comparison src/event/ngx_event_openssl_stapling.c @ 6544:458e01ef46e6
OCSP stapling: staple provided in arguments.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | 45f2385a47e6 |
children | a873b4d9cd80 |
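--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -82,14 +82,15 @@
 ngx_log_t *log;
 };
 
 
 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
-ngx_str_t *file);
-static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl);
+ngx_ssl_stapling_t *staple, ngx_str_t *file);
+static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ngx_ssl_stapling_t *staple);
 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
-ngx_str_t *responder);
+ngx_ssl_stapling_t *staple, ngx_str_t *responder);
 
 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
 void *data);
 static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
@@ -151,28 +152,28 @@
 staple->verify = verify;
 
 if (file->len) {
 /* use OCSP response from the file */
 
-if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) {
+if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
 return NGX_ERROR;
 }
 
 goto done;
 }
 
-rc = ngx_ssl_stapling_issuer(cf, ssl);
+rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
 
 if (rc == NGX_DECLINED) {
 return NGX_OK;
 }
 
 if (rc != NGX_OK) {
 return NGX_ERROR;
 }
 
-rc = ngx_ssl_stapling_responder(cf, ssl, responder);
+rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder);
 
 if (rc == NGX_DECLINED) {
 return NGX_OK;
 }
 
@@ -188,19 +189,17 @@
 return NGX_OK;
 }
 
 
 static ngx_int_t
-ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ngx_ssl_stapling_t *staple, ngx_str_t *file)
 {
 BIO *bio;
 int len;
 u_char *p, *buf;
 OCSP_RESPONSE *response;
-ngx_ssl_stapling_t *staple;
-
-staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
 
 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
 return NGX_ERROR;
 }
 
@@ -257,20 +256,19 @@
 return NGX_ERROR;
 }
 
 
 static ngx_int_t
-ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl)
+ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ngx_ssl_stapling_t *staple)
 {
 int i, n, rc;
 X509 *cert, *issuer;
 X509_STORE *store;
 X509_STORE_CTX *store_ctx;
 STACK_OF(X509) *chain;
-ngx_ssl_stapling_t *staple;
 
-staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
 
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
 #else
@@ -349,18 +347,16 @@
 return NGX_OK;
 }
 
 
 static ngx_int_t
-ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *responder)
+ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ngx_ssl_stapling_t *staple, ngx_str_t *responder);
 {
 ngx_url_t u;
 char *s;
-ngx_ssl_stapling_t *staple;
 STACK_OF(OPENSSL_STRING) *aia;
-
-staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
 
 if (responder->len == 0) {
 
 /* extract OCSP responder URL from certificate */
 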
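Review bot: ngx_ssl_stapling_issuer now receives `staple` from its caller but still resolves the certificate on its own with `cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);`, so the helper is only half decoupled from the SSL_CTX ex-data slots and a reader may wrongly assume `staple` already identifies the certificate being checked. If the point of passing `staple` is to let the caller choose which staple/certificate pair is set up, the certificate should presumably travel the same way, e.g. `ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_ssl_stapling_t *staple, X509 *cert)` with the lookup moved to the caller; otherwise a one-line comment above the `cert =` line, `/* certificate is still taken from the context; only the staple comes from the caller */`, would make the split explicit. Separately, the new definition line rendered as `ngx_ssl_stapling_t *staple, ngx_str_t *responder);` carries a trailing semicolon that would not compile as a function definition; this looks like an artifact of the comparison view rather than the committed text, but it is worth confirming against the raw changeset. The bodies of ngx_ssl_stapling_issuer and ngx_ssl_stapling_responder continue past their hunks, and the caller in the second hunk starts before it, so whether any remaining code still fetches the staple through `ngx_ssl_stapling_index` cannot be checked from here.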