERROR; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
336 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
337 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
338 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
339 static ngx_int_t |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
340 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
341 ngx_ssl_stapling_t *staple) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
342 { |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
343 int i, n, rc; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
344 X509 *cert, *issuer; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
345 X509_STORE *store; |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
346 X509_STORE_CTX *store_ctx; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
347 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
348 cert = staple->cert; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
349 |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
350 n = sk_X509_num(staple->chain); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
351 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
352 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
353 "SSL get issuer: %d extra certs", n); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
354 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
355 for (i = 0; i < n; i++) { |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
356 issuer = sk_X509_value(staple->chain, i); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
357 if (X509_check_issued(issuer, cert) == X509_V_OK) { |
6491
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
358 #if OPENSSL_VERSION_NUMBER >= 0x10100001L |
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
359 X509_up_ref(issuer); |
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
360 #else |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
361 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); |
6491
45f2385a47e6
SSL: X509 was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6480
diff
changeset
|
362 #endif |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
363 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
364 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
365 "SSL get issuer: found %p in extra certs", issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
366 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
367 staple->issuer = issuer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
368 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
369 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
370 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
371 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
372 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
373 store = SSL_CTX_get_cert_store(ssl->ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
374 if (store == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
375 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
376 "SSL_CTX_get_cert_store() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
377 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
378 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
379 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
380 store_ctx = X509_STORE_CTX_new(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
381 if (store_ctx == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
382 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
383 "X509_STORE_CTX_new() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
384 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
385 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
386 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
387 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
388 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
389 "X509_STORE_CTX_init() failed"); |
6064
ff957cd36860
OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents:
5777
diff
changeset
|
390 X509_STORE_CTX_free(store_ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
391 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
392 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
393 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
394 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
395 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
396 if (rc == -1) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
397 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
398 "X509_STORE_CTX_get1_issuer() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
399 X509_STORE_CTX_free(store_ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
400 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
401 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
402 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
403 if (rc == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
404 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
405 "\"ssl_stapling\" ignored, " |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
406 "issuer certificate not found for certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
407 staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
408 X509_STORE_CTX_free(store_ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
409 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
410 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
411 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
412 X509_STORE_CTX_free(store_ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
413 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
414 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
415 "SSL get issuer: found %p in cert store", issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
416 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
417 staple->issuer = issuer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
418 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
419 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
420 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
421 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
422 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
423 static ngx_int_t |
6544
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
424 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, |
458e01ef46e6
OCSP stapling: staple provided in arguments.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6491
diff
changeset
|
425 ngx_ssl_stapling_t *staple, ngx_str_t *responder) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
426 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
427 char *s; |
6688
6acbe9964ceb
OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6593
diff
changeset
|
428 ngx_str_t rsp; |
6810 | 429 ngx_url_t u; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
430 STACK_OF(OPENSSL_STRING) *aia; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
431 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
432 if (responder->len == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
433 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
434 /* extract OCSP responder URL from certificate */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
435 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
436 aia = X509_get1_ocsp(staple->cert); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
437 if (aia == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
438 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
439 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
440 "no OCSP responder URL in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
441 staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
442 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
443 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
444 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
445 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
446 s = sk_OPENSSL_STRING_value(aia, 0); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
447 #else |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
448 s = sk_value(aia, 0); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
449 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
450 if (s == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
451 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
452 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
453 "no OCSP responder URL in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
454 staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
455 X509_email_free(aia); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
456 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
457 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
458 |
6688
6acbe9964ceb
OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6593
diff
changeset
|
459 responder = &rsp; |
6acbe9964ceb
OCSP stapling: fixed using wrong responder with multiple certs.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6593
diff
changeset
|
460 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
461 responder->len = ngx_strlen(s); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
462 responder->data = ngx_palloc(cf->pool, responder->len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
463 if (responder->data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
464 X509_email_free(aia); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
465 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
466 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
467 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
468 ngx_memcpy(responder->data, s, responder->len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
469 X509_email_free(aia); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
470 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
471 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
472 ngx_memzero(&u, sizeof(ngx_url_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
473 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
474 u.url = *responder; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
475 u.default_port = 80; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
476 u.uri_part = 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
477 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
478 if (u.url.len > 7 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
479 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
480 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
481 u.url.len -= 7; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
482 u.url.data += 7; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
483 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
484 } else { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
485 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
486 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
487 "invalid URL prefix in OCSP responder \"%V\" " |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
488 "in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
489 &u.url, staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
490 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
491 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
492 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
493 if (ngx_parse_url(cf->pool, &u) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
494 if (u.err) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
495 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
496 "\"ssl_stapling\" ignored, " |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
497 "%s in OCSP responder \"%V\" " |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
498 "in the certificate \"%s\"", |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6811
diff
changeset
|
499 u.err, &u.url, staple->name); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
500 return NGX_DECLINED; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
501 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
502 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
503 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
504 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
505 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
506 staple->addrs = u.addrs; |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
507 staple->naddrs = u.naddrs; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
508 staple->host = u.host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
509 staple->uri = u.uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
510 staple->port = u.port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
511 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
512 if (staple->uri.len == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
513 ngx_str_set(&staple->uri, "/"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
514 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
515 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
516 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
517 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
518 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
519 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
520 ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
521 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
522 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
523 { |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6544
diff
changeset
|
524 X509 *cert; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
525 ngx_ssl_stapling_t *staple; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
526 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
527 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
528 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
529 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
530 { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
531 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
532 staple->resolver = resolver; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
533 staple->resolver_timeout = resolver_timeout; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6547
diff
changeset
|
534 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
535 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
536 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
537 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
538 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
539 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
540 static int |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
541 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
542 { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
543 int rc; |
6546
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
544 X509 *cert; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
545 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
546 ngx_connection_t *c; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
547 ngx_ssl_stapling_t *staple; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
548 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
549 c = ngx_ssl_get_connection(ssl_conn); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
550 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
551 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
552 "SSL certificate status callback"); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
553 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
554 rc = SSL_TLSEXT_ERR_NOACK; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
555 |
6546
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
556 cert = SSL_get_certificate(ssl_conn); |
7493
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
557 |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
558 if (cert == NULL) { |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
559 return rc; |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
560 } |
dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7485
diff
changeset
|
561 |
6546
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
562 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
563 |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
564 if (staple == NULL) { |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
565 return rc; |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
566 } |
a2d5d45f1525
OCSP stapling: staple now extracted via SSL_get_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
567 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
568 if (staple->staple.len |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
569 && staple->valid >= ngx_time()) |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
570 { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
571 /* we have to copy ocsp response as OpenSSL will free it by itself */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
572 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
573 p = OPENSSL_malloc(staple->staple.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
574 if (p == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
575 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
576 return SSL_TLSEXT_ERR_NOACK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
577 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
578 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
579 ngx_memcpy(p, staple->staple.data, staple->staple.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
580 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
581 SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
582 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
583 rc = SSL_TLSEXT_ERR_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
584 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
585 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
586 ngx_ssl_stapling_update(staple); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
587 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
588 return rc; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
589 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
590 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
591 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
592 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
593 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
594 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
595 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
596 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
597 if (staple->host.len == 0 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
598 || staple->loading || staple->refresh >= ngx_time()) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
599 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
600 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
601 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
602 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
603 staple->loading = 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
604 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
605 ctx = ngx_ssl_ocsp_start(ngx_cycle->log); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
606 if (ctx == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
607 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
608 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
609 |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
610 ctx->ssl_ctx = staple->ssl_ctx; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
611 ctx->cert = staple->cert; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
612 ctx->issuer = staple->issuer; |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
613 ctx->chain = staple->chain; |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
614 ctx->name = staple->name; |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
615 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
616 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
617 ctx->addrs = staple->addrs; |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
618 ctx->naddrs = staple->naddrs; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
619 ctx->host = staple->host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
620 ctx->uri = staple->uri; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
621 ctx->port = staple->port; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
622 ctx->timeout = staple->timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
623 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
624 ctx->resolver = staple->resolver; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
625 ctx->resolver_timeout = staple->resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
626 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
627 ctx->handler = ngx_ssl_stapling_ocsp_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
628 ctx->data = staple; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
629 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
630 ngx_ssl_ocsp_request(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
631 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
632 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
633 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
634 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
635 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
636 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
637 ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
638 { |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
639 time_t now; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
640 ngx_str_t response; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
641 ngx_ssl_stapling_t *staple; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
642 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
643 staple = ctx->data; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
644 now = ngx_time(); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
645 |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
646 if (ngx_ssl_ocsp_verify(ctx) != NGX_OK) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
647 goto error; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
648 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
649 |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
650 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
651 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
652 "certificate status \"%s\" in the OCSP response", |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
653 OCSP_cert_status_str(ctx->status)); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
654 goto error; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
655 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
656 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
657 /* copy the response to memory not in ctx->pool */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
658 |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
659 response.len = ctx->response->last - ctx->response->pos; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
660 response.data = ngx_alloc(response.len, ctx->log); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
661 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
662 if (response.data == NULL) { |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
663 goto error; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
664 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
665 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
666 ngx_memcpy(response.data, ctx->response->pos, response.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
667 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
668 if (staple->staple.data) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
669 ngx_free(staple->staple.data); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
670 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
671 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
672 staple->staple = response; |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
673 staple->valid = ctx->valid; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
674 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
675 /* |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
676 * refresh before the response expires, |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
677 * but not earlier than in 5 minutes, and at least in an hour |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
678 */ |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
679 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
680 staple->loading = 0; |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
681 staple->refresh = ngx_max(ngx_min(ctx->valid - 300, now + 3600), now + 300); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
682 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
683 ngx_ssl_ocsp_done(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
684 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
685 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
686 error: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
687 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
688 staple->loading = 0; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
689 staple->refresh = now + 300; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
690 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
691 ngx_ssl_ocsp_done(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
692 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
693 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
694 |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
695 static time_t |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
696 ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time) |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
697 { |
6810 | 698 BIO *bio; |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
699 char *value; |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
700 size_t len; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
701 time_t time; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
702 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
703 /* |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
704 * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
705 * into time_t. To do this, we use ASN1_GENERALIZEDTIME_print(), |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
706 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g., |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
707 * "Feb 3 00:55:52 2015 GMT"), and parse the result. |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
708 */ |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
709 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
710 bio = BIO_new(BIO_s_mem()); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
711 if (bio == NULL) { |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
712 return NGX_ERROR; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
713 } |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
714 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
715 /* fake weekday prepended to match C asctime() format */ |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
716 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
717 BIO_write(bio, "Tue ", sizeof("Tue ") - 1); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
718 ASN1_GENERALIZEDTIME_print(bio, asn1time); |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
719 len = BIO_get_mem_data(bio, &value); |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
720 |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
721 time = ngx_parse_http_time((u_char *) value, len); |
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
722 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
723 BIO_free(bio); |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
724 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
725 return time; |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
726 } |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
727 |
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
728 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
729 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
730 ngx_ssl_stapling_cleanup(void *data) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
731 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
732 ngx_ssl_stapling_t *staple = data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
733 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
734 if (staple->issuer) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
735 X509_free(staple->issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
736 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
737 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
738 if (staple->staple.data) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
739 ngx_free(staple->staple.data); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
740 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
741 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
742 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
743 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
744 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
745 ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
746 ngx_uint_t depth) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
747 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
748 ngx_url_t u; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
749 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
750 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
751 ocf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
752 if (ocf == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
753 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
754 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
755 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
756 ocf->depth = depth; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
757 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
758 if (responder->len) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
759 ngx_memzero(&u, sizeof(ngx_url_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
760 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
761 u.url = *responder; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
762 u.default_port = 80; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
763 u.uri_part = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
764 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
765 if (u.url.len > 7 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
766 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
767 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
768 u.url.len -= 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
769 u.url.data += 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
770 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
771 } else { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
772 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
773 "invalid URL prefix in OCSP responder \"%V\" " |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
774 "in \"ssl_ocsp_responder\"", &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
775 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
776 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
777 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
778 if (ngx_parse_url(cf->pool, &u) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
779 if (u.err) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
780 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
781 "%s in OCSP responder \"%V\" " |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
782 "in \"ssl_ocsp_responder\"", u.err, &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
783 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
784 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
785 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
786 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
787 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
788 ocf->addrs = u.addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
789 ocf->naddrs = u.naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
790 ocf->host = u.host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
791 ocf->uri = u.uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
792 ocf->port = u.port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
793 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
794 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
795 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, ocf) == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
796 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
797 "SSL_CTX_set_ex_data() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
798 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
799 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
800 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
801 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
802 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
803 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
804 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
805 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
806 ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
807 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
808 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
809 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
810 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
811 ocf = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_ocsp_index); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
812 ocf->resolver = resolver; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
813 ocf->resolver_timeout = resolver_timeout; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
814 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
815 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
816 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
817 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
818 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
819 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
820 ngx_ssl_ocsp_validate(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
821 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
822 X509 *cert; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
823 SSL_CTX *ssl_ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
824 ngx_int_t rc; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
825 X509_STORE *store; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
826 X509_STORE_CTX *store_ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
827 STACK_OF(X509) *chain; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
828 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
829 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
830 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
831 if (c->ssl->in_ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
832 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
833 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
834 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
835 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
836 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
837 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
838 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
839 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
840 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
841 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
842 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
843 ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
844 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
845 ocf = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ocsp_index); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
846 if (ocf == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
847 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
848 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
849 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
850 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
851 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
852 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
853 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
854 cert = SSL_get_peer_certificate(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
855 if (cert == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
856 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
857 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
858 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
859 ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
860 if (ocsp == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
861 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
862 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
863 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
864 c->ssl->ocsp = ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
865 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
866 ocsp->status = NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
867 ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
868 ocsp->conf = ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
869 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
870 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
871 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
872 ocsp->certs = SSL_get0_verified_chain(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
873 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
874 if (ocsp->certs) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
875 ocsp->certs = X509_chain_up_ref(ocsp->certs); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
876 if (ocsp->certs == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
877 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
878 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
879 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
880 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
881 #endif |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
882 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
883 if (ocsp->certs == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
884 store = SSL_CTX_get_cert_store(ssl_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
885 if (store == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
886 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
887 "SSL_CTX_get_cert_store() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
888 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
889 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
890 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
891 store_ctx = X509_STORE_CTX_new(); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
892 if (store_ctx == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
893 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
894 "X509_STORE_CTX_new() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
895 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
896 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
897 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
898 chain = SSL_get_peer_cert_chain(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
899 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
900 if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
901 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
902 "X509_STORE_CTX_init() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
903 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
904 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
905 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
906 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
907 rc = X509_verify_cert(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
908 if (rc <= 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
909 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
910 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
911 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
912 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
913 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
914 ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
915 if (ocsp->certs == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
916 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
917 "X509_STORE_CTX_get1_chain() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
918 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
919 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
920 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
921 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
922 X509_STORE_CTX_free(store_ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
923 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
924 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
925 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
926 "ssl ocsp validate, certs:%i", sk_X509_num(ocsp->certs)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
927 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
928 ngx_ssl_ocsp_validate_next(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
929 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
930 if (ocsp->status == NGX_AGAIN) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
931 c->ssl->in_ocsp = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
932 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
933 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
934 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
935 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
936 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
937 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
938 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
939 static void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
940 ngx_ssl_ocsp_validate_next(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
941 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
942 ngx_uint_t n; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
943 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
944 ngx_ssl_ocsp_ctx_t *ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
945 ngx_ssl_ocsp_conf_t *ocf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
946 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
947 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
948 ocf = ocsp->conf; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
949 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
950 n = sk_X509_num(ocsp->certs); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
951 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
952 for ( ;; ) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
953 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
954 if (ocsp->ncert == n - 1 || (ocf->depth == 2 && ocsp->ncert == 1)) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
955 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
956 "ssl ocsp validated, certs:%ui", ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
957 goto done; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
958 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
959 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
960 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
961 "ssl ocsp validate cert:%ui", ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
962 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
963 ctx = ngx_ssl_ocsp_start(c->log); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
964 if (ctx == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
965 goto failed; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
966 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
967 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
968 ocsp->ctx = ctx; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
969 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
970 ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
971 ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
972 ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
973 ctx->chain = ocsp->certs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
974 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
975 ctx->resolver = ocf->resolver; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
976 ctx->resolver_timeout = ocf->resolver_timeout; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
977 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
978 ctx->handler = ngx_ssl_ocsp_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
979 ctx->data = c; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
980 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
981 ctx->addrs = ocf->addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
982 ctx->naddrs = ocf->naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
983 ctx->host = ocf->host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
984 ctx->uri = ocf->uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
985 ctx->port = ocf->port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
986 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
987 if (ngx_ssl_ocsp_responder(c, ctx) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
988 goto failed; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
989 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
990 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
991 if (ctx->uri.len == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
992 ngx_str_set(&ctx->uri, "/"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
993 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
994 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
995 ocsp->ncert++; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
996 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
997 break; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
998 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
999 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1000 ngx_ssl_ocsp_request(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1001 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1002 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1003 done: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1004 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1005 ocsp->status = NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1006 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1007 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1008 failed: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1009 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1010 ocsp->status = NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1011 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1012 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1013 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1014 static void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1015 ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1016 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1017 ngx_int_t rc; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1018 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1019 ngx_connection_t *c; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1020 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1021 c = ctx->data; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1022 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1023 ocsp->ctx = NULL; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1024 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1025 rc = ngx_ssl_ocsp_verify(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1026 if (rc != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1027 ocsp->status = rc; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1028 ngx_ssl_ocsp_done(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1029 goto done; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1030 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1031 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1032 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1033 ocsp->cert_status = ctx->status; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1034 ocsp->status = NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1035 ngx_ssl_ocsp_done(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1036 goto done; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1037 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1038 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1039 ngx_ssl_ocsp_done(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1040 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1041 ngx_ssl_ocsp_validate_next(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1042 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1043 done: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1044 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1045 if (ocsp->status == NGX_AGAIN || !c->ssl->in_ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1046 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1047 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1048 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1049 c->ssl->handshaked = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1050 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1051 c->ssl->handler(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1052 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1053 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1054 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1055 static ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1056 ngx_ssl_ocsp_responder(ngx_connection_t *c, ngx_ssl_ocsp_ctx_t *ctx) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1057 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1058 char *s; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1059 ngx_str_t responder; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1060 ngx_url_t u; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1061 STACK_OF(OPENSSL_STRING) *aia; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1062 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1063 if (ctx->host.len) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1064 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1065 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1066 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1067 /* extract OCSP responder URL from certificate */ |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1068 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1069 aia = X509_get1_ocsp(ctx->cert); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1070 if (aia == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1071 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1072 "no OCSP responder URL in certificate"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1073 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1074 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1075 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1076 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1077 s = sk_OPENSSL_STRING_value(aia, 0); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1078 #else |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1079 s = sk_value(aia, 0); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1080 #endif |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1081 if (s == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1082 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1083 "no OCSP responder URL in certificate"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1084 X509_email_free(aia); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1085 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1086 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1087 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1088 responder.len = ngx_strlen(s); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1089 responder.data = ngx_palloc(ctx->pool, responder.len); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1090 if (responder.data == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1091 X509_email_free(aia); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1092 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1093 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1094 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1095 ngx_memcpy(responder.data, s, responder.len); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1096 X509_email_free(aia); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1097 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1098 ngx_memzero(&u, sizeof(ngx_url_t)); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1099 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1100 u.url = responder; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1101 u.default_port = 80; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1102 u.uri_part = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1103 u.no_resolve = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1104 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1105 if (u.url.len > 7 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1106 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1107 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1108 u.url.len -= 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1109 u.url.data += 7; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1110 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1111 } else { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1112 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1113 "invalid URL prefix in OCSP responder \"%V\" " |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1114 "in certificate", &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1115 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1116 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1117 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1118 if (ngx_parse_url(ctx->pool, &u) != NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1119 if (u.err) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1120 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1121 "%s in OCSP responder \"%V\" in certificate", |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1122 u.err, &u.url); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1123 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1124 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1125 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1126 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1127 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1128 if (u.host.len == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1129 ngx_log_error(NGX_LOG_ERR, c->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1130 "empty host in OCSP responder in certificate"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1131 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1132 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1133 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1134 ctx->addrs = u.addrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1135 ctx->naddrs = u.naddrs; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1136 ctx->host = u.host; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1137 ctx->uri = u.uri; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1138 ctx->port = u.port; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1139 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1140 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1141 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1142 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1143 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1144 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1145 ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1146 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1147 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1148 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1149 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1150 if (ocsp == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1151 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1152 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1153 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1154 if (ocsp->status == NGX_ERROR) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1155 *s = "certificate status request failed"; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1156 return NGX_DECLINED; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1157 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1158 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1159 switch (ocsp->cert_status) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1160 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1161 case V_OCSP_CERTSTATUS_GOOD: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1162 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1163 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1164 case V_OCSP_CERTSTATUS_REVOKED: |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1165 *s = "certificate revoked"; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1166 break; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1167 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1168 default: /* V_OCSP_CERTSTATUS_UNKNOWN */ |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1169 *s = "certificate status unknown"; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1170 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1171 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1172 return NGX_DECLINED; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1173 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1174 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1175 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1176 void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1177 ngx_ssl_ocsp_cleanup(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1178 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1179 ngx_ssl_ocsp_t *ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1180 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1181 ocsp = c->ssl->ocsp; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1182 if (ocsp == NULL) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1183 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1184 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1185 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1186 if (ocsp->ctx) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1187 ngx_ssl_ocsp_done(ocsp->ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1188 ocsp->ctx = NULL; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1189 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1190 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1191 if (ocsp->certs) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1192 sk_X509_pop_free(ocsp->certs, X509_free); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1193 ocsp->certs = NULL; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1194 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1195 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1196 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1197 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1198 static ngx_ssl_ocsp_ctx_t * |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1199 ngx_ssl_ocsp_start(ngx_log_t *log) |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1200 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1201 ngx_pool_t *pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1202 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1203 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1204 pool = ngx_create_pool(2048, log); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1205 if (pool == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1206 return NULL; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1207 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1208 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1209 ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1210 if (ctx == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1211 ngx_destroy_pool(pool); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1212 return NULL; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1213 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1214 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1215 log = ngx_palloc(pool, sizeof(ngx_log_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1216 if (log == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1217 ngx_destroy_pool(pool); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1218 return NULL; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1219 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1220 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1221 ctx->pool = pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1222 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1223 *log = *ctx->pool->log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1224 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1225 ctx->pool->log = log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1226 ctx->log = log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1227 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1228 log->handler = ngx_ssl_ocsp_log_error; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1229 log->data = ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1230 log->action = "requesting certificate status"; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1231 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1232 return ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1233 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1234 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1235 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1236 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1237 ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1238 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1239 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1240 "ssl ocsp done"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1241 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1242 if (ctx->peer.connection) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1243 ngx_close_connection(ctx->peer.connection); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1244 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1245 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1246 ngx_destroy_pool(ctx->pool); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1247 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1248 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1249 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1250 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1251 ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1252 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1253 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1254 "ssl ocsp error"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1255 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1256 ctx->code = 0; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1257 ctx->handler(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1258 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1259 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1260 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1261 static void |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1262 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx) |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1263 { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1264 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1265 "ssl ocsp next"); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1266 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1267 if (++ctx->naddr >= ctx->naddrs) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1268 ngx_ssl_ocsp_error(ctx); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1269 return; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1270 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1271 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1272 ctx->request->pos = ctx->request->start; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1273 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1274 if (ctx->response) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1275 ctx->response->last = ctx->response->pos; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1276 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1277 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1278 if (ctx->peer.connection) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1279 ngx_close_connection(ctx->peer.connection); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1280 ctx->peer.connection = NULL; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1281 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1282 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1283 ctx->state = 0; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1284 ctx->count = 0; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1285 ctx->done = 0; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1286 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1287 ngx_ssl_ocsp_connect(ctx); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1288 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1289 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1290 |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1291 static void |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1292 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1293 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1294 ngx_resolver_ctx_t *resolve, temp; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1295 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1296 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1297 "ssl ocsp request"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1298 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1299 if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1300 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1301 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1302 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1303 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1304 if (ctx->resolver) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1305 /* resolve OCSP responder hostname */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1306 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1307 temp.name = ctx->host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1308 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1309 resolve = ngx_resolve_start(ctx->resolver, &temp); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1310 if (resolve == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1311 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1312 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1313 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1314 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1315 if (resolve == NGX_NO_RESOLVER) { |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1316 if (ctx->naddrs == 0) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1317 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1318 "no resolver defined to resolve %V", &ctx->host); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1319 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1320 ngx_ssl_ocsp_error(ctx); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1321 return; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1322 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1323 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1324 ngx_log_error(NGX_LOG_WARN, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1325 "no resolver defined to resolve %V", &ctx->host); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1326 goto connect; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1327 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1328 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1329 resolve->name = ctx->host; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1330 resolve->handler = ngx_ssl_ocsp_resolve_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1331 resolve->data = ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1332 resolve->timeout = ctx->resolver_timeout; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1333 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1334 if (ngx_resolve_name(resolve) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1335 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1336 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1337 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1338 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1339 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1340 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1341 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1342 connect: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1343 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1344 ngx_ssl_ocsp_connect(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1345 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1346 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1347 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1348 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1349 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1350 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1351 ngx_ssl_ocsp_ctx_t *ctx = resolve->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1352 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1353 u_char *p; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1354 size_t len; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1355 socklen_t socklen; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1356 ngx_uint_t i; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1357 struct sockaddr *sockaddr; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1358 |
5234
a855ae7e6377
OCSP stapling: fixed incorrect debug level.
Ruslan Ermilov <ru@nginx.com>
parents:
5215
diff
changeset
|
1359 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1360 "ssl ocsp resolve handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1361 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1362 if (resolve->state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1363 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1364 "%V could not be resolved (%i: %s)", |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1365 &resolve->name, resolve->state, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1366 ngx_resolver_strerror(resolve->state)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1367 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1368 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1369 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1370 #if (NGX_DEBUG) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1371 { |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1372 u_char text[NGX_SOCKADDR_STRLEN]; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1373 ngx_str_t addr; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1374 |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1375 addr.data = text; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1376 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1377 for (i = 0; i < resolve->naddrs; i++) { |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1378 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1379 resolve->addrs[i].socklen, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1380 text, NGX_SOCKADDR_STRLEN, 0); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1381 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1382 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1383 "name was resolved to %V", &addr); |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1384 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1385 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1386 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1387 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1388 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1389 ctx->naddrs = resolve->naddrs; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1390 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t)); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1391 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1392 if (ctx->addrs == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1393 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1394 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1395 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1396 for (i = 0; i < resolve->naddrs; i++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1397 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1398 socklen = resolve->addrs[i].socklen; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1399 |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1400 sockaddr = ngx_palloc(ctx->pool, socklen); |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1401 if (sockaddr == NULL) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1402 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1403 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1404 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1405 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen); |
6593
b3b7e33083ac
Introduced ngx_inet_get_port() and ngx_inet_set_port() functions.
Roman Arutyunyan <arut@nginx.com>
parents:
6549
diff
changeset
|
1406 ngx_inet_set_port(sockaddr, ctx->port); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1407 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1408 ctx->addrs[i].sockaddr = sockaddr; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1409 ctx->addrs[i].socklen = socklen; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1410 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1411 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1412 if (p == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1413 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1414 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1415 |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
1416 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1417 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1418 ctx->addrs[i].name.len = len; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1419 ctx->addrs[i].name.data = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1420 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1421 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1422 ngx_resolve_name_done(resolve); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1423 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1424 ngx_ssl_ocsp_connect(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1425 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1426 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1427 failed: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1428 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1429 ngx_resolve_name_done(resolve); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1430 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1431 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1432 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1433 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1434 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1435 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1436 { |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1437 ngx_int_t rc; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1438 ngx_addr_t *addr; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1439 |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1440 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1441 "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1442 |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1443 addr = &ctx->addrs[ctx->naddr]; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1444 |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1445 ctx->peer.sockaddr = addr->sockaddr; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1446 ctx->peer.socklen = addr->socklen; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1447 ctx->peer.name = &addr->name; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1448 ctx->peer.get = ngx_event_get_peer; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1449 ctx->peer.log = ctx->log; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1450 ctx->peer.log_error = NGX_ERROR_ERR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1451 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1452 rc = ngx_event_connect_peer(&ctx->peer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1453 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1454 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1455 "ssl ocsp connect peer done"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1456 |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1457 if (rc == NGX_ERROR) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1458 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1459 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1460 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1461 |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1462 if (rc == NGX_BUSY || rc == NGX_DECLINED) { |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1463 ngx_ssl_ocsp_next(ctx); |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1464 return; |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1465 } |
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1466 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1467 ctx->peer.connection->data = ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1468 ctx->peer.connection->pool = ctx->pool; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1469 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1470 ctx->peer.connection->read->handler = ngx_ssl_ocsp_read_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1471 ctx->peer.connection->write->handler = ngx_ssl_ocsp_write_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1472 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1473 ctx->process = ngx_ssl_ocsp_process_status_line; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1474 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1475 if (ctx->timeout) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1476 ngx_add_timer(ctx->peer.connection->read, ctx->timeout); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1477 ngx_add_timer(ctx->peer.connection->write, ctx->timeout); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1478 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1479 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1480 if (rc == NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1481 ngx_ssl_ocsp_write_handler(ctx->peer.connection->write); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1482 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1483 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1484 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1485 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1486 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1487 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1488 ngx_ssl_ocsp_write_handler(ngx_event_t *wev) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1489 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1490 ssize_t n, size; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1491 ngx_connection_t *c; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1492 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1493 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1494 c = wev->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1495 ctx = c->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1496 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1497 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1498 "ssl ocsp write handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1499 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1500 if (wev->timedout) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1501 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1502 "OCSP responder timed out"); |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1503 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1504 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1505 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1506 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1507 size = ctx->request->last - ctx->request->pos; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1508 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1509 n = ngx_send(c, ctx->request->pos, size); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1510 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1511 if (n == NGX_ERROR) { |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1512 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1513 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1514 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1515 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1516 if (n > 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1517 ctx->request->pos += n; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1518 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1519 if (n == size) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1520 wev->handler = ngx_ssl_ocsp_dummy_handler; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1521 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1522 if (wev->timer_set) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1523 ngx_del_timer(wev); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1524 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1525 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1526 if (ngx_handle_write_event(wev, 0) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1527 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1528 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1529 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1530 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1531 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1532 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1533 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
1534 if (!wev->timer_set && ctx->timeout) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1535 ngx_add_timer(wev, ctx->timeout); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1536 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1537 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1538 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1539 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1540 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1541 ngx_ssl_ocsp_read_handler(ngx_event_t *rev) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1542 { |
6810 | 1543 ssize_t n, size; |
1544 ngx_int_t rc; | |
1545 ngx_connection_t *c; | |
1546 ngx_ssl_ocsp_ctx_t *ctx; | |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1547 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1548 c = rev->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1549 ctx = c->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1550 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1551 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1552 "ssl ocsp read handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1553 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1554 if (rev->timedout) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1555 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1556 "OCSP responder timed out"); |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1557 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1558 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1559 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1560 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1561 if (ctx->response == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1562 ctx->response = ngx_create_temp_buf(ctx->pool, 16384); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1563 if (ctx->response == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1564 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1565 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1566 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1567 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1568 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1569 for ( ;; ) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1570 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1571 size = ctx->response->end - ctx->response->last; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1572 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1573 n = ngx_recv(c, ctx->response->last, size); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1574 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1575 if (n > 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1576 ctx->response->last += n; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1577 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1578 rc = ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1579 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1580 if (rc == NGX_ERROR) { |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1581 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1582 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1583 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1584 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1585 continue; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1586 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1587 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1588 if (n == NGX_AGAIN) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1589 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1590 if (ngx_handle_read_event(rev, 0) != NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1591 ngx_ssl_ocsp_error(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1592 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1593 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1594 return; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1595 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1596 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1597 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1598 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1599 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1600 ctx->done = 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1601 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1602 rc = ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1603 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1604 if (rc == NGX_DONE) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1605 /* ctx->handler() was called */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1606 return; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1607 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1608 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1609 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1610 "OCSP responder prematurely closed connection"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1611 |
7652
7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Roman Arutyunyan <arut@nginx.com>
parents:
7651
diff
changeset
|
1612 ngx_ssl_ocsp_next(ctx); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1613 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1614 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1615 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1616 static void |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1617 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1618 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1619 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1620 "ssl ocsp dummy handler"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1621 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1622 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1623 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1624 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1625 ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1626 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1627 int len; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1628 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1629 uintptr_t escape; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1630 ngx_str_t binary, base64; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1631 ngx_buf_t *b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1632 OCSP_CERTID *id; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1633 OCSP_REQUEST *ocsp; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1634 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1635 ocsp = OCSP_REQUEST_new(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1636 if (ocsp == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1637 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1638 "OCSP_REQUEST_new() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1639 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1640 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1641 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1642 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1643 if (id == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1644 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1645 "OCSP_cert_to_id() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1646 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1647 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1648 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1649 if (OCSP_request_add0_id(ocsp, id) == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1650 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1651 "OCSP_request_add0_id() failed"); |
6064
ff957cd36860
OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents:
5777
diff
changeset
|
1652 OCSP_CERTID_free(id); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1653 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1654 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1655 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1656 len = i2d_OCSP_REQUEST(ocsp, NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1657 if (len <= 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1658 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1659 "i2d_OCSP_REQUEST() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1660 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1661 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1662 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1663 binary.len = len; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1664 binary.data = ngx_palloc(ctx->pool, len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1665 if (binary.data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1666 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1667 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1668 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1669 p = binary.data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1670 len = i2d_OCSP_REQUEST(ocsp, &p); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1671 if (len <= 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1672 ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1673 "i2d_OCSP_REQUEST() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1674 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1675 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1676 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1677 base64.len = ngx_base64_encoded_length(binary.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1678 base64.data = ngx_palloc(ctx->pool, base64.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1679 if (base64.data == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1680 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1681 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1682 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1683 ngx_encode_base64(&base64, &binary); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1684 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1685 escape = ngx_escape_uri(NULL, base64.data, base64.len, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1686 NGX_ESCAPE_URI_COMPONENT); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1687 |
4880
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1688 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1689 "ssl ocsp request length %z, escape %d", |
6480 | 1690 base64.len, (int) escape); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1691 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1692 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1693 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1694 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1695 + sizeof(CRLF) - 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1696 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1697 b = ngx_create_temp_buf(ctx->pool, len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1698 if (b == NULL) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1699 goto failed; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1700 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1701 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1702 p = b->last; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1703 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1704 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1705 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1706 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1707 if (ctx->uri.data[ctx->uri.len - 1] != '/') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1708 *p++ = '/'; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1709 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1710 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1711 if (escape == 0) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1712 p = ngx_cpymem(p, base64.data, base64.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1713 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1714 } else { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1715 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1716 NGX_ESCAPE_URI_COMPONENT); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1717 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1718 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1719 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1720 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1721 p = ngx_cpymem(p, ctx->host.data, ctx->host.len); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1722 *p++ = CR; *p++ = LF; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1723 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1724 /* add "\r\n" at the header end */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1725 *p++ = CR; *p++ = LF; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1726 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1727 b->last = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1728 ctx->request = b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1729 |
5683
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1730 OCSP_REQUEST_free(ocsp); |
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1731 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1732 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1733 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1734 failed: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1735 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1736 OCSP_REQUEST_free(ocsp); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1737 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1738 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1739 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1740 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1741 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1742 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1743 ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1744 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1745 ngx_int_t rc; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1746 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1747 rc = ngx_ssl_ocsp_parse_status_line(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1748 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1749 if (rc == NGX_OK) { |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1750 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1751 "ssl ocsp status %ui \"%*s\"", |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1752 ctx->code, |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1753 ctx->header_end - ctx->header_start, |
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1754 ctx->header_start); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1755 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1756 ctx->process = ngx_ssl_ocsp_process_headers; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1757 return ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1758 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1759 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1760 if (rc == NGX_AGAIN) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1761 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1762 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1763 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1764 /* rc == NGX_ERROR */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1765 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1766 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1767 "OCSP responder sent invalid response"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1768 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1769 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1770 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1771 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1772 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1773 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1774 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1775 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1776 u_char ch; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1777 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1778 ngx_buf_t *b; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1779 enum { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1780 sw_start = 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1781 sw_H, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1782 sw_HT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1783 sw_HTT, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1784 sw_HTTP, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1785 sw_first_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1786 sw_major_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1787 sw_first_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1788 sw_minor_digit, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1789 sw_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1790 sw_space_after_status, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1791 sw_status_text, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1792 sw_almost_done |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1793 } state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1794 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1795 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1796 "ssl ocsp process status line"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1797 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1798 state = ctx->state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1799 b = ctx->response; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1800 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1801 for (p = b->pos; p < b->last; p++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1802 ch = *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1803 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1804 switch (state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1805 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1806 /* "HTTP/" */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1807 case sw_start: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1808 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1809 case 'H': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1810 state = sw_H; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1811 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1812 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1813 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1814 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1815 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1816 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1817 case sw_H: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1818 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1819 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1820 state = sw_HT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1821 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1822 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1823 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1824 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1825 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1826 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1827 case sw_HT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1828 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1829 case 'T': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1830 state = sw_HTT; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1831 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1832 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1833 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1834 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1835 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1836 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1837 case sw_HTT: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1838 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1839 case 'P': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1840 state = sw_HTTP; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1841 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1842 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1843 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1844 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1845 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1846 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1847 case sw_HTTP: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1848 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1849 case '/': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1850 state = sw_first_major_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1851 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1852 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1853 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1854 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1855 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1856 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1857 /* the first digit of major HTTP version */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1858 case sw_first_major_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1859 if (ch < '1' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1860 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1861 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1862 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1863 state = sw_major_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1864 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1865 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1866 /* the major HTTP version or dot */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1867 case sw_major_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1868 if (ch == '.') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1869 state = sw_first_minor_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1870 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1871 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1872 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1873 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1874 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1875 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1876 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1877 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1878 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1879 /* the first digit of minor HTTP version */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1880 case sw_first_minor_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1881 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1882 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1883 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1884 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1885 state = sw_minor_digit; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1886 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1887 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1888 /* the minor HTTP version or the end of the request line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1889 case sw_minor_digit: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1890 if (ch == ' ') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1891 state = sw_status; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1892 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1893 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1894 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1895 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1896 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1897 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1898 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1899 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1900 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1901 /* HTTP status code */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1902 case sw_status: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1903 if (ch == ' ') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1904 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1905 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1906 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1907 if (ch < '0' || ch > '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1908 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1909 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1910 |
7067
e3723f2a11b7
Parenthesized ASCII-related calculations.
Valentin Bartenev <vbart@nginx.com>
parents:
6842
diff
changeset
|
1911 ctx->code = ctx->code * 10 + (ch - '0'); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1912 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1913 if (++ctx->count == 3) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1914 state = sw_space_after_status; |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1915 ctx->header_start = p - 2; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1916 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1917 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1918 break; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1919 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1920 /* space or end of line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1921 case sw_space_after_status: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1922 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1923 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1924 state = sw_status_text; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1925 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1926 case '.': /* IIS may send 403.1, 403.2, etc */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1927 state = sw_status_text; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1928 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1929 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1930 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1931 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1932 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1933 ctx->header_end = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1934 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1935 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1936 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1937 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1938 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1939 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1940 /* any text until end of line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1941 case sw_status_text: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1942 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1943 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1944 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1945 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1946 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1947 ctx->header_end = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1948 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1949 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1950 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1951 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1952 /* end of status line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1953 case sw_almost_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1954 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1955 case LF: |
6811
5eb3309d0b9e
OCSP stapling: added http response status logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6810
diff
changeset
|
1956 ctx->header_end = p - 1; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1957 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1958 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1959 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1960 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1961 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1962 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1963 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1964 b->pos = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1965 ctx->state = state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1966 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1967 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1968 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1969 done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1970 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1971 b->pos = p + 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1972 ctx->state = sw_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1973 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1974 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1975 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1976 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1977 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1978 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1979 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1980 { |
4876
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1981 size_t len; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1982 ngx_int_t rc; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1983 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1984 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1985 "ssl ocsp process headers"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1986 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1987 for ( ;; ) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1988 rc = ngx_ssl_ocsp_parse_header_line(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1989 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1990 if (rc == NGX_OK) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1991 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1992 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1993 "ssl ocsp header \"%*s: %*s\"", |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1994 ctx->header_name_end - ctx->header_name_start, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1995 ctx->header_name_start, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1996 ctx->header_end - ctx->header_start, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1997 ctx->header_start); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1998 |
4876
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1999 len = ctx->header_name_end - ctx->header_name_start; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2000 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2001 if (len == sizeof("Content-Type") - 1 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2002 && ngx_strncasecmp(ctx->header_name_start, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2003 (u_char *) "Content-Type", |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2004 sizeof("Content-Type") - 1) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2005 == 0) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2006 { |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2007 len = ctx->header_end - ctx->header_start; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2008 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2009 if (len != sizeof("application/ocsp-response") - 1 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2010 || ngx_strncasecmp(ctx->header_start, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2011 (u_char *) "application/ocsp-response", |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2012 sizeof("application/ocsp-response") - 1) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2013 != 0) |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2014 { |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2015 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2016 "OCSP responder sent invalid " |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2017 "\"Content-Type\" header: \"%*s\"", |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2018 ctx->header_end - ctx->header_start, |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2019 ctx->header_start); |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2020 return NGX_ERROR; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2021 } |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2022 |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2023 continue; |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2024 } |
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
2025 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2026 /* TODO: honor Content-Length */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2027 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2028 continue; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2029 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2030 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2031 if (rc == NGX_DONE) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2032 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2033 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2034 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2035 if (rc == NGX_AGAIN) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2036 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2037 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2038 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2039 /* rc == NGX_ERROR */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2040 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2041 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2042 "OCSP responder sent invalid response"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2043 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2044 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2045 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2046 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2047 ctx->process = ngx_ssl_ocsp_process_body; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2048 return ctx->process(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2049 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2050 |
6810 | 2051 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2052 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2053 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2054 { |
6810 | 2055 u_char c, ch, *p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2056 enum { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2057 sw_start = 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2058 sw_name, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2059 sw_space_before_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2060 sw_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2061 sw_space_after_value, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2062 sw_almost_done, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2063 sw_header_almost_done |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2064 } state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2065 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2066 state = ctx->state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2067 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2068 for (p = ctx->response->pos; p < ctx->response->last; p++) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2069 ch = *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2070 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2071 #if 0 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2072 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2073 "s:%d in:'%02Xd:%c'", state, ch, ch); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2074 #endif |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2075 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2076 switch (state) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2077 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2078 /* first char */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2079 case sw_start: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2080 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2081 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2082 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2083 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2084 state = sw_header_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2085 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2086 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2087 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2088 goto header_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2089 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2090 state = sw_name; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2091 ctx->header_name_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2092 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2093 c = (u_char) (ch | 0x20); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2094 if (c >= 'a' && c <= 'z') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2095 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2096 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2097 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2098 if (ch >= '0' && ch <= '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2099 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2100 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2101 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2102 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2103 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2104 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2105 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2106 /* header name */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2107 case sw_name: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2108 c = (u_char) (ch | 0x20); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2109 if (c >= 'a' && c <= 'z') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2110 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2111 } |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2112 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2113 if (ch == ':') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2114 ctx->header_name_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2115 state = sw_space_before_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2116 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2117 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2118 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2119 if (ch == '-') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2120 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2121 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2122 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2123 if (ch >= '0' && ch <= '9') { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2124 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2125 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2126 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2127 if (ch == CR) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2128 ctx->header_name_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2129 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2130 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2131 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2132 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2133 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2134 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2135 if (ch == LF) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2136 ctx->header_name_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2137 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2138 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2139 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2140 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2141 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2142 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2143 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2144 /* space* before header value */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2145 case sw_space_before_value: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2146 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2147 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2148 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2149 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2150 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2151 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2152 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2153 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2154 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2155 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2156 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2157 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2158 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2159 ctx->header_start = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2160 state = sw_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2161 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2162 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2163 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2164 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2165 /* header value */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2166 case sw_value: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2167 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2168 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2169 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2170 state = sw_space_after_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2171 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2172 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2173 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2174 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2175 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2176 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2177 ctx->header_end = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2178 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2179 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2180 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2181 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2182 /* space* before end of header line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2183 case sw_space_after_value: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2184 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2185 case ' ': |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2186 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2187 case CR: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2188 state = sw_almost_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2189 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2190 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2191 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2192 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2193 state = sw_value; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2194 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2195 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2196 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2197 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2198 /* end of header line */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2199 case sw_almost_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2200 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2201 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2202 goto done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2203 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2204 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2205 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2206 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2207 /* end of header */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2208 case sw_header_almost_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2209 switch (ch) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2210 case LF: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2211 goto header_done; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2212 default: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2213 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2214 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2215 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2216 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2217 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2218 ctx->response->pos = p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2219 ctx->state = state; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2220 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2221 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2222 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2223 done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2224 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2225 ctx->response->pos = p + 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2226 ctx->state = sw_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2227 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2228 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2229 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2230 header_done: |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2231 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2232 ctx->response->pos = p + 1; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2233 ctx->state = sw_start; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2234 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2235 return NGX_DONE; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2236 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2237 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2238 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2239 static ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2240 ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2241 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2242 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2243 "ssl ocsp process body"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2244 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2245 if (ctx->done) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2246 ctx->handler(ctx); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2247 return NGX_DONE; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2248 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2249 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2250 return NGX_AGAIN; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2251 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2252 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2253 |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2254 static ngx_int_t |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2255 ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx) |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2256 { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2257 int n; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2258 size_t len; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2259 X509_STORE *store; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2260 const u_char *p; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2261 OCSP_CERTID *id; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2262 OCSP_RESPONSE *ocsp; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2263 OCSP_BASICRESP *basic; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2264 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2265 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2266 ocsp = NULL; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2267 basic = NULL; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2268 id = NULL; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2269 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2270 if (ctx->code != 200) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2271 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2272 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2273 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2274 /* check the response */ |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2275 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2276 len = ctx->response->last - ctx->response->pos; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2277 p = ctx->response->pos; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2278 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2279 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2280 if (ocsp == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2281 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2282 "d2i_OCSP_RESPONSE() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2283 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2284 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2285 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2286 n = OCSP_response_status(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2287 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2288 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2289 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2290 "OCSP response not successful (%d: %s)", |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2291 n, OCSP_response_status_str(n)); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2292 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2293 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2294 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2295 basic = OCSP_response_get1_basic(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2296 if (basic == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2297 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2298 "OCSP_response_get1_basic() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2299 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2300 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2301 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2302 store = SSL_CTX_get_cert_store(ctx->ssl_ctx); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2303 if (store == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2304 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2305 "SSL_CTX_get_cert_store() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2306 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2307 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2308 |
7651
6ca8e15caf1f
OCSP stapling: keep extra chain in the staple object.
Roman Arutyunyan <arut@nginx.com>
parents:
7650
diff
changeset
|
2309 if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) { |
7650
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2310 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2311 "OCSP_basic_verify() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2312 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2313 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2314 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2315 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2316 if (id == NULL) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2317 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2318 "OCSP_cert_to_id() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2319 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2320 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2321 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2322 if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2323 &thisupdate, &nextupdate) |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2324 != 1) |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2325 { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2326 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2327 "certificate status not found in the OCSP response"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2328 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2329 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2330 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2331 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2332 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2333 "OCSP_check_validity() failed"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2334 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2335 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2336 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2337 if (nextupdate) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2338 ctx->valid = ngx_ssl_stapling_time(nextupdate); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2339 if (ctx->valid == (time_t) NGX_ERROR) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2340 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2341 "invalid nextUpdate time in certificate status"); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2342 goto error; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2343 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2344 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2345 } else { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2346 ctx->valid = NGX_MAX_TIME_T_VALUE; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2347 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2348 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2349 OCSP_CERTID_free(id); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2350 OCSP_BASICRESP_free(basic); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2351 OCSP_RESPONSE_free(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2352 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2353 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2354 "ssl ocsp response, %s, %uz", |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2355 OCSP_cert_status_str(ctx->status), len); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2356 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2357 return NGX_OK; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2358 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2359 error: |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2360 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2361 if (id) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2362 OCSP_CERTID_free(id); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2363 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2364 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2365 if (basic) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2366 OCSP_BASICRESP_free(basic); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2367 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2368 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2369 if (ocsp) { |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2370 OCSP_RESPONSE_free(ocsp); |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2371 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2372 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2373 return NGX_ERROR; |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2374 } |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2375 |
abb6cc8f1dd8
OCSP stapling: moved response verification to a separate function.
Roman Arutyunyan <arut@nginx.com>
parents:
7509
diff
changeset
|
2376 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2377 static u_char * |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2378 ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2379 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2380 u_char *p; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2381 ngx_ssl_ocsp_ctx_t *ctx; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2382 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2383 p = buf; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2384 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2385 if (log->action) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2386 p = ngx_snprintf(buf, len, " while %s", log->action); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2387 len -= p - buf; |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2388 buf = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2389 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2390 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2391 ctx = log->data; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2392 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2393 if (ctx) { |
6813
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2394 p = ngx_snprintf(buf, len, ", responder: %V", &ctx->host); |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2395 len -= p - buf; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2396 buf = p; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2397 } |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2398 |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2399 if (ctx && ctx->peer.name) { |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2400 p = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name); |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2401 len -= p - buf; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2402 buf = p; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2403 } |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2404 |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2405 if (ctx && ctx->name) { |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2406 p = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name); |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2407 len -= p - buf; |
94586180fb41
OCSP stapling: improved error logging context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
2408 buf = p; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2409 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2410 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2411 return p; |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2412 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2413 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2414 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2415 #else |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2416 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2417 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2418 ngx_int_t |
4880
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
2419 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
2420 ngx_str_t *responder, ngx_uint_t verify) |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2421 { |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2422 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2423 "\"ssl_stapling\" ignored, not supported"); |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2424 |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2425 return NGX_OK; |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2426 } |
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2427 |
6810 | 2428 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2429 ngx_int_t |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2430 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2431 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2432 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2433 return NGX_OK; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2434 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
2435 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2436 |
7653
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2437 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2438 ngx_ssl_ocsp(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2439 ngx_uint_t depth) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2440 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2441 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2442 "\"ssl_ocsp\" is not supported on this platform"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2443 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2444 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2445 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2446 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2447 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2448 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2449 ngx_ssl_ocsp_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2450 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2451 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2452 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2453 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2454 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2455 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2456 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2457 ngx_ssl_ocsp_validate(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2458 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2459 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2460 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2461 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2462 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2463 ngx_int_t |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2464 ngx_ssl_ocsp_get_status(ngx_connection_t *c, const char **s) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2465 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2466 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2467 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2468 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2469 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2470 void |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2471 ngx_ssl_ocsp_cleanup(ngx_connection_t *c) |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2472 { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2473 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2474 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7652
diff
changeset
|
2475 |
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2476 #endif |