authorMaxim Dounin <mdounin@mdounin.ru>2012-10-01 12:48:54 +0000
committerMaxim Dounin <mdounin@mdounin.ru>2012-10-01 12:48:54 +0000
commit872563a64d8d0952a3b9f058cd763440421427c7 (patch)
treeadc08c30d6a74ba0835f96a0d46f661a04b497dc
parent74ad4494a66d7ea5201c37f6628707404df723fe (diff)
downloadnginx-872563a64d8d0952a3b9f058cd763440421427c7.tar.gz
nginx-872563a64d8d0952a3b9f058cd763440421427c7.tar.bz2
OCSP stapling: check Content-Type.
This results in a better error message in case of an incorrect response from an OCSP responder: ... OCSP responder sent invalid "Content-Type" header: "text/plain" while requesting certificate status, responder: ... vs. ... d2i_OCSP_RESPONSE() failed (SSL: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error) while requesting certificate status, responder: ...
-rw-r--r--src/event/ngx_event_openssl_stapling.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index b9ab454c3..435a40fde 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -1425,6 +1425,7 @@ done:
static ngx_int_t
ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
{
+ size_t len;
ngx_int_t rc;
ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
@@ -1442,6 +1443,33 @@ ngx_ssl_ocsp_process_headers(ngx_ssl_ocsp_ctx_t *ctx)
ctx->header_end - ctx->header_start,
ctx->header_start);
+ len = ctx->header_name_end - ctx->header_name_start;
+
+ if (len == sizeof("Content-Type") - 1
+ && ngx_strncasecmp(ctx->header_name_start,
+ (u_char *) "Content-Type",
+ sizeof("Content-Type") - 1)
+ == 0)
+ {
+ len = ctx->header_end - ctx->header_start;
+
+ if (len != sizeof("application/ocsp-response") - 1
+ || ngx_strncasecmp(ctx->header_start,
+ (u_char *) "application/ocsp-response",
+ sizeof("application/ocsp-response") - 1)
+ != 0)
+ {
+ ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
+ "OCSP responder sent invalid "
+ "\"Content-Type\" header: \"%*s\"",
+ ctx->header_end - ctx->header_start,
+ ctx->header_start);
+ return NGX_ERROR;
+ }
+
+ continue;
+ }
+
/* TODO: honor Content-Length */
continue;
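Review bot: The value check at `len != sizeof("application/ocsp-response") - 1` requires an exact length match, so a responder that sends the media type with a parameter (for example `application/ocsp-response; charset=...`) is rejected with the new error even though the body may be a perfectly valid OCSP response; I am not aware of responders that do this, so treat it as a robustness question rather than a bug. If parameters are to be tolerated, compare only the media-type prefix and accept a following `;`, as in the excerpt below; the logged value is already bounded by `ctx->header_end - ctx->header_start`, so the error path itself is fine. Either way a short comment above the check stating why a wrong Content-Type is rejected up front, `/* a non-OCSP body would only fail later in d2i_OCSP_RESPONSE() with an opaque ASN.1 error */`, would save the next reader a trip to the commit log. ngx_ssl_ocsp_process_headers() starts in the previous hunk and the loop this `continue;` belongs to runs past the end of this hunk.
```c
            len = ctx->header_end - ctx->header_start;

            /* media type must be application/ocsp-response; parameters after ';' are tolerated */
            if (len < sizeof("application/ocsp-response") - 1
                || ngx_strncasecmp(ctx->header_start,
                                   (u_char *) "application/ocsp-response",
                                   sizeof("application/ocsp-response") - 1)
                   != 0
                || (len > sizeof("application/ocsp-response") - 1
                    && ctx->header_start[sizeof("application/ocsp-response") - 1]
                       != ';'))
            {
                /* … unchanged: ngx_log_error() and return NGX_ERROR … */
            }
```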