mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-12 05:11:37 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

OCSP stapling: keep extra chain in the staple object.

Browse Source
This commit is contained in:
Roman Arutyunyan 2020-05-17 14:24:35 +03:00
parent 3f2ac979eb
commit abdb9aebc6
1 changed files with 18 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
src/event/ngx_event_openssl_stapling.c
View File

@ -30,6 +30,7 @@ typedef struct {
X509 *cert; X509 *cert;
X509 *issuer; X509 *issuer;
STACK_OF(X509) *chain;
u_char *name; u_char *name;
@ -48,6 +49,7 @@ struct ngx_ssl_ocsp_ctx_s {
X509 *cert; X509 *cert;
X509 *issuer; X509 *issuer;
STACK_OF(X509) *chain;
int status; int status;
time_t valid; time_t valid;
@ -179,6 +181,18 @@ ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
return NGX_ERROR; return NGX_ERROR;
} }
#ifdef SSL_CTRL_SELECT_CURRENT_CERT
/* OpenSSL 1.0.2+ */
SSL_CTX_select_current_cert(ssl->ctx, cert);
#endif
#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
/* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
#else
staple->chain = ssl->ctx->extra_certs;
#endif
staple->ssl_ctx = ssl->ctx; staple->ssl_ctx = ssl->ctx;
staple->timeout = 60000; staple->timeout = 60000;
staple->verify = verify; staple->verify = verify;
@ -295,29 +309,16 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
X509 *cert, *issuer; X509 *cert, *issuer;
X509_STORE *store; X509_STORE *store;
X509_STORE_CTX *store_ctx; X509_STORE_CTX *store_ctx;
STACK_OF(X509) *chain;
cert = staple->cert; cert = staple->cert;
#ifdef SSL_CTRL_SELECT_CURRENT_CERT n = sk_X509_num(staple->chain);
/* OpenSSL 1.0.2+ */
SSL_CTX_select_current_cert(ssl->ctx, cert);
#endif
#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
/* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
#else
chain = ssl->ctx->extra_certs;
#endif
n = sk_X509_num(chain);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0, ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
"SSL get issuer: %d extra certs", n); "SSL get issuer: %d extra certs", n);
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
issuer = sk_X509_value(chain, i); issuer = sk_X509_value(staple->chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) { if (X509_check_issued(issuer, cert) == X509_V_OK) {
#if OPENSSL_VERSION_NUMBER >= 0x10100001L #if OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer); X509_up_ref(issuer);
@ -573,6 +574,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple)
ctx->ssl_ctx = staple->ssl_ctx; ctx->ssl_ctx = staple->ssl_ctx;
ctx->cert = staple->cert; ctx->cert = staple->cert;
ctx->issuer = staple->issuer; ctx->issuer = staple->issuer;
ctx->chain = staple->chain;
ctx->name = staple->name; ctx->name = staple->name;
ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY); ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
@ -1720,7 +1722,6 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
size_t len; size_t len;
X509_STORE *store; X509_STORE *store;
const u_char *p; const u_char *p;
STACK_OF(X509) *chain;
OCSP_CERTID *id; OCSP_CERTID *id;
OCSP_RESPONSE *ocsp; OCSP_RESPONSE *ocsp;
OCSP_BASICRESP *basic; OCSP_BASICRESP *basic;
@ -1769,19 +1770,7 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *ctx)
goto error; goto error;
} }
#ifdef SSL_CTRL_SELECT_CURRENT_CERT if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
/* OpenSSL 1.0.2+ */
SSL_CTX_select_current_cert(ctx->ssl_ctx, ctx->cert);
#endif
#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
/* OpenSSL 1.0.1+ */
SSL_CTX_get_extra_chain_certs(ctx->ssl_ctx, &chain);
#else
chain = ctx->ssl_ctx->extra_certs;
#endif
if (OCSP_basic_verify(basic, chain, store, ctx->flags) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0, ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed"); "OCSP_basic_verify() failed");
goto error; goto error;