[PATCH 2 of 5] OCSP Stapling: attach one stapling_t context per server certificate.

Filipe DA SILVA fdasilva at ingima.com
Mon Apr 27 15:39:01 UTC 2015


# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1430147821 -7200
#      Mon Apr 27 17:17:01 2015 +0200
# Node ID caabe5c77b51274237d7c49fffb864a27ca0a25f
# Parent  0ac2a8668f852b604d46ff858199650bd3003fdb
OCSP Stapling: attach one stapling_t context per server certificate.

Prepare for multiple server certificate support.
Split common stapling settings from per-certificate settings.
Keep common stapling settings attached to initial SSL server
context, as before.

Know limit: the staple file must contain a response with as much CERTID as
server certificate. This means that one OCSP request must be made about
all the certificates at once.

Compatible with 'stable-1.8'

diff -r 0ac2a8668f85 -r caabe5c77b51 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Mon Apr 27 17:17:01 2015 +0200
+++ b/src/event/ngx_event_openssl.c	Mon Apr 27 17:17:01 2015 +0200
@@ -103,6 +103,7 @@ int  ngx_ssl_session_cache_index;
 int  ngx_ssl_session_ticket_keys_index;
 int  ngx_ssl_certificate_index;
 int  ngx_ssl_stapling_index;
+int  ngx_ssl_cert_stapling_index;
 
 
 ngx_int_t
@@ -186,6 +187,14 @@ ngx_ssl_init(ngx_log_t *log)
                       "SSL_CTX_get_ex_new_index() failed");
         return NGX_ERROR;
     }
+
+    ngx_ssl_cert_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
+                                                        NULL);
+    if (ngx_ssl_cert_stapling_index == -1) {
+        ngx_ssl_error(NGX_LOG_ALERT, log, 0,
+                      "X509_get_ex_new_index() failed");
+        return NGX_ERROR;
+    }
 #endif
 
     return NGX_OK;
diff -r 0ac2a8668f85 -r caabe5c77b51 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Mon Apr 27 17:17:01 2015 +0200
+++ b/src/event/ngx_event_openssl.h	Mon Apr 27 17:17:01 2015 +0200
@@ -211,6 +211,7 @@ extern int  ngx_ssl_server_conf_index;
 extern int  ngx_ssl_session_cache_index;
 extern int  ngx_ssl_session_ticket_keys_index;
 extern int  ngx_ssl_stapling_index;
+extern int  ngx_ssl_cert_stapling_index;
 
 
 #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */
diff -r 0ac2a8668f85 -r caabe5c77b51 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c	Mon Apr 27 17:17:01 2015 +0200
+++ b/src/event/ngx_event_openssl_stapling.c	Mon Apr 27 17:17:01 2015 +0200
@@ -14,13 +14,22 @@
 #if (!defined OPENSSL_NO_OCSP && defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB)
 
 
+/* OCSP stapling configuration per server */
 typedef struct {
-    ngx_str_t                    staple;
+    ngx_str_t                    staple_file;
     ngx_msec_t                   timeout;
 
     ngx_resolver_t              *resolver;
     ngx_msec_t                   resolver_timeout;
 
+    unsigned                     verify:1;
+} ngx_ssl_staple_conf_t;
+
+
+/* OCSP stapling context per certificate */
+typedef struct {
+    ngx_str_t                    staple;    /* OCSP response from responder */
+
     ngx_addr_t                  *addrs;
     ngx_str_t                    host;
     ngx_str_t                    uri;
@@ -33,7 +42,6 @@ typedef struct {
 
     time_t                       valid;
 
-    unsigned                     verify:1;
     unsigned                     loading:1;
 } ngx_ssl_stapling_t;
 
@@ -53,6 +61,7 @@ struct ngx_ssl_ocsp_ctx_s {
 
     ngx_resolver_t              *resolver;
     ngx_msec_t                   resolver_timeout;
+    unsigned                     verify:1;
 
     ngx_msec_t                   timeout;
 
@@ -83,14 +92,15 @@ struct ngx_ssl_ocsp_ctx_s {
 
 
 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_str_t *file);
+    ngx_str_t *file, ngx_ssl_staple_conf_t *conf);
 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl);
 static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *responder);
 
 static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn,
     void *data);
-static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple);
+static void ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple,
+    ngx_ssl_staple_conf_t *conf);
 static void ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx);
 
 static void ngx_ssl_stapling_cleanup(void *data);
@@ -119,23 +129,14 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
     ngx_str_t *responder, ngx_uint_t verify)
 {
     ngx_int_t                  rc;
-    ngx_pool_cleanup_t        *cln;
-    ngx_ssl_stapling_t        *staple;
+    ngx_ssl_staple_conf_t     *conf;
 
-    staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
-    if (staple == NULL) {
+    conf = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_staple_conf_t));
+    if (conf == NULL) {
         return NGX_ERROR;
     }
 
-    cln = ngx_pool_cleanup_add(cf->pool, 0);
-    if (cln == NULL) {
-        return NGX_ERROR;
-    }
-
-    cln->handler = ngx_ssl_stapling_cleanup;
-    cln->data = staple;
-
-    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_stapling_index, staple)
+    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_stapling_index, conf)
         == 0)
     {
         ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@@ -143,14 +144,13 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
         return NGX_ERROR;
     }
 
-    staple->ssl_ctx = ssl->ctx;
-    staple->timeout = 60000;
-    staple->verify = verify;
+    conf->timeout = 60000;
+    conf->verify = verify;
 
     if (file->len) {
         /* use OCSP response from the file */
 
-        if (ngx_ssl_stapling_file(cf, ssl, file) != NGX_OK) {
+        if (ngx_ssl_stapling_file(cf, ssl, file, conf) != NGX_OK) {
             return NGX_ERROR;
         }
 
@@ -180,22 +180,20 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl
 done:
 
     SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
-    SSL_CTX_set_tlsext_status_arg(ssl->ctx, staple);
+    SSL_CTX_set_tlsext_status_arg(ssl->ctx, conf);
 
     return NGX_OK;
 }
 
 
 static ngx_int_t
-ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
+ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
+    ngx_ssl_staple_conf_t *conf)
 {
     BIO                 *bio;
     int                  len;
     u_char              *p, *buf;
     OCSP_RESPONSE       *response;
-    ngx_ssl_stapling_t  *staple;
-
-    staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
 
     if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
         return NGX_ERROR;
@@ -223,7 +221,8 @@ ngx_ssl_stapling_file(ngx_conf_t *cf, ng
         goto failed;
     }
 
-    buf = ngx_alloc(len, ssl->log);
+    /* File content buffer allocated from pool to avoid additional cleanup */
+    buf = ngx_palloc(cf->pool, len);
     if (buf == NULL) {
         goto failed;
     }
@@ -240,8 +239,8 @@ ngx_ssl_stapling_file(ngx_conf_t *cf, ng
     OCSP_RESPONSE_free(response);
     BIO_free(bio);
 
-    staple->staple.data = buf;
-    staple->staple.len = len;
+    conf->staple_file.data = buf;
+    conf->staple_file.len = len;
 
     return NGX_OK;
 
@@ -263,10 +262,33 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, 
     X509_STORE_CTX      *store_ctx;
     STACK_OF(X509)      *chain;
     ngx_ssl_stapling_t  *staple;
+    ngx_pool_cleanup_t  *cln;
 
-    staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
     cert = ngx_ssl_get_server_certificate(ssl->ctx);
 
+    staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
+    if (staple == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln = ngx_pool_cleanup_add(cf->pool, 0);
+    if (cln == NULL) {
+        return NGX_ERROR;
+    }
+
+    cln->handler = ngx_ssl_stapling_cleanup;
+    cln->data = staple;
+
+    if (X509_set_ex_data(cert, ngx_ssl_cert_stapling_index, staple)
+        == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "X509_set_ex_data() failed");
+        return NGX_ERROR;
+    }
+
+    staple->ssl_ctx = ssl->ctx;
+
 #ifdef SSL_CTX_get0_chain_certs
     SSL_CTX_get0_chain_certs(ssl->ctx, &chain);
 #elif OPENSSL_VERSION_NUMBER >= 0x10001000L
@@ -350,9 +372,11 @@ ngx_ssl_stapling_responder(ngx_conf_t *c
     ngx_url_t                  u;
     char                      *s;
     ngx_ssl_stapling_t        *staple;
+    X509                      *cert;
     STACK_OF(OPENSSL_STRING)  *aia;
 
-    staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
+    cert = ngx_ssl_get_server_certificate(ssl);
+    staple = X509_get_ex_data(cert, ngx_ssl_cert_stapling_index);
 
     if (responder->len == 0) {
 
@@ -437,7 +461,7 @@ ngx_int_t
 ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
 {
-    ngx_ssl_stapling_t  *staple;
+    ngx_ssl_staple_conf_t    *staple;
 
     staple = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_stapling_index);
 
@@ -451,43 +475,57 @@ ngx_ssl_stapling_resolver(ngx_conf_t *cf
 static int
 ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
 {
-    int                  rc;
-    u_char              *p;
-    ngx_connection_t    *c;
-    ngx_ssl_stapling_t  *staple;
+    int                     rc;
+    u_char                 *p;
+    ngx_str_t               resp;
+    ngx_connection_t       *c;
+    ngx_ssl_staple_conf_t  *conf;
+    ngx_ssl_stapling_t     *staple;
+    X509                   *cert;
 
     c = ngx_ssl_get_connection(ssl_conn);
+    cert = SSL_get_certificate(ssl_conn);
 
     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "SSL certificate status callback");
 
-    staple = data;
+    staple = X509_get_ex_data(cert, ngx_ssl_cert_stapling_index);
+    conf = data;
     rc = SSL_TLSEXT_ERR_NOACK;
+    resp.len = 0;
 
-    if (staple->staple.len) {
-        /* we have to copy ocsp response as OpenSSL will free it by itself */
+    if (conf->staple_file.len) {
+        resp = conf->staple_file;
+    }
+    else if (staple && staple->staple.len) {
+        resp = staple->staple;
+    }
 
-        p = OPENSSL_malloc(staple->staple.len);
+    if (resp.len) {
+        /* We have to copy ocsp response as OpenSSL will free it by itself */
+        p = OPENSSL_malloc(resp.len);
         if (p == NULL) {
             ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
             return SSL_TLSEXT_ERR_NOACK;
         }
 
-        ngx_memcpy(p, staple->staple.data, staple->staple.len);
+        ngx_memcpy(p, resp.data, resp.len);
 
-        SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len);
+        SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, resp.len);
 
         rc = SSL_TLSEXT_ERR_OK;
     }
 
-    ngx_ssl_stapling_update(staple);
+    if (staple) {
+        ngx_ssl_stapling_update(staple, conf);
+    }
 
     return rc;
 }
 
 
 static void
-ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
+ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple, ngx_ssl_staple_conf_t *conf)
 {
     ngx_ssl_ocsp_ctx_t  *ctx;
 
@@ -511,10 +549,10 @@ ngx_ssl_stapling_update(ngx_ssl_stapling
     ctx->host = staple->host;
     ctx->uri = staple->uri;
     ctx->port = staple->port;
-    ctx->timeout = staple->timeout;
+    ctx->timeout = conf->timeout;
 
-    ctx->resolver = staple->resolver;
-    ctx->resolver_timeout = staple->resolver_timeout;
+    ctx->resolver = conf->resolver;
+    ctx->resolver_timeout = conf->resolver_timeout;
 
     ctx->handler = ngx_ssl_stapling_ocsp_handler;
     ctx->data = staple;
@@ -596,7 +634,7 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
     chain = staple->ssl_ctx->extra_certs;
 #endif
 
-    flags = staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY;
+    flags = ctx->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY;
 
 #if OPENSSL_VERSION_NUMBER < 0x10000000L
     /*



More information about the nginx-devel mailing list