[PATCH 4 of 4] OCSP stapling: check Content-Type

Maxim Dounin mdounin at mdounin.ru
Wed Sep 5 11:14:44 UTC 2012 

# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1346843260 -14400
# Node ID 8cb953fed894c231194519b404a382458621e16a
# Parent  73a3c526e072c5f5ed8f04a75e3498def5cd97e5
OCSP stapling: check Content-Type.

This will result in better error message in case of incorrect response
from OCSP responder:

... OCSP responder sent invalid "Content-Type" header: "text/plain"
    while requesting certificate status, responder: ...

vs.

... d2i_OCSP_RESPONSE() failed (SSL:
    error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
    while requesting certificate status, responder: ...

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -1401,6 +1401,7 @@ done:
 static ngx_int_t
 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
 {
+    size_t     len;
     ngx_int_t  rc;
 
     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
@@ -1418,6 +1419,33 @@ ngx_ssl_ocsp_process_headers(ngx_ssl_ocs
                            ctx->header_end - ctx->header_start,
                            ctx->header_start);
 
+            len = ctx->header_name_end - ctx->header_name_start;
+
+            if (len == sizeof("Content-Type") - 1
+                && ngx_strncasecmp(ctx->header_name_start,
+                                   (u_char *) "Content-Type",
+                                   sizeof("Content-Type") - 1)
+                   == 0)
+            {
+                len = ctx->header_end - ctx->header_start;
+
+                if (len != sizeof("application/ocsp-response") - 1
+                    || ngx_strncasecmp(ctx->header_start,
+                                       (u_char *) "application/ocsp-response",
+                                       sizeof("application/ocsp-response") - 1)
+                       != 0)
+                {
+                    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
+                                  "OCSP responder sent invalid "
+                                  "\"Content-Type\" header: \"%*s\"",
+                                  ctx->header_end - ctx->header_start,
+                                  ctx->header_start);
+                    return NGX_ERROR;
+                }
+
+                continue;
+            }
+
             /* TODO: honor Content-Length */
 
             continue;

More information about the nginx-devel mailing list