comparison src/event/ngx_event_openssl_stapling.c @ 7651:6ca8e15caf1f

OCSP stapling: keep extra chain in the staple object.
author Roman Arutyunyan <arut@nginx.com>
date Sun, 17 May 2020 14:24:35 +0300
parents abb6cc8f1dd8
children 7cffd81015e7
7650:abb6cc8f1dd8 7651:6ca8e15caf1f
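--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -28,10 +28,11 @@
 
 SSL_CTX *ssl_ctx;
 
 X509 *cert;
 X509 *issuer;
+STACK_OF(X509) *chain;
 
 u_char *name;
 
 time_t valid;
 time_t refresh;
@@ -46,10 +47,11 @@
 struct ngx_ssl_ocsp_ctx_s {
 SSL_CTX *ssl_ctx;
 
 X509 *cert;
 X509 *issuer;
+STACK_OF(X509) *chain;
 
 int status;
 time_t valid;
 
 u_char *name;
@@ -177,10 +179,22 @@
 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
 return NGX_ERROR;
 }
 
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+/* OpenSSL 1.0.2+ */
+SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+/* OpenSSL 1.0.1+ */
+SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
+#else
+staple->chain = ssl->ctx->extra_certs;
+#endif
+
 staple->ssl_ctx = ssl->ctx;
 staple->timeout = 60000;
 staple->verify = verify;
 staple->cert = cert;
 staple->name = X509_get_ex_data(staple->cert,
@@ -293,33 +307,20 @@
 {
 int i, n, rc;
 X509 *cert, *issuer;
 X509_STORE *store;
 X509_STORE_CTX *store_ctx;
-STACK_OF(X509) *chain;
 
 cert = staple->cert;
 
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
-/* OpenSSL 1.0.2+ */
-SSL_CTX_select_current_cert(ssl->ctx, cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
-/* OpenSSL 1.0.1+ */
-SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
-#else
-chain = ssl->ctx->extra_certs;
-#endif
-
-n = sk_X509_num(chain);
+n = sk_X509_num(staple->chain);
 
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
 "SSL get issuer: %d extra certs", n);
 
 for (i = 0; i < n; i++) {
-issuer = sk_X509_value(chain, i);
+issuer = sk_X509_value(staple->chain, i);
 if (X509_check_issued(issuer, cert) == X509_V_OK) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100001L
 X509_up_ref(issuer);
 #else
 CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
@@ -571,10 +572,11 @@
 }
 
 ctx->ssl_ctx = staple->ssl_ctx;
 ctx->cert = staple->cert;
 ctx->issuer = staple->issuer;
+ctx->chain = staple->chain;
 ctx->name = staple->name;
 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
 
 ctx->addrs = staple->addrs;
 ctx->host = staple->host;
@@ -1718,11 +1720,10 @@
 {
 int n;
 size_t len;
 X509_STORE *store;
 const u_char *p;
-STACK_OF(X509) *chain;
 OCSP_CERTID *id;
 OCSP_RESPONSE *ocsp;
 OCSP_BASICRESP *basic;
 ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
 
@@ -1767,23 +1768,11 @@
 ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
 "SSL_CTX_get_cert_store() failed");
 goto error;
 }
 
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
-/* OpenSSL 1.0.2+ */
-SSL_CTX_select_current_cert(ctx->ssl_ctx, ctx->cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
-/* OpenSSL 1.0.1+ */
-SSL_CTX_get_extra_chain_certs(ctx->ssl_ctx, &chain);
-#else
-chain = ctx->ssl_ctx->extra_certs;
-#endif
-
-if (OCSP_basic_verify(basic, chain, store, ctx->flags) != 1) {
+if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
 ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
 "OCSP_basic_verify() failed");
 goto error;
 }
 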
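Review bot: The `staple->chain` pointer taken in the new `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` block of the third hunk is a borrowed pointer into `ssl->ctx`, not an owned reference: `SSL_CTX_get_extra_chain_certs()` hands back the context's stack without up-referencing it, and the `#else` branch reads `ssl->ctx->extra_certs` directly, so `staple->chain` (and the `ctx->chain` copy made in the fifth hunk) stays valid only while that SSL_CTX is alive and its extra chain is not replaced. Since the stack is now captured once at configuration time rather than re-read on every OCSP check, that lifetime contract deserves a comment on the new struct member, e.g. `STACK_OF(X509) *chain; /* borrowed from ssl_ctx, not ref-counted */`. It would also help to say above the `#ifdef` block that the chain is snapshotted while `cert` is the selected current certificate, which I believe is why `SSL_CTX_select_current_cert()` precedes the call: with per-certificate chains the control returns the selected certificate's chain, and snapshotting it here is what makes the later `OCSP_basic_verify()` in the last hunk verify against the right chain. The functions enclosing the third and last hunks start and end outside the hunks.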