nginx: src/event/ngx_event_openssl

annotate src/event/ngx_event_openssl_stapling.c @ 7660:d33e17499088

Version bump.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Tue, 26 May 2020 22:03:00 +0300
parents	bd4d1b9db0ee
children	1ece2ac2555a

rev	line source
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2 /*
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	3 * Copyright (C) Maxim Dounin
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	4 * Copyright (C) Nginx, Inc.
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	5 */
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	6
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	7
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	8 #include <ngx_config.h>
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	9 #include <ngx_core.h>
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	10 #include <ngx_event.h>
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	11 #include <ngx_event_connect.h>
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	12
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	13
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5683 diff changeset	14 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	15
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	16
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	17 typedef struct {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	18 ngx_str_t staple;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	19 ngx_msec_t timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	20
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	21 ngx_resolver_t *resolver;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	22 ngx_msec_t resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	23
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	24 ngx_addr_t *addrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	25 ngx_uint_t naddrs;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	26 ngx_str_t host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	27 ngx_str_t uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	28 in_port_t port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	29
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	30 SSL_CTX *ssl_ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	31
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	32 X509 *cert;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	33 X509 *issuer;
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	34 STACK_OF(X509) *chain;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	35
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	36 u_char *name;
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	37
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	38 time_t valid;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	39 time_t refresh;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	40
4879 4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	41 unsigned verify:1;
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	42 unsigned loading:1;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	43 } ngx_ssl_stapling_t;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	44
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	45
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	46 typedef struct {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	47 ngx_addr_t *addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	48 ngx_uint_t naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	49
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	50 ngx_str_t host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	51 ngx_str_t uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	52 in_port_t port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	53 ngx_uint_t depth;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	54
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	55 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	56
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	57 ngx_resolver_t *resolver;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	58 ngx_msec_t resolver_timeout;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	59 } ngx_ssl_ocsp_conf_t;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	60
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	61
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	62 typedef struct {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	63 ngx_rbtree_t rbtree;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	64 ngx_rbtree_node_t sentinel;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	65 ngx_queue_t expire_queue;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	66 } ngx_ssl_ocsp_cache_t;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	67
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	68
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	69 typedef struct {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	70 ngx_str_node_t node;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	71 ngx_queue_t queue;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	72 int status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	73 time_t valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	74 } ngx_ssl_ocsp_cache_node_t;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	75
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	76
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	77 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	78
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	79
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	80 struct ngx_ssl_ocsp_s {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	81 STACK_OF(X509) *certs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	82 ngx_uint_t ncert;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	83
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	84 int cert_status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	85 ngx_int_t status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	86
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	87 ngx_ssl_ocsp_conf_t *conf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	88 ngx_ssl_ocsp_ctx_t *ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	89 };
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	90
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	91
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	92 struct ngx_ssl_ocsp_ctx_s {
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	93 SSL_CTX *ssl_ctx;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	94
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	95 X509 *cert;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	96 X509 *issuer;
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	97 STACK_OF(X509) *chain;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	98
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	99 int status;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	100 time_t valid;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	101
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	102 u_char *name;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	103
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	104 ngx_uint_t naddrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	105 ngx_uint_t naddr;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	106
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	107 ngx_addr_t *addrs;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	108 ngx_str_t host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	109 ngx_str_t uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	110 in_port_t port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	111
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	112 ngx_resolver_t *resolver;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	113 ngx_msec_t resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	114
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	115 ngx_msec_t timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	116
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	117 void (handler)(ngx_ssl_ocsp_ctx_t ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	118 void *data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	119
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	120 ngx_str_t key;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	121 ngx_buf_t *request;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	122 ngx_buf_t *response;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	123 ngx_peer_connection_t peer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	124
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	125 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	126
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	127 ngx_int_t (process)(ngx_ssl_ocsp_ctx_t ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	128
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	129 ngx_uint_t state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	130
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	131 ngx_uint_t code;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	132 ngx_uint_t count;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	133 ngx_uint_t flags;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	134 ngx_uint_t done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	135
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	136 u_char *header_name_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	137 u_char *header_name_end;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	138 u_char *header_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	139 u_char *header_end;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	140
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	141 ngx_pool_t *pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	142 ngx_log_t *log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	143 };
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	144
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	145
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	146 static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t cf, ngx_ssl_t ssl,
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	147 X509 cert, ngx_str_t file, ngx_str_t *responder, ngx_uint_t verify);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	148 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t cf, ngx_ssl_t ssl,
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	149 ngx_ssl_stapling_t staple, ngx_str_t file);
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	150 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	151 ngx_ssl_stapling_t *staple);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	152 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t cf, ngx_ssl_t ssl,
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	153 ngx_ssl_stapling_t staple, ngx_str_t responder);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	154
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	155 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	156 void *data);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	157 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	158 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	159
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	160 static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time);
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	161
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	162 static void ngx_ssl_stapling_cleanup(void *data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	163
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	164 static void ngx_ssl_ocsp_validate_next(ngx_connection_t *c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	165 static void ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	166 static ngx_int_t ngx_ssl_ocsp_responder(ngx_connection_t *c,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	167 ngx_ssl_ocsp_ctx_t *ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	168
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	169 static ngx_ssl_ocsp_ctx_t ngx_ssl_ocsp_start(ngx_log_t log);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	170 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx);
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	171 static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	172 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	173 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	174 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	175 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	176 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	177 static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	178
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	179 static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	180 static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	181 static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	182 static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	183 static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	184 static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx);
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	185 static ngx_int_t ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	186
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	187 static ngx_int_t ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	188 static ngx_int_t ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	189 static ngx_int_t ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	190
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	191 static u_char ngx_ssl_ocsp_log_error(ngx_log_t log, u_char *buf, size_t len);
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	192
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	193
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	194 ngx_int_t
4879 4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	195 ngx_ssl_stapling(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file,
4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	196 ngx_str_t *responder, ngx_uint_t verify)
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	197 {
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	198 X509 *cert;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	199
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	200 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	201 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	202 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	203 {
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	204 if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	205 != NGX_OK)
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	206 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	207 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	208 }
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	209 }
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	210
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	211 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	212
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	213 return NGX_OK;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	214 }
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	215
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	216
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	217 static ngx_int_t
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	218 ngx_ssl_stapling_certificate(ngx_conf_t cf, ngx_ssl_t ssl, X509 *cert,
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	219 ngx_str_t file, ngx_str_t responder, ngx_uint_t verify)
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	220 {
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	221 ngx_int_t rc;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	222 ngx_pool_cleanup_t *cln;
e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	223 ngx_ssl_stapling_t *staple;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	224
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	225 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	226 if (staple == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	227 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	228 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	229
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	230 cln = ngx_pool_cleanup_add(cf->pool, 0);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	231 if (cln == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	232 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	233 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	234
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	235 cln->handler = ngx_ssl_stapling_cleanup;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	236 cln->data = staple;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	237
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	238 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	239 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	240 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	241 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	242
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	243 #ifdef SSL_CTRL_SELECT_CURRENT_CERT
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	244 /* OpenSSL 1.0.2+ */
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	245 SSL_CTX_select_current_cert(ssl->ctx, cert);
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	246 #endif
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	247
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	248 #ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	249 /* OpenSSL 1.0.1+ */
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	250 SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	251 #else
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	252 staple->chain = ssl->ctx->extra_certs;
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	253 #endif
6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	254
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	255 staple->ssl_ctx = ssl->ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	256 staple->timeout = 60000;
4879 4a804fd04e6c OCSP stapling: ssl_stapling_verify directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4878 diff changeset	257 staple->verify = verify;
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	258 staple->cert = cert;
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	259 staple->name = X509_get_ex_data(staple->cert,
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	260 ngx_ssl_certificate_name_index);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	261
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	262 if (file->len) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	263 /* use OCSP response from the file */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	264
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	265 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	266 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	267 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	268
6547 e222a97d46c1 OCSP stapling: additional function to configure stapling on a cert. Maxim Dounin <mdounin@mdounin.ru> parents: 6546 diff changeset	269 return NGX_OK;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	270 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	271
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	272 rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	273
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	274 if (rc == NGX_DECLINED) {
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	275 return NGX_OK;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	276 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	277
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	278 if (rc != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	279 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	280 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	281
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	282 rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	283
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	284 if (rc == NGX_DECLINED) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	285 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	286 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	287
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	288 if (rc != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	289 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	290 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	291
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	292 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	293 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	294
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	295
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	296 static ngx_int_t
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	297 ngx_ssl_stapling_file(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	298 ngx_ssl_stapling_t staple, ngx_str_t file)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	299 {
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	300 BIO *bio;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	301 int len;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	302 u_char p, buf;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	303 OCSP_RESPONSE *response;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	304
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	305 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	306 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	307 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	308
7485 edf5cd6c56fa OCSP stapling: open ssl_stapling_file in binary-mode. Sergey Kandaurov <pluknet@nginx.com> parents: 7067 diff changeset	309 bio = BIO_new_file((char *) file->data, "rb");
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	310 if (bio == NULL) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	311 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	312 "BIO_new_file(\"%s\") failed", file->data);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	313 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	314 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	315
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	316 response = d2i_OCSP_RESPONSE_bio(bio, NULL);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	317 if (response == NULL) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	318 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	319 "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	320 BIO_free(bio);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	321 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	322 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	323
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	324 len = i2d_OCSP_RESPONSE(response, NULL);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	325 if (len <= 0) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	326 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	327 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	328 goto failed;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	329 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	330
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	331 buf = ngx_alloc(len, ssl->log);
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	332 if (buf == NULL) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	333 goto failed;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	334 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	335
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	336 p = buf;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	337 len = i2d_OCSP_RESPONSE(response, &p);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	338 if (len <= 0) {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	339 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	340 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	341 ngx_free(buf);
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	342 goto failed;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	343 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	344
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	345 OCSP_RESPONSE_free(response);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	346 BIO_free(bio);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	347
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	348 staple->staple.data = buf;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	349 staple->staple.len = len;
6205 dcae651b2a0c OCSP stapling: fixed ssl_stapling_file (ticket #769). Maxim Dounin <mdounin@mdounin.ru> parents: 6181 diff changeset	350 staple->valid = NGX_MAX_TIME_T_VALUE;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	351
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	352 return NGX_OK;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	353
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	354 failed:
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	355
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	356 OCSP_RESPONSE_free(response);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	357 BIO_free(bio);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	358
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	359 return NGX_ERROR;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	360 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	361
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	362
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	363 static ngx_int_t
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	364 ngx_ssl_stapling_issuer(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	365 ngx_ssl_stapling_t *staple)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	366 {
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	367 int i, n, rc;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	368 X509 cert, issuer;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	369 X509_STORE *store;
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	370 X509_STORE_CTX *store_ctx;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	371
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	372 cert = staple->cert;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	373
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	374 n = sk_X509_num(staple->chain);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	375
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	376 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	377 "SSL get issuer: %d extra certs", n);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	378
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	379 for (i = 0; i < n; i++) {
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	380 issuer = sk_X509_value(staple->chain, i);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	381 if (X509_check_issued(issuer, cert) == X509_V_OK) {
6491 45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	382 #if OPENSSL_VERSION_NUMBER >= 0x10100001L
45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	383 X509_up_ref(issuer);
45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	384 #else
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	385 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
6491 45f2385a47e6 SSL: X509 was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6480 diff changeset	386 #endif
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	387
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	388 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	389 "SSL get issuer: found %p in extra certs", issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	390
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	391 staple->issuer = issuer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	392
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	393 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	394 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	395 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	396
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	397 store = SSL_CTX_get_cert_store(ssl->ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	398 if (store == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	399 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	400 "SSL_CTX_get_cert_store() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	401 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	402 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	403
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	404 store_ctx = X509_STORE_CTX_new();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	405 if (store_ctx == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	406 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	407 "X509_STORE_CTX_new() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	408 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	409 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	410
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	411 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	412 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	413 "X509_STORE_CTX_init() failed");
6064 ff957cd36860 OCSP stapling: missing free calls. Filipe da Silva <fdasilva@ingima.com> parents: 5777 diff changeset	414 X509_STORE_CTX_free(store_ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	415 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	416 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	417
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	418 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	419
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	420 if (rc == -1) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	421 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	422 "X509_STORE_CTX_get1_issuer() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	423 X509_STORE_CTX_free(store_ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	424 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	425 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	426
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	427 if (rc == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	428 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	429 "\"ssl_stapling\" ignored, "
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	430 "issuer certificate not found for certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	431 staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	432 X509_STORE_CTX_free(store_ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	433 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	434 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	435
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	436 X509_STORE_CTX_free(store_ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	437
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	438 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	439 "SSL get issuer: found %p in cert store", issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	440
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	441 staple->issuer = issuer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	442
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	443 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	444 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	445
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	446
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	447 static ngx_int_t
6544 458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	448 ngx_ssl_stapling_responder(ngx_conf_t cf, ngx_ssl_t ssl,
458e01ef46e6 OCSP stapling: staple provided in arguments. Maxim Dounin <mdounin@mdounin.ru> parents: 6491 diff changeset	449 ngx_ssl_stapling_t staple, ngx_str_t responder)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	450 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	451 char *s;
6688 6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs. Maxim Dounin <mdounin@mdounin.ru> parents: 6593 diff changeset	452 ngx_str_t rsp;
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	453 ngx_url_t u;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	454 STACK_OF(OPENSSL_STRING) *aia;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	455
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	456 if (responder->len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	457
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	458 /* extract OCSP responder URL from certificate */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	459
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	460 aia = X509_get1_ocsp(staple->cert);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	461 if (aia == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	462 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	463 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	464 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	465 staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	466 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	467 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	468
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	469 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	470 s = sk_OPENSSL_STRING_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	471 #else
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	472 s = sk_value(aia, 0);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	473 #endif
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	474 if (s == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	475 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	476 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	477 "no OCSP responder URL in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	478 staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	479 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	480 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	481 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	482
6688 6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs. Maxim Dounin <mdounin@mdounin.ru> parents: 6593 diff changeset	483 responder = &rsp;
6acbe9964ceb OCSP stapling: fixed using wrong responder with multiple certs. Maxim Dounin <mdounin@mdounin.ru> parents: 6593 diff changeset	484
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	485 responder->len = ngx_strlen(s);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	486 responder->data = ngx_palloc(cf->pool, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	487 if (responder->data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	488 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	489 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	490 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	491
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	492 ngx_memcpy(responder->data, s, responder->len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	493 X509_email_free(aia);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	494 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	495
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	496 ngx_memzero(&u, sizeof(ngx_url_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	497
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	498 u.url = *responder;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	499 u.default_port = 80;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	500 u.uri_part = 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	501
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	502 if (u.url.len > 7
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	503 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	504 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	505 u.url.len -= 7;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	506 u.url.data += 7;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	507
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	508 } else {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	509 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	510 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	511 "invalid URL prefix in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	512 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	513 &u.url, staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	514 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	515 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	516
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	517 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	518 if (u.err) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	519 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	520 "\"ssl_stapling\" ignored, "
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	521 "%s in OCSP responder \"%V\" "
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	522 "in the certificate \"%s\"",
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6811 diff changeset	523 u.err, &u.url, staple->name);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	524 return NGX_DECLINED;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	525 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	526
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	527 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	528 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	529
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	530 staple->addrs = u.addrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	531 staple->naddrs = u.naddrs;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	532 staple->host = u.host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	533 staple->uri = u.uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	534 staple->port = u.port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	535
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	536 if (staple->uri.len == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	537 ngx_str_set(&staple->uri, "/");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	538 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	539
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	540 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	541 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	542
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	543
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	544 ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	545 ngx_ssl_stapling_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	546 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	547 {
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6544 diff changeset	548 X509 *cert;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	549 ngx_ssl_stapling_t *staple;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	550
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	551 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	552 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	553 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	554 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	555 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	556 staple->resolver = resolver;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	557 staple->resolver_timeout = resolver_timeout;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6547 diff changeset	558 }
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	559
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	560 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	561 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	562
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	563
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	564 static int
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	565 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t ssl_conn, void data)
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	566 {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	567 int rc;
6546 a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	568 X509 *cert;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	569 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	570 ngx_connection_t *c;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	571 ngx_ssl_stapling_t *staple;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	572
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	573 c = ngx_ssl_get_connection(ssl_conn);
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	574
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	575 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	576 "SSL certificate status callback");
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	577
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	578 rc = SSL_TLSEXT_ERR_NOACK;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	579
6546 a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	580 cert = SSL_get_certificate(ssl_conn);
7493 dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	581
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	582 if (cert == NULL) {
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	583 return rc;
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	584 }
dbebbb25ae92 OCSP stapling: fixed segfault with dynamic certificate loading. Maxim Dounin <mdounin@mdounin.ru> parents: 7485 diff changeset	585
6546 a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	586 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	587
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	588 if (staple == NULL) {
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	589 return rc;
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	590 }
a2d5d45f1525 OCSP stapling: staple now extracted via SSL_get_certificate(). Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	591
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	592 if (staple->staple.len
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	593 && staple->valid >= ngx_time())
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	594 {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	595 /* we have to copy ocsp response as OpenSSL will free it by itself */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	596
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	597 p = OPENSSL_malloc(staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	598 if (p == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	599 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	600 return SSL_TLSEXT_ERR_NOACK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	601 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	602
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	603 ngx_memcpy(p, staple->staple.data, staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	604
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	605 SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	606
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	607 rc = SSL_TLSEXT_ERR_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	608 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	609
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	610 ngx_ssl_stapling_update(staple);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	611
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	612 return rc;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	613 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	614
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	615
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	616 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	617 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	618 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	619 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	620
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	621 if (staple->host.len == 0
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	622 \|\| staple->loading \|\| staple->refresh >= ngx_time())
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	623 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	624 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	625 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	626
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	627 staple->loading = 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	628
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	629 ctx = ngx_ssl_ocsp_start(ngx_cycle->log);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	630 if (ctx == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	631 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	632 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	633
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	634 ctx->ssl_ctx = staple->ssl_ctx;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	635 ctx->cert = staple->cert;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	636 ctx->issuer = staple->issuer;
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	637 ctx->chain = staple->chain;
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	638 ctx->name = staple->name;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	639 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	640
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	641 ctx->addrs = staple->addrs;
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	642 ctx->naddrs = staple->naddrs;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	643 ctx->host = staple->host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	644 ctx->uri = staple->uri;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	645 ctx->port = staple->port;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	646 ctx->timeout = staple->timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	647
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	648 ctx->resolver = staple->resolver;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	649 ctx->resolver_timeout = staple->resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	650
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	651 ctx->handler = ngx_ssl_stapling_ocsp_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	652 ctx->data = staple;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	653
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	654 ngx_ssl_ocsp_request(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	655
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	656 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	657 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	658
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	659
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	660 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	661 ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	662 {
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	663 time_t now;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	664 ngx_str_t response;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	665 ngx_ssl_stapling_t *staple;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	666
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	667 staple = ctx->data;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	668 now = ngx_time();
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	669
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	670 if (ngx_ssl_ocsp_verify(ctx) != NGX_OK) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	671 goto error;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	672 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	673
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	674 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	675 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	676 "certificate status \"%s\" in the OCSP response",
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	677 OCSP_cert_status_str(ctx->status));
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	678 goto error;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	679 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	680
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	681 /* copy the response to memory not in ctx->pool */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	682
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	683 response.len = ctx->response->last - ctx->response->pos;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	684 response.data = ngx_alloc(response.len, ctx->log);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	685
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	686 if (response.data == NULL) {
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	687 goto error;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	688 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	689
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	690 ngx_memcpy(response.data, ctx->response->pos, response.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	691
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	692 if (staple->staple.data) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	693 ngx_free(staple->staple.data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	694 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	695
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	696 staple->staple = response;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	697 staple->valid = ctx->valid;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	698
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	699 /*
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	700 * refresh before the response expires,
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	701 * but not earlier than in 5 minutes, and at least in an hour
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	702 */
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	703
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	704 staple->loading = 0;
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	705 staple->refresh = ngx_max(ngx_min(ctx->valid - 300, now + 3600), now + 300);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	706
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	707 ngx_ssl_ocsp_done(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	708 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	709
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	710 error:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	711
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	712 staple->loading = 0;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	713 staple->refresh = now + 300;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	714
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	715 ngx_ssl_ocsp_done(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	716 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	717
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	718
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	719 static time_t
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	720 ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time)
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	721 {
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	722 BIO *bio;
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	723 char *value;
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	724 size_t len;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	725 time_t time;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	726
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	727 /*
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	728 * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	729 * into time_t. To do this, we use ASN1_GENERALIZEDTIME_print(),
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	730 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	731 * "Feb 3 00:55:52 2015 GMT"), and parse the result.
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	732 */
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	733
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	734 bio = BIO_new(BIO_s_mem());
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	735 if (bio == NULL) {
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	736 return NGX_ERROR;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	737 }
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	738
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	739 /* fake weekday prepended to match C asctime() format */
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	740
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	741 BIO_write(bio, "Tue ", sizeof("Tue ") - 1);
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	742 ASN1_GENERALIZEDTIME_print(bio, asn1time);
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	743 len = BIO_get_mem_data(bio, &value);
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	744
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	745 time = ngx_parse_http_time((u_char *) value, len);
6181 6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	746
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	747 BIO_free(bio);
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	748
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	749 return time;
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	750 }
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	751
6893a1007a7c OCSP stapling: avoid sending expired responses (ticket #425). Maxim Dounin <mdounin@mdounin.ru> parents: 6064 diff changeset	752
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	753 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	754 ngx_ssl_stapling_cleanup(void *data)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	755 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	756 ngx_ssl_stapling_t *staple = data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	757
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	758 if (staple->issuer) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	759 X509_free(staple->issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	760 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	761
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	762 if (staple->staple.data) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	763 ngx_free(staple->staple.data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	764 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	765 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	766
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	767
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	768 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	769 ngx_ssl_ocsp(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *responder,
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	770 ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	771 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	772 ngx_url_t u;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	773 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	774
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	775 ocf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_ocsp_conf_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	776 if (ocf == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	777 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	778 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	779
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	780 ocf->depth = depth;
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	781 ocf->shm_zone = shm_zone;
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	782
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	783 if (responder->len) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	784 ngx_memzero(&u, sizeof(ngx_url_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	785
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	786 u.url = *responder;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	787 u.default_port = 80;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	788 u.uri_part = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	789
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	790 if (u.url.len > 7
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	791 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	792 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	793 u.url.len -= 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	794 u.url.data += 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	795
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	796 } else {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	797 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	798 "invalid URL prefix in OCSP responder \"%V\" "
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	799 "in \"ssl_ocsp_responder\"", &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	800 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	801 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	802
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	803 if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	804 if (u.err) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	805 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	806 "%s in OCSP responder \"%V\" "
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	807 "in \"ssl_ocsp_responder\"", u.err, &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	808 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	809
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	810 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	811 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	812
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	813 ocf->addrs = u.addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	814 ocf->naddrs = u.naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	815 ocf->host = u.host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	816 ocf->uri = u.uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	817 ocf->port = u.port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	818 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	819
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	820 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_ocsp_index, ocf) == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	821 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	822 "SSL_CTX_set_ex_data() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	823 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	824 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	825
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	826 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	827 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	828
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	829
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	830 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	831 ngx_ssl_ocsp_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	832 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	833 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	834 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	835
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	836 ocf = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_ocsp_index);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	837 ocf->resolver = resolver;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	838 ocf->resolver_timeout = resolver_timeout;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	839
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	840 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	841 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	842
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	843
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	844 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	845 ngx_ssl_ocsp_validate(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	846 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	847 X509 *cert;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	848 SSL_CTX *ssl_ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	849 ngx_int_t rc;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	850 X509_STORE *store;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	851 X509_STORE_CTX *store_ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	852 STACK_OF(X509) *chain;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	853 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	854 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	855
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	856 if (c->ssl->in_ocsp) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	857 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	858 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	859 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	860
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	861 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	862 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	863 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	864
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	865 return NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	866 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	867
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	868 ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	869
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	870 ocf = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_ocsp_index);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	871 if (ocf == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	872 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	873 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	874
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	875 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	876 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	877 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	878
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	879 cert = SSL_get_peer_certificate(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	880 if (cert == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	881 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	882 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	883
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	884 ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	885 if (ocsp == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	886 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	887 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	888
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	889 c->ssl->ocsp = ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	890
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	891 ocsp->status = NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	892 ocsp->cert_status = V_OCSP_CERTSTATUS_GOOD;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	893 ocsp->conf = ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	894
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	895 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined LIBRESSL_VERSION_NUMBER)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	896
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	897 ocsp->certs = SSL_get0_verified_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	898
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	899 if (ocsp->certs) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	900 ocsp->certs = X509_chain_up_ref(ocsp->certs);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	901 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	902 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	903 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	904 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	905
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	906 #endif
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	907
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	908 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	909 store = SSL_CTX_get_cert_store(ssl_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	910 if (store == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	911 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	912 "SSL_CTX_get_cert_store() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	913 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	914 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	915
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	916 store_ctx = X509_STORE_CTX_new();
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	917 if (store_ctx == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	918 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	919 "X509_STORE_CTX_new() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	920 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	921 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	922
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	923 chain = SSL_get_peer_cert_chain(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	924
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	925 if (X509_STORE_CTX_init(store_ctx, store, cert, chain) == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	926 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	927 "X509_STORE_CTX_init() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	928 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	929 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	930 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	931
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	932 rc = X509_verify_cert(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	933 if (rc <= 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	934 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	935 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	936 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	937 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	938
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	939 ocsp->certs = X509_STORE_CTX_get1_chain(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	940 if (ocsp->certs == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	941 ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	942 "X509_STORE_CTX_get1_chain() failed");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	943 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	944 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	945 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	946
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	947 X509_STORE_CTX_free(store_ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	948 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	949
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	950 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
7655 bd4d1b9db0ee Fixed format specifiers. Sergey Kandaurov <pluknet@nginx.com> parents: 7654 diff changeset	951 "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs));
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	952
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	953 ngx_ssl_ocsp_validate_next(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	954
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	955 if (ocsp->status == NGX_AGAIN) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	956 c->ssl->in_ocsp = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	957 return NGX_AGAIN;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	958 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	959
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	960 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	961 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	962
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	963
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	964 static void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	965 ngx_ssl_ocsp_validate_next(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	966 {
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	967 ngx_int_t rc;
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	968 ngx_uint_t n;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	969 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	970 ngx_ssl_ocsp_ctx_t *ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	971 ngx_ssl_ocsp_conf_t *ocf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	972
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	973 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	974 ocf = ocsp->conf;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	975
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	976 n = sk_X509_num(ocsp->certs);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	977
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	978 for ( ;; ) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	979
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	980 if (ocsp->ncert == n - 1 \|\| (ocf->depth == 2 && ocsp->ncert == 1)) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	981 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	982 "ssl ocsp validated, certs:%ui", ocsp->ncert);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	983 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	984 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	985
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	986 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	987 "ssl ocsp validate cert:%ui", ocsp->ncert);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	988
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	989 ctx = ngx_ssl_ocsp_start(c->log);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	990 if (ctx == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	991 goto failed;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	992 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	993
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	994 ocsp->ctx = ctx;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	995
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	996 ctx->ssl_ctx = SSL_get_SSL_CTX(c->ssl->connection);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	997 ctx->cert = sk_X509_value(ocsp->certs, ocsp->ncert);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	998 ctx->issuer = sk_X509_value(ocsp->certs, ocsp->ncert + 1);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	999 ctx->chain = ocsp->certs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1000
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1001 ctx->resolver = ocf->resolver;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1002 ctx->resolver_timeout = ocf->resolver_timeout;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1003
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1004 ctx->handler = ngx_ssl_ocsp_handler;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1005 ctx->data = c;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1006
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1007 ctx->shm_zone = ocf->shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1008
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1009 ctx->addrs = ocf->addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1010 ctx->naddrs = ocf->naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1011 ctx->host = ocf->host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1012 ctx->uri = ocf->uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1013 ctx->port = ocf->port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1014
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1015 if (ngx_ssl_ocsp_responder(c, ctx) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1016 goto failed;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1017 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1018
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1019 if (ctx->uri.len == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1020 ngx_str_set(&ctx->uri, "/");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1021 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1022
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1023 ocsp->ncert++;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1024
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1025 rc = ngx_ssl_ocsp_cache_lookup(ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1026
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1027 if (rc == NGX_ERROR) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1028 goto failed;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1029 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1030
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1031 if (rc == NGX_DECLINED) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1032 break;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1033 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1034
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1035 /* rc == NGX_OK */
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1036
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1037 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1038 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1039 "ssl ocsp cached status \"%s\"",
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1040 OCSP_cert_status_str(ctx->status));
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1041 ocsp->cert_status = ctx->status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1042 goto done;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1043 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1044
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1045 ocsp->ctx = NULL;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1046 ngx_ssl_ocsp_done(ctx);
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1047 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1048
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1049 ngx_ssl_ocsp_request(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1050 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1051
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1052 done:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1053
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1054 ocsp->status = NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1055 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1056
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1057 failed:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1058
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1059 ocsp->status = NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1060 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1061
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1062
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1063 static void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1064 ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1065 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1066 ngx_int_t rc;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1067 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1068 ngx_connection_t *c;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1069
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1070 c = ctx->data;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1071 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1072 ocsp->ctx = NULL;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1073
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1074 rc = ngx_ssl_ocsp_verify(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1075 if (rc != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1076 ocsp->status = rc;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1077 ngx_ssl_ocsp_done(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1078 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1079 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1080
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1081 rc = ngx_ssl_ocsp_cache_store(ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1082 if (rc != NGX_OK) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1083 ocsp->status = rc;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1084 ngx_ssl_ocsp_done(ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1085 goto done;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1086 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	1087
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1088 if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1089 ocsp->cert_status = ctx->status;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1090 ocsp->status = NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1091 ngx_ssl_ocsp_done(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1092 goto done;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1093 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1094
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1095 ngx_ssl_ocsp_done(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1096
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1097 ngx_ssl_ocsp_validate_next(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1098
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1099 done:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1100
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1101 if (ocsp->status == NGX_AGAIN \|\| !c->ssl->in_ocsp) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1102 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1103 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1104
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1105 c->ssl->handshaked = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1106
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1107 c->ssl->handler(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1108 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1109
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1110
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1111 static ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1112 ngx_ssl_ocsp_responder(ngx_connection_t c, ngx_ssl_ocsp_ctx_t ctx)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1113 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1114 char *s;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1115 ngx_str_t responder;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1116 ngx_url_t u;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1117 STACK_OF(OPENSSL_STRING) *aia;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1118
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1119 if (ctx->host.len) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1120 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1121 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1122
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1123 /* extract OCSP responder URL from certificate */
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1124
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1125 aia = X509_get1_ocsp(ctx->cert);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1126 if (aia == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1127 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1128 "no OCSP responder URL in certificate");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1129 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1130 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1131
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1132 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1133 s = sk_OPENSSL_STRING_value(aia, 0);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1134 #else
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1135 s = sk_value(aia, 0);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1136 #endif
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1137 if (s == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1138 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1139 "no OCSP responder URL in certificate");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1140 X509_email_free(aia);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1141 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1142 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1143
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1144 responder.len = ngx_strlen(s);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1145 responder.data = ngx_palloc(ctx->pool, responder.len);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1146 if (responder.data == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1147 X509_email_free(aia);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1148 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1149 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1150
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1151 ngx_memcpy(responder.data, s, responder.len);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1152 X509_email_free(aia);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1153
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1154 ngx_memzero(&u, sizeof(ngx_url_t));
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1155
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1156 u.url = responder;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1157 u.default_port = 80;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1158 u.uri_part = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1159 u.no_resolve = 1;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1160
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1161 if (u.url.len > 7
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1162 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1163 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1164 u.url.len -= 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1165 u.url.data += 7;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1166
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1167 } else {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1168 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1169 "invalid URL prefix in OCSP responder \"%V\" "
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1170 "in certificate", &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1171 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1172 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1173
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1174 if (ngx_parse_url(ctx->pool, &u) != NGX_OK) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1175 if (u.err) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1176 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1177 "%s in OCSP responder \"%V\" in certificate",
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1178 u.err, &u.url);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1179 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1180
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1181 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1182 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1183
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1184 if (u.host.len == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1185 ngx_log_error(NGX_LOG_ERR, c->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1186 "empty host in OCSP responder in certificate");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1187 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1188 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1189
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1190 ctx->addrs = u.addrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1191 ctx->naddrs = u.naddrs;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1192 ctx->host = u.host;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1193 ctx->uri = u.uri;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1194 ctx->port = u.port;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1195
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1196 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1197 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1198
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1199
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1200 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1201 ngx_ssl_ocsp_get_status(ngx_connection_t c, const char *s)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1202 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1203 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1204
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1205 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1206 if (ocsp == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1207 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1208 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1209
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1210 if (ocsp->status == NGX_ERROR) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1211 *s = "certificate status request failed";
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1212 return NGX_DECLINED;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1213 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1214
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1215 switch (ocsp->cert_status) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1216
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1217 case V_OCSP_CERTSTATUS_GOOD:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1218 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1219
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1220 case V_OCSP_CERTSTATUS_REVOKED:
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1221 *s = "certificate revoked";
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1222 break;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1223
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1224 default: /* V_OCSP_CERTSTATUS_UNKNOWN */
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1225 *s = "certificate status unknown";
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1226 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1227
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1228 return NGX_DECLINED;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1229 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1230
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1231
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1232 void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1233 ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1234 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1235 ngx_ssl_ocsp_t *ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1236
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1237 ocsp = c->ssl->ocsp;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1238 if (ocsp == NULL) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1239 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1240 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1241
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1242 if (ocsp->ctx) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1243 ngx_ssl_ocsp_done(ocsp->ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1244 ocsp->ctx = NULL;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1245 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1246
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1247 if (ocsp->certs) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1248 sk_X509_pop_free(ocsp->certs, X509_free);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1249 ocsp->certs = NULL;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1250 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1251 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1252
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1253
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1254 static ngx_ssl_ocsp_ctx_t *
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1255 ngx_ssl_ocsp_start(ngx_log_t *log)
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1256 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1257 ngx_pool_t *pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1258 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1259
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1260 pool = ngx_create_pool(2048, log);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1261 if (pool == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1262 return NULL;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1263 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1264
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1265 ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1266 if (ctx == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1267 ngx_destroy_pool(pool);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1268 return NULL;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1269 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1270
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1271 log = ngx_palloc(pool, sizeof(ngx_log_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1272 if (log == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1273 ngx_destroy_pool(pool);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1274 return NULL;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1275 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1276
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1277 ctx->pool = pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1278
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1279 log = ctx->pool->log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1280
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1281 ctx->pool->log = log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1282 ctx->log = log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1283
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1284 log->handler = ngx_ssl_ocsp_log_error;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1285 log->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1286 log->action = "requesting certificate status";
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1287
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1288 return ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1289 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1290
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1291
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1292 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1293 ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1294 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1295 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1296 "ssl ocsp done");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1297
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1298 if (ctx->peer.connection) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1299 ngx_close_connection(ctx->peer.connection);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1300 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1301
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1302 ngx_destroy_pool(ctx->pool);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1303 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1304
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1305
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1306 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1307 ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1308 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1309 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1310 "ssl ocsp error");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1311
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1312 ctx->code = 0;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1313 ctx->handler(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1314 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1315
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1316
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1317 static void
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1318 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx)
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1319 {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1320 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1321 "ssl ocsp next");
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1322
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1323 if (++ctx->naddr >= ctx->naddrs) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1324 ngx_ssl_ocsp_error(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1325 return;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1326 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1327
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1328 ctx->request->pos = ctx->request->start;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1329
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1330 if (ctx->response) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1331 ctx->response->last = ctx->response->pos;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1332 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1333
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1334 if (ctx->peer.connection) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1335 ngx_close_connection(ctx->peer.connection);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1336 ctx->peer.connection = NULL;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1337 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1338
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1339 ctx->state = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1340 ctx->count = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1341 ctx->done = 0;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1342
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1343 ngx_ssl_ocsp_connect(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1344 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1345
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1346
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1347 static void
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1348 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1349 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1350 ngx_resolver_ctx_t *resolve, temp;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1351
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1352 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1353 "ssl ocsp request");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1354
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1355 if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1356 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1357 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1358 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1359
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1360 if (ctx->resolver) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1361 /* resolve OCSP responder hostname */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1362
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1363 temp.name = ctx->host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1364
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1365 resolve = ngx_resolve_start(ctx->resolver, &temp);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1366 if (resolve == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1367 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1368 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1369 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1370
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1371 if (resolve == NGX_NO_RESOLVER) {
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1372 if (ctx->naddrs == 0) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1373 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1374 "no resolver defined to resolve %V", &ctx->host);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1375
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1376 ngx_ssl_ocsp_error(ctx);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1377 return;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1378 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1379
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1380 ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1381 "no resolver defined to resolve %V", &ctx->host);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1382 goto connect;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1383 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1384
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1385 resolve->name = ctx->host;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1386 resolve->handler = ngx_ssl_ocsp_resolve_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1387 resolve->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1388 resolve->timeout = ctx->resolver_timeout;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1389
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1390 if (ngx_resolve_name(resolve) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1391 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1392 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1393 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1394
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1395 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1396 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1397
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1398 connect:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1399
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1400 ngx_ssl_ocsp_connect(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1401 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1402
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1403
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1404 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1405 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1406 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1407 ngx_ssl_ocsp_ctx_t *ctx = resolve->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1408
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1409 u_char *p;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1410 size_t len;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1411 socklen_t socklen;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1412 ngx_uint_t i;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1413 struct sockaddr *sockaddr;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1414
5234 a855ae7e6377 OCSP stapling: fixed incorrect debug level. Ruslan Ermilov <ru@nginx.com> parents: 5215 diff changeset	1415 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1416 "ssl ocsp resolve handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1417
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1418 if (resolve->state) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1419 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1420 "%V could not be resolved (%i: %s)",
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1421 &resolve->name, resolve->state,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1422 ngx_resolver_strerror(resolve->state));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1423 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1424 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1425
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1426 #if (NGX_DEBUG)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1427 {
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1428 u_char text[NGX_SOCKADDR_STRLEN];
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1429 ngx_str_t addr;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1430
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1431 addr.data = text;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1432
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1433 for (i = 0; i < resolve->naddrs; i++) {
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1434 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr,
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1435 resolve->addrs[i].socklen,
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1436 text, NGX_SOCKADDR_STRLEN, 0);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1437
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1438 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1439 "name was resolved to %V", &addr);
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1440
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1441 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1442 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1443 #endif
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1444
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1445 ctx->naddrs = resolve->naddrs;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1446 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t));
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1447
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1448 if (ctx->addrs == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1449 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1450 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1451
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1452 for (i = 0; i < resolve->naddrs; i++) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1453
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1454 socklen = resolve->addrs[i].socklen;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1455
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1456 sockaddr = ngx_palloc(ctx->pool, socklen);
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1457 if (sockaddr == NULL) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1458 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1459 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1460
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1461 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen);
6593 b3b7e33083ac Introduced ngx_inet_get_port() and ngx_inet_set_port() functions. Roman Arutyunyan <arut@nginx.com> parents: 6549 diff changeset	1462 ngx_inet_set_port(sockaddr, ctx->port);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1463
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1464 ctx->addrs[i].sockaddr = sockaddr;
07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1465 ctx->addrs[i].socklen = socklen;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1466
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1467 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1468 if (p == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1469 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1470 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1471
5475 07dd5bd222ac Changed resolver API to use ngx_addr_t. Ruslan Ermilov <ru@nginx.com> parents: 5330 diff changeset	1472 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1473
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1474 ctx->addrs[i].name.len = len;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1475 ctx->addrs[i].name.data = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1476 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1477
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1478 ngx_resolve_name_done(resolve);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1479
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1480 ngx_ssl_ocsp_connect(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1481 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1482
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1483 failed:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1484
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1485 ngx_resolve_name_done(resolve);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1486 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1487 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1488
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1489
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1490 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1491 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1492 {
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1493 ngx_int_t rc;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1494 ngx_addr_t *addr;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1495
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1496 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1497 "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1498
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1499 addr = &ctx->addrs[ctx->naddr];
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1500
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1501 ctx->peer.sockaddr = addr->sockaddr;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1502 ctx->peer.socklen = addr->socklen;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1503 ctx->peer.name = &addr->name;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1504 ctx->peer.get = ngx_event_get_peer;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1505 ctx->peer.log = ctx->log;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1506 ctx->peer.log_error = NGX_ERROR_ERR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1507
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1508 rc = ngx_event_connect_peer(&ctx->peer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1509
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1510 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1511 "ssl ocsp connect peer done");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1512
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1513 if (rc == NGX_ERROR) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1514 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1515 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1516 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1517
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1518 if (rc == NGX_BUSY \|\| rc == NGX_DECLINED) {
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1519 ngx_ssl_ocsp_next(ctx);
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1520 return;
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1521 }
7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1522
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1523 ctx->peer.connection->data = ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1524 ctx->peer.connection->pool = ctx->pool;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1525
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1526 ctx->peer.connection->read->handler = ngx_ssl_ocsp_read_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1527 ctx->peer.connection->write->handler = ngx_ssl_ocsp_write_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1528
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1529 ctx->process = ngx_ssl_ocsp_process_status_line;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1530
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1531 if (ctx->timeout) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1532 ngx_add_timer(ctx->peer.connection->read, ctx->timeout);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1533 ngx_add_timer(ctx->peer.connection->write, ctx->timeout);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1534 }
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1535
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1536 if (rc == NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1537 ngx_ssl_ocsp_write_handler(ctx->peer.connection->write);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1538 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1539 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1540 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1541
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1542
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1543 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1544 ngx_ssl_ocsp_write_handler(ngx_event_t *wev)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1545 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1546 ssize_t n, size;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1547 ngx_connection_t *c;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1548 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1549
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1550 c = wev->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1551 ctx = c->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1552
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1553 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1554 "ssl ocsp write handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1555
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1556 if (wev->timedout) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1557 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1558 "OCSP responder timed out");
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1559 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1560 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1561 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1562
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1563 size = ctx->request->last - ctx->request->pos;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1564
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1565 n = ngx_send(c, ctx->request->pos, size);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1566
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1567 if (n == NGX_ERROR) {
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1568 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1569 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1570 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1571
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1572 if (n > 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1573 ctx->request->pos += n;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1574
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1575 if (n == size) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1576 wev->handler = ngx_ssl_ocsp_dummy_handler;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1577
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1578 if (wev->timer_set) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1579 ngx_del_timer(wev);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1580 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1581
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1582 if (ngx_handle_write_event(wev, 0) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1583 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1584 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1585
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1586 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1587 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1588 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1589
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	1590 if (!wev->timer_set && ctx->timeout) {
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1591 ngx_add_timer(wev, ctx->timeout);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1592 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1593 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1594
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1595
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1596 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1597 ngx_ssl_ocsp_read_handler(ngx_event_t *rev)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1598 {
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1599 ssize_t n, size;
64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1600 ngx_int_t rc;
64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1601 ngx_connection_t *c;
64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	1602 ngx_ssl_ocsp_ctx_t *ctx;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1603
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1604 c = rev->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1605 ctx = c->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1606
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1607 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1608 "ssl ocsp read handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1609
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1610 if (rev->timedout) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1611 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1612 "OCSP responder timed out");
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1613 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1614 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1615 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1616
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1617 if (ctx->response == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1618 ctx->response = ngx_create_temp_buf(ctx->pool, 16384);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1619 if (ctx->response == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1620 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1621 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1622 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1623 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1624
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1625 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1626
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1627 size = ctx->response->end - ctx->response->last;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1628
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1629 n = ngx_recv(c, ctx->response->last, size);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1630
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1631 if (n > 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1632 ctx->response->last += n;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1633
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1634 rc = ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1635
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1636 if (rc == NGX_ERROR) {
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1637 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1638 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1639 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1640
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1641 continue;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1642 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1643
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1644 if (n == NGX_AGAIN) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1645
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1646 if (ngx_handle_read_event(rev, 0) != NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1647 ngx_ssl_ocsp_error(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1648 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1649
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1650 return;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1651 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1652
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1653 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1654 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1655
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1656 ctx->done = 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1657
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1658 rc = ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1659
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1660 if (rc == NGX_DONE) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1661 /* ctx->handler() was called */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1662 return;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1663 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1664
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1665 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1666 "OCSP responder prematurely closed connection");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1667
7652 7cffd81015e7 OCSP stapling: iterate over all responder addresses. Roman Arutyunyan <arut@nginx.com> parents: 7651 diff changeset	1668 ngx_ssl_ocsp_next(ctx);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1669 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1670
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1671
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1672 static void
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1673 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1674 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1675 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1676 "ssl ocsp dummy handler");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1677 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1678
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1679
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1680 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1681 ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1682 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1683 int len;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1684 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1685 uintptr_t escape;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1686 ngx_str_t binary, base64;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1687 ngx_buf_t *b;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1688 OCSP_CERTID *id;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1689 OCSP_REQUEST *ocsp;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1690
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1691 ocsp = OCSP_REQUEST_new();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1692 if (ocsp == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1693 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1694 "OCSP_REQUEST_new() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1695 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1696 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1697
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1698 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1699 if (id == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1700 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1701 "OCSP_cert_to_id() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1702 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1703 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1704
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1705 if (OCSP_request_add0_id(ocsp, id) == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1706 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1707 "OCSP_request_add0_id() failed");
6064 ff957cd36860 OCSP stapling: missing free calls. Filipe da Silva <fdasilva@ingima.com> parents: 5777 diff changeset	1708 OCSP_CERTID_free(id);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1709 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1710 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1711
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1712 len = i2d_OCSP_REQUEST(ocsp, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1713 if (len <= 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1714 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1715 "i2d_OCSP_REQUEST() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1716 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1717 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1718
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1719 binary.len = len;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1720 binary.data = ngx_palloc(ctx->pool, len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1721 if (binary.data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1722 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1723 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1724
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1725 p = binary.data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1726 len = i2d_OCSP_REQUEST(ocsp, &p);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1727 if (len <= 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1728 ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1729 "i2d_OCSP_REQUEST() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1730 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1731 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1732
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1733 base64.len = ngx_base64_encoded_length(binary.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1734 base64.data = ngx_palloc(ctx->pool, base64.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1735 if (base64.data == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1736 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1737 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1738
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1739 ngx_encode_base64(&base64, &binary);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1740
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1741 escape = ngx_escape_uri(NULL, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1742 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1743
4880 0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	1744 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	1745 "ssl ocsp request length %z, escape %d",
6480 f01ab2dbcfdc Fixed logging. Sergey Kandaurov <pluknet@nginx.com> parents: 6206 diff changeset	1746 base64.len, (int) escape);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1747
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1748 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1749 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1750 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1751 + sizeof(CRLF) - 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1752
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1753 b = ngx_create_temp_buf(ctx->pool, len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1754 if (b == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1755 goto failed;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1756 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1757
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1758 p = b->last;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1759
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1760 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1761 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1762
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1763 if (ctx->uri.data[ctx->uri.len - 1] != '/') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1764 *p++ = '/';
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1765 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1766
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1767 if (escape == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1768 p = ngx_cpymem(p, base64.data, base64.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1769
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1770 } else {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1771 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1772 NGX_ESCAPE_URI_COMPONENT);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1773 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1774
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1775 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1776 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1777 p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1778 p++ = CR; p++ = LF;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1779
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1780 /* add "\r\n" at the header end */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1781 p++ = CR; p++ = LF;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1782
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1783 b->last = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1784 ctx->request = b;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1785
5683 48c97d83ab7f OCSP stapling: missing OCSP request free call. Filipe da Silva <fdasilvayy@gmail.com> parents: 5477 diff changeset	1786 OCSP_REQUEST_free(ocsp);
48c97d83ab7f OCSP stapling: missing OCSP request free call. Filipe da Silva <fdasilvayy@gmail.com> parents: 5477 diff changeset	1787
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1788 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1789
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1790 failed:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1791
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1792 OCSP_REQUEST_free(ocsp);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1793
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1794 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1795 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1796
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1797
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1798 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1799 ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1800 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1801 ngx_int_t rc;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1802
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1803 rc = ngx_ssl_ocsp_parse_status_line(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1804
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1805 if (rc == NGX_OK) {
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1806 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1807 "ssl ocsp status %ui \"%*s\"",
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1808 ctx->code,
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1809 ctx->header_end - ctx->header_start,
5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1810 ctx->header_start);
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1811
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1812 ctx->process = ngx_ssl_ocsp_process_headers;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1813 return ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1814 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1815
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1816 if (rc == NGX_AGAIN) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1817 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1818 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1819
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1820 /* rc == NGX_ERROR */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1821
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1822 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1823 "OCSP responder sent invalid response");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1824
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1825 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1826 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1827
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1828
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1829 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1830 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1831 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1832 u_char ch;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1833 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1834 ngx_buf_t *b;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1835 enum {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1836 sw_start = 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1837 sw_H,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1838 sw_HT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1839 sw_HTT,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1840 sw_HTTP,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1841 sw_first_major_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1842 sw_major_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1843 sw_first_minor_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1844 sw_minor_digit,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1845 sw_status,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1846 sw_space_after_status,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1847 sw_status_text,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1848 sw_almost_done
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1849 } state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1850
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1851 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1852 "ssl ocsp process status line");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1853
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1854 state = ctx->state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1855 b = ctx->response;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1856
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1857 for (p = b->pos; p < b->last; p++) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1858 ch = *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1859
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1860 switch (state) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1861
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1862 /* "HTTP/" */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1863 case sw_start:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1864 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1865 case 'H':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1866 state = sw_H;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1867 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1868 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1869 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1870 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1871 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1872
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1873 case sw_H:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1874 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1875 case 'T':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1876 state = sw_HT;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1877 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1878 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1879 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1880 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1881 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1882
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1883 case sw_HT:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1884 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1885 case 'T':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1886 state = sw_HTT;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1887 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1888 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1889 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1890 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1891 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1892
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1893 case sw_HTT:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1894 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1895 case 'P':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1896 state = sw_HTTP;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1897 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1898 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1899 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1900 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1901 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1902
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1903 case sw_HTTP:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1904 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1905 case '/':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1906 state = sw_first_major_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1907 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1908 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1909 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1910 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1911 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1912
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1913 /* the first digit of major HTTP version */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1914 case sw_first_major_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1915 if (ch < '1' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1916 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1917 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1918
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1919 state = sw_major_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1920 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1921
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1922 /* the major HTTP version or dot */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1923 case sw_major_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1924 if (ch == '.') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1925 state = sw_first_minor_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1926 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1927 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1928
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1929 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1930 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1931 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1932
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1933 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1934
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1935 /* the first digit of minor HTTP version */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1936 case sw_first_minor_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1937 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1938 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1939 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1940
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1941 state = sw_minor_digit;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1942 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1943
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1944 /* the minor HTTP version or the end of the request line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1945 case sw_minor_digit:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1946 if (ch == ' ') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1947 state = sw_status;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1948 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1949 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1950
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1951 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1952 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1953 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1954
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1955 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1956
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1957 /* HTTP status code */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1958 case sw_status:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1959 if (ch == ' ') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1960 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1961 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1962
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1963 if (ch < '0' \|\| ch > '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1964 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1965 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1966
7067 e3723f2a11b7 Parenthesized ASCII-related calculations. Valentin Bartenev <vbart@nginx.com> parents: 6842 diff changeset	1967 ctx->code = ctx->code * 10 + (ch - '0');
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1968
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1969 if (++ctx->count == 3) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1970 state = sw_space_after_status;
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1971 ctx->header_start = p - 2;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1972 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1973
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1974 break;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	1975
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1976 /* space or end of line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1977 case sw_space_after_status:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1978 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1979 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1980 state = sw_status_text;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1981 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1982 case '.': /* IIS may send 403.1, 403.2, etc */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1983 state = sw_status_text;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1984 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1985 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1986 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1987 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1988 case LF:
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	1989 ctx->header_end = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1990 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1991 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1992 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1993 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1994 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1995
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1996 /* any text until end of line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1997 case sw_status_text:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1998 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	1999 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2000 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2001 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2002 case LF:
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	2003 ctx->header_end = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2004 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2005 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2006 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2007
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2008 /* end of status line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2009 case sw_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2010 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2011 case LF:
6811 5eb3309d0b9e OCSP stapling: added http response status logging. Maxim Dounin <mdounin@mdounin.ru> parents: 6810 diff changeset	2012 ctx->header_end = p - 1;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2013 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2014 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2015 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2016 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2017 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2018 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2019
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2020 b->pos = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2021 ctx->state = state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2022
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2023 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2024
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2025 done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2026
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2027 b->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2028 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2029
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2030 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2031 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2032
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2033
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2034 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2035 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2036 {
4876 1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2037 size_t len;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2038 ngx_int_t rc;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2039
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2040 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2041 "ssl ocsp process headers");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2042
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2043 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2044 rc = ngx_ssl_ocsp_parse_header_line(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2045
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2046 if (rc == NGX_OK) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2047
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2048 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2049 "ssl ocsp header \"%s: %s\"",
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2050 ctx->header_name_end - ctx->header_name_start,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2051 ctx->header_name_start,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2052 ctx->header_end - ctx->header_start,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2053 ctx->header_start);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2054
4876 1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2055 len = ctx->header_name_end - ctx->header_name_start;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2056
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2057 if (len == sizeof("Content-Type") - 1
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2058 && ngx_strncasecmp(ctx->header_name_start,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2059 (u_char *) "Content-Type",
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2060 sizeof("Content-Type") - 1)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2061 == 0)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2062 {
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2063 len = ctx->header_end - ctx->header_start;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2064
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2065 if (len != sizeof("application/ocsp-response") - 1
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2066 \|\| ngx_strncasecmp(ctx->header_start,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2067 (u_char *) "application/ocsp-response",
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2068 sizeof("application/ocsp-response") - 1)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2069 != 0)
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2070 {
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2071 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2072 "OCSP responder sent invalid "
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2073 "\"Content-Type\" header: \"%*s\"",
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2074 ctx->header_end - ctx->header_start,
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2075 ctx->header_start);
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2076 return NGX_ERROR;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2077 }
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2078
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2079 continue;
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2080 }
1a008f968f6d OCSP stapling: check Content-Type. Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2081
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2082 /* TODO: honor Content-Length */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2083
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2084 continue;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2085 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2086
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2087 if (rc == NGX_DONE) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2088 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2089 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2090
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2091 if (rc == NGX_AGAIN) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2092 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2093 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2094
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2095 /* rc == NGX_ERROR */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2096
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2097 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2098 "OCSP responder sent invalid response");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2099
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2100 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2101 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2102
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2103 ctx->process = ngx_ssl_ocsp_process_body;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2104 return ctx->process(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2105 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2106
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	2107
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2108 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2109 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2110 {
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	2111 u_char c, ch, *p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2112 enum {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2113 sw_start = 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2114 sw_name,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2115 sw_space_before_value,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2116 sw_value,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2117 sw_space_after_value,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2118 sw_almost_done,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2119 sw_header_almost_done
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2120 } state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2121
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2122 state = ctx->state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2123
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2124 for (p = ctx->response->pos; p < ctx->response->last; p++) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2125 ch = *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2126
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2127 #if 0
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2128 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2129 "s:%d in:'%02Xd:%c'", state, ch, ch);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2130 #endif
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2131
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2132 switch (state) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2133
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2134 /* first char */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2135 case sw_start:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2136
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2137 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2138 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2139 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2140 state = sw_header_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2141 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2142 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2143 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2144 goto header_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2145 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2146 state = sw_name;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2147 ctx->header_name_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2148
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2149 c = (u_char) (ch \| 0x20);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2150 if (c >= 'a' && c <= 'z') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2151 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2152 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2153
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2154 if (ch >= '0' && ch <= '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2155 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2156 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2157
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2158 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2159 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2160 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2161
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2162 /* header name */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2163 case sw_name:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2164 c = (u_char) (ch \| 0x20);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2165 if (c >= 'a' && c <= 'z') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2166 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2167 }
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2168
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2169 if (ch == ':') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2170 ctx->header_name_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2171 state = sw_space_before_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2172 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2173 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2174
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2175 if (ch == '-') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2176 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2177 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2178
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2179 if (ch >= '0' && ch <= '9') {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2180 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2181 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2182
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2183 if (ch == CR) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2184 ctx->header_name_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2185 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2186 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2187 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2188 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2189 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2190
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2191 if (ch == LF) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2192 ctx->header_name_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2193 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2194 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2195 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2196 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2197
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2198 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2199
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2200 /* space* before header value */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2201 case sw_space_before_value:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2202 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2203 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2204 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2205 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2206 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2207 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2208 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2209 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2210 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2211 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2212 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2213 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2214 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2215 ctx->header_start = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2216 state = sw_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2217 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2218 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2219 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2220
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2221 /* header value */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2222 case sw_value:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2223 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2224 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2225 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2226 state = sw_space_after_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2227 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2228 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2229 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2230 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2231 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2232 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2233 ctx->header_end = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2234 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2235 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2236 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2237
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2238 /* space* before end of header line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2239 case sw_space_after_value:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2240 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2241 case ' ':
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2242 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2243 case CR:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2244 state = sw_almost_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2245 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2246 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2247 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2248 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2249 state = sw_value;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2250 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2251 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2252 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2253
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2254 /* end of header line */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2255 case sw_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2256 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2257 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2258 goto done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2259 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2260 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2261 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2262
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2263 /* end of header */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2264 case sw_header_almost_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2265 switch (ch) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2266 case LF:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2267 goto header_done;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2268 default:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2269 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2270 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2271 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2272 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2273
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2274 ctx->response->pos = p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2275 ctx->state = state;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2276
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2277 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2278
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2279 done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2280
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2281 ctx->response->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2282 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2283
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2284 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2285
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2286 header_done:
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2287
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2288 ctx->response->pos = p + 1;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2289 ctx->state = sw_start;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2290
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2291 return NGX_DONE;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2292 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2293
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2294
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2295 static ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2296 ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2297 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2298 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2299 "ssl ocsp process body");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2300
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2301 if (ctx->done) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2302 ctx->handler(ctx);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2303 return NGX_DONE;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2304 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2305
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2306 return NGX_AGAIN;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2307 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2308
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2309
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2310 static ngx_int_t
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2311 ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2312 {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2313 int n;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2314 size_t len;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2315 X509_STORE *store;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2316 const u_char *p;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2317 OCSP_CERTID *id;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2318 OCSP_RESPONSE *ocsp;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2319 OCSP_BASICRESP *basic;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2320 ASN1_GENERALIZEDTIME thisupdate, nextupdate;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2321
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2322 ocsp = NULL;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2323 basic = NULL;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2324 id = NULL;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2325
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2326 if (ctx->code != 200) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2327 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2328 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2329
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2330 /* check the response */
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2331
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2332 len = ctx->response->last - ctx->response->pos;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2333 p = ctx->response->pos;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2334
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2335 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2336 if (ocsp == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2337 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2338 "d2i_OCSP_RESPONSE() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2339 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2340 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2341
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2342 n = OCSP_response_status(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2343
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2344 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2345 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2346 "OCSP response not successful (%d: %s)",
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2347 n, OCSP_response_status_str(n));
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2348 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2349 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2350
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2351 basic = OCSP_response_get1_basic(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2352 if (basic == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2353 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2354 "OCSP_response_get1_basic() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2355 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2356 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2357
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2358 store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2359 if (store == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2360 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2361 "SSL_CTX_get_cert_store() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2362 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2363 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2364
7651 6ca8e15caf1f OCSP stapling: keep extra chain in the staple object. Roman Arutyunyan <arut@nginx.com> parents: 7650 diff changeset	2365 if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
7650 abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2366 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2367 "OCSP_basic_verify() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2368 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2369 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2370
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2371 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2372 if (id == NULL) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2373 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2374 "OCSP_cert_to_id() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2375 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2376 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2377
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2378 if (OCSP_resp_find_status(basic, id, &ctx->status, NULL, NULL,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2379 &thisupdate, &nextupdate)
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2380 != 1)
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2381 {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2382 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2383 "certificate status not found in the OCSP response");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2384 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2385 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2386
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2387 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2388 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2389 "OCSP_check_validity() failed");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2390 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2391 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2392
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2393 if (nextupdate) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2394 ctx->valid = ngx_ssl_stapling_time(nextupdate);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2395 if (ctx->valid == (time_t) NGX_ERROR) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2396 ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2397 "invalid nextUpdate time in certificate status");
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2398 goto error;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2399 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2400
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2401 } else {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2402 ctx->valid = NGX_MAX_TIME_T_VALUE;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2403 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2404
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2405 OCSP_CERTID_free(id);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2406 OCSP_BASICRESP_free(basic);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2407 OCSP_RESPONSE_free(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2408
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2409 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2410 "ssl ocsp response, %s, %uz",
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2411 OCSP_cert_status_str(ctx->status), len);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2412
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2413 return NGX_OK;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2414
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2415 error:
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2416
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2417 if (id) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2418 OCSP_CERTID_free(id);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2419 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2420
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2421 if (basic) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2422 OCSP_BASICRESP_free(basic);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2423 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2424
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2425 if (ocsp) {
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2426 OCSP_RESPONSE_free(ocsp);
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2427 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2428
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2429 return NGX_ERROR;
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2430 }
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2431
abb6cc8f1dd8 OCSP stapling: moved response verification to a separate function. Roman Arutyunyan <arut@nginx.com> parents: 7509 diff changeset	2432
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2433 ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2434 ngx_ssl_ocsp_cache_init(ngx_shm_zone_t shm_zone, void data)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2435 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2436 size_t len;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2437 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2438 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2439
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2440 if (data) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2441 shm_zone->data = data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2442 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2443 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2444
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2445 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2446
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2447 if (shm_zone->shm.exists) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2448 shm_zone->data = shpool->data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2449 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2450 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2451
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2452 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_ocsp_cache_t));
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2453 if (cache == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2454 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2455 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2456
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2457 shpool->data = cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2458 shm_zone->data = cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2459
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2460 ngx_rbtree_init(&cache->rbtree, &cache->sentinel,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2461 ngx_str_rbtree_insert_value);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2462
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2463 ngx_queue_init(&cache->expire_queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2464
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2465 len = sizeof(" in OCSP cache \"\"") + shm_zone->shm.name.len;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2466
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2467 shpool->log_ctx = ngx_slab_alloc(shpool, len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2468 if (shpool->log_ctx == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2469 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2470 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2471
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2472 ngx_sprintf(shpool->log_ctx, " in OCSP cache \"%V\"%Z",
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2473 &shm_zone->shm.name);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2474
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2475 shpool->log_nomem = 0;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2476
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2477 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2478 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2479
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2480
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2481 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2482 ngx_ssl_ocsp_cache_lookup(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2483 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2484 uint32_t hash;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2485 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2486 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2487 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2488 ngx_ssl_ocsp_cache_node_t *node;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2489
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2490 shm_zone = ctx->shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2491
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2492 if (shm_zone == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2493 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2494 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2495
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2496 if (ngx_ssl_ocsp_create_key(ctx) != NGX_OK) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2497 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2498 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2499
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2500 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache lookup");
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2501
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2502 cache = shm_zone->data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2503 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2504 hash = ngx_hash_key(ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2505
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2506 ngx_shmtx_lock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2507
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2508 node = (ngx_ssl_ocsp_cache_node_t *)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2509 ngx_str_rbtree_lookup(&cache->rbtree, &ctx->key, hash);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2510
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2511 if (node) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2512 if (node->valid > ngx_time()) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2513 ctx->status = node->status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2514 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2515
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2516 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2517 "ssl ocsp cache hit, %s",
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2518 OCSP_cert_status_str(ctx->status));
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2519
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2520 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2521 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2522
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2523 ngx_queue_remove(&node->queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2524 ngx_rbtree_delete(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2525 ngx_slab_free_locked(shpool, node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2526
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2527 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2528
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2529 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2530 "ssl ocsp cache expired");
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2531
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2532 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2533 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2534
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2535 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2536
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2537 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp cache miss");
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2538
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2539 return NGX_DECLINED;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2540 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2541
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2542
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2543 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2544 ngx_ssl_ocsp_cache_store(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2545 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2546 time_t now, valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2547 uint32_t hash;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2548 ngx_queue_t *q;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2549 ngx_shm_zone_t *shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2550 ngx_slab_pool_t *shpool;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2551 ngx_ssl_ocsp_cache_t *cache;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2552 ngx_ssl_ocsp_cache_node_t *node;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2553
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2554 shm_zone = ctx->shm_zone;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2555
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2556 if (shm_zone == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2557 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2558 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2559
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2560 valid = ctx->valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2561
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2562 now = ngx_time();
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2563
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2564 if (valid < now) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2565 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2566 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2567
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2568 if (valid == NGX_MAX_TIME_T_VALUE) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2569 valid = now + 3600;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2570 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2571
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2572 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2573 "ssl ocsp cache store, valid:%T", valid - now);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2574
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2575 cache = shm_zone->data;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2576 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2577 hash = ngx_hash_key(ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2578
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2579 ngx_shmtx_lock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2580
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2581 node = ngx_slab_calloc_locked(shpool,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2582 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2583 if (node == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2584
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2585 if (!ngx_queue_empty(&cache->expire_queue)) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2586 q = ngx_queue_last(&cache->expire_queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2587 node = ngx_queue_data(q, ngx_ssl_ocsp_cache_node_t, queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2588
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2589 ngx_rbtree_delete(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2590 ngx_queue_remove(q);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2591 ngx_slab_free_locked(shpool, node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2592
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2593 node = ngx_slab_alloc_locked(shpool,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2594 sizeof(ngx_ssl_ocsp_cache_node_t) + ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2595 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2596
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2597 if (node == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2598 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2599 ngx_log_error(NGX_LOG_ALERT, ctx->log, 0,
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2600 "could not allocate new entry%s", shpool->log_ctx);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2601 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2602 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2603 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2604
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2605 node->node.str.len = ctx->key.len;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2606 node->node.str.data = (u_char *) node + sizeof(ngx_ssl_ocsp_cache_node_t);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2607 ngx_memcpy(node->node.str.data, ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2608 node->node.node.key = hash;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2609 node->status = ctx->status;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2610 node->valid = valid;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2611
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2612 ngx_rbtree_insert(&cache->rbtree, &node->node.node);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2613 ngx_queue_insert_head(&cache->expire_queue, &node->queue);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2614
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2615 ngx_shmtx_unlock(&shpool->mutex);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2616
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2617 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2618 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2619
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2620
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2621 static ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2622 ngx_ssl_ocsp_create_key(ngx_ssl_ocsp_ctx_t *ctx)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2623 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2624 u_char *p;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2625 X509_NAME *name;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2626 ASN1_INTEGER *serial;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2627
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2628 p = ngx_pnalloc(ctx->pool, 60);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2629 if (p == NULL) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2630 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2631 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2632
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2633 ctx->key.data = p;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2634 ctx->key.len = 60;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2635
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2636 name = X509_get_subject_name(ctx->issuer);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2637 if (X509_NAME_digest(name, EVP_sha1(), p, NULL) == 0) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2638 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2639 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2640
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2641 p += 20;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2642
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2643 if (X509_pubkey_digest(ctx->issuer, EVP_sha1(), p, NULL) == 0) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2644 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2645 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2646
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2647 p += 20;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2648
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2649 serial = X509_get_serialNumber(ctx->cert);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2650 if (serial->length > 20) {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2651 return NGX_ERROR;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2652 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2653
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2654 p = ngx_cpymem(p, serial->data, serial->length);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2655 ngx_memzero(p, 20 - serial->length);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2656
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2657 #if (NGX_DEBUG)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2658 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2659 u_char buf[120];
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2660
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2661 ngx_hex_dump(buf, ctx->key.data, ctx->key.len);
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2662
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2663 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
7655 bd4d1b9db0ee Fixed format specifiers. Sergey Kandaurov <pluknet@nginx.com> parents: 7654 diff changeset	2664 "ssl ocsp key %*s", sizeof(buf), buf);
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2665 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2666 #endif
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2667
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2668 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2669 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2670
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2671
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2672 static u_char *
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2673 ngx_ssl_ocsp_log_error(ngx_log_t log, u_char buf, size_t len)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2674 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2675 u_char *p;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2676 ngx_ssl_ocsp_ctx_t *ctx;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2677
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2678 p = buf;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2679
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2680 if (log->action) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2681 p = ngx_snprintf(buf, len, " while %s", log->action);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2682 len -= p - buf;
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2683 buf = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2684 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2685
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2686 ctx = log->data;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2687
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2688 if (ctx) {
6813 94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2689 p = ngx_snprintf(buf, len, ", responder: %V", &ctx->host);
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2690 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2691 buf = p;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2692 }
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2693
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2694 if (ctx && ctx->peer.name) {
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2695 p = ngx_snprintf(buf, len, ", peer: %V", ctx->peer.name);
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2696 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2697 buf = p;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2698 }
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2699
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2700 if (ctx && ctx->name) {
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2701 p = ngx_snprintf(buf, len, ", certificate: \"%s\"", ctx->name);
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2702 len -= p - buf;
94586180fb41 OCSP stapling: improved error logging context. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	2703 buf = p;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2704 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2705
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2706 return p;
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2707 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2708
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2709
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2710 #else
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2711
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2712
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2713 ngx_int_t
4880 0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	2714 ngx_ssl_stapling(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file,
0254c1a43fe5 OCSP stapling: build fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4879 diff changeset	2715 ngx_str_t *responder, ngx_uint_t verify)
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2716 {
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2717 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2718 "\"ssl_stapling\" ignored, not supported");
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2719
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2720 return NGX_OK;
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2721 }
d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2722
6810 64f5bfba5d96 OCSP stapling: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6688 diff changeset	2723
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2724 ngx_int_t
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2725 ngx_ssl_stapling_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2726 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2727 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2728 return NGX_OK;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2729 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4874 diff changeset	2730
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2731
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2732 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2733 ngx_ssl_ocsp(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *responder,
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2734 ngx_uint_t depth, ngx_shm_zone_t *shm_zone)
7653 8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2735 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2736 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2737 "\"ssl_ocsp\" is not supported on this platform");
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2738
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2739 return NGX_ERROR;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2740 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2741
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2742
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2743 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2744 ngx_ssl_ocsp_resolver(ngx_conf_t cf, ngx_ssl_t ssl,
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2745 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2746 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2747 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2748 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2749
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2750
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2751 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2752 ngx_ssl_ocsp_validate(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2753 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2754 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2755 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2756
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2757
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2758 ngx_int_t
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2759 ngx_ssl_ocsp_get_status(ngx_connection_t c, const char *s)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2760 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2761 return NGX_OK;
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2762 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2763
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2764
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2765 void
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2766 ngx_ssl_ocsp_cleanup(ngx_connection_t *c)
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2767 {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2768 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2769
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534). Roman Arutyunyan <arut@nginx.com> parents: 7652 diff changeset	2770
7654 b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2771 ngx_int_t
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2772 ngx_ssl_ocsp_cache_init(ngx_shm_zone_t shm_zone, void data)
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2773 {
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2774 return NGX_OK;
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2775 }
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2776
b56f725dd4bb OCSP: certificate status cache. Roman Arutyunyan <arut@nginx.com> parents: 7653 diff changeset	2777
4874 d1a20423c425 OCSP stapling: the ngx_event_openssl_stapling.c file. Maxim Dounin <mdounin@mdounin.ru> parents: diff changeset	2778 #endif

Mercurial > hg > nginx

annotate src/event/ngx_event_openssl_stapling.c @ 7660:d33e17499088