Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 7652:7cffd81015e7
OCSP stapling: iterate over all responder addresses.
Previously only the first responder address was used per each stapling update.
Now, in case of a network or parsing error, next address is used.
This also fixes the issue with unsupported responder address families
(ticket #1330).
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Fri, 22 May 2020 20:35:05 +0300 |
| parents | 6ca8e15caf1f |
| children | 8409f9df6219 |
comparison
equal
deleted
inserted
replaced
| 7651:6ca8e15caf1f | 7652:7cffd81015e7 |
|---|---|
| 20 | 20 |
| 21 ngx_resolver_t *resolver; | 21 ngx_resolver_t *resolver; |
| 22 ngx_msec_t resolver_timeout; | 22 ngx_msec_t resolver_timeout; |
| 23 | 23 |
| 24 ngx_addr_t *addrs; | 24 ngx_addr_t *addrs; |
| 25 ngx_uint_t naddrs; | |
| 25 ngx_str_t host; | 26 ngx_str_t host; |
| 26 ngx_str_t uri; | 27 ngx_str_t uri; |
| 27 in_port_t port; | 28 in_port_t port; |
| 28 | 29 |
| 29 SSL_CTX *ssl_ctx; | 30 SSL_CTX *ssl_ctx; |
| 55 time_t valid; | 56 time_t valid; |
| 56 | 57 |
| 57 u_char *name; | 58 u_char *name; |
| 58 | 59 |
| 59 ngx_uint_t naddrs; | 60 ngx_uint_t naddrs; |
| 61 ngx_uint_t naddr; | |
| 60 | 62 |
| 61 ngx_addr_t *addrs; | 63 ngx_addr_t *addrs; |
| 62 ngx_str_t host; | 64 ngx_str_t host; |
| 63 ngx_str_t uri; | 65 ngx_str_t uri; |
| 64 in_port_t port; | 66 in_port_t port; |
| 112 | 114 |
| 113 static void ngx_ssl_stapling_cleanup(void *data); | 115 static void ngx_ssl_stapling_cleanup(void *data); |
| 114 | 116 |
| 115 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(void); | 117 static ngx_ssl_ocsp_ctx_t *ngx_ssl_ocsp_start(void); |
| 116 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx); | 118 static void ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ctx); |
| 119 static void ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx); | |
| 117 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx); | 120 static void ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx); |
| 118 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve); | 121 static void ngx_ssl_ocsp_resolve_handler(ngx_resolver_ctx_t *resolve); |
| 119 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx); | 122 static void ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx); |
| 120 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev); | 123 static void ngx_ssl_ocsp_write_handler(ngx_event_t *wev); |
| 121 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev); | 124 static void ngx_ssl_ocsp_read_handler(ngx_event_t *rev); |
| 467 | 470 |
| 468 return NGX_ERROR; | 471 return NGX_ERROR; |
| 469 } | 472 } |
| 470 | 473 |
| 471 staple->addrs = u.addrs; | 474 staple->addrs = u.addrs; |
| 475 staple->naddrs = u.naddrs; | |
| 472 staple->host = u.host; | 476 staple->host = u.host; |
| 473 staple->uri = u.uri; | 477 staple->uri = u.uri; |
| 474 staple->port = u.port; | 478 staple->port = u.port; |
| 475 | 479 |
| 476 if (staple->uri.len == 0) { | 480 if (staple->uri.len == 0) { |
| 577 ctx->chain = staple->chain; | 581 ctx->chain = staple->chain; |
| 578 ctx->name = staple->name; | 582 ctx->name = staple->name; |
| 579 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); | 583 ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); |
| 580 | 584 |
| 581 ctx->addrs = staple->addrs; | 585 ctx->addrs = staple->addrs; |
| 586 ctx->naddrs = staple->naddrs; | |
| 582 ctx->host = staple->host; | 587 ctx->host = staple->host; |
| 583 ctx->uri = staple->uri; | 588 ctx->uri = staple->uri; |
| 584 ctx->port = staple->port; | 589 ctx->port = staple->port; |
| 585 ctx->timeout = staple->timeout; | 590 ctx->timeout = staple->timeout; |
| 586 | 591 |
| 767 ctx->handler(ctx); | 772 ctx->handler(ctx); |
| 768 } | 773 } |
| 769 | 774 |
| 770 | 775 |
| 771 static void | 776 static void |
| 777 ngx_ssl_ocsp_next(ngx_ssl_ocsp_ctx_t *ctx) | |
| 778 { | |
| 779 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | |
| 780 "ssl ocsp next"); | |
| 781 | |
| 782 if (++ctx->naddr >= ctx->naddrs) { | |
| 783 ngx_ssl_ocsp_error(ctx); | |
| 784 return; | |
| 785 } | |
| 786 | |
| 787 ctx->request->pos = ctx->request->start; | |
| 788 | |
| 789 if (ctx->response) { | |
| 790 ctx->response->last = ctx->response->pos; | |
| 791 } | |
| 792 | |
| 793 if (ctx->peer.connection) { | |
| 794 ngx_close_connection(ctx->peer.connection); | |
| 795 ctx->peer.connection = NULL; | |
| 796 } | |
| 797 | |
| 798 ctx->state = 0; | |
| 799 ctx->count = 0; | |
| 800 ctx->done = 0; | |
| 801 | |
| 802 ngx_ssl_ocsp_connect(ctx); | |
| 803 } | |
| 804 | |
| 805 | |
| 806 static void | |
| 772 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) | 807 ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t *ctx) |
| 773 { | 808 { |
| 774 ngx_resolver_ctx_t *resolve, temp; | 809 ngx_resolver_ctx_t *resolve, temp; |
| 775 | 810 |
| 776 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | 811 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
| 904 | 939 |
| 905 | 940 |
| 906 static void | 941 static void |
| 907 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx) | 942 ngx_ssl_ocsp_connect(ngx_ssl_ocsp_ctx_t *ctx) |
| 908 { | 943 { |
| 909 ngx_int_t rc; | 944 ngx_int_t rc; |
| 910 | 945 ngx_addr_t *addr; |
| 911 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | 946 |
| 912 "ssl ocsp connect"); | 947 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
| 913 | 948 "ssl ocsp connect %ui/%ui", ctx->naddr, ctx->naddrs); |
| 914 /* TODO: use all ip addresses */ | 949 |
| 915 | 950 addr = &ctx->addrs[ctx->naddr]; |
| 916 ctx->peer.sockaddr = ctx->addrs[0].sockaddr; | 951 |
| 917 ctx->peer.socklen = ctx->addrs[0].socklen; | 952 ctx->peer.sockaddr = addr->sockaddr; |
| 918 ctx->peer.name = &ctx->addrs[0].name; | 953 ctx->peer.socklen = addr->socklen; |
| 954 ctx->peer.name = &addr->name; | |
| 919 ctx->peer.get = ngx_event_get_peer; | 955 ctx->peer.get = ngx_event_get_peer; |
| 920 ctx->peer.log = ctx->log; | 956 ctx->peer.log = ctx->log; |
| 921 ctx->peer.log_error = NGX_ERROR_ERR; | 957 ctx->peer.log_error = NGX_ERROR_ERR; |
| 922 | 958 |
| 923 rc = ngx_event_connect_peer(&ctx->peer); | 959 rc = ngx_event_connect_peer(&ctx->peer); |
| 924 | 960 |
| 925 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, | 961 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, |
| 926 "ssl ocsp connect peer done"); | 962 "ssl ocsp connect peer done"); |
| 927 | 963 |
| 928 if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) { | 964 if (rc == NGX_ERROR) { |
| 929 ngx_ssl_ocsp_error(ctx); | 965 ngx_ssl_ocsp_error(ctx); |
| 966 return; | |
| 967 } | |
| 968 | |
| 969 if (rc == NGX_BUSY || rc == NGX_DECLINED) { | |
| 970 ngx_ssl_ocsp_next(ctx); | |
| 930 return; | 971 return; |
| 931 } | 972 } |
| 932 | 973 |
| 933 ctx->peer.connection->data = ctx; | 974 ctx->peer.connection->data = ctx; |
| 934 ctx->peer.connection->pool = ctx->pool; | 975 ctx->peer.connection->pool = ctx->pool; |
| 962 "ssl ocsp write handler"); | 1003 "ssl ocsp write handler"); |
| 963 | 1004 |
| 964 if (wev->timedout) { | 1005 if (wev->timedout) { |
| 965 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT, | 1006 ngx_log_error(NGX_LOG_ERR, wev->log, NGX_ETIMEDOUT, |
| 966 "OCSP responder timed out"); | 1007 "OCSP responder timed out"); |
| 967 ngx_ssl_ocsp_error(ctx); | 1008 ngx_ssl_ocsp_next(ctx); |
| 968 return; | 1009 return; |
| 969 } | 1010 } |
| 970 | 1011 |
| 971 size = ctx->request->last - ctx->request->pos; | 1012 size = ctx->request->last - ctx->request->pos; |
| 972 | 1013 |
| 973 n = ngx_send(c, ctx->request->pos, size); | 1014 n = ngx_send(c, ctx->request->pos, size); |
| 974 | 1015 |
| 975 if (n == NGX_ERROR) { | 1016 if (n == NGX_ERROR) { |
| 976 ngx_ssl_ocsp_error(ctx); | 1017 ngx_ssl_ocsp_next(ctx); |
| 977 return; | 1018 return; |
| 978 } | 1019 } |
| 979 | 1020 |
| 980 if (n > 0) { | 1021 if (n > 0) { |
| 981 ctx->request->pos += n; | 1022 ctx->request->pos += n; |
| 1016 "ssl ocsp read handler"); | 1057 "ssl ocsp read handler"); |
| 1017 | 1058 |
| 1018 if (rev->timedout) { | 1059 if (rev->timedout) { |
| 1019 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT, | 1060 ngx_log_error(NGX_LOG_ERR, rev->log, NGX_ETIMEDOUT, |
| 1020 "OCSP responder timed out"); | 1061 "OCSP responder timed out"); |
| 1021 ngx_ssl_ocsp_error(ctx); | 1062 ngx_ssl_ocsp_next(ctx); |
| 1022 return; | 1063 return; |
| 1023 } | 1064 } |
| 1024 | 1065 |
| 1025 if (ctx->response == NULL) { | 1066 if (ctx->response == NULL) { |
| 1026 ctx->response = ngx_create_temp_buf(ctx->pool, 16384); | 1067 ctx->response = ngx_create_temp_buf(ctx->pool, 16384); |
| 1040 ctx->response->last += n; | 1081 ctx->response->last += n; |
| 1041 | 1082 |
| 1042 rc = ctx->process(ctx); | 1083 rc = ctx->process(ctx); |
| 1043 | 1084 |
| 1044 if (rc == NGX_ERROR) { | 1085 if (rc == NGX_ERROR) { |
| 1045 ngx_ssl_ocsp_error(ctx); | 1086 ngx_ssl_ocsp_next(ctx); |
| 1046 return; | 1087 return; |
| 1047 } | 1088 } |
| 1048 | 1089 |
| 1049 continue; | 1090 continue; |
| 1050 } | 1091 } |
| 1071 } | 1112 } |
| 1072 | 1113 |
| 1073 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, | 1114 ngx_log_error(NGX_LOG_ERR, ctx->log, 0, |
| 1074 "OCSP responder prematurely closed connection"); | 1115 "OCSP responder prematurely closed connection"); |
| 1075 | 1116 |
| 1076 ngx_ssl_ocsp_error(ctx); | 1117 ngx_ssl_ocsp_next(ctx); |
| 1077 } | 1118 } |
| 1078 | 1119 |
| 1079 | 1120 |
| 1080 static void | 1121 static void |
| 1081 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev) | 1122 ngx_ssl_ocsp_dummy_handler(ngx_event_t *ev) |