[PATCH 3 of 6] Stapling SSL: ...
Filipe DA SILVA
fdasilva at ingima.com
Thu Apr 16 10:10:26 UTC 2015
# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1429178261 -7200
# Thu Apr 16 11:57:41 2015 +0200
# Node ID 4b0a7a9e22bd09044cdbc623da815bb14d0d7b4c
# Parent 85fb1b1e922fd95ef0df3c7f8bc9625af3054002
SSL Stapling: replace cert/issuer pair by certid.
diff -r 85fb1b1e922f -r 4b0a7a9e22bd src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu Apr 16 11:57:41 2015 +0200
+++ b/src/event/ngx_event_openssl_stapling.c Thu Apr 16 11:57:41 2015 +0200
@@ -13,6 +13,7 @@
#if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
+typedef OCSP_CERTID ngx_ssl_certid_t;
/* OCSP stapling configuration per server */
typedef struct {
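Review bot: The new `ngx_ssl_certid_t` alias on the added typedef line wraps `OCSP_CERTID` without abstracting it, since every other hunk still calls the OpenSSL API on it directly (`OCSP_cert_to_id()`, `OCSP_CERTID_dup()`, `OCSP_CERTID_free()`), so a reader has to resolve the alias to know what the field is. Either use `OCSP_CERTID *` in the two structs, or keep the alias and say why it exists, e.g. `typedef OCSP_CERTID ngx_ssl_certid_t;  /* opaque cert/issuer hash pair used in OCSP requests and responses */`. The typedef sits inside the `OPENSSL_NO_OCSP` guard, which is correct since `OCSP_CERTID` is not declared without OCSP support.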
@@ -38,8 +39,7 @@ typedef struct {
SSL_CTX *ssl_ctx;
- X509 *cert;
- X509 *issuer;
+ ngx_ssl_certid_t *certid;
time_t valid;
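Review bot: The new `certid` field has no ownership note, and unlike the `cert`/`issuer` pair it replaces it is later handed to a per-fetch context by plain pointer copy (`ctx->certid = staple->certid`) while this struct is the one that frees it in `ngx_ssl_stapling_cleanup()`. A one-line comment on the field would make that explicit: `ngx_ssl_certid_t *certid;   /* owned; freed in ngx_ssl_stapling_cleanup() */`. The struct definition starts before this hunk, so other fields are not visible here.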
@@ -50,8 +50,7 @@ typedef struct {
typedef struct ngx_ssl_ocsp_ctx_s ngx_ssl_ocsp_ctx_t;
struct ngx_ssl_ocsp_ctx_s {
- X509 *cert;
- X509 *issuer;
+ ngx_ssl_certid_t *certid;
ngx_uint_t naddrs;
@@ -304,13 +303,15 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf,
for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
- CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: found %p in extra certs", issuer);
- staple->cert = cert;
- staple->issuer = issuer;
+ staple->certid = OCSP_cert_to_id(NULL, cert, issuer);
+ if (!staple->certid)
+ {
+ return NGX_ERROR;
+ }
return NGX_OK;
}
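Review bot: The new `OCSP_cert_to_id()` failure path in the "found in extra certs" branch returns `NGX_ERROR` silently, whereas the check this patch removes from the OCSP handler logged `"OCSP_cert_to_id() failed"` before bailing out; at configuration time an unexplained failure is hard to diagnose, so log it with the `ssl->log` already used on the debug line above, `ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OCSP_cert_to_id() failed");` before the return. Separately, the added `if (!staple->certid)` puts its opening brace on its own line, which differs from the `if (...) {` form used elsewhere in this file, including the parallel check added later in this same patch. Dropping the `CRYPTO_add(&issuer->references, 1, ...)` here looks right since `issuer` is borrowed from the chain and nothing retains it once the id is built. The enclosing `ngx_ssl_stapling_issuer()` starts and ends outside this hunk.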
@@ -353,14 +354,17 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf,
return NGX_DECLINED;
}
- X509_STORE_CTX_free(store_ctx);
-
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: found %p in cert store", issuer);
- staple->cert = cert;
- staple->issuer = issuer;
+ staple->certid = OCSP_cert_to_id(NULL, cert, issuer);
+ CRYPTO_add(&issuer->references, -1, CRYPTO_LOCK_X509);
+ X509_STORE_CTX_free(store_ctx);
+
+ if (!staple->certid) {
+ return NGX_ERROR;
+ }
return NGX_OK;
}
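Review bot: The added `CRYPTO_add(&issuer->references, -1, CRYPTO_LOCK_X509)` is a bare reference-count decrement, not a release: if it takes the count to zero the certificate is never freed, because only `X509_free()` does the "decrement and free at zero" step, which is what the old cleanup did with `staple->issuer`. Use `X509_free(issuer);` in its place; where `issuer` came from is outside the hunk, but if it is the result of an `X509_STORE_CTX_get1_issuer()`-style call (as the old stored-and-freed pattern suggests) it carries its own reference and this matters. As in the other branch, the `OCSP_cert_to_id()` failure returns `NGX_ERROR` with no log line; add `ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OCSP_cert_to_id() failed");` before the return. Moving `X509_STORE_CTX_free()` after the id is built is fine since the id only copies the issuer name and key hashes. The enclosing function starts before this hunk.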
@@ -381,7 +385,7 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
/* extract OCSP responder URL from certificate */
- aia = X509_get1_ocsp(staple->cert);
+ aia = X509_get1_ocsp(cert);
if (aia == NULL) {
ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
"\"ssl_stapling\" ignored, "
@@ -540,8 +544,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling
return;
}
- ctx->cert = staple->cert;
- ctx->issuer = staple->issuer;
+ ctx->certid = staple->certid;
ctx->addrs = staple->addrs;
ctx->host = staple->host;
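Review bot: `ctx->certid = staple->certid;` copies a raw pointer into the per-fetch context without a reference or a dup, so the context borrows an object that `ngx_ssl_stapling_cleanup()` frees; that is fine as long as no fetch can outlive the `ngx_ssl_stapling_t`, which this hunk cannot show. A comment at the assignment would record the contract for the next maintainer: `/* borrowed from staple, which owns and frees it */`. The enclosing `ngx_ssl_stapling_update()` starts and ends outside this hunk.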
@@ -630,22 +633,19 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
#endif
if (OCSP_basic_verify(basic, chain, store,
- ctx->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
- != 1)
+ ctx->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
+ /* ECDSA/SHA-2 signature verification not supported */
+ | OCSP_NOSIGS
+#endif
+ ) != 1)
{
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed");
goto error;
}
- id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
- if (id == NULL) {
- ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
- "OCSP_cert_to_id() failed");
- goto error;
- }
-
- if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+ if (OCSP_resp_find_status(basic, ctx->certid, &n, NULL, NULL,
&thisupdate, &nextupdate)
!= 1)
{
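Review bot: The added `| OCSP_NOSIGS` under `OPENSSL_VERSION_NUMBER < 0x10000000L` turns off signature verification of the OCSP response entirely on those builds, not just for ECDSA/SHA-2 responders as the comment says; with `ctx->verify` set the server would then staple whatever a host on the plain-HTTP OCSP path returns, since `OCSP_basic_verify()` only skips the signature step when that flag is given. This is unrelated to the cert/issuer-to-certid refactor the patch describes and should be a separate change with its own justification, or be dropped: keep the call as `ctx->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY) != 1)` and let an unsupported signature algorithm fail verification and fall into the existing `"OCSP_basic_verify() failed"` path rather than be accepted unchecked. Replacing the per-response `OCSP_cert_to_id()` with the precomputed `ctx->certid` in `OCSP_resp_find_status()` is fine. The enclosing `ngx_ssl_stapling_ocsp_handler()` starts and ends outside this hunk.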
@@ -667,7 +667,6 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
goto error;
}
- OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp);
@@ -705,10 +704,6 @@ error:
staple->loading = 0;
staple->valid = ngx_time() + 300; /* ssl_stapling_err_valid */
- if (id) {
- OCSP_CERTID_free(id);
- }
-
if (basic) {
OCSP_BASICRESP_free(basic);
}
@@ -726,8 +721,8 @@ ngx_ssl_stapling_cleanup(void *data)
{
ngx_ssl_stapling_t *staple = data;
- if (staple->issuer) {
- X509_free(staple->issuer);
+ if (staple->certid) {
+ OCSP_CERTID_free(staple->certid);
}
if (staple->staple.data) {
@@ -1147,10 +1142,10 @@ ngx_ssl_ocsp_create_request(ngx_ssl_ocsp
return NGX_ERROR;
}
- id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
+ id = OCSP_CERTID_dup(ctx->certid);
if (id == NULL) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
- "OCSP_cert_to_id() failed");
+ "OCSP_CERTID_dup() failed");
goto failed;
}