nginx: src/event/ngx_event_openssl

annotate src/event/ngx_event_openssl_stapling.c @ 7736:a46fcf101cfc

Core: added format specifiers to output binary data as hex. Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase) or "X" (uppercase) to output corresponding data in hexadecimal format. In collaboration with Maxim Dounin.

author	Vladimir Homutov <vl@nginx.com>
date	Wed, 28 Oct 2020 10:56:11 +0300
parents	d752a2c76d49
children	ee40e2b1d083

rev	line source
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2 /*
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	3 * Copyright (C) Maxim Dounin
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	4 * Copyright (C) Nginx, Inc.
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	5 */
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	6
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	7
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	8 #include <ngx_config.h>
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	9 #include <ngx_core.h>
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	10 #include <ngx_event.h>
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	11 #include <ngx_event_connect.h>
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	12
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	13
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5683 diff changeset	14 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	15
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	16
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	17 typedef struct {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	18 ngx_str_t staple;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	19 ngx_msec_t timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	20
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	21 ngx_resolver_t *resolver;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	22 ngx_msec_t resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	23
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	24 ngx_addr_t *addrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	25 ngx_uint_t naddrs;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	26 ngx_str_t host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	27 ngx_str_t uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	28 in_port_t port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	29
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	30 SSL_CTX *ssl_ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	31
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	32 X509 *cert;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	33 X509 *issuer;
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	34 STACK_OF(X509) *chain;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	35
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	36 u_char *name;
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	37
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	38 time_t valid;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	39 time_t refresh;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	40
4879 4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	41 unsigned verify:1;
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	42 unsigned loading:1;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	43 } ngx_ssl_stapling_t;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	44
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	45
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	46 typedef struct {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	47 ngx_addr_t *addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	48 ngx_uint_t naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	49
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	50 ngx_str_t host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	51 ngx_str_t uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	52 in_port_t port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	53 ngx_uint_t depth;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	54
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	55 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	56
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	57 ngx_resolver_t *resolver;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	58 ngx_msec_t resolver_timeout;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	59 } ngx_ssl_ocsp_conf_t;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	60
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	61
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	62 typedef struct {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	63 ngx_rbtree_t rbtree;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	64 ngx_rbtree_node_t sentinel;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	65 ngx_queue_t expire_queue;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	66 } ngx_ssl_ocsp_cache_t;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	67
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	68
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	69 typedef struct {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	70 ngx_str_node_t node;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	71 ngx_queue_t queue;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	72 int status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	73 time_t valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	74 } ngx_ssl_ocsp_cache_node_t;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	75
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	76
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	77 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	78
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	79
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	80 struct ngx_ssl_ocsp_s {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	81 STACK_OF(X509) *certs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	82 ngx_uint_t ncert;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	83
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	84 int cert_status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	85 ngx_int_t status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	86
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	87 ngx_ssl_ocsp_conf_t *conf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	88 ngx_ssl_ocsp_ctx_t *ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	89 };
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	90
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	91
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	92 struct ngx_ssl_ocsp_ctx_s {
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	93 SSL_CTX *ssl_ctx;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	94
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	95 X509 *cert;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	96 X509 *issuer;
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	97 STACK_OF(X509) *chain;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	98
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	99 int status;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	100 time_t valid;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	101
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	102 u_char *name;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	103
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	104 ngx_uint_t naddrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	105 ngx_uint_t naddr;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	106
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	107 ngx_addr_t *addrs;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	108 ngx_str_t host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	109 ngx_str_t uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	110 in_port_t port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	111
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	112 ngx_resolver_t *resolver;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	113 ngx_msec_t resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	114
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	115 ngx_msec_t timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	116
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	117 void (handler)(ngx_ssl_ocsp_ctx_t ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	118 void *data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	119
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	120 ngx_str_t key;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	121 ngx_buf_t *request;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	122 ngx_buf_t *response;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	123 ngx_peer_connection_t peer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	124
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	125 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	126
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	127 ngx_int_t (process)(ngx_ssl_ocsp_ctx_t ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	128
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	129 ngx_uint_t state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	130
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	131 ngx_uint_t code;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	132 ngx_uint_t count;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	133 ngx_uint_t flags;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	134 ngx_uint_t done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	135
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	136 u_char *header_name_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	137 u_char *header_name_end;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	138 u_char *header_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	139 u_char *header_end;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	140
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	141 ngx_pool_t *pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	142 ngx_log_t *log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	143 };
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	144
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	145
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	146 static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t cf, ngx_ssl_t ssl,
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	147 X509 cert, ngx_str_t file, ngx_str_t *responder, ngx_uint_t verify);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	148 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t cf, ngx_ssl_t ssl,
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	149 ngx_ssl_stapling_t staple, ngx_str_t file);
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	150 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	151 ngx_ssl_stapling_t *staple);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	152 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t cf, ngx_ssl_t ssl,
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	153 ngx_ssl_stapling_t staple, ngx_str_t responder);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	154
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	155 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	156 void *data);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	157 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	158 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	159
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	160 static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time);
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	161
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	162 static void ngx_ssl_stapling_cleanup(void *data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	163
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	164 static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	165 static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	166 static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	167 ngx_ssl_ocsp_ctx_t *ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	168
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	169 static ngx_ssl_ocsp_ctx_t ngx_ssl_ocsp_start(ngx_log_t log);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	170 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx);
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	171 static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	172 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	173 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	174 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	175 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	176 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	177 static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	178
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	179 static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	180 static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	181 static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	182 static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	183 static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	184 static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx);
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	185 static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	186
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	187 static ngx_int_t ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	188 static ngx_int_t ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	189 static ngx_int_t ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	190
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	191 static u_char ngx_ssl_ocsp_log_error(ngx_log_t log, u_char *buf, size_t len);
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	192
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	193
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	194 ngx_int_t
4879 4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	195 ngx_ssl_stapling(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file,
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	196 ngx_str_t *responder, ngx_uint_t verify)
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	197 {
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	198 X509 *cert;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	199
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	200 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	201 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	202 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	203 {
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	204 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	205 != NGX_OK)
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	206 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	207 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	208 }
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	209 }
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	210
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	211 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	212
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	213 return NGX_OK;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	214 }
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	215
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	216
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	217 static ngx_int_t
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	218 ngx_ssl_stapling_certificate(ngx_conf_t cf, ngx_ssl_t ssl, X509 *cert,
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	219 ngx_str_t file, ngx_str_t responder, ngx_uint_t verify)
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	220 {
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	221 ngx_int_t rc;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	222 ngx_pool_cleanup_t *cln;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	223 ngx_ssl_stapling_t *staple;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	224
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	225 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	226 if (staple == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	227 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	228 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	229
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	230 cln = ngx_pool_cleanup_add(cf->pool, 0);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	231 if (cln == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	232 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	233 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	234
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	235 cln->handler = ngx_ssl_stapling_cleanup;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	236 cln->data = staple;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	237
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	238 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	239 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	240 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	241 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	242
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	243 #ifdef SSL_CTRL_SELECT_CURRENT_CERT
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	244 /* OpenSSL 1.0.2+ */
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	245 SSL_CTX_select_current_cert(ssl->ctx, cert);
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	246 #endif
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	247
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	248 #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	249 /* OpenSSL 1.0.1+ */
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	250 SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	251 #else
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	252 staple->chain = ssl->ctx->extra_certs;
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	253 #endif
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	254
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	255 staple->ssl_ctx = ssl->ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	256 staple->timeout = 60000;
4879 4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	257 staple->verify = verify;
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	258 staple->cert = cert;
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	259 staple->name = X509_get_ex_data(staple->cert,
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	260 ngx_ssl_certificate_name_index);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	261
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	262 if (file->len) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	263 /* use OCSP response from the file */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	264
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	265 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	266 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	267 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	268
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	269 return NGX_OK;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	270 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	271
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	272 rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	273
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	274 if (rc == NGX_DECLINED) {
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	275 return NGX_OK;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	276 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	277
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	278 if (rc != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	279 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	280 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	281
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	282 rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	283
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	284 if (rc == NGX_DECLINED) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	285 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	286 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	287
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	288 if (rc != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	289 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	290 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	291
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	292 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	293 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	294
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	295
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	296 static ngx_int_t
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	297 ngx_ssl_stapling_file(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	298 ngx_ssl_stapling_t staple, ngx_str_t file)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	299 {
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	300 BIO *bio;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	301 int len;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	302 u_char p, buf;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	303 OCSP_RESPONSE *response;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	304
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	305 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	306 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	307 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	308
7485 edf5cd6c56fa OCSP stapling: open ssl_stapling_file in binary-mode. Sergey Kandaurov <pluknet@nginx.com> parents: 7067 diff changeset	309 bio = BIO_new_file((char *) file->data, "rb");
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	310 if (bio == NULL) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	311 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	312 "BIO_new_file(\"%s\") failed", file->data);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	313 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	314 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	315
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	316 response = d2i_OCSP_RESPONSE_bio(bio, NULL);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	317 if (response == NULL) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	318 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	319 "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	320 BIO_free(bio);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	321 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	322 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	323
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	324 len = i2d_OCSP_RESPONSE(response, NULL);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	325 if (len <= 0) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	326 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	327 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	328 goto failed;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	329 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	330
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	331 buf = ngx_alloc(len, ssl->log);
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	332 if (buf == NULL) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	333 goto failed;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	334 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	335
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	336 p = buf;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	337 len = i2d_OCSP_RESPONSE(response, &p);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	338 if (len <= 0) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	339 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	340 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	341 ngx_free(buf);
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	342 goto failed;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	343 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	344
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	345 OCSP_RESPONSE_free(response);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	346 BIO_free(bio);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	347
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	348 staple->staple.data = buf;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	349 staple->staple.len = len;
6205 dcae651b2a0c OCSP stapling: fixed ssl_stapling_file (ticket #769). Maxim Dounin <mdounin@mdounin.ru> parents: 6181 diff changeset	350 staple->valid = NGX_MAX_TIME_T_VALUE;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	351
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	352 return NGX_OK;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	353
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	354 failed:
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	355
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	356 OCSP_RESPONSE_free(response);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	357 BIO_free(bio);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	358
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	359 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	360 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	361
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	362
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	363 static ngx_int_t
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	364 ngx_ssl_stapling_issuer(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	365 ngx_ssl_stapling_t *staple)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	366 {
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	367 int i, n, rc;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	368 X509 cert, issuer;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	369 X509_STORE *store;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	370 X509_STORE_CTX *store_ctx;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	371
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	372 cert = staple->cert;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	373
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	374 n = sk_X509_num(staple->chain);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	375
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	376 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	377 "SSL get issuer: %d extra certs", n);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	378
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	379 for (i = 0; i < n; i++) {
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	380 issuer = sk_X509_value(staple->chain, i);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	381 if (X509_check_issued(issuer, cert) == X509_V_OK) {
6491 45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	382 #if OPENSSL_VERSION_NUMBER >= 0x10100001L
45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	383 X509_up_ref(issuer);
45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	384 #else
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	385 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
6491 45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	386 #endif
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	387
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	388 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	389 "SSL get issuer: found %p in extra certs", issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	390
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	391 staple->issuer = issuer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	392
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	393 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	394 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	395 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	396
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	397 store = SSL_CTX_get_cert_store(ssl->ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	398 if (store == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	399 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	400 "SSL_CTX_get_cert_store() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	401 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	402 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	403
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	404 store_ctx = X509_STORE_CTX_new();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	405 if (store_ctx == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	406 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	407 "X509_STORE_CTX_new() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	408 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	409 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	410
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	411 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	412 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	413 "X509_STORE_CTX_init() failed");
6064 ff957cd36860 OCSP stapling: missing free calls. Filipe da Silva <fdasilva@ingima.com> parents: 5777 diff changeset	414 X509_STORE_CTX_free(store_ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	415 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	416 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	417
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	418 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	419
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	420 if (rc == -1) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	421 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	422 "X509_STORE_CTX_get1_issuer() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	423 X509_STORE_CTX_free(store_ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	424 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	425 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	426
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	427 if (rc == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	428 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	429 "\"ssl_stapling\" ignored, "
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	430 "issuer certificate not found for certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	431 staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	432 X509_STORE_CTX_free(store_ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	433 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	434 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	435
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	436 X509_STORE_CTX_free(store_ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	437
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	438 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	439 "SSL get issuer: found %p in cert store", issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	440
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	441 staple->issuer = issuer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	442
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	443 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	444 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	445
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	446
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	447 static ngx_int_t
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	448 ngx_ssl_stapling_responder(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	449 ngx_ssl_stapling_t staple, ngx_str_t responder)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	450 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	451 char *s;
6688 6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs. Maxim Dounin <mdounin@mdounin.ru> parents: 6593 diff changeset	452 ngx_str_t rsp;
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	453 ngx_url_t u;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	454 STACK_OF(OPENSSL_STRING) *aia;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	455
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	456 if (responder->len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	457
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	458 /* extract OCSP responder URL from certificate */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	459
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	460 aia = X509_get1_ocsp(staple->cert);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	461 if (aia == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	462 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	463 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	464 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	465 staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	466 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	467 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	468
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	469 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	470 s = sk_OPENSSL_STRING_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	471 #else
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	472 s = sk_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	473 #endif
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	474 if (s == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	475 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	476 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	477 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	478 staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	479 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	480 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	481 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	482
6688 6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs. Maxim Dounin <mdounin@mdounin.ru> parents: 6593 diff changeset	483 responder = &rsp;
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs. Maxim Dounin <mdounin@mdounin.ru> parents: 6593 diff changeset	484
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	485 responder->len = ngx_strlen(s);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	486 responder->data = ngx_palloc(cf->pool, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	487 if (responder->data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	488 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	489 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	490 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	491
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	492 ngx_memcpy(responder->data, s, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	493 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	494 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	495
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	496 ngx_memzero(&u, sizeof(ngx_url_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	497
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	498 u.url = *responder;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	499 u.default_port = 80;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	500 u.uri_part = 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	501
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	502 if (u.url.len > 7
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	503 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	504 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	505 u.url.len -= 7;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	506 u.url.data += 7;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	507
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	508 } else {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	509 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	510 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	511 "invalid URL prefix in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	512 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	513 &u.url, staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	514 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	515 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	516
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	517 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	518 if (u.err) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	519 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	520 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	521 "%s in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	522 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	523 u.err, &u.url, staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	524 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	525 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	526
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	527 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	528 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	529
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	530 staple->addrs = u.addrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	531 staple->naddrs = u.naddrs;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	532 staple->host = u.host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	533 staple->uri = u.uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	534 staple->port = u.port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	535
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	536 if (staple->uri.len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	537 ngx_str_set(&staple->uri, "/");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	538 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	539
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	540 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	541 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	542
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	543
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	544 ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	545 ngx_ssl_stapling_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	546 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	547 {
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	548 X509 *cert;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	549 ngx_ssl_stapling_t *staple;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	550
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	551 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	552 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	553 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	554 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	555 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	556 staple->resolver = resolver;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	557 staple->resolver_timeout = resolver_timeout;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	558 }
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	559
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	560 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	561 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	562
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	563
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	564 static int
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	565 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t ssl_conn, void data)
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	566 {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	567 int rc;
6546 a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	568 X509 *cert;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	569 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	570 ngx_connection_t *c;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	571 ngx_ssl_stapling_t *staple;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	572
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	573 c = ngx_ssl_get_connection(ssl_conn);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	574
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	575 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	576 "SSL certificate status callback");
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	577
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	578 rc = SSL_TLSEXT_ERR_NOACK;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	579
6546 a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	580 cert = SSL_get_certificate(ssl_conn);
7493 dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	581
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	582 if (cert == NULL) {
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	583 return rc;
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	584 }
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	585
6546 a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	586 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	587
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	588 if (staple == NULL) {
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	589 return rc;
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	590 }
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	591
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	592 if (staple->staple.len
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	593 && staple->valid >= ngx_time())
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	594 {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	595 /* we have to copy ocsp response as OpenSSL will free it by itself */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	596
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	597 p = OPENSSL_malloc(staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	598 if (p == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	599 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	600 return SSL_TLSEXT_ERR_NOACK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	601 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	602
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	603 ngx_memcpy(p, staple->staple.data, staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	604
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	605 SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	606
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	607 rc = SSL_TLSEXT_ERR_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	608 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	609
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	610 ngx_ssl_stapling_update(staple);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	611
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	612 return rc;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	613 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	614
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	615
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	616 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	617 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	618 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	619 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	620
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	621 if (staple->host.len == 0
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	622 \|\| staple->loading \|\| staple->refresh >= ngx_time())
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	623 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	624 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	625 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	626
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	627 staple->loading = 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	628
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	629 ctx = ngx_ssl_ocsp_start(ngx_cycle->log);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	630 if (ctx == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	631 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	632 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	633
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	634 ctx->ssl_ctx = staple->ssl_ctx;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	635 ctx->cert = staple->cert;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	636 ctx->issuer = staple->issuer;
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	637 ctx->chain = staple->chain;
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	638 ctx->name = staple->name;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	639 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	640
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	641 ctx->addrs = staple->addrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	642 ctx->naddrs = staple->naddrs;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	643 ctx->host = staple->host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	644 ctx->uri = staple->uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	645 ctx->port = staple->port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	646 ctx->timeout = staple->timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	647
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	648 ctx->resolver = staple->resolver;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	649 ctx->resolver_timeout = staple->resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	650
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	651 ctx->handler = ngx_ssl_stapling_ocsp_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	652 ctx->data = staple;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	653
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	654 ngx_ssl_ocsp_request(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	655
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	656 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	657 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	658
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	659
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	660 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	661 ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	662 {
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	663 time_t now;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	664 ngx_str_t response;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	665 ngx_ssl_stapling_t *staple;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	666
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	667 staple = ctx->data;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	668 now = ngx_time();
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	669
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	670 if (ngx_ssl_ocsp_verify(ctx) != NGX_OK) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	671 goto error;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	672 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	673
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	674 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	675 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	676 "certificate status \"%s\" in the OCSP response",
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	677 OCSP_cert_status_str(ctx->status));
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	678 goto error;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	679 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	680
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	681 /* copy the response to memory not in ctx->pool */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	682
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	683 response.len = ctx->response->last - ctx->response->pos;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	684 response.data = ngx_alloc(response.len, ctx->log);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	685
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	686 if (response.data == NULL) {
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	687 goto error;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	688 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	689
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	690 ngx_memcpy(response.data, ctx->response->pos, response.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	691
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	692 if (staple->staple.data) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	693 ngx_free(staple->staple.data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	694 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	695
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	696 staple->staple = response;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	697 staple->valid = ctx->valid;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	698
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	699 /*
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	700 * refresh before the response expires,
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	701 * but not earlier than in 5 minutes, and at least in an hour
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	702 */
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	703
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	704 staple->loading = 0;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	705 staple->refresh = ngx_max(ngx_min(ctx->valid - 300, now + 3600), now + 300);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	706
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	707 ngx_ssl_ocsp_done(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	708 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	709
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	710 error:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	711
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	712 staple->loading = 0;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	713 staple->refresh = now + 300;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	714
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	715 ngx_ssl_ocsp_done(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	716 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	717
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	718
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	719 static time_t
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	720 ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time)
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	721 {
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	722 BIO *bio;
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	723 char *value;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	724 size_t len;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	725 time_t time;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	726
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	727 /*
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	728 * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	729 * into time_t. To do this, we use ASN1_GENERALIZEDTIME_print(),
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	730 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	731 * "Feb 3 00:55:52 2015 GMT"), and parse the result.
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	732 */
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	733
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	734 bio = BIO_new(BIO_s_mem());
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	735 if (bio == NULL) {
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	736 return NGX_ERROR;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	737 }
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	738
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	739 /* fake weekday prepended to match C asctime() format */
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	740
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	741 BIO_write(bio, "Tue ", sizeof("Tue ") - 1);
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	742 ASN1_GENERALIZEDTIME_print(bio, asn1time);
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	743 len = BIO_get_mem_data(bio, &value);
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	744
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	745 time = ngx_parse_http_time((u_char *) value, len);
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	746
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	747 BIO_free(bio);
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	748
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	749 return time;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	750 }
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	751
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	752
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	753 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	754 ngx_ssl_stapling_cleanup(void *data)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	755 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	756 ngx_ssl_stapling_t *staple = data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	757
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	758 if (staple->issuer) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	759 X509_free(staple->issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	760 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	761
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	762 if (staple->staple.data) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	763 ngx_free(staple->staple.data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	764 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	765 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	766
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	767
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	768 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	769 ngx_ssl_ocsp(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *responder,
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	770 ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	771 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	772 ngx_url_t u;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	773 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	774
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	775 ocf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	776 if (ocf == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	777 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	778 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	779
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	780 ocf->depth = depth;
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	781 ocf->shm_zone = shm_zone;
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	782
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	783 if (responder->len) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	784 ngx_memzero(&u, sizeof(ngx_url_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	785
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	786 u.url = *responder;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	787 u.default_port = 80;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	788 u.uri_part = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	789
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	790 if (u.url.len > 7
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	791 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	792 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	793 u.url.len -= 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	794 u.url.data += 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	795
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	796 } else {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	797 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	798 "invalid URL prefix in OCSP responder \"%V\" "
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	799 "in \"ssl_ocsp_responder\"", &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	800 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	801 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	802
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	803 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	804 if (u.err) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	805 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	806 "%s in OCSP responder \"%V\" "
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	807 "in \"ssl_ocsp_responder\"", u.err, &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	808 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	809
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	810 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	811 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	812
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	813 ocf->addrs = u.addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	814 ocf->naddrs = u.naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	815 ocf->host = u.host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	816 ocf->uri = u.uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	817 ocf->port = u.port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	818 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	819
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	820 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, ocf) == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	821 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	822 "SSL_CTX_set_ex_data() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	823 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	824 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	825
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	826 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	827 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	828
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	829
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	830 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	831 ngx_ssl_ocsp_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	832 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	833 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	834 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	835
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	836 ocf = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_ocsp_index);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	837 ocf->resolver = resolver;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	838 ocf->resolver_timeout = resolver_timeout;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	839
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	840 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	841 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	842
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	843
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	844 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	845 ngx_ssl_ocsp_validate(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	846 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	847 X509 *cert;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	848 SSL_CTX *ssl_ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	849 ngx_int_t rc;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	850 X509_STORE *store;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	851 X509_STORE_CTX *store_ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	852 STACK_OF(X509) *chain;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	853 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	854 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	855
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	856 if (c->ssl->in_ocsp) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	857 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	858 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	859 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	860
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	861 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	862 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	863 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	864
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	865 return NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	866 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	867
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	868 ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	869
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	870 ocf = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ocsp_index);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	871 if (ocf == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	872 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	873 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	874
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	875 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	876 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	877 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	878
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	879 cert = SSL_get_peer_certificate(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	880 if (cert == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	881 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	882 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	883
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	884 ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	885 if (ocsp == NULL) {
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	886 X509_free(cert);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	887 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	888 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	889
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	890 c->ssl->ocsp = ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	891
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	892 ocsp->status = NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	893 ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	894 ocsp->conf = ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	895
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	896 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	897
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	898 ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	899
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	900 if (ocsp->certs) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	901 ocsp->certs = X509_chain_up_ref(ocsp->certs);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	902 if (ocsp->certs == NULL) {
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	903 X509_free(cert);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	904 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	905 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	906 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	907
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	908 #endif
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	909
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	910 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	911 store = SSL_CTX_get_cert_store(ssl_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	912 if (store == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	913 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	914 "SSL_CTX_get_cert_store() failed");
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	915 X509_free(cert);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	916 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	917 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	918
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	919 store_ctx = X509_STORE_CTX_new();
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	920 if (store_ctx == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	921 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	922 "X509_STORE_CTX_new() failed");
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	923 X509_free(cert);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	924 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	925 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	926
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	927 chain = SSL_get_peer_cert_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	928
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	929 if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	930 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	931 "X509_STORE_CTX_init() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	932 X509_STORE_CTX_free(store_ctx);
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	933 X509_free(cert);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	934 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	935 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	936
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	937 rc = X509_verify_cert(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	938 if (rc <= 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	939 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	940 X509_STORE_CTX_free(store_ctx);
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	941 X509_free(cert);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	942 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	943 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	944
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	945 ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	946 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	947 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	948 "X509_STORE_CTX_get1_chain() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	949 X509_STORE_CTX_free(store_ctx);
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	950 X509_free(cert);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	951 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	952 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	953
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	954 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	955 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	956
7687 d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	957 X509_free(cert);
d752a2c76d49 OCSP: fixed certificate reference leak. Sergey Kandaurov <pluknet@nginx.com> parents: 7667 diff changeset	958
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	959 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
7655 bd4d1b9db0ee Fixed format specifiers. Sergey Kandaurov <pluknet@nginx.com> parents: 7654 diff changeset	960 "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs));
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	961
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	962 ngx_ssl_ocsp_validate_next(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	963
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	964 if (ocsp->status == NGX_AGAIN) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	965 c->ssl->in_ocsp = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	966 return NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	967 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	968
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	969 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	970 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	971
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	972
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	973 static void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	974 ngx_ssl_ocsp_validate_next(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	975 {
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	976 ngx_int_t rc;
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	977 ngx_uint_t n;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	978 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	979 ngx_ssl_ocsp_ctx_t *ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	980 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	981
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	982 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	983 ocf = ocsp->conf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	984
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	985 n = sk_X509_num(ocsp->certs);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	986
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	987 for ( ;; ) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	988
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	989 if (ocsp->ncert == n - 1 \|\| (ocf->depth == 2 && ocsp->ncert == 1)) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	990 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	991 "ssl ocsp validated, certs:%ui", ocsp->ncert);
7667 1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	992 rc = NGX_OK;
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	993 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	994 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	995
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	996 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	997 "ssl ocsp validate cert:%ui", ocsp->ncert);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	998
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	999 ctx = ngx_ssl_ocsp_start(c->log);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1000 if (ctx == NULL) {
7667 1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1001 rc = NGX_ERROR;
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1002 goto done;
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1003 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1004
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1005 ocsp->ctx = ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1006
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1007 ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1008 ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1009 ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1010 ctx->chain = ocsp->certs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1011
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1012 ctx->resolver = ocf->resolver;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1013 ctx->resolver_timeout = ocf->resolver_timeout;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1014
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1015 ctx->handler = ngx_ssl_ocsp_handler;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1016 ctx->data = c;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1017
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1018 ctx->shm_zone = ocf->shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1019
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1020 ctx->addrs = ocf->addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1021 ctx->naddrs = ocf->naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1022 ctx->host = ocf->host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1023 ctx->uri = ocf->uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1024 ctx->port = ocf->port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1025
7667 1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1026 rc = ngx_ssl_ocsp_responder(c, ctx);
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1027 if (rc != NGX_OK) {
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1028 goto done;
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1029 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1030
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1031 if (ctx->uri.len == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1032 ngx_str_set(&ctx->uri, "/");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1033 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1034
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1035 ocsp->ncert++;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1036
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1037 rc = ngx_ssl_ocsp_cache_lookup(ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1038
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1039 if (rc == NGX_ERROR) {
7667 1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1040 goto done;
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1041 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1042
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1043 if (rc == NGX_DECLINED) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1044 break;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1045 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1046
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1047 /* rc == NGX_OK */
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1048
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1049 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1050 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1051 "ssl ocsp cached status \"%s\"",
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1052 OCSP_cert_status_str(ctx->status));
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1053 ocsp->cert_status = ctx->status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1054 goto done;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1055 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1056
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1057 ocsp->ctx = NULL;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1058 ngx_ssl_ocsp_done(ctx);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1059 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1060
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1061 ngx_ssl_ocsp_request(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1062 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1063
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1064 done:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1065
7667 1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1066 ocsp->status = rc;
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1067
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1068 if (c->ssl->in_ocsp) {
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1069 c->ssl->handshaked = 1;
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1070 c->ssl->handler(c);
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1071 }
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1072 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1073
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1074
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1075 static void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1076 ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1077 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1078 ngx_int_t rc;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1079 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1080 ngx_connection_t *c;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1081
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1082 c = ctx->data;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1083 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1084 ocsp->ctx = NULL;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1085
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1086 rc = ngx_ssl_ocsp_verify(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1087 if (rc != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1088 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1089 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1090
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1091 rc = ngx_ssl_ocsp_cache_store(ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1092 if (rc != NGX_OK) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1093 goto done;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1094 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1095
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1096 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1097 ocsp->cert_status = ctx->status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1098 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1099 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1100
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1101 ngx_ssl_ocsp_done(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1102
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1103 ngx_ssl_ocsp_validate_next(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1104
7667 1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1105 return;
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1106
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1107 done:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1108
7667 1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1109 ocsp->status = rc;
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1110 ngx_ssl_ocsp_done(ctx);
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1111
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1112 if (c->ssl->in_ocsp) {
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1113 c->ssl->handshaked = 1;
1ece2ac2555a OCSP: fixed use-after-free on error. Roman Arutyunyan <arut@nginx.com> parents: 7655 diff changeset	1114 c->ssl->handler(c);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1115 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1116 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1117
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1118
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1119 static ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1120 ngx_ssl_ocsp_responder(ngx_connection_t c, ngx_ssl_ocsp_ctx_t ctx)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1121 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1122 char *s;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1123 ngx_str_t responder;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1124 ngx_url_t u;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1125 STACK_OF(OPENSSL_STRING) *aia;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1126
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1127 if (ctx->host.len) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1128 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1129 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1130
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1131 /* extract OCSP responder URL from certificate */
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1132
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1133 aia = X509_get1_ocsp(ctx->cert);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1134 if (aia == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1135 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1136 "no OCSP responder URL in certificate");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1137 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1138 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1139
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1140 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1141 s = sk_OPENSSL_STRING_value(aia, 0);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1142 #else
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1143 s = sk_value(aia, 0);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1144 #endif
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1145 if (s == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1146 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1147 "no OCSP responder URL in certificate");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1148 X509_email_free(aia);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1149 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1150 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1151
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1152 responder.len = ngx_strlen(s);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1153 responder.data = ngx_palloc(ctx->pool, responder.len);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1154 if (responder.data == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1155 X509_email_free(aia);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1156 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1157 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1158
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1159 ngx_memcpy(responder.data, s, responder.len);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1160 X509_email_free(aia);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1161
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1162 ngx_memzero(&u, sizeof(ngx_url_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1163
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1164 u.url = responder;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1165 u.default_port = 80;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1166 u.uri_part = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1167 u.no_resolve = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1168
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1169 if (u.url.len > 7
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1170 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1171 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1172 u.url.len -= 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1173 u.url.data += 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1174
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1175 } else {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1176 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1177 "invalid URL prefix in OCSP responder \"%V\" "
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1178 "in certificate", &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1179 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1180 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1181
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1182 if (ngx_parse_url(ctx->pool, &u) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1183 if (u.err) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1184 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1185 "%s in OCSP responder \"%V\" in certificate",
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1186 u.err, &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1187 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1188
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1189 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1190 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1191
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1192 if (u.host.len == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1193 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1194 "empty host in OCSP responder in certificate");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1195 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1196 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1197
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1198 ctx->addrs = u.addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1199 ctx->naddrs = u.naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1200 ctx->host = u.host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1201 ctx->uri = u.uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1202 ctx->port = u.port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1203
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1204 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1205 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1206
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1207
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1208 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1209 ngx_ssl_ocsp_get_status(ngx_connection_t c, const char *s)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1210 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1211 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1212
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1213 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1214 if (ocsp == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1215 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1216 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1217
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1218 if (ocsp->status == NGX_ERROR) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1219 *s = "certificate status request failed";
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1220 return NGX_DECLINED;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1221 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1222
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1223 switch (ocsp->cert_status) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1224
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1225 case V_OCSP_CERTSTATUS_GOOD:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1226 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1227
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1228 case V_OCSP_CERTSTATUS_REVOKED:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1229 *s = "certificate revoked";
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1230 break;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1231
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1232 default: /* V_OCSP_CERTSTATUS_UNKNOWN */
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1233 *s = "certificate status unknown";
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1234 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1235
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1236 return NGX_DECLINED;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1237 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1238
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1239
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1240 void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1241 ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1242 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1243 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1244
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1245 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1246 if (ocsp == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1247 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1248 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1249
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1250 if (ocsp->ctx) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1251 ngx_ssl_ocsp_done(ocsp->ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1252 ocsp->ctx = NULL;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1253 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1254
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1255 if (ocsp->certs) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1256 sk_X509_pop_free(ocsp->certs, X509_free);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1257 ocsp->certs = NULL;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1258 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1259 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1260
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1261
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1262 static ngx_ssl_ocsp_ctx_t *
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1263 ngx_ssl_ocsp_start(ngx_log_t *log)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1264 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1265 ngx_pool_t *pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1266 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1267
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1268 pool = ngx_create_pool(2048, log);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1269 if (pool == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1270 return NULL;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1271 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1272
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1273 ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1274 if (ctx == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1275 ngx_destroy_pool(pool);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1276 return NULL;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1277 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1278
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1279 log = ngx_palloc(pool, sizeof(ngx_log_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1280 if (log == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1281 ngx_destroy_pool(pool);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1282 return NULL;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1283 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1284
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1285 ctx->pool = pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1286
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1287 log = ctx->pool->log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1288
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1289 ctx->pool->log = log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1290 ctx->log = log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1291
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1292 log->handler = ngx_ssl_ocsp_log_error;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1293 log->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1294 log->action = "requesting certificate status";
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1295
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1296 return ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1297 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1298
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1299
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1300 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1301 ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1302 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1303 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1304 "ssl ocsp done");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1305
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1306 if (ctx->peer.connection) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1307 ngx_close_connection(ctx->peer.connection);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1308 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1309
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1310 ngx_destroy_pool(ctx->pool);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1311 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1312
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1313
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1314 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1315 ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1316 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1317 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1318 "ssl ocsp error");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1319
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1320 ctx->code = 0;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1321 ctx->handler(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1322 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1323
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1324
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1325 static void
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1326 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx)
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1327 {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1328 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1329 "ssl ocsp next");
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1330
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1331 if (++ctx->naddr >= ctx->naddrs) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1332 ngx_ssl_ocsp_error(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1333 return;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1334 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1335
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1336 ctx->request->pos = ctx->request->start;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1337
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1338 if (ctx->response) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1339 ctx->response->last = ctx->response->pos;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1340 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1341
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1342 if (ctx->peer.connection) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1343 ngx_close_connection(ctx->peer.connection);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1344 ctx->peer.connection = NULL;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1345 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1346
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1347 ctx->state = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1348 ctx->count = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1349 ctx->done = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1350
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1351 ngx_ssl_ocsp_connect(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1352 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1353
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1354
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1355 static void
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1356 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1357 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1358 ngx_resolver_ctx_t *resolve, temp;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1359
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1360 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1361 "ssl ocsp request");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1362
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1363 if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1364 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1365 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1366 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1367
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1368 if (ctx->resolver) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1369 /* resolve OCSP responder hostname */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1370
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1371 temp.name = ctx->host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1372
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1373 resolve = ngx_resolve_start(ctx->resolver, &temp);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1374 if (resolve == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1375 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1376 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1377 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1378
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1379 if (resolve == NGX_NO_RESOLVER) {
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1380 if (ctx->naddrs == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1381 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1382 "no resolver defined to resolve %V", &ctx->host);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1383
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1384 ngx_ssl_ocsp_error(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1385 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1386 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1387
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1388 ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1389 "no resolver defined to resolve %V", &ctx->host);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1390 goto connect;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1391 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1392
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1393 resolve->name = ctx->host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1394 resolve->handler = ngx_ssl_ocsp_resolve_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1395 resolve->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1396 resolve->timeout = ctx->resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1397
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1398 if (ngx_resolve_name(resolve) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1399 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1400 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1401 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1402
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1403 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1404 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1405
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1406 connect:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1407
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1408 ngx_ssl_ocsp_connect(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1409 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1410
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1411
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1412 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1413 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1414 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1415 ngx_ssl_ocsp_ctx_t *ctx = resolve->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1416
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1417 u_char *p;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1418 size_t len;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1419 socklen_t socklen;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1420 ngx_uint_t i;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1421 struct sockaddr *sockaddr;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1422
5234 a855ae7e6377 OCSP stapling: fixed incorrect debug level. Ruslan Ermilov <ru@nginx.com> parents: 5215 diff changeset	1423 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1424 "ssl ocsp resolve handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1425
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1426 if (resolve->state) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1427 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1428 "%V could not be resolved (%i: %s)",
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1429 &resolve->name, resolve->state,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1430 ngx_resolver_strerror(resolve->state));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1431 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1432 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1433
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1434 #if (NGX_DEBUG)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1435 {
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1436 u_char text[NGX_SOCKADDR_STRLEN];
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1437 ngx_str_t addr;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1438
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1439 addr.data = text;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1440
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1441 for (i = 0; i < resolve->naddrs; i++) {
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1442 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr,
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1443 resolve->addrs[i].socklen,
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1444 text, NGX_SOCKADDR_STRLEN, 0);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1445
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1446 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1447 "name was resolved to %V", &addr);
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1448
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1449 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1450 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1451 #endif
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1452
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1453 ctx->naddrs = resolve->naddrs;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1454 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1455
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1456 if (ctx->addrs == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1457 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1458 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1459
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1460 for (i = 0; i < resolve->naddrs; i++) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1461
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1462 socklen = resolve->addrs[i].socklen;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1463
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1464 sockaddr = ngx_palloc(ctx->pool, socklen);
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1465 if (sockaddr == NULL) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1466 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1467 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1468
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1469 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen);
6593 b3b7e33083ac Introduced ngx_inet_get_port() and ngx_inet_set_port() functions. Roman Arutyunyan <arut@nginx.com> parents: 6549 diff changeset	1470 ngx_inet_set_port(sockaddr, ctx->port);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1471
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1472 ctx->addrs[i].sockaddr = sockaddr;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1473 ctx->addrs[i].socklen = socklen;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1474
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1475 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1476 if (p == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1477 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1478 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1479
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1480 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1481
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1482 ctx->addrs[i].name.len = len;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1483 ctx->addrs[i].name.data = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1484 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1485
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1486 ngx_resolve_name_done(resolve);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1487
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1488 ngx_ssl_ocsp_connect(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1489 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1490
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1491 failed:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1492
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1493 ngx_resolve_name_done(resolve);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1494 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1495 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1496
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1497
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1498 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1499 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1500 {
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1501 ngx_int_t rc;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1502 ngx_addr_t *addr;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1503
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1504 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1505 "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1506
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1507 addr = &ctx->addrs[ctx->naddr];
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1508
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1509 ctx->peer.sockaddr = addr->sockaddr;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1510 ctx->peer.socklen = addr->socklen;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1511 ctx->peer.name = &addr->name;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1512 ctx->peer.get = ngx_event_get_peer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1513 ctx->peer.log = ctx->log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1514 ctx->peer.log_error = NGX_ERROR_ERR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1515
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1516 rc = ngx_event_connect_peer(&ctx->peer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1517
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1518 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1519 "ssl ocsp connect peer done");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1520
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1521 if (rc == NGX_ERROR) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1522 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1523 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1524 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1525
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1526 if (rc == NGX_BUSY \|\| rc == NGX_DECLINED) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1527 ngx_ssl_ocsp_next(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1528 return;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1529 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1530
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1531 ctx->peer.connection->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1532 ctx->peer.connection->pool = ctx->pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1533
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1534 ctx->peer.connection->read->handler = ngx_ssl_ocsp_read_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1535 ctx->peer.connection->write->handler = ngx_ssl_ocsp_write_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1536
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1537 ctx->process = ngx_ssl_ocsp_process_status_line;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1538
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1539 if (ctx->timeout) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1540 ngx_add_timer(ctx->peer.connection->read, ctx->timeout);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1541 ngx_add_timer(ctx->peer.connection->write, ctx->timeout);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1542 }
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1543
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1544 if (rc == NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1545 ngx_ssl_ocsp_write_handler(ctx->peer.connection->write);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1546 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1547 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1548 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1549
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1550
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1551 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1552 ngx_ssl_ocsp_write_handler(ngx_event_t *wev)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1553 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1554 ssize_t n, size;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1555 ngx_connection_t *c;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1556 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1557
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1558 c = wev->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1559 ctx = c->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1560
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1561 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1562 "ssl ocsp write handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1563
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1564 if (wev->timedout) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1565 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1566 "OCSP responder timed out");
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1567 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1568 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1569 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1570
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1571 size = ctx->request->last - ctx->request->pos;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1572
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1573 n = ngx_send(c, ctx->request->pos, size);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1574
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1575 if (n == NGX_ERROR) {
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1576 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1577 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1578 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1579
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1580 if (n > 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1581 ctx->request->pos += n;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1582
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1583 if (n == size) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1584 wev->handler = ngx_ssl_ocsp_dummy_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1585
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1586 if (wev->timer_set) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1587 ngx_del_timer(wev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1588 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1589
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1590 if (ngx_handle_write_event(wev, 0) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1591 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1592 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1593
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1594 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1595 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1596 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1597
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1598 if (!wev->timer_set && ctx->timeout) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1599 ngx_add_timer(wev, ctx->timeout);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1600 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1601 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1602
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1603
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1604 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1605 ngx_ssl_ocsp_read_handler(ngx_event_t *rev)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1606 {
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1607 ssize_t n, size;
64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1608 ngx_int_t rc;
64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1609 ngx_connection_t *c;
64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1610 ngx_ssl_ocsp_ctx_t *ctx;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1611
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1612 c = rev->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1613 ctx = c->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1614
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1615 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1616 "ssl ocsp read handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1617
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1618 if (rev->timedout) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1619 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1620 "OCSP responder timed out");
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1621 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1622 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1623 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1624
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1625 if (ctx->response == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1626 ctx->response = ngx_create_temp_buf(ctx->pool, 16384);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1627 if (ctx->response == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1628 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1629 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1630 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1631 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1632
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1633 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1634
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1635 size = ctx->response->end - ctx->response->last;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1636
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1637 n = ngx_recv(c, ctx->response->last, size);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1638
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1639 if (n > 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1640 ctx->response->last += n;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1641
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1642 rc = ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1643
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1644 if (rc == NGX_ERROR) {
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1645 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1646 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1647 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1648
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1649 continue;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1650 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1651
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1652 if (n == NGX_AGAIN) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1653
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1654 if (ngx_handle_read_event(rev, 0) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1655 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1656 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1657
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1658 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1659 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1660
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1661 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1662 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1663
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1664 ctx->done = 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1665
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1666 rc = ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1667
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1668 if (rc == NGX_DONE) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1669 /* ctx->handler() was called */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1670 return;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1671 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1672
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1673 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1674 "OCSP responder prematurely closed connection");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1675
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1676 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1677 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1678
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1679
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1680 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1681 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1682 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1683 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1684 "ssl ocsp dummy handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1685 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1686
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1687
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1688 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1689 ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1690 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1691 int len;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1692 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1693 uintptr_t escape;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1694 ngx_str_t binary, base64;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1695 ngx_buf_t *b;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1696 OCSP_CERTID *id;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1697 OCSP_REQUEST *ocsp;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1698
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1699 ocsp = OCSP_REQUEST_new();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1700 if (ocsp == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1701 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1702 "OCSP_REQUEST_new() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1703 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1704 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1705
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1706 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1707 if (id == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1708 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1709 "OCSP_cert_to_id() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1710 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1711 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1712
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1713 if (OCSP_request_add0_id(ocsp, id) == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1714 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1715 "OCSP_request_add0_id() failed");
6064 ff957cd36860 OCSP stapling: missing free calls. Filipe da Silva <fdasilva@ingima.com> parents: 5777 diff changeset	1716 OCSP_CERTID_free(id);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1717 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1718 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1719
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1720 len = i2d_OCSP_REQUEST(ocsp, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1721 if (len <= 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1722 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1723 "i2d_OCSP_REQUEST() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1724 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1725 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1726
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1727 binary.len = len;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1728 binary.data = ngx_palloc(ctx->pool, len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1729 if (binary.data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1730 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1731 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1732
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1733 p = binary.data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1734 len = i2d_OCSP_REQUEST(ocsp, &p);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1735 if (len <= 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1736 ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1737 "i2d_OCSP_REQUEST() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1738 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1739 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1740
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1741 base64.len = ngx_base64_encoded_length(binary.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1742 base64.data = ngx_palloc(ctx->pool, base64.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1743 if (base64.data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1744 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1745 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1746
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1747 ngx_encode_base64(&base64, &binary);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1748
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1749 escape = ngx_escape_uri(NULL, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1750 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1751
4880 0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	1752 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	1753 "ssl ocsp request length %z, escape %d",
6480 f01ab2dbcfdc Fixed logging. Sergey Kandaurov <pluknet@nginx.com> parents: 6206 diff changeset	1754 base64.len, (int) escape);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1755
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1756 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1757 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1758 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1759 + sizeof(CRLF) - 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1760
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1761 b = ngx_create_temp_buf(ctx->pool, len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1762 if (b == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1763 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1764 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1765
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1766 p = b->last;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1767
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1768 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1769 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1770
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1771 if (ctx->uri.data[ctx->uri.len - 1] != '/') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1772 *p++ = '/';
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1773 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1774
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1775 if (escape == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1776 p = ngx_cpymem(p, base64.data, base64.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1777
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1778 } else {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1779 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1780 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1781 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1782
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1783 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1784 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1785 p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1786 p++ = CR; p++ = LF;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1787
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1788 /* add "\r\n" at the header end */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1789 p++ = CR; p++ = LF;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1790
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1791 b->last = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1792 ctx->request = b;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1793
5683 48c97d83ab7f OCSP stapling: missing OCSP request free call. Filipe da Silva <fdasilvayy@gmail.com> parents: 5477 diff changeset	1794 OCSP_REQUEST_free(ocsp);
48c97d83ab7f OCSP stapling: missing OCSP request free call. Filipe da Silva <fdasilvayy@gmail.com> parents: 5477 diff changeset	1795
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1796 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1797
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1798 failed:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1799
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1800 OCSP_REQUEST_free(ocsp);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1801
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1802 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1803 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1804
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1805
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1806 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1807 ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1808 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1809 ngx_int_t rc;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1810
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1811 rc = ngx_ssl_ocsp_parse_status_line(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1812
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1813 if (rc == NGX_OK) {
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1814 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1815 "ssl ocsp status %ui \"%*s\"",
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1816 ctx->code,
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1817 ctx->header_end - ctx->header_start,
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1818 ctx->header_start);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1819
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1820 ctx->process = ngx_ssl_ocsp_process_headers;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1821 return ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1822 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1823
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1824 if (rc == NGX_AGAIN) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1825 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1826 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1827
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1828 /* rc == NGX_ERROR */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1829
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1830 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1831 "OCSP responder sent invalid response");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1832
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1833 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1834 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1835
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1836
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1837 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1838 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1839 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1840 u_char ch;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1841 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1842 ngx_buf_t *b;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1843 enum {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1844 sw_start = 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1845 sw_H,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1846 sw_HT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1847 sw_HTT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1848 sw_HTTP,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1849 sw_first_major_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1850 sw_major_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1851 sw_first_minor_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1852 sw_minor_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1853 sw_status,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1854 sw_space_after_status,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1855 sw_status_text,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1856 sw_almost_done
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1857 } state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1858
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1859 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1860 "ssl ocsp process status line");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1861
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1862 state = ctx->state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1863 b = ctx->response;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1864
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1865 for (p = b->pos; p < b->last; p++) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1866 ch = *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1867
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1868 switch (state) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1869
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1870 /* "HTTP/" */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1871 case sw_start:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1872 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1873 case 'H':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1874 state = sw_H;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1875 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1876 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1877 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1878 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1879 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1880
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1881 case sw_H:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1882 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1883 case 'T':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1884 state = sw_HT;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1885 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1886 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1887 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1888 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1889 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1890
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1891 case sw_HT:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1892 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1893 case 'T':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1894 state = sw_HTT;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1895 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1896 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1897 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1898 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1899 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1900
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1901 case sw_HTT:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1902 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1903 case 'P':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1904 state = sw_HTTP;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1905 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1906 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1907 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1908 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1909 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1910
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1911 case sw_HTTP:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1912 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1913 case '/':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1914 state = sw_first_major_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1915 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1916 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1917 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1918 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1919 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1920
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1921 /* the first digit of major HTTP version */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1922 case sw_first_major_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1923 if (ch < '1' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1924 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1925 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1926
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1927 state = sw_major_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1928 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1929
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1930 /* the major HTTP version or dot */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1931 case sw_major_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1932 if (ch == '.') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1933 state = sw_first_minor_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1934 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1935 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1936
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1937 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1938 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1939 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1940
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1941 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1942
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1943 /* the first digit of minor HTTP version */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1944 case sw_first_minor_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1945 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1946 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1947 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1948
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1949 state = sw_minor_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1950 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1951
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1952 /* the minor HTTP version or the end of the request line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1953 case sw_minor_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1954 if (ch == ' ') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1955 state = sw_status;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1956 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1957 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1958
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1959 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1960 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1961 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1962
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1963 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1964
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1965 /* HTTP status code */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1966 case sw_status:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1967 if (ch == ' ') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1968 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1969 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1970
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1971 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1972 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1973 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1974
7067 e3723f2a11b7 Parenthesized ASCII-related calculations. Valentin Bartenev <vbart@nginx.com> parents: 6842 diff changeset	1975 ctx->code = ctx->code * 10 + (ch - '0');
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1976
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1977 if (++ctx->count == 3) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1978 state = sw_space_after_status;
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1979 ctx->header_start = p - 2;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1980 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1981
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1982 break;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1983
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1984 /* space or end of line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1985 case sw_space_after_status:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1986 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1987 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1988 state = sw_status_text;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1989 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1990 case '.': /* IIS may send 403.1, 403.2, etc */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1991 state = sw_status_text;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1992 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1993 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1994 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1995 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1996 case LF:
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1997 ctx->header_end = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1998 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1999 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2000 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2001 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2002 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2003
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2004 /* any text until end of line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2005 case sw_status_text:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2006 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2007 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2008 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2009 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2010 case LF:
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	2011 ctx->header_end = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2012 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2013 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2014 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2015
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2016 /* end of status line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2017 case sw_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2018 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2019 case LF:
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	2020 ctx->header_end = p - 1;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2021 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2022 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2023 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2024 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2025 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2026 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2027
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2028 b->pos = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2029 ctx->state = state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2030
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2031 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2032
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2033 done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2034
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2035 b->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2036 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2037
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2038 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2039 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2040
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2041
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2042 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2043 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2044 {
4876 1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2045 size_t len;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2046 ngx_int_t rc;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2047
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2048 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2049 "ssl ocsp process headers");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2050
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2051 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2052 rc = ngx_ssl_ocsp_parse_header_line(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2053
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2054 if (rc == NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2055
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2056 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2057 "ssl ocsp header \"%s: %s\"",
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2058 ctx->header_name_end - ctx->header_name_start,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2059 ctx->header_name_start,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2060 ctx->header_end - ctx->header_start,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2061 ctx->header_start);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2062
4876 1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2063 len = ctx->header_name_end - ctx->header_name_start;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2064
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2065 if (len == sizeof("Content-Type") - 1
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2066 && ngx_strncasecmp(ctx->header_name_start,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2067 (u_char *) "Content-Type",
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2068 sizeof("Content-Type") - 1)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2069 == 0)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2070 {
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2071 len = ctx->header_end - ctx->header_start;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2072
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2073 if (len != sizeof("application/ocsp-response") - 1
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2074 \|\| ngx_strncasecmp(ctx->header_start,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2075 (u_char *) "application/ocsp-response",
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2076 sizeof("application/ocsp-response") - 1)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2077 != 0)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2078 {
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2079 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2080 "OCSP responder sent invalid "
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2081 "\"Content-Type\" header: \"%*s\"",
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2082 ctx->header_end - ctx->header_start,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2083 ctx->header_start);
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2084 return NGX_ERROR;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2085 }
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2086
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2087 continue;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2088 }
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2089
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2090 /* TODO: honor Content-Length */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2091
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2092 continue;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2093 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2094
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2095 if (rc == NGX_DONE) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2096 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2097 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2098
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2099 if (rc == NGX_AGAIN) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2100 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2101 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2102
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2103 /* rc == NGX_ERROR */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2104
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2105 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2106 "OCSP responder sent invalid response");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2107
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2108 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2109 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2110
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2111 ctx->process = ngx_ssl_ocsp_process_body;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2112 return ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2113 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2114
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	2115
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2116 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2117 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2118 {
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	2119 u_char c, ch, *p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2120 enum {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2121 sw_start = 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2122 sw_name,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2123 sw_space_before_value,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2124 sw_value,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2125 sw_space_after_value,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2126 sw_almost_done,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2127 sw_header_almost_done
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2128 } state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2129
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2130 state = ctx->state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2131
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2132 for (p = ctx->response->pos; p < ctx->response->last; p++) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2133 ch = *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2134
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2135 #if 0
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2136 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2137 "s:%d in:'%02Xd:%c'", state, ch, ch);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2138 #endif
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2139
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2140 switch (state) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2141
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2142 /* first char */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2143 case sw_start:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2144
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2145 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2146 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2147 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2148 state = sw_header_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2149 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2150 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2151 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2152 goto header_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2153 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2154 state = sw_name;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2155 ctx->header_name_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2156
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2157 c = (u_char) (ch \| 0x20);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2158 if (c >= 'a' && c <= 'z') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2159 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2160 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2161
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2162 if (ch >= '0' && ch <= '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2163 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2164 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2165
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2166 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2167 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2168 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2169
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2170 /* header name */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2171 case sw_name:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2172 c = (u_char) (ch \| 0x20);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2173 if (c >= 'a' && c <= 'z') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2174 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2175 }
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2176
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2177 if (ch == ':') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2178 ctx->header_name_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2179 state = sw_space_before_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2180 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2181 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2182
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2183 if (ch == '-') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2184 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2185 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2186
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2187 if (ch >= '0' && ch <= '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2188 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2189 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2190
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2191 if (ch == CR) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2192 ctx->header_name_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2193 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2194 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2195 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2196 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2197 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2198
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2199 if (ch == LF) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2200 ctx->header_name_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2201 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2202 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2203 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2204 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2205
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2206 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2207
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2208 /* space* before header value */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2209 case sw_space_before_value:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2210 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2211 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2212 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2213 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2214 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2215 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2216 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2217 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2218 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2219 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2220 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2221 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2222 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2223 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2224 state = sw_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2225 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2226 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2227 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2228
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2229 /* header value */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2230 case sw_value:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2231 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2232 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2233 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2234 state = sw_space_after_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2235 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2236 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2237 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2238 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2239 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2240 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2241 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2242 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2243 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2244 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2245
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2246 /* space* before end of header line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2247 case sw_space_after_value:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2248 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2249 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2250 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2251 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2252 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2253 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2254 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2255 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2256 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2257 state = sw_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2258 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2259 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2260 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2261
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2262 /* end of header line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2263 case sw_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2264 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2265 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2266 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2267 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2268 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2269 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2270
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2271 /* end of header */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2272 case sw_header_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2273 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2274 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2275 goto header_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2276 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2277 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2278 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2279 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2280 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2281
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2282 ctx->response->pos = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2283 ctx->state = state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2284
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2285 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2286
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2287 done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2288
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2289 ctx->response->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2290 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2291
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2292 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2293
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2294 header_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2295
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2296 ctx->response->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2297 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2298
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2299 return NGX_DONE;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2300 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2301
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2302
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2303 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2304 ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2305 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2306 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2307 "ssl ocsp process body");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2308
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2309 if (ctx->done) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2310 ctx->handler(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2311 return NGX_DONE;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2312 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2313
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2314 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2315 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2316
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2317
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2318 static ngx_int_t
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2319 ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2320 {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2321 int n;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2322 size_t len;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2323 X509_STORE *store;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2324 const u_char *p;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2325 OCSP_CERTID *id;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2326 OCSP_RESPONSE *ocsp;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2327 OCSP_BASICRESP *basic;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2328 ASN1_GENERALIZEDTIME thisupdate, nextupdate;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2329
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2330 ocsp = NULL;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2331 basic = NULL;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2332 id = NULL;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2333
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2334 if (ctx->code != 200) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2335 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2336 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2337
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2338 /* check the response */
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2339
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2340 len = ctx->response->last - ctx->response->pos;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2341 p = ctx->response->pos;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2342
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2343 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2344 if (ocsp == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2345 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2346 "d2i_OCSP_RESPONSE() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2347 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2348 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2349
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2350 n = OCSP_response_status(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2351
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2352 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2353 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2354 "OCSP response not successful (%d: %s)",
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2355 n, OCSP_response_status_str(n));
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2356 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2357 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2358
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2359 basic = OCSP_response_get1_basic(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2360 if (basic == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2361 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2362 "OCSP_response_get1_basic() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2363 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2364 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2365
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2366 store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2367 if (store == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2368 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2369 "SSL_CTX_get_cert_store() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2370 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2371 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2372
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	2373 if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2374 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2375 "OCSP_basic_verify() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2376 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2377 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2378
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2379 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2380 if (id == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2381 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2382 "OCSP_cert_to_id() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2383 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2384 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2385
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2386 if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2387 &thisupdate, &nextupdate)
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2388 != 1)
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2389 {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2390 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2391 "certificate status not found in the OCSP response");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2392 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2393 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2394
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2395 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2396 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2397 "OCSP_check_validity() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2398 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2399 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2400
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2401 if (nextupdate) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2402 ctx->valid = ngx_ssl_stapling_time(nextupdate);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2403 if (ctx->valid == (time_t) NGX_ERROR) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2404 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2405 "invalid nextUpdate time in certificate status");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2406 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2407 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2408
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2409 } else {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2410 ctx->valid = NGX_MAX_TIME_T_VALUE;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2411 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2412
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2413 OCSP_CERTID_free(id);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2414 OCSP_BASICRESP_free(basic);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2415 OCSP_RESPONSE_free(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2416
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2417 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2418 "ssl ocsp response, %s, %uz",
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2419 OCSP_cert_status_str(ctx->status), len);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2420
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2421 return NGX_OK;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2422
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2423 error:
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2424
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2425 if (id) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2426 OCSP_CERTID_free(id);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2427 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2428
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2429 if (basic) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2430 OCSP_BASICRESP_free(basic);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2431 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2432
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2433 if (ocsp) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2434 OCSP_RESPONSE_free(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2435 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2436
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2437 return NGX_ERROR;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2438 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2439
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2440
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2441 ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2442 ngx_ssl_ocsp_cache_init(ngx_shm_zone_t shm_zone, void data)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2443 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2444 size_t len;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2445 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2446 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2447
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2448 if (data) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2449 shm_zone->data = data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2450 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2451 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2452
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2453 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2454
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2455 if (shm_zone->shm.exists) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2456 shm_zone->data = shpool->data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2457 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2458 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2459
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2460 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_ocsp_cache_t));
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2461 if (cache == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2462 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2463 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2464
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2465 shpool->data = cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2466 shm_zone->data = cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2467
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2468 ngx_rbtree_init(&cache->rbtree, &cache->sentinel,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2469 ngx_str_rbtree_insert_value);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2470
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2471 ngx_queue_init(&cache->expire_queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2472
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2473 len = sizeof(" in OCSP cache \"\"") + shm_zone->shm.name.len;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2474
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2475 shpool->log_ctx = ngx_slab_alloc(shpool, len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2476 if (shpool->log_ctx == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2477 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2478 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2479
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2480 ngx_sprintf(shpool->log_ctx, " in OCSP cache \"%V\"%Z",
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2481 &shm_zone->shm.name);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2482
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2483 shpool->log_nomem = 0;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2484
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2485 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2486 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2487
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2488
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2489 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2490 ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2491 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2492 uint32_t hash;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2493 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2494 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2495 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2496 ngx_ssl_ocsp_cache_node_t *node;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2497
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2498 shm_zone = ctx->shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2499
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2500 if (shm_zone == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2501 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2502 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2503
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2504 if (ngx_ssl_ocsp_create_key(ctx) != NGX_OK) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2505 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2506 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2507
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2508 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache lookup");
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2509
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2510 cache = shm_zone->data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2511 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2512 hash = ngx_hash_key(ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2513
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2514 ngx_shmtx_lock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2515
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2516 node = (ngx_ssl_ocsp_cache_node_t *)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2517 ngx_str_rbtree_lookup(&cache->rbtree, &ctx->key, hash);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2518
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2519 if (node) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2520 if (node->valid > ngx_time()) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2521 ctx->status = node->status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2522 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2523
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2524 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2525 "ssl ocsp cache hit, %s",
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2526 OCSP_cert_status_str(ctx->status));
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2527
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2528 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2529 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2530
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2531 ngx_queue_remove(&node->queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2532 ngx_rbtree_delete(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2533 ngx_slab_free_locked(shpool, node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2534
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2535 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2536
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2537 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2538 "ssl ocsp cache expired");
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2539
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2540 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2541 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2542
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2543 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2544
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2545 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache miss");
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2546
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2547 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2548 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2549
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2550
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2551 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2552 ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2553 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2554 time_t now, valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2555 uint32_t hash;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2556 ngx_queue_t *q;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2557 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2558 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2559 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2560 ngx_ssl_ocsp_cache_node_t *node;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2561
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2562 shm_zone = ctx->shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2563
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2564 if (shm_zone == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2565 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2566 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2567
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2568 valid = ctx->valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2569
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2570 now = ngx_time();
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2571
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2572 if (valid < now) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2573 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2574 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2575
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2576 if (valid == NGX_MAX_TIME_T_VALUE) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2577 valid = now + 3600;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2578 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2579
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2580 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2581 "ssl ocsp cache store, valid:%T", valid - now);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2582
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2583 cache = shm_zone->data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2584 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2585 hash = ngx_hash_key(ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2586
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2587 ngx_shmtx_lock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2588
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2589 node = ngx_slab_calloc_locked(shpool,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2590 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2591 if (node == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2592
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2593 if (!ngx_queue_empty(&cache->expire_queue)) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2594 q = ngx_queue_last(&cache->expire_queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2595 node = ngx_queue_data(q, ngx_ssl_ocsp_cache_node_t, queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2596
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2597 ngx_rbtree_delete(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2598 ngx_queue_remove(q);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2599 ngx_slab_free_locked(shpool, node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2600
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2601 node = ngx_slab_alloc_locked(shpool,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2602 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2603 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2604
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2605 if (node == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2606 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2607 ngx_log_error(NGX_LOG_ALERT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2608 "could not allocate new entry%s", shpool->log_ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2609 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2610 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2611 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2612
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2613 node->node.str.len = ctx->key.len;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2614 node->node.str.data = (u_char *) node + sizeof(ngx_ssl_ocsp_cache_node_t);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2615 ngx_memcpy(node->node.str.data, ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2616 node->node.node.key = hash;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2617 node->status = ctx->status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2618 node->valid = valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2619
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2620 ngx_rbtree_insert(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2621 ngx_queue_insert_head(&cache->expire_queue, &node->queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2622
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2623 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2624
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2625 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2626 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2627
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2628
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2629 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2630 ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2631 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2632 u_char *p;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2633 X509_NAME *name;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2634 ASN1_INTEGER *serial;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2635
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2636 p = ngx_pnalloc(ctx->pool, 60);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2637 if (p == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2638 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2639 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2640
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2641 ctx->key.data = p;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2642 ctx->key.len = 60;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2643
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2644 name = X509_get_subject_name(ctx->issuer);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2645 if (X509_NAME_digest(name, EVP_sha1(), p, NULL) == 0) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2646 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2647 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2648
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2649 p += 20;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2650
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2651 if (X509_pubkey_digest(ctx->issuer, EVP_sha1(), p, NULL) == 0) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2652 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2653 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2654
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2655 p += 20;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2656
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2657 serial = X509_get_serialNumber(ctx->cert);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2658 if (serial->length > 20) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2659 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2660 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2661
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2662 p = ngx_cpymem(p, serial->data, serial->length);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2663 ngx_memzero(p, 20 - serial->length);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2664
7736 a46fcf101cfc Core: added format specifiers to output binary data as hex. Vladimir Homutov <vl@nginx.com> parents: 7687 diff changeset	2665 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
a46fcf101cfc Core: added format specifiers to output binary data as hex. Vladimir Homutov <vl@nginx.com> parents: 7687 diff changeset	2666 "ssl ocsp key %xV", &ctx->key);
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2667
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2668 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2669 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2670
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2671
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2672 static u_char *
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2673 ngx_ssl_ocsp_log_error(ngx_log_t log, u_char buf, size_t len)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2674 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2675 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2676 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2677
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2678 p = buf;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2679
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2680 if (log->action) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2681 p = ngx_snprintf(buf, len, " while %s", log->action);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2682 len -= p - buf;
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2683 buf = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2684 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2685
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2686 ctx = log->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2687
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2688 if (ctx) {
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2689 p = ngx_snprintf(buf, len, ", responder: %V", &ctx->host);
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2690 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2691 buf = p;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2692 }
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2693
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2694 if (ctx && ctx->peer.name) {
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2695 p = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name);
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2696 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2697 buf = p;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2698 }
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2699
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2700 if (ctx && ctx->name) {
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2701 p = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name);
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2702 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2703 buf = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2704 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2705
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2706 return p;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2707 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2708
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2709
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2710 #else
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2711
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2712
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2713 ngx_int_t
4880 0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	2714 ngx_ssl_stapling(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file,
0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	2715 ngx_str_t *responder, ngx_uint_t verify)
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2716 {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2717 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2718 "\"ssl_stapling\" ignored, not supported");
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2719
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2720 return NGX_OK;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2721 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2722
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	2723
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2724 ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2725 ngx_ssl_stapling_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2726 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2727 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2728 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2729 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2730
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2731
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2732 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2733 ngx_ssl_ocsp(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *responder,
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2734 ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2735 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2736 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2737 "\"ssl_ocsp\" is not supported on this platform");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2738
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2739 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2740 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2741
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2742
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2743 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2744 ngx_ssl_ocsp_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2745 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2746 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2747 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2748 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2749
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2750
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2751 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2752 ngx_ssl_ocsp_validate(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2753 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2754 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2755 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2756
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2757
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2758 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2759 ngx_ssl_ocsp_get_status(ngx_connection_t c, const char *s)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2760 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2761 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2762 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2763
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2764
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2765 void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2766 ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2767 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2768 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2769
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2770
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2771 ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2772 ngx_ssl_ocsp_cache_init(ngx_shm_zone_t shm_zone, void data)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2773 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2774 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2775 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2776
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2777
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2778 #endif

Mercurial > hg > nginx

annotate src/event/ngx_event_openssl_stapling.c @ 7736:a46fcf101cfc