comparison src/event/ngx_event_openssl_stapling.c @ 6547:e222a97d46c1

OCSP stapling: additional function to configure stapling on a cert.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 19 May 2016 14:46:32 +0300
parents a2d5d45f1525
children 8a34e92d8ab5
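--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -81,10 +81,12 @@
 ngx_pool_t *pool;
 ngx_log_t *log;
 };
 
 
+static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
 ngx_ssl_stapling_t *staple, ngx_str_t *file);
 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
 ngx_ssl_stapling_t *staple);
 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
@@ -120,14 +122,33 @@
 
 ngx_int_t
 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
 ngx_str_t *responder, ngx_uint_t verify)
 {
 X509 *cert;
-ngx_int_t rc;
-ngx_pool_cleanup_t *cln;
-ngx_ssl_stapling_t *staple;
+
+cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
+
+if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
+SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
+ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
+{
+ngx_int_t rc;
+ngx_pool_cleanup_t *cln;
+ngx_ssl_stapling_t *staple;
 
 staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
 if (staple == NULL) {
 return NGX_ERROR;
 }
@@ -137,12 +158,10 @@
 return NGX_ERROR;
 }
 
 cln->handler = ngx_ssl_stapling_cleanup;
 cln->data = staple;
-
-cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
 
 if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
 return NGX_ERROR;
 }
@@ -157,11 +176,11 @@
 
 if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
 return NGX_ERROR;
 }
 
-goto done;
+return NGX_OK;
 }
 
 rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
 
 if (rc == NGX_DECLINED) {
@@ -179,14 +198,10 @@
 }
 
 if (rc != NGX_OK) {
 return NGX_ERROR;
 }
-
-done:
-
-SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
 
 return NGX_OK;
 }
 
 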
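Review bot: The new `ngx_ssl_stapling_certificate()` passes `cert` straight into `X509_set_ex_data()` (new line 164) without a NULL check, while its only caller obtains it from `SSL_CTX_get_ex_data()`, which yields NULL when nothing was stored under `ngx_ssl_certificate_index`. The old code had the same gap, but now that the helper takes `cert` as a parameter and is evidently meant to be reused per certificate, a guard at its top, `if (cert == NULL) { return NGX_ERROR; }`, would make that precondition explicit rather than rely on every caller; presumably stapling is only enabled once a certificate is configured, so this may be unreachable today. A one-line comment above the new definition saying that it allocates the per-certificate stapling state, stores it on `cert` under `ngx_ssl_stapling_index` and registers `ngx_ssl_stapling_cleanup` on `cf->pool` would also help, since the cleanup-add and the issuer/responder handling in the middle of the function lie outside the visible hunks.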