ngx_int_t
ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout)
{
X509 *cert;
ngx_ssl_stapling_t *staple;
for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
cert;
cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
{
staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
staple->resolver = resolver;
staple->resolver_timeout = resolver_timeout;
}
return NGX_OK;
}
static int
ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
{
int rc;
X509 *cert;
u_char *p;
ngx_connection_t *c;
ngx_ssl_stapling_t *staple;
c = ngx_ssl_get_connection(ssl_conn);
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL certificate status callback");
rc = SSL_TLSEXT_ERR_NOACK;
cert = SSL_get_certificate(ssl_conn);
staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
if (staple == NULL) {
return rc;
}
if (staple->staple.len
&& staple->valid >= ngx_time())
{
/* we have to copy ocsp response as OpenSSL will free it by itself */
p = OPENSSL_malloc(staple->staple.len);
if (p == NULL) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "OPENSSL_malloc() failed");
return SSL_TLSEXT_ERR_NOACK;
}
ngx_memcpy(p, staple->staple.data, staple->staple.len);
SSL_set_tlsext_status_ocsp_resp(ssl_conn, p, staple->staple.len);
rc = SSL_TLSEXT_ERR_OK;
}
ngx_ssl_stapling_update(staple);
return rc;
}
ngx_int_t
ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
ngx_str_t *responder, ngx_uint_t verify)
{
X509 *cert;
for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
cert;
cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
{
if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify)
!= NGX_OK)
{
return NGX_ERROR;
}
}
SSL_CTX_set_tlsext_status_cb(ssl->ctx, ngx_ssl_certificate_status_callback);
return NGX_OK;
}
static ngx_int_t
ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
{
ngx_int_t rc;
ngx_pool_cleanup_t *cln;
ngx_ssl_stapling_t *staple;
staple = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_stapling_t));
if (staple == NULL) {
return NGX_ERROR;
}
cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
return NGX_ERROR;
}
cln->handler = ngx_ssl_stapling_cleanup;
cln->data = staple;
if (X509_set_ex_data(cert, ngx_ssl_stapling_index, staple) == 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
return NGX_ERROR;
}
staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000;
staple->verify = verify;
staple->cert = cert;
staple->name = X509_get_ex_data(staple->cert,
ngx_ssl_certificate_name_index);
if (file->len) {
/* use OCSP response from the file */
if (ngx_ssl_stapling_file(cf, ssl, staple, file) != NGX_OK) {
return NGX_ERROR;
}
return NGX_OK;
}
rc = ngx_ssl_stapling_issuer(cf, ssl, staple);
if (rc == NGX_DECLINED) {
return NGX_OK;
}
if (rc != NGX_OK) {
return NGX_ERROR;
}
rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder);
if (rc == NGX_DECLINED) {
return NGX_OK;
}
if (rc != NGX_OK) {
return NGX_ERROR;
}
return NGX_OK;
}