Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 6544:458e01ef46e6
OCSP stapling: staple provided in arguments.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 19 May 2016 14:46:32 +0300 |
| parents | 45f2385a47e6 |
| children | a873b4d9cd80 |
comparison
equal
deleted
inserted
replaced
| 6543:302ff40c9bc9 | 6544:458e01ef46e6 |
|---|---|
| 82 ngx_log_t *log; | 82 ngx_log_t *log; |
| 83 }; | 83 }; |
| 84 | 84 |
| 85 | 85 |
| 86 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, | 86 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 87 ngx_str_t *file); | 87 ngx_ssl_stapling_t *staple, ngx_str_t *file); |
| 88 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl); | 88 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 89 ngx_ssl_stapling_t *staple); | |
| 89 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, | 90 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 90 ngx_str_t *responder); | 91 ngx_ssl_stapling_t *staple, ngx_str_t *responder); |
| 91 | 92 |
| 92 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, | 93 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, |
| 93 void *data); | 94 void *data); |
| 94 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple); | 95 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple); |
| 95 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx); | 96 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx); |
| 151 staple->verify = verify; | 152 staple->verify = verify; |
| 152 | 153 |
| 153 if (file->len) { | 154 if (file->len) { |
| 154 /* use OCSP response from the file */ | 155 /* use OCSP response from the file */ |
| 155 | 156 |
| 156 if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) { | 157 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { |
| 157 return NGX_ERROR; | 158 return NGX_ERROR; |
| 158 } | 159 } |
| 159 | 160 |
| 160 goto done; | 161 goto done; |
| 161 } | 162 } |
| 162 | 163 |
| 163 rc = ngx_ssl_stapling_issuer(cf, ssl); | 164 rc = ngx_ssl_stapling_issuer(cf, ssl, staple); |
| 164 | 165 |
| 165 if (rc == NGX_DECLINED) { | 166 if (rc == NGX_DECLINED) { |
| 166 return NGX_OK; | 167 return NGX_OK; |
| 167 } | 168 } |
| 168 | 169 |
| 169 if (rc != NGX_OK) { | 170 if (rc != NGX_OK) { |
| 170 return NGX_ERROR; | 171 return NGX_ERROR; |
| 171 } | 172 } |
| 172 | 173 |
| 173 rc = ngx_ssl_stapling_responder(cf, ssl, responder); | 174 rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder); |
| 174 | 175 |
| 175 if (rc == NGX_DECLINED) { | 176 if (rc == NGX_DECLINED) { |
| 176 return NGX_OK; | 177 return NGX_OK; |
| 177 } | 178 } |
| 178 | 179 |
| 188 return NGX_OK; | 189 return NGX_OK; |
| 189 } | 190 } |
| 190 | 191 |
| 191 | 192 |
| 192 static ngx_int_t | 193 static ngx_int_t |
| 193 ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) | 194 ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 194 { | 195 ngx_ssl_stapling_t *staple, ngx_str_t *file) |
| 195 BIO *bio; | 196 { |
| 196 int len; | 197 BIO *bio; |
| 197 u_char *p, *buf; | 198 int len; |
| 198 OCSP_RESPONSE *response; | 199 u_char *p, *buf; |
| 199 ngx_ssl_stapling_t *staple; | 200 OCSP_RESPONSE *response; |
| 200 | |
| 201 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); | |
| 202 | 201 |
| 203 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { | 202 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
| 204 return NGX_ERROR; | 203 return NGX_ERROR; |
| 205 } | 204 } |
| 206 | 205 |
| 257 return NGX_ERROR; | 256 return NGX_ERROR; |
| 258 } | 257 } |
| 259 | 258 |
| 260 | 259 |
| 261 static ngx_int_t | 260 static ngx_int_t |
| 262 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl) | 261 ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 263 { | 262 ngx_ssl_stapling_t *staple) |
| 264 int i, n, rc; | 263 { |
| 265 X509 *cert, *issuer; | 264 int i, n, rc; |
| 266 X509_STORE *store; | 265 X509 *cert, *issuer; |
| 267 X509_STORE_CTX *store_ctx; | 266 X509_STORE *store; |
| 268 STACK_OF(X509) *chain; | 267 X509_STORE_CTX *store_ctx; |
| 269 ngx_ssl_stapling_t *staple; | 268 STACK_OF(X509) *chain; |
| 270 | 269 |
| 271 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); | |
| 272 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); | 270 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
| 273 | 271 |
| 274 #if OPENSSL_VERSION_NUMBER >= 0x10001000L | 272 #if OPENSSL_VERSION_NUMBER >= 0x10001000L |
| 275 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); | 273 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); |
| 276 #else | 274 #else |
| 349 return NGX_OK; | 347 return NGX_OK; |
| 350 } | 348 } |
| 351 | 349 |
| 352 | 350 |
| 353 static ngx_int_t | 351 static ngx_int_t |
| 354 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder) | 352 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, |
| 353 ngx_ssl_stapling_t *staple, ngx_str_t *responder) | |
| 355 { | 354 { |
| 356 ngx_url_t u; | 355 ngx_url_t u; |
| 357 char *s; | 356 char *s; |
| 358 ngx_ssl_stapling_t *staple; | |
| 359 STACK_OF(OPENSSL_STRING) *aia; | 357 STACK_OF(OPENSSL_STRING) *aia; |
| 360 | |
| 361 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); | |
| 362 | 358 |
| 363 if (responder->len == 0) { | 359 if (responder->len == 0) { |
| 364 | 360 |
| 365 /* extract OCSP responder URL from certificate */ | 361 /* extract OCSP responder URL from certificate */ |
| 366 | 362 |