OCSP stapling: check Content-Type.
authorMaxim Dounin <mdounin@mdounin.ru>
Mon, 1 Oct 2012 12:48:54 +0000 (12:48 +0000)
committerMaxim Dounin <mdounin@mdounin.ru>
Mon, 1 Oct 2012 12:48:54 +0000 (12:48 +0000)
This will result in a better error message in case of an incorrect response
from the OCSP responder:

... OCSP responder sent invalid "Content-Type" header: "text/plain"
    while requesting certificate status, responder: ...

vs.

... d2i_OCSP_RESPONSE() failed (SSL:
    error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
    while requesting certificate status, responder: ...

src/event/ngx_event_openssl_stapling.c

index b9ab454c3e718e1327d1a01c4dbe3308b276b958..435a40fded582a58db1a581588a57bf924c5186c 100644 (file)
@@ -1425,6 +1425,7 @@ done:
 static ngx_int_t
 ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
 {
+    size_t     len;
     ngx_int_t  rc;
 
     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
@@ -1442,6 +1443,33 @@ ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
                            ctx->header_end - ctx->header_start,
                            ctx->header_start);
 
+            len = ctx->header_name_end - ctx->header_name_start;
+
+            if (len == sizeof("Content-Type") - 1
+                && ngx_strncasecmp(ctx->header_name_start,
+                                   (u_char *) "Content-Type",
+                                   sizeof("Content-Type") - 1)
+                   == 0)
+            {
+                len = ctx->header_end - ctx->header_start;
+
+                if (len != sizeof("application/ocsp-response") - 1
+                    || ngx_strncasecmp(ctx->header_start,
+                                       (u_char *) "application/ocsp-response",
+                                       sizeof("application/ocsp-response") - 1)
+                       != 0)
+                {
+                    ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
+                                  "OCSP responder sent invalid "
+                                  "\"Content-Type\" header: \"%*s\"",
+                                  ctx->header_end - ctx->header_start,
+                                  ctx->header_start);
+                    return NGX_ERROR;
+                }
+
+                continue;
+            }
+
             /* TODO: honor Content-Length */
 
             continue;
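Review bot: The value check at the `len != sizeof("application/ocsp-response") - 1` line requires the whole header value to equal the media type, so a responder that appends a parameter or trailing whitespace after `application/ocsp-response` is rejected with the new "invalid Content-Type" error even though the body may well be a valid OCSP response; if that strictness is intended, say so, e.g. `/* RFC 6960 media type, no parameters accepted; anything else is refused before the body reaches d2i_OCSP_RESPONSE() */` above the comparison. A response that omits Content-Type entirely is not covered by the new branch and presumably still falls through to the ASN.1 parser, which the description's second error message suggests is the existing behaviour — worth a one-line comment so the asymmetry is not read as an oversight. The logged value in the ngx_log_error call is responder-supplied bytes bounded by `ctx->header_end - ctx->header_start`, which matches the existing debug log above and looks fine. ngx_ssl_ocsp_process_headers starts in the previous hunk and its body continues past the end of this one.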