Mercurial > hg > nginx
annotate src/event/ngx_event_openssl_stapling.c @ 6205:dcae651b2a0c
OCSP stapling: fixed ssl_stapling_file (ticket #769).
Broken by 6893a1007a7c (1.9.2) during introduction of strict OCSP response
validity checks. As stapling file is expected to be returned unconditionally,
fix is to set its validity to the maximum supported time.
Reported by Faidon Liambotis.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 07 Jul 2015 16:38:49 +0300 |
| parents | 6893a1007a7c |
| children | 595b179e429f |
| rev | line source |
|---|---|
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
2 /* |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
3 * Copyright (C) Maxim Dounin |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
4 * Copyright (C) Nginx, Inc. |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
5 */ |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
6 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
7 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
10 #include <ngx_event.h> |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
11 #include <ngx_event_connect.h> |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
12 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
13 |
|
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5683
diff
changeset
|
14 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
15 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
16 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
17 typedef struct { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
18 ngx_str_t staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
19 ngx_msec_t timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
20 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
21 ngx_resolver_t *resolver; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
22 ngx_msec_t resolver_timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
23 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
24 ngx_addr_t *addrs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
25 ngx_str_t host; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
26 ngx_str_t uri; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
27 in_port_t port; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
28 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
29 SSL_CTX *ssl_ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
30 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
31 X509 *cert; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
32 X509 *issuer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
33 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
34 time_t valid; |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
35 time_t refresh; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
36 |
|
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
37 unsigned verify:1; |
|
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
38 unsigned loading:1; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
39 } ngx_ssl_stapling_t; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
40 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
41 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
42 typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
43 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
44 struct ngx_ssl_ocsp_ctx_s { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
45 X509 *cert; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
46 X509 *issuer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
47 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
48 ngx_uint_t naddrs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
49 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
50 ngx_addr_t *addrs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
51 ngx_str_t host; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
52 ngx_str_t uri; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
53 in_port_t port; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
54 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
55 ngx_resolver_t *resolver; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
56 ngx_msec_t resolver_timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
57 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
58 ngx_msec_t timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
59 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
60 void (*handler)(ngx_ssl_ocsp_ctx_t *r); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
61 void *data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
62 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
63 ngx_buf_t *request; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
64 ngx_buf_t *response; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
65 ngx_peer_connection_t peer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
66 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
67 ngx_int_t (*process)(ngx_ssl_ocsp_ctx_t *r); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
68 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
69 ngx_uint_t state; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
70 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
71 ngx_uint_t code; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
72 ngx_uint_t count; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
73 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
74 ngx_uint_t done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
75 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
76 u_char *header_name_start; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
77 u_char *header_name_end; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
78 u_char *header_start; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
79 u_char *header_end; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
80 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
81 ngx_pool_t *pool; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
82 ngx_log_t *log; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
83 }; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
84 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
85 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
86 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
87 ngx_str_t *file); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
88 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
89 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
90 ngx_str_t *responder); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
91 |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
92 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
93 void *data); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
94 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
95 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
96 |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
97 static time_t ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
98 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
99 static void ngx_ssl_stapling_cleanup(void *data); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
100 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
101 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(void); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
102 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
103 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
104 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
105 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
106 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
107 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
108 static void ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
109 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
110 static ngx_int_t ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
111 static ngx_int_t ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
112 static ngx_int_t ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
113 static ngx_int_t ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
114 static ngx_int_t ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
115 static ngx_int_t ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
116 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
117 static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
118 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
119 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
120 ngx_int_t |
|
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
121 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
|
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
122 ngx_str_t *responder, ngx_uint_t verify) |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
123 { |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
124 ngx_int_t rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
125 ngx_pool_cleanup_t *cln; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
126 ngx_ssl_stapling_t *staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
127 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
128 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t)); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
129 if (staple == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
130 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
131 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
132 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
133 cln = ngx_pool_cleanup_add(cf->pool, 0); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
134 if (cln == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
135 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
136 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
137 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
138 cln->handler = ngx_ssl_stapling_cleanup; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
139 cln->data = staple; |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
140 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
141 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_stapling_index, staple) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
142 == 0) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
143 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
144 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
145 "SSL_CTX_set_ex_data() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
146 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
147 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
148 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
149 staple->ssl_ctx = ssl->ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
150 staple->timeout = 60000; |
|
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
151 staple->verify = verify; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
152 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
153 if (file->len) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
154 /* use OCSP response from the file */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
155 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
156 if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
157 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
158 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
159 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
160 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
161 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
162 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
163 rc = ngx_ssl_stapling_issuer(cf, ssl); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
164 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
165 if (rc == NGX_DECLINED) { |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
166 return NGX_OK; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
167 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
168 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
169 if (rc != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
170 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
171 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
172 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
173 rc = ngx_ssl_stapling_responder(cf, ssl, responder); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
174 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
175 if (rc == NGX_DECLINED) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
176 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
177 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
178 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
179 if (rc != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
180 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
181 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
182 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
183 done: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
184 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
185 SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
186 SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
187 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
188 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
189 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
190 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
191 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
192 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
193 ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
194 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
195 BIO *bio; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
196 int len; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
197 u_char *p, *buf; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
198 OCSP_RESPONSE *response; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
199 ngx_ssl_stapling_t *staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
200 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
201 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
202 |
|
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
203 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
204 return NGX_ERROR; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
205 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
206 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
207 bio = BIO_new_file((char *) file->data, "r"); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
208 if (bio == NULL) { |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
209 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
210 "BIO_new_file(\"%s\") failed", file->data); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
211 return NGX_ERROR; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
212 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
213 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
214 response = d2i_OCSP_RESPONSE_bio(bio, NULL); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
215 if (response == NULL) { |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
216 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
217 "d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
218 BIO_free(bio); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
219 return NGX_ERROR; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
220 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
221 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
222 len = i2d_OCSP_RESPONSE(response, NULL); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
223 if (len <= 0) { |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
224 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
225 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
226 goto failed; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
227 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
228 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
229 buf = ngx_alloc(len, ssl->log); |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
230 if (buf == NULL) { |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
231 goto failed; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
232 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
233 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
234 p = buf; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
235 len = i2d_OCSP_RESPONSE(response, &p); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
236 if (len <= 0) { |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
237 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
238 "i2d_OCSP_RESPONSE(\"%s\") failed", file->data); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
239 ngx_free(buf); |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
240 goto failed; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
241 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
242 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
243 OCSP_RESPONSE_free(response); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
244 BIO_free(bio); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
245 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
246 staple->staple.data = buf; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
247 staple->staple.len = len; |
|
6205
dcae651b2a0c
OCSP stapling: fixed ssl_stapling_file (ticket #769).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6181
diff
changeset
|
248 staple->valid = NGX_MAX_TIME_T_VALUE; |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
249 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
250 return NGX_OK; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
251 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
252 failed: |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
253 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
254 OCSP_RESPONSE_free(response); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
255 BIO_free(bio); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
256 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
257 return NGX_ERROR; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
258 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
259 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
260 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
261 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
262 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
263 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
264 int i, n, rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
265 X509 *cert, *issuer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
266 X509_STORE *store; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
267 X509_STORE_CTX *store_ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
268 STACK_OF(X509) *chain; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
269 ngx_ssl_stapling_t *staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
270 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
271 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
272 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
273 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
274 #if OPENSSL_VERSION_NUMBER >= 0x10001000L |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
275 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
276 #else |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
277 chain = ssl->ctx->extra_certs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
278 #endif |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
279 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
280 n = sk_X509_num(chain); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
281 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
282 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
283 "SSL get issuer: %d extra certs", n); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
284 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
285 for (i = 0; i < n; i++) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
286 issuer = sk_X509_value(chain, i); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
287 if (X509_check_issued(issuer, cert) == X509_V_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
288 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
289 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
290 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
291 "SSL get issuer: found %p in extra certs", issuer); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
292 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
293 staple->cert = cert; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
294 staple->issuer = issuer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
295 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
296 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
297 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
298 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
299 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
300 store = SSL_CTX_get_cert_store(ssl->ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
301 if (store == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
302 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
303 "SSL_CTX_get_cert_store() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
304 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
305 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
306 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
307 store_ctx = X509_STORE_CTX_new(); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
308 if (store_ctx == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
309 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
310 "X509_STORE_CTX_new() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
311 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
312 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
313 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
314 if (X509_STORE_CTX_init(store_ctx, store, NULL, NULL) == 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
315 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
316 "X509_STORE_CTX_init() failed"); |
|
6064
ff957cd36860
OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents:
5777
diff
changeset
|
317 X509_STORE_CTX_free(store_ctx); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
318 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
319 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
320 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
321 rc = X509_STORE_CTX_get1_issuer(&issuer, store_ctx, cert); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
322 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
323 if (rc == -1) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
324 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
325 "X509_STORE_CTX_get1_issuer() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
326 X509_STORE_CTX_free(store_ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
327 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
328 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
329 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
330 if (rc == 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
331 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
332 "\"ssl_stapling\" ignored, issuer certificate not found"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
333 X509_STORE_CTX_free(store_ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
334 return NGX_DECLINED; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
335 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
336 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
337 X509_STORE_CTX_free(store_ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
338 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
339 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
340 "SSL get issuer: found %p in cert store", issuer); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
341 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
342 staple->cert = cert; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
343 staple->issuer = issuer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
344 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
345 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
346 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
347 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
348 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
349 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
350 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
351 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
352 ngx_url_t u; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
353 char *s; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
354 ngx_ssl_stapling_t *staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
355 STACK_OF(OPENSSL_STRING) *aia; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
356 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
357 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
358 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
359 if (responder->len == 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
360 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
361 /* extract OCSP responder URL from certificate */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
362 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
363 aia = X509_get1_ocsp(staple->cert); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
364 if (aia == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
365 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
366 "\"ssl_stapling\" ignored, " |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
367 "no OCSP responder URL in the certificate"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
368 return NGX_DECLINED; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
369 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
370 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
371 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
372 s = sk_OPENSSL_STRING_value(aia, 0); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
373 #else |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
374 s = sk_value(aia, 0); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
375 #endif |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
376 if (s == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
377 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
378 "\"ssl_stapling\" ignored, " |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
379 "no OCSP responder URL in the certificate"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
380 X509_email_free(aia); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
381 return NGX_DECLINED; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
382 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
383 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
384 responder->len = ngx_strlen(s); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
385 responder->data = ngx_palloc(cf->pool, responder->len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
386 if (responder->data == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
387 X509_email_free(aia); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
388 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
389 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
390 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
391 ngx_memcpy(responder->data, s, responder->len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
392 X509_email_free(aia); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
393 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
394 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
395 ngx_memzero(&u, sizeof(ngx_url_t)); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
396 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
397 u.url = *responder; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
398 u.default_port = 80; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
399 u.uri_part = 1; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
400 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
401 if (u.url.len > 7 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
402 && ngx_strncasecmp(u.url.data, (u_char *) "http://", 7) == 0) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
403 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
404 u.url.len -= 7; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
405 u.url.data += 7; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
406 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
407 } else { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
408 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
409 "\"ssl_stapling\" ignored, " |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
410 "invalid URL prefix in OCSP responder \"%V\"", &u.url); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
411 return NGX_DECLINED; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
412 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
413 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
414 if (ngx_parse_url(cf->pool, &u) != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
415 if (u.err) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
416 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
417 "\"ssl_stapling\" ignored, " |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
418 "%s in OCSP responder \"%V\"", u.err, &u.url); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
419 return NGX_DECLINED; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
420 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
421 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
422 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
423 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
424 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
425 staple->addrs = u.addrs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
426 staple->host = u.host; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
427 staple->uri = u.uri; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
428 staple->port = u.port; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
429 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
430 if (staple->uri.len == 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
431 ngx_str_set(&staple->uri, "/"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
432 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
433 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
434 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
435 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
436 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
437 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
438 ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
439 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
440 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
441 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
442 ngx_ssl_stapling_t *staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
443 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
444 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
445 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
446 staple->resolver = resolver; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
447 staple->resolver_timeout = resolver_timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
448 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
449 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
450 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
451 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
452 |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
453 static int |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
454 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data) |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
455 { |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
456 int rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
457 u_char *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
458 ngx_connection_t *c; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
459 ngx_ssl_stapling_t *staple; |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
460 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
461 c = ngx_ssl_get_connection(ssl_conn); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
462 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
463 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
464 "SSL certificate status callback"); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
465 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
466 staple = data; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
467 rc = SSL_TLSEXT_ERR_NOACK; |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
468 |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
469 if (staple->staple.len |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
470 && staple->valid >= ngx_time()) |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
471 { |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
472 /* we have to copy ocsp response as OpenSSL will free it by itself */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
473 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
474 p = OPENSSL_malloc(staple->staple.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
475 if (p == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
476 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
477 return SSL_TLSEXT_ERR_NOACK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
478 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
479 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
480 ngx_memcpy(p, staple->staple.data, staple->staple.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
481 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
482 SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
483 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
484 rc = SSL_TLSEXT_ERR_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
485 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
486 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
487 ngx_ssl_stapling_update(staple); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
488 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
489 return rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
490 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
491 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
492 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
493 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
494 ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
495 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
496 ngx_ssl_ocsp_ctx_t *ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
497 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
498 if (staple->host.len == 0 |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
499 || staple->loading || staple->refresh >= ngx_time()) |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
500 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
501 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
502 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
503 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
504 staple->loading = 1; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
505 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
506 ctx = ngx_ssl_ocsp_start(); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
507 if (ctx == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
508 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
509 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
510 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
511 ctx->cert = staple->cert; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
512 ctx->issuer = staple->issuer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
513 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
514 ctx->addrs = staple->addrs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
515 ctx->host = staple->host; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
516 ctx->uri = staple->uri; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
517 ctx->port = staple->port; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
518 ctx->timeout = staple->timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
519 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
520 ctx->resolver = staple->resolver; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
521 ctx->resolver_timeout = staple->resolver_timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
522 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
523 ctx->handler = ngx_ssl_stapling_ocsp_handler; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
524 ctx->data = staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
525 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
526 ngx_ssl_ocsp_request(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
527 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
528 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
529 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
530 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
531 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
532 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
533 ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
534 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
535 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
536 const |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
537 #endif |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
538 u_char *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
539 int n; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
540 size_t len; |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
541 time_t now, valid; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
542 ngx_str_t response; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
543 X509_STORE *store; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
544 STACK_OF(X509) *chain; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
545 OCSP_CERTID *id; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
546 OCSP_RESPONSE *ocsp; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
547 OCSP_BASICRESP *basic; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
548 ngx_ssl_stapling_t *staple; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
549 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
550 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
551 staple = ctx->data; |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
552 now = ngx_time(); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
553 ocsp = NULL; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
554 basic = NULL; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
555 id = NULL; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
556 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
557 if (ctx->code != 200) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
558 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
559 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
560 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
561 /* check the response */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
562 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
563 len = ctx->response->last - ctx->response->pos; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
564 p = ctx->response->pos; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
565 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
566 ocsp = d2i_OCSP_RESPONSE(NULL, &p, len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
567 if (ocsp == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
568 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
569 "d2i_OCSP_RESPONSE() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
570 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
571 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
572 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
573 n = OCSP_response_status(ocsp); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
574 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
575 if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
576 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
577 "OCSP response not successful (%d: %s)", |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
578 n, OCSP_response_status_str(n)); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
579 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
580 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
581 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
582 basic = OCSP_response_get1_basic(ocsp); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
583 if (basic == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
584 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
585 "OCSP_response_get1_basic() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
586 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
587 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
588 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
589 store = SSL_CTX_get_cert_store(staple->ssl_ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
590 if (store == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
591 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
592 "SSL_CTX_get_cert_store() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
593 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
594 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
595 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
596 #if OPENSSL_VERSION_NUMBER >= 0x10001000L |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
597 SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
598 #else |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
599 chain = staple->ssl_ctx->extra_certs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
600 #endif |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
601 |
|
4879
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
602 if (OCSP_basic_verify(basic, chain, store, |
|
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
603 staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY) |
|
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
604 != 1) |
|
4a804fd04e6c
OCSP stapling: ssl_stapling_verify directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4878
diff
changeset
|
605 { |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
606 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
607 "OCSP_basic_verify() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
608 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
609 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
610 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
611 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
612 if (id == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
613 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
614 "OCSP_cert_to_id() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
615 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
616 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
617 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
618 if (OCSP_resp_find_status(basic, id, &n, NULL, NULL, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
619 &thisupdate, &nextupdate) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
620 != 1) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
621 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
622 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
5215
cfab1e7e4ac2
OCSP stapling: fix error logging of successful OCSP responses.
Piotr Sikora <piotr@cloudflare.com>
parents:
4880
diff
changeset
|
623 "certificate status not found in the OCSP response"); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
624 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
625 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
626 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
627 if (n != V_OCSP_CERTSTATUS_GOOD) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
628 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
629 "certificate status \"%s\" in the OCSP response", |
|
5215
cfab1e7e4ac2
OCSP stapling: fix error logging of successful OCSP responses.
Piotr Sikora <piotr@cloudflare.com>
parents:
4880
diff
changeset
|
630 OCSP_cert_status_str(n)); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
631 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
632 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
633 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
634 if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
635 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
636 "OCSP_check_validity() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
637 goto error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
638 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
639 |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
640 valid = ngx_ssl_stapling_time(nextupdate); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
641 if (valid == (time_t) NGX_ERROR) { |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
642 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
643 "invalid nextUpdate time in certificate status"); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
644 goto error; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
645 } |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
646 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
647 OCSP_CERTID_free(id); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
648 OCSP_BASICRESP_free(basic); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
649 OCSP_RESPONSE_free(ocsp); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
650 |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
651 id = NULL; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
652 basic = NULL; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
653 ocsp = NULL; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
654 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
655 /* copy the response to memory not in ctx->pool */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
656 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
657 response.len = len; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
658 response.data = ngx_alloc(response.len, ctx->log); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
659 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
660 if (response.data == NULL) { |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
661 goto error; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
662 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
663 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
664 ngx_memcpy(response.data, ctx->response->pos, response.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
665 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
666 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
667 "ssl ocsp response, %s, %uz", |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
668 OCSP_cert_status_str(n), response.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
669 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
670 if (staple->staple.data) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
671 ngx_free(staple->staple.data); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
672 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
673 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
674 staple->staple = response; |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
675 staple->valid = valid; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
676 |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
677 /* |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
678 * refresh before the response expires, |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
679 * but not earlier than in 5 minutes, and at least in an hour |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
680 */ |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
681 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
682 staple->loading = 0; |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
683 staple->refresh = ngx_max(ngx_min(valid - 300, now + 3600), now + 300); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
684 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
685 ngx_ssl_ocsp_done(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
686 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
687 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
688 error: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
689 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
690 staple->loading = 0; |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
691 staple->refresh = now + 300; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
692 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
693 if (id) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
694 OCSP_CERTID_free(id); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
695 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
696 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
697 if (basic) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
698 OCSP_BASICRESP_free(basic); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
699 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
700 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
701 if (ocsp) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
702 OCSP_RESPONSE_free(ocsp); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
703 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
704 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
705 ngx_ssl_ocsp_done(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
706 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
707 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
708 |
|
6181
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
709 static time_t |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
710 ngx_ssl_stapling_time(ASN1_GENERALIZEDTIME *asn1time) |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
711 { |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
712 u_char *value; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
713 size_t len; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
714 time_t time; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
715 BIO *bio; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
716 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
717 /* |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
718 * OpenSSL doesn't provide a way to convert ASN1_GENERALIZEDTIME |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
719 * into time_t. To do this, we use ASN1_GENERALIZEDTIME_print(), |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
720 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g., |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
721 * "Feb 3 00:55:52 2015 GMT"), and parse the result. |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
722 */ |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
723 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
724 bio = BIO_new(BIO_s_mem()); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
725 if (bio == NULL) { |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
726 return NGX_ERROR; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
727 } |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
728 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
729 /* fake weekday prepended to match C asctime() format */ |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
730 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
731 BIO_write(bio, "Tue ", sizeof("Tue ") - 1); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
732 ASN1_GENERALIZEDTIME_print(bio, asn1time); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
733 len = BIO_get_mem_data(bio, &value); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
734 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
735 time = ngx_parse_http_time(value, len); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
736 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
737 BIO_free(bio); |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
738 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
739 return time; |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
740 } |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
741 |
|
6893a1007a7c
OCSP stapling: avoid sending expired responses (ticket #425).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6064
diff
changeset
|
742 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
743 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
744 ngx_ssl_stapling_cleanup(void *data) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
745 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
746 ngx_ssl_stapling_t *staple = data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
747 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
748 if (staple->issuer) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
749 X509_free(staple->issuer); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
750 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
751 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
752 if (staple->staple.data) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
753 ngx_free(staple->staple.data); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
754 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
755 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
756 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
757 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
758 static ngx_ssl_ocsp_ctx_t * |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
759 ngx_ssl_ocsp_start(void) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
760 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
761 ngx_log_t *log; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
762 ngx_pool_t *pool; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
763 ngx_ssl_ocsp_ctx_t *ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
764 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
765 pool = ngx_create_pool(2048, ngx_cycle->log); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
766 if (pool == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
767 return NULL; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
768 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
769 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
770 ctx = ngx_pcalloc(pool, sizeof(ngx_ssl_ocsp_ctx_t)); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
771 if (ctx == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
772 ngx_destroy_pool(pool); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
773 return NULL; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
774 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
775 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
776 log = ngx_palloc(pool, sizeof(ngx_log_t)); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
777 if (log == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
778 ngx_destroy_pool(pool); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
779 return NULL; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
780 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
781 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
782 ctx->pool = pool; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
783 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
784 *log = *ctx->pool->log; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
785 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
786 ctx->pool->log = log; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
787 ctx->log = log; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
788 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
789 log->handler = ngx_ssl_ocsp_log_error; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
790 log->data = ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
791 log->action = "requesting certificate status"; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
792 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
793 return ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
794 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
795 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
796 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
797 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
798 ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
799 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
800 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
801 "ssl ocsp done"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
802 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
803 if (ctx->peer.connection) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
804 ngx_close_connection(ctx->peer.connection); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
805 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
806 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
807 ngx_destroy_pool(ctx->pool); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
808 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
809 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
810 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
811 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
812 ngx_ssl_ocsp_error(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
813 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
814 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
815 "ssl ocsp error"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
816 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
817 ctx->code = 0; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
818 ctx->handler(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
819 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
820 |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
821 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
822 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
823 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
824 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
825 ngx_resolver_ctx_t *resolve, temp; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
826 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
827 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
828 "ssl ocsp request"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
829 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
830 if (ngx_ssl_ocsp_create_request(ctx) != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
831 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
832 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
833 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
834 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
835 if (ctx->resolver) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
836 /* resolve OCSP responder hostname */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
837 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
838 temp.name = ctx->host; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
839 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
840 resolve = ngx_resolve_start(ctx->resolver, &temp); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
841 if (resolve == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
842 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
843 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
844 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
845 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
846 if (resolve == NGX_NO_RESOLVER) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
847 ngx_log_error(NGX_LOG_WARN, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
848 "no resolver defined to resolve %V", &ctx->host); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
849 goto connect; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
850 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
851 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
852 resolve->name = ctx->host; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
853 resolve->handler = ngx_ssl_ocsp_resolve_handler; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
854 resolve->data = ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
855 resolve->timeout = ctx->resolver_timeout; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
856 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
857 if (ngx_resolve_name(resolve) != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
858 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
859 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
860 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
861 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
862 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
863 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
864 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
865 connect: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
866 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
867 ngx_ssl_ocsp_connect(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
868 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
869 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
870 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
871 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
872 ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
873 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
874 ngx_ssl_ocsp_ctx_t *ctx = resolve->data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
875 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
876 u_char *p; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
877 size_t len; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
878 in_port_t port; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
879 socklen_t socklen; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
880 ngx_uint_t i; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
881 struct sockaddr *sockaddr; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
882 |
|
5234
a855ae7e6377
OCSP stapling: fixed incorrect debug level.
Ruslan Ermilov <ru@nginx.com>
parents:
5215
diff
changeset
|
883 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
884 "ssl ocsp resolve handler"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
885 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
886 if (resolve->state) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
887 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
888 "%V could not be resolved (%i: %s)", |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
889 &resolve->name, resolve->state, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
890 ngx_resolver_strerror(resolve->state)); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
891 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
892 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
893 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
894 #if (NGX_DEBUG) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
895 { |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
896 u_char text[NGX_SOCKADDR_STRLEN]; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
897 ngx_str_t addr; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
898 |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
899 addr.data = text; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
900 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
901 for (i = 0; i < resolve->naddrs; i++) { |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
902 addr.len = ngx_sock_ntop(resolve->addrs[i].sockaddr, |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
903 resolve->addrs[i].socklen, |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
904 text, NGX_SOCKADDR_STRLEN, 0); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
905 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
906 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
907 "name was resolved to %V", &addr); |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
908 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
909 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
910 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
911 #endif |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
912 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
913 ctx->naddrs = resolve->naddrs; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
914 ctx->addrs = ngx_pcalloc(ctx->pool, ctx->naddrs * sizeof(ngx_addr_t)); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
915 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
916 if (ctx->addrs == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
917 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
918 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
919 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
920 port = htons(ctx->port); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
921 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
922 for (i = 0; i < resolve->naddrs; i++) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
923 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
924 socklen = resolve->addrs[i].socklen; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
925 |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
926 sockaddr = ngx_palloc(ctx->pool, socklen); |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
927 if (sockaddr == NULL) { |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
928 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
929 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
930 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
931 ngx_memcpy(sockaddr, resolve->addrs[i].sockaddr, socklen); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
932 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
933 switch (sockaddr->sa_family) { |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
934 #if (NGX_HAVE_INET6) |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
935 case AF_INET6: |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
936 ((struct sockaddr_in6 *) sockaddr)->sin6_port = port; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
937 break; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
938 #endif |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
939 default: /* AF_INET */ |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
940 ((struct sockaddr_in *) sockaddr)->sin_port = port; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
941 } |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
942 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
943 ctx->addrs[i].sockaddr = sockaddr; |
|
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
944 ctx->addrs[i].socklen = socklen; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
945 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
946 p = ngx_pnalloc(ctx->pool, NGX_SOCKADDR_STRLEN); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
947 if (p == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
948 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
949 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
950 |
|
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
5330
diff
changeset
|
951 len = ngx_sock_ntop(sockaddr, socklen, p, NGX_SOCKADDR_STRLEN, 1); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
952 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
953 ctx->addrs[i].name.len = len; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
954 ctx->addrs[i].name.data = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
955 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
956 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
957 ngx_resolve_name_done(resolve); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
958 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
959 ngx_ssl_ocsp_connect(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
960 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
961 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
962 failed: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
963 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
964 ngx_resolve_name_done(resolve); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
965 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
966 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
967 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
968 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
969 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
970 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
971 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
972 ngx_int_t rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
973 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
974 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
975 "ssl ocsp connect"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
976 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
977 /* TODO: use all ip addresses */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
978 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
979 ctx->peer.sockaddr = ctx->addrs[0].sockaddr; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
980 ctx->peer.socklen = ctx->addrs[0].socklen; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
981 ctx->peer.name = &ctx->addrs[0].name; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
982 ctx->peer.get = ngx_event_get_peer; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
983 ctx->peer.log = ctx->log; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
984 ctx->peer.log_error = NGX_ERROR_ERR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
985 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
986 rc = ngx_event_connect_peer(&ctx->peer); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
987 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
988 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
989 "ssl ocsp connect peer done"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
990 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
991 if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
992 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
993 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
994 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
995 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
996 ctx->peer.connection->data = ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
997 ctx->peer.connection->pool = ctx->pool; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
998 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
999 ctx->peer.connection->read->handler = ngx_ssl_ocsp_read_handler; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1000 ctx->peer.connection->write->handler = ngx_ssl_ocsp_write_handler; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1001 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1002 ctx->process = ngx_ssl_ocsp_process_status_line; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1003 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1004 ngx_add_timer(ctx->peer.connection->read, ctx->timeout); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1005 ngx_add_timer(ctx->peer.connection->write, ctx->timeout); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1006 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1007 if (rc == NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1008 ngx_ssl_ocsp_write_handler(ctx->peer.connection->write); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1009 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1010 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1011 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1012 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1013 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1014 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1015 ngx_ssl_ocsp_write_handler(ngx_event_t *wev) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1016 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1017 ssize_t n, size; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1018 ngx_connection_t *c; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1019 ngx_ssl_ocsp_ctx_t *ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1020 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1021 c = wev->data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1022 ctx = c->data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1023 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1024 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, wev->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1025 "ssl ocsp write handler"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1026 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1027 if (wev->timedout) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1028 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1029 "OCSP responder timed out"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1030 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1031 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1032 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1033 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1034 size = ctx->request->last - ctx->request->pos; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1035 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1036 n = ngx_send(c, ctx->request->pos, size); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1037 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1038 if (n == NGX_ERROR) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1039 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1040 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1041 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1042 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1043 if (n > 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1044 ctx->request->pos += n; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1045 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1046 if (n == size) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1047 wev->handler = ngx_ssl_ocsp_dummy_handler; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1048 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1049 if (wev->timer_set) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1050 ngx_del_timer(wev); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1051 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1052 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1053 if (ngx_handle_write_event(wev, 0) != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1054 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1055 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1056 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1057 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1058 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1059 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1060 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1061 if (!wev->timer_set) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1062 ngx_add_timer(wev, ctx->timeout); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1063 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1064 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1065 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1066 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1067 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1068 ngx_ssl_ocsp_read_handler(ngx_event_t *rev) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1069 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1070 ssize_t n, size; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1071 ngx_int_t rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1072 ngx_ssl_ocsp_ctx_t *ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1073 ngx_connection_t *c; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1074 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1075 c = rev->data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1076 ctx = c->data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1077 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1078 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, rev->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1079 "ssl ocsp read handler"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1080 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1081 if (rev->timedout) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1082 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1083 "OCSP responder timed out"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1084 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1085 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1086 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1087 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1088 if (ctx->response == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1089 ctx->response = ngx_create_temp_buf(ctx->pool, 16384); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1090 if (ctx->response == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1091 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1092 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1093 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1094 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1095 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1096 for ( ;; ) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1097 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1098 size = ctx->response->end - ctx->response->last; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1099 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1100 n = ngx_recv(c, ctx->response->last, size); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1101 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1102 if (n > 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1103 ctx->response->last += n; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1104 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1105 rc = ctx->process(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1106 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1107 if (rc == NGX_ERROR) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1108 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1109 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1110 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1111 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1112 continue; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1113 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1114 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1115 if (n == NGX_AGAIN) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1116 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1117 if (ngx_handle_read_event(rev, 0) != NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1118 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1119 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1120 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1121 return; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1122 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1123 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1124 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1125 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1126 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1127 ctx->done = 1; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1128 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1129 rc = ctx->process(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1130 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1131 if (rc == NGX_DONE) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1132 /* ctx->handler() was called */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1133 return; |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1134 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1135 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1136 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1137 "OCSP responder prematurely closed connection"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1138 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1139 ngx_ssl_ocsp_error(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1140 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1141 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1142 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1143 static void |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1144 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1145 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1146 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1147 "ssl ocsp dummy handler"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1148 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1149 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1150 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1151 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1152 ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1153 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1154 int len; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1155 u_char *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1156 uintptr_t escape; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1157 ngx_str_t binary, base64; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1158 ngx_buf_t *b; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1159 OCSP_CERTID *id; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1160 OCSP_REQUEST *ocsp; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1161 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1162 ocsp = OCSP_REQUEST_new(); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1163 if (ocsp == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1164 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1165 "OCSP_REQUEST_new() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1166 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1167 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1168 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1169 id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1170 if (id == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1171 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1172 "OCSP_cert_to_id() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1173 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1174 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1175 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1176 if (OCSP_request_add0_id(ocsp, id) == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1177 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1178 "OCSP_request_add0_id() failed"); |
|
6064
ff957cd36860
OCSP stapling: missing free calls.
Filipe da Silva <fdasilva@ingima.com>
parents:
5777
diff
changeset
|
1179 OCSP_CERTID_free(id); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1180 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1181 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1182 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1183 len = i2d_OCSP_REQUEST(ocsp, NULL); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1184 if (len <= 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1185 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1186 "i2d_OCSP_REQUEST() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1187 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1188 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1189 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1190 binary.len = len; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1191 binary.data = ngx_palloc(ctx->pool, len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1192 if (binary.data == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1193 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1194 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1195 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1196 p = binary.data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1197 len = i2d_OCSP_REQUEST(ocsp, &p); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1198 if (len <= 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1199 ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1200 "i2d_OCSP_REQUEST() failed"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1201 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1202 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1203 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1204 base64.len = ngx_base64_encoded_length(binary.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1205 base64.data = ngx_palloc(ctx->pool, base64.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1206 if (base64.data == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1207 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1208 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1209 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1210 ngx_encode_base64(&base64, &binary); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1211 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1212 escape = ngx_escape_uri(NULL, base64.data, base64.len, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1213 NGX_ESCAPE_URI_COMPONENT); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1214 |
|
4880
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1215 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1216 "ssl ocsp request length %z, escape %d", |
|
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1217 base64.len, escape); |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1218 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1219 len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1220 + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1221 + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1222 + sizeof(CRLF) - 1; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1223 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1224 b = ngx_create_temp_buf(ctx->pool, len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1225 if (b == NULL) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1226 goto failed; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1227 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1228 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1229 p = b->last; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1230 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1231 p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1232 p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1233 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1234 if (ctx->uri.data[ctx->uri.len - 1] != '/') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1235 *p++ = '/'; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1236 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1237 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1238 if (escape == 0) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1239 p = ngx_cpymem(p, base64.data, base64.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1240 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1241 } else { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1242 p = (u_char *) ngx_escape_uri(p, base64.data, base64.len, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1243 NGX_ESCAPE_URI_COMPONENT); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1244 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1245 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1246 p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1247 p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1248 p = ngx_cpymem(p, ctx->host.data, ctx->host.len); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1249 *p++ = CR; *p++ = LF; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1250 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1251 /* add "\r\n" at the header end */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1252 *p++ = CR; *p++ = LF; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1253 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1254 b->last = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1255 ctx->request = b; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1256 |
|
5683
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1257 OCSP_REQUEST_free(ocsp); |
|
48c97d83ab7f
OCSP stapling: missing OCSP request free call.
Filipe da Silva <fdasilvayy@gmail.com>
parents:
5477
diff
changeset
|
1258 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1259 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1260 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1261 failed: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1262 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1263 OCSP_REQUEST_free(ocsp); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1264 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1265 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1266 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1267 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1268 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1269 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1270 ngx_ssl_ocsp_process_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1271 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1272 ngx_int_t rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1273 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1274 rc = ngx_ssl_ocsp_parse_status_line(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1275 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1276 if (rc == NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1277 #if 0 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1278 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1279 "ssl ocsp status line \"%*s\"", |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1280 ctx->response->pos - ctx->response->start, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1281 ctx->response->start); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1282 #endif |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1283 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1284 ctx->process = ngx_ssl_ocsp_process_headers; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1285 return ctx->process(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1286 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1287 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1288 if (rc == NGX_AGAIN) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1289 return NGX_AGAIN; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1290 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1291 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1292 /* rc == NGX_ERROR */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1293 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1294 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1295 "OCSP responder sent invalid response"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1296 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1297 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1298 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1299 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1300 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1301 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1302 ngx_ssl_ocsp_parse_status_line(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1303 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1304 u_char ch; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1305 u_char *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1306 ngx_buf_t *b; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1307 enum { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1308 sw_start = 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1309 sw_H, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1310 sw_HT, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1311 sw_HTT, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1312 sw_HTTP, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1313 sw_first_major_digit, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1314 sw_major_digit, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1315 sw_first_minor_digit, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1316 sw_minor_digit, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1317 sw_status, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1318 sw_space_after_status, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1319 sw_status_text, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1320 sw_almost_done |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1321 } state; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1322 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1323 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1324 "ssl ocsp process status line"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1325 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1326 state = ctx->state; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1327 b = ctx->response; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1328 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1329 for (p = b->pos; p < b->last; p++) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1330 ch = *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1331 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1332 switch (state) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1333 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1334 /* "HTTP/" */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1335 case sw_start: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1336 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1337 case 'H': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1338 state = sw_H; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1339 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1340 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1341 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1342 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1343 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1344 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1345 case sw_H: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1346 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1347 case 'T': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1348 state = sw_HT; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1349 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1350 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1351 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1352 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1353 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1354 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1355 case sw_HT: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1356 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1357 case 'T': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1358 state = sw_HTT; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1359 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1360 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1361 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1362 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1363 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1364 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1365 case sw_HTT: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1366 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1367 case 'P': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1368 state = sw_HTTP; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1369 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1370 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1371 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1372 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1373 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1374 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1375 case sw_HTTP: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1376 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1377 case '/': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1378 state = sw_first_major_digit; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1379 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1380 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1381 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1382 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1383 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1384 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1385 /* the first digit of major HTTP version */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1386 case sw_first_major_digit: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1387 if (ch < '1' || ch > '9') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1388 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1389 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1390 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1391 state = sw_major_digit; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1392 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1393 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1394 /* the major HTTP version or dot */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1395 case sw_major_digit: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1396 if (ch == '.') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1397 state = sw_first_minor_digit; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1398 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1399 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1400 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1401 if (ch < '0' || ch > '9') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1402 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1403 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1404 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1405 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1406 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1407 /* the first digit of minor HTTP version */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1408 case sw_first_minor_digit: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1409 if (ch < '0' || ch > '9') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1410 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1411 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1412 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1413 state = sw_minor_digit; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1414 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1415 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1416 /* the minor HTTP version or the end of the request line */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1417 case sw_minor_digit: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1418 if (ch == ' ') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1419 state = sw_status; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1420 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1421 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1422 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1423 if (ch < '0' || ch > '9') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1424 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1425 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1426 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1427 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1428 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1429 /* HTTP status code */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1430 case sw_status: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1431 if (ch == ' ') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1432 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1433 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1434 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1435 if (ch < '0' || ch > '9') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1436 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1437 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1438 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1439 ctx->code = ctx->code * 10 + ch - '0'; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1440 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1441 if (++ctx->count == 3) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1442 state = sw_space_after_status; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1443 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1444 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1445 break; |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1446 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1447 /* space or end of line */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1448 case sw_space_after_status: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1449 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1450 case ' ': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1451 state = sw_status_text; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1452 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1453 case '.': /* IIS may send 403.1, 403.2, etc */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1454 state = sw_status_text; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1455 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1456 case CR: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1457 state = sw_almost_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1458 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1459 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1460 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1461 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1462 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1463 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1464 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1465 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1466 /* any text until end of line */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1467 case sw_status_text: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1468 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1469 case CR: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1470 state = sw_almost_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1471 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1472 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1473 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1474 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1475 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1476 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1477 /* end of status line */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1478 case sw_almost_done: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1479 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1480 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1481 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1482 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1483 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1484 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1485 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1486 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1487 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1488 b->pos = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1489 ctx->state = state; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1490 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1491 return NGX_AGAIN; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1492 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1493 done: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1494 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1495 b->pos = p + 1; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1496 ctx->state = sw_start; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1497 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1498 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1499 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1500 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1501 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1502 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1503 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1504 { |
|
4876
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1505 size_t len; |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1506 ngx_int_t rc; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1507 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1508 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1509 "ssl ocsp process headers"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1510 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1511 for ( ;; ) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1512 rc = ngx_ssl_ocsp_parse_header_line(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1513 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1514 if (rc == NGX_OK) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1515 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1516 ngx_log_debug4(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1517 "ssl ocsp header \"%*s: %*s\"", |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1518 ctx->header_name_end - ctx->header_name_start, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1519 ctx->header_name_start, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1520 ctx->header_end - ctx->header_start, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1521 ctx->header_start); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1522 |
|
4876
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1523 len = ctx->header_name_end - ctx->header_name_start; |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1524 |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1525 if (len == sizeof("Content-Type") - 1 |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1526 && ngx_strncasecmp(ctx->header_name_start, |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1527 (u_char *) "Content-Type", |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1528 sizeof("Content-Type") - 1) |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1529 == 0) |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1530 { |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1531 len = ctx->header_end - ctx->header_start; |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1532 |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1533 if (len != sizeof("application/ocsp-response") - 1 |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1534 || ngx_strncasecmp(ctx->header_start, |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1535 (u_char *) "application/ocsp-response", |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1536 sizeof("application/ocsp-response") - 1) |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1537 != 0) |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1538 { |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1539 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1540 "OCSP responder sent invalid " |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1541 "\"Content-Type\" header: \"%*s\"", |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1542 ctx->header_end - ctx->header_start, |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1543 ctx->header_start); |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1544 return NGX_ERROR; |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1545 } |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1546 |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1547 continue; |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1548 } |
|
1a008f968f6d
OCSP stapling: check Content-Type.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
1549 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1550 /* TODO: honor Content-Length */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1551 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1552 continue; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1553 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1554 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1555 if (rc == NGX_DONE) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1556 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1557 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1558 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1559 if (rc == NGX_AGAIN) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1560 return NGX_AGAIN; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1561 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1562 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1563 /* rc == NGX_ERROR */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1564 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1565 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1566 "OCSP responder sent invalid response"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1567 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1568 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1569 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1570 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1571 ctx->process = ngx_ssl_ocsp_process_body; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1572 return ctx->process(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1573 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1574 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1575 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1576 ngx_ssl_ocsp_parse_header_line(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1577 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1578 u_char c, ch, *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1579 enum { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1580 sw_start = 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1581 sw_name, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1582 sw_space_before_value, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1583 sw_value, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1584 sw_space_after_value, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1585 sw_almost_done, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1586 sw_header_almost_done |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1587 } state; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1588 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1589 state = ctx->state; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1590 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1591 for (p = ctx->response->pos; p < ctx->response->last; p++) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1592 ch = *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1593 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1594 #if 0 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1595 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1596 "s:%d in:'%02Xd:%c'", state, ch, ch); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1597 #endif |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1598 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1599 switch (state) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1600 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1601 /* first char */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1602 case sw_start: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1603 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1604 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1605 case CR: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1606 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1607 state = sw_header_almost_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1608 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1609 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1610 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1611 goto header_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1612 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1613 state = sw_name; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1614 ctx->header_name_start = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1615 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1616 c = (u_char) (ch | 0x20); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1617 if (c >= 'a' && c <= 'z') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1618 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1619 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1620 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1621 if (ch >= '0' && ch <= '9') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1622 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1623 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1624 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1625 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1626 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1627 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1628 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1629 /* header name */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1630 case sw_name: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1631 c = (u_char) (ch | 0x20); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1632 if (c >= 'a' && c <= 'z') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1633 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1634 } |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1635 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1636 if (ch == ':') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1637 ctx->header_name_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1638 state = sw_space_before_value; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1639 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1640 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1641 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1642 if (ch == '-') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1643 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1644 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1645 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1646 if (ch >= '0' && ch <= '9') { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1647 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1648 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1649 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1650 if (ch == CR) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1651 ctx->header_name_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1652 ctx->header_start = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1653 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1654 state = sw_almost_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1655 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1656 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1657 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1658 if (ch == LF) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1659 ctx->header_name_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1660 ctx->header_start = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1661 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1662 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1663 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1664 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1665 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1666 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1667 /* space* before header value */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1668 case sw_space_before_value: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1669 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1670 case ' ': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1671 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1672 case CR: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1673 ctx->header_start = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1674 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1675 state = sw_almost_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1676 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1677 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1678 ctx->header_start = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1679 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1680 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1681 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1682 ctx->header_start = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1683 state = sw_value; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1684 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1685 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1686 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1687 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1688 /* header value */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1689 case sw_value: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1690 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1691 case ' ': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1692 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1693 state = sw_space_after_value; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1694 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1695 case CR: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1696 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1697 state = sw_almost_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1698 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1699 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1700 ctx->header_end = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1701 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1702 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1703 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1704 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1705 /* space* before end of header line */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1706 case sw_space_after_value: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1707 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1708 case ' ': |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1709 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1710 case CR: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1711 state = sw_almost_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1712 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1713 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1714 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1715 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1716 state = sw_value; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1717 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1718 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1719 break; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1720 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1721 /* end of header line */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1722 case sw_almost_done: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1723 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1724 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1725 goto done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1726 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1727 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1728 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1729 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1730 /* end of header */ |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1731 case sw_header_almost_done: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1732 switch (ch) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1733 case LF: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1734 goto header_done; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1735 default: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1736 return NGX_ERROR; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1737 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1738 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1739 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1740 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1741 ctx->response->pos = p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1742 ctx->state = state; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1743 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1744 return NGX_AGAIN; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1745 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1746 done: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1747 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1748 ctx->response->pos = p + 1; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1749 ctx->state = sw_start; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1750 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1751 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1752 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1753 header_done: |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1754 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1755 ctx->response->pos = p + 1; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1756 ctx->state = sw_start; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1757 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1758 return NGX_DONE; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1759 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1760 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1761 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1762 static ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1763 ngx_ssl_ocsp_process_body(ngx_ssl_ocsp_ctx_t *ctx) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1764 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1765 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1766 "ssl ocsp process body"); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1767 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1768 if (ctx->done) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1769 ctx->handler(ctx); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1770 return NGX_DONE; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1771 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1772 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1773 return NGX_AGAIN; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1774 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1775 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1776 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1777 static u_char * |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1778 ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1779 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1780 u_char *p; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1781 ngx_ssl_ocsp_ctx_t *ctx; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1782 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1783 p = buf; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1784 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1785 if (log->action) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1786 p = ngx_snprintf(buf, len, " while %s", log->action); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1787 len -= p - buf; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1788 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1789 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1790 ctx = log->data; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1791 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1792 if (ctx) { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1793 p = ngx_snprintf(p, len, ", responder: %V", &ctx->host); |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1794 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1795 |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1796 return p; |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1797 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1798 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1799 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1800 #else |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1801 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1802 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1803 ngx_int_t |
|
4880
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1804 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
|
0254c1a43fe5
OCSP stapling: build fixes.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4879
diff
changeset
|
1805 ngx_str_t *responder, ngx_uint_t verify) |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1806 { |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1807 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1808 "\"ssl_stapling\" ignored, not supported"); |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1809 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1810 return NGX_OK; |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1811 } |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1812 |
|
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1813 ngx_int_t |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1814 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1815 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1816 { |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1817 return NGX_OK; |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1818 } |
|
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4874
diff
changeset
|
1819 |
|
4874
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1820 |
|
d1a20423c425
OCSP stapling: the ngx_event_openssl_stapling.c file.
Maxim Dounin <mdounin@mdounin.ru>
parents:
diff
changeset
|
1821 #endif |