comparison src/event/ngx_event_openssl_stapling.c @ 6545:a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 19 May 2016 14:46:32 +0300 |
parents | 458e01ef46e6 |
children | a2d5d45f1525 |
6544:458e01ef46e6 | 6545:a873b4d9cd80 |
---|---|
120 | 120 |
121 ngx_int_t | 121 ngx_int_t |
122 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, | 122 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, |
123 ngx_str_t *responder, ngx_uint_t verify) | 123 ngx_str_t *responder, ngx_uint_t verify) |
124 { | 124 { |
125 X509 *cert; | |
125 ngx_int_t rc; | 126 ngx_int_t rc; |
126 ngx_pool_cleanup_t *cln; | 127 ngx_pool_cleanup_t *cln; |
127 ngx_ssl_stapling_t *staple; | 128 ngx_ssl_stapling_t *staple; |
128 | 129 |
129 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t)); | 130 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t)); |
137 } | 138 } |
138 | 139 |
139 cln->handler = ngx_ssl_stapling_cleanup; | 140 cln->handler = ngx_ssl_stapling_cleanup; |
140 cln->data = staple; | 141 cln->data = staple; |
141 | 142 |
142 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_stapling_index, staple) | 143 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
143 == 0) | 144 |
144 { | 145 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) { |
145 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | 146 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
146 "SSL_CTX_set_ex_data() failed"); | |
147 return NGX_ERROR; | 147 return NGX_ERROR; |
148 } | 148 } |
149 | 149 |
150 staple->ssl_ctx = ssl->ctx; | 150 staple->ssl_ctx = ssl->ctx; |
151 staple->timeout = 60000; | 151 staple->timeout = 60000; |
152 staple->verify = verify; | 152 staple->verify = verify; |
153 staple->cert = cert; | |
153 | 154 |
154 if (file->len) { | 155 if (file->len) { |
155 /* use OCSP response from the file */ | 156 /* use OCSP response from the file */ |
156 | 157 |
157 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { | 158 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) { |
265 X509 *cert, *issuer; | 266 X509 *cert, *issuer; |
266 X509_STORE *store; | 267 X509_STORE *store; |
267 X509_STORE_CTX *store_ctx; | 268 X509_STORE_CTX *store_ctx; |
268 STACK_OF(X509) *chain; | 269 STACK_OF(X509) *chain; |
269 | 270 |
270 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); | 271 cert = staple->cert; |
271 | 272 |
272 #if OPENSSL_VERSION_NUMBER >= 0x10001000L | 273 #if OPENSSL_VERSION_NUMBER >= 0x10001000L |
273 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); | 274 SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain); |
274 #else | 275 #else |
275 chain = ssl->ctx->extra_certs; | 276 chain = ssl->ctx->extra_certs; |
290 #endif | 291 #endif |
291 | 292 |
292 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, | 293 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
293 "SSL get issuer: found %p in extra certs", issuer); | 294 "SSL get issuer: found %p in extra certs", issuer); |
294 | 295 |
295 staple->cert = cert; | |
296 staple->issuer = issuer; | 296 staple->issuer = issuer; |
297 | 297 |
298 return NGX_OK; | 298 return NGX_OK; |
299 } | 299 } |
300 } | 300 } |
339 X509_STORE_CTX_free(store_ctx); | 339 X509_STORE_CTX_free(store_ctx); |
340 | 340 |
341 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, | 341 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, |
342 "SSL get issuer: found %p in cert store", issuer); | 342 "SSL get issuer: found %p in cert store", issuer); |
343 | 343 |
344 staple->cert = cert; | |
345 staple->issuer = issuer; | 344 staple->issuer = issuer; |
346 | 345 |
347 return NGX_OK; | 346 return NGX_OK; |
348 } | 347 } |
349 | 348 |
437 | 436 |
438 ngx_int_t | 437 ngx_int_t |
439 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, | 438 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, |
440 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) | 439 ngx_resolver_t *resolver, ngx_msec_t resolver_timeout) |
441 { | 440 { |
441 X509 *cert; | |
442 ngx_ssl_stapling_t *staple; | 442 ngx_ssl_stapling_t *staple; |
443 | 443 |
444 staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index); | 444 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
445 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); | |
445 | 446 |
446 staple->resolver = resolver; | 447 staple->resolver = resolver; |
447 staple->resolver_timeout = resolver_timeout; | 448 staple->resolver_timeout = resolver_timeout; |
448 | 449 |
449 return NGX_OK; | 450 return NGX_OK; |
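Review bot: In ngx_ssl_stapling_resolver the certificate returned by `SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)` is handed straight to `X509_get_ex_data()` with no NULL check, and the same unchecked `cert` feeds `X509_set_ex_data()` in the ngx_ssl_stapling hunk earlier in this section. Presumably both functions only run once a certificate has been stored under ngx_ssl_certificate_index and ngx_ssl_stapling() has attached the staple to it, but nothing in either hunk states that invariant, and the old code only depended on the SSL_CTX. A short comment above the lookup, `/* cert and staple were stored by the certificate setup and ngx_ssl_stapling() */`, would record the dependency; if the callers do not guarantee that ordering, a guard such as `if (cert == NULL) { return NGX_ERROR; }` before the `X509_get_ex_data()` call is cheap and matches the function's existing return convention.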