[PATCH 3 of 6] Stapling SSL: ...

Filipe DA SILVA fdasilva at ingima.com
Thu Apr 16 10:10:26 UTC 2015


# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1429178261 -7200
#      Thu Apr 16 11:57:41 2015 +0200
# Node ID 4b0a7a9e22bd09044cdbc623da815bb14d0d7b4c
# Parent  85fb1b1e922fd95ef0df3c7f8bc9625af3054002
SSL Stapling: replace cert/issuer pair by certid.

diff -r 85fb1b1e922f -r 4b0a7a9e22bd src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c	Thu Apr 16 11:57:41 2015 +0200
+++ b/src/event/ngx_event_openssl_stapling.c	Thu Apr 16 11:57:41 2015 +0200
@@ -13,6 +13,7 @@
 
 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
 
+typedef OCSP_CERTID ngx_ssl_certid_t;
 
 /* OCSP stapling configuration per server */
 typedef struct {
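Review bot: `typedef OCSP_CERTID ngx_ssl_certid_t;` introduces a naming-only alias for an OpenSSL type, while the struct fields in the next two hunks keep the raw OpenSSL names (`SSL_CTX *ssl_ctx`, and previously `X509 *cert`), so the alias makes the file less consistent rather than more. Declaring the fields as `OCSP_CERTID *certid;` directly also makes it obvious at the declaration which release function (`OCSP_CERTID_free`) the owner must call. If the alias is kept, a one-line comment stating that it is an `OCSP_CERTID` owned by the staple would at least record that.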
@@ -38,8 +39,7 @@ typedef struct {
 
     SSL_CTX                     *ssl_ctx;
 
-    X509                        *cert;
-    X509                        *issuer;
+    ngx_ssl_certid_t            *certid;
 
     time_t                       valid;
 
@@ -50,8 +50,7 @@ typedef struct {
 typedef struct ngx_ssl_ocsp_ctx_s  ngx_ssl_ocsp_ctx_t;
 
 struct ngx_ssl_ocsp_ctx_s {
-    X509                        *cert;
-    X509                        *issuer;
+    ngx_ssl_certid_t            *certid;
 
     ngx_uint_t                   naddrs;
 
@@ -304,13 +303,15 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, 
     for (i = 0; i < n; i++) {
         issuer = sk_X509_value(chain, i);
         if (X509_check_issued(issuer, cert) == X509_V_OK) {
-            CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
 
             ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
                            "SSL get issuer: found %p in extra certs", issuer);
 
-            staple->cert = cert;
-            staple->issuer = issuer;
+            staple->certid = OCSP_cert_to_id(NULL, cert, issuer);
+            if (!staple->certid)
+            {
+                return NGX_ERROR;
+            }
 
             return NGX_OK;
         }
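Review bot: The new failure branch after `OCSP_cert_to_id()` returns NGX_ERROR without logging, whereas the handler code this hunk series replaces reported `ngx_ssl_error(NGX_LOG_CRIT, ..., "OCSP_cert_to_id() failed")` before giving up; the cert-store path in the next hunk has the same silent return. The brace placement `if (!staple->certid)` with `{` on its own line also differs from the rest of the file (the next hunk writes `if (!staple->certid) {`). Suggested: `if (staple->certid == NULL) {` / `ngx_ssl_error(NGX_LOG_CRIT, ssl->log, 0, "OCSP_cert_to_id() failed");` / `return NGX_ERROR;`. ngx_ssl_stapling_issuer starts outside the hunk.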
@@ -353,14 +354,17 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, 
         return NGX_DECLINED;
     }
 
-    X509_STORE_CTX_free(store_ctx);
-
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
                    "SSL get issuer: found %p in cert store", issuer);
 
-    staple->cert = cert;
-    staple->issuer = issuer;
+    staple->certid = OCSP_cert_to_id(NULL, cert, issuer);
 
+    CRYPTO_add(&issuer->references, -1, CRYPTO_LOCK_X509);
+    X509_STORE_CTX_free(store_ctx);
+
+    if (!staple->certid) {
+        return NGX_ERROR;
+    }
     return NGX_OK;
 }
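Review bot: `CRYPTO_add(&issuer->references, -1, CRYPTO_LOCK_X509);` releases the issuer reference that the removed `staple->issuer` field used to keep (it was previously dropped with `X509_free()` in the cleanup hunk), but a raw decrement never frees the object when the count reaches zero and reaches into the X509 struct directly; `X509_free(issuer);` performs the decrement and the free and does not depend on struct layout. Keeping `OCSP_cert_to_id()` before the release, as the hunk does, is right, but the failure should be logged with the CRIT message used elsewhere in this file instead of returning silently. The call that produced `issuer` is outside the hunk, so the ownership claim is inferred from the removed CRYPTO_add/X509_free pairing.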
 
@@ -381,7 +385,7 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
 
         /* extract OCSP responder URL from certificate */
 
-        aia = X509_get1_ocsp(staple->cert);
+        aia = X509_get1_ocsp(cert);
         if (aia == NULL) {
             ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                           "\"ssl_stapling\" ignored, "
@@ -540,8 +544,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling
         return;
     }
 
-    ctx->cert = staple->cert;
-    ctx->issuer = staple->issuer;
+    ctx->certid = staple->certid;
 
     ctx->addrs = staple->addrs;
     ctx->host = staple->host;
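Review bot: `ctx->certid = staple->certid;` copies a pointer that `ngx_ssl_stapling_cleanup()` frees with `OCSP_CERTID_free()`, so the OCSP context now holds a borrowed pointer whose lifetime is tied to the staple, and nothing in the hunk records that. A one-line comment would prevent a later `OCSP_CERTID_free(ctx->certid)` on the context side: `ctx->certid = staple->certid;  /* borrowed; owned and freed by ngx_ssl_stapling_cleanup() */`. The previous `cert`/`issuer` pointers were borrowed the same way, so this is not a new hazard, only an undocumented one. ngx_ssl_stapling_update continues outside the hunk.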
@@ -630,22 +633,19 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
 #endif
 
     if (OCSP_basic_verify(basic, chain, store,
-                          ctx->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
-        != 1)
+                          ctx->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+        /* ECDSA/SHA-2 signature verification not supported */
+                          | OCSP_NOSIGS
+#endif
+        ) != 1)
     {
         ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                       "OCSP_basic_verify() failed");
         goto error;
     }
 
-    id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
-    if (id == NULL) {
-        ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
-                      "OCSP_cert_to_id() failed");
-        goto error;
-    }
-
-    if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+    if (OCSP_resp_find_status(basic, ctx->certid, &n, NULL, NULL,
                               &thisupdate, &nextupdate)
         != 1)
     {
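Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10000000L` block ORs `OCSP_NOSIGS` into the `OCSP_basic_verify()` flags, which disables verification of the OCSP response signature entirely on those builds, so an unsigned or forged response would be accepted and stapled; that is a verification downgrade unrelated to the certid refactor the commit message describes and deserves its own change with a rationale. If older OpenSSL cannot verify ECDSA/SHA-2 signatures, failing with the existing `OCSP_basic_verify() failed` error, or refusing to enable stapling at configuration time, is the safer outcome than skipping the check. Separately, the removed `id = OCSP_cert_to_id(...)` and `OCSP_CERTID_free(id)` lines leave the `id` local unused unless its declaration was also removed outside the hunks; please check for an unused-variable warning. The preprocessor block inside the argument list is also hard to read; computing the flags into a local `int flags` before the call would keep the `#if` at statement level.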
@@ -667,7 +667,6 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
         goto error;
     }
 
-    OCSP_CERTID_free(id);
     OCSP_BASICRESP_free(basic);
     OCSP_RESPONSE_free(ocsp);
 
@@ -705,10 +704,6 @@ error:
     staple->loading = 0;
     staple->valid = ngx_time() + 300; /* ssl_stapling_err_valid */
 
-    if (id) {
-        OCSP_CERTID_free(id);
-    }
-
     if (basic) {
         OCSP_BASICRESP_free(basic);
     }
@@ -726,8 +721,8 @@ ngx_ssl_stapling_cleanup(void *data)
 {
     ngx_ssl_stapling_t  *staple = data;
 
-    if (staple->issuer) {
-        X509_free(staple->issuer);
+    if (staple->certid) {
+        OCSP_CERTID_free(staple->certid);
     }
 
     if (staple->staple.data) {
@@ -1147,10 +1142,10 @@ ngx_ssl_ocsp_create_request(ngx_ssl_ocsp
         return NGX_ERROR;
     }
 
-    id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
+    id = OCSP_CERTID_dup(ctx->certid);
     if (id == NULL) {
         ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
-                      "OCSP_cert_to_id() failed");
+                      "OCSP_CERTID_dup() failed");
         goto failed;
     }


