comparison src/event/ngx_event_openssl_stapling.c @ 4874:d1a20423c425

OCSP stapling: the ngx_event_openssl_stapling.c file. Missed in previous commit.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 01 Oct 2012 12:42:43 +0000
parents
children 386a06a22c40
4873:dd74fd35ceb5 4874:d1a20423c425
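--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -0,0 +1,140 @@
+
+/*
+* Copyright (C) Maxim Dounin
+* Copyright (C) Nginx, Inc.
+*/
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+#include <ngx_event.h>
+
+
+#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+
+
+static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
+void *data);
+
+
+ngx_int_t
+ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+BIO *bio;
+int len;
+u_char *p, *buf;
+ngx_str_t *staple;
+OCSP_RESPONSE *response;
+
+if (file->len == 0) {
+return NGX_OK;
+}
+
+if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
+return NGX_ERROR;
+}
+
+bio = BIO_new_file((char *) file->data, "r");
+if (bio == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"BIO_new_file(\"%s\") failed", file->data);
+return NGX_ERROR;
+}
+
+response = d2i_OCSP_RESPONSE_bio(bio, NULL);
+if (response == NULL) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"d2i_OCSP_RESPONSE_bio(\"%s\") failed", file->data);
+BIO_free(bio);
+return NGX_ERROR;
+}
+
+len = i2d_OCSP_RESPONSE(response, NULL);
+if (len <= 0) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
+goto failed;
+}
+
+buf = ngx_pnalloc(cf->pool, len);
+if (buf == NULL) {
+goto failed;
+}
+
+p = buf;
+len = i2d_OCSP_RESPONSE(response, &p);
+if (len <= 0) {
+ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+"i2d_OCSP_RESPONSE(\"%s\") failed", file->data);
+goto failed;
+}
+
+OCSP_RESPONSE_free(response);
+BIO_free(bio);
+
+staple = ngx_palloc(cf->pool, sizeof(ngx_str_t));
+if (staple == NULL) {
+return NGX_ERROR;
+}
+
+staple->data = buf;
+staple->len = len;
+
+SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
+SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple);
+
+return NGX_OK;
+
+failed:
+
+OCSP_RESPONSE_free(response);
+BIO_free(bio);
+
+return NGX_ERROR;
+}
+
+
+static int
+ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
+{
+u_char *p;
+ngx_str_t *staple;
+ngx_connection_t *c;
+
+c = ngx_ssl_get_connection(ssl_conn);
+
+ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+"SSL certificate status callback");
+
+staple = data;
+
+/* we have to copy the staple as OpenSSL will free it by itself */
+
+p = OPENSSL_malloc(staple->len);
+if (p == NULL) {
+ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
+return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+
+ngx_memcpy(p, staple->data, staple->len);
+
+SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->len);
+
+return SSL_TLSEXT_ERR_OK;
+}
+
+
+#else
+
+
+ngx_int_t
+ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+{
+ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
+"\"ssl_stapling\" ignored, not supported");
+
+return NGX_OK;
+}
+
+
+#endif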
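Review bot: The response decoded by d2i_OCSP_RESPONSE_bio() in ngx_ssl_stapling() is stapled exactly as loaded: its status is never inspected, and nothing checks that it is a successful response for the configured certificate or that it is still within its validity window, so a wrong or stale file is served verbatim to every client until the next reload and the problem only surfaces as client-side failures rather than at startup. A cheap startup check after the NULL test on `response` would catch the most common misconfiguration: `if (OCSP_response_status(response) != OCSP_RESPONSE_STATUS_SUCCESSFUL) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OCSP response status is not successful"); goto failed; }` (the `failed` label already frees both `response` and `bio`). In ngx_ssl_certificate_status_callback() the result of SSL_set_tlsext_status_ocsp_resp() is also discarded; it appears to be an SSL_ctrl() wrapper that reports failure, in which case the handshake continues without a staple and nothing is logged, so checking it and logging with ngx_ssl_error() before returning SSL_TLSEXT_ERR_OK would aid diagnosis. A short comment on the `staple` allocation noting that it lives in the config pool for the lifetime of the SSL_CTX, and is read from the callback on every handshake, would also help the next maintainer.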