annotate src/event/ngx_event_openssl.c @ 8078:5244d3b165ff

SSL: single allocation in session cache on 32-bit platforms. Given the present typical SSL session sizes, on 32-bit platforms it is now beneficial to store all data in a single allocation, since rbtree node + session id + ASN1 representation of a session takes 256 bytes of shared memory (36 + 32 + 150 = about 218 bytes plus SNI server name). Storing all data in a single allocation is beneficial for SNI names up to about 40 characters long and makes it possible to store about 4000 sessions in one megabyte (instead of about 3000 sessions now). This also slightly simplifies the code.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 12 Oct 2022 20:14:40 +0300
parents ec1fa010c3a5
children f106f4a68faf
1
2 /*
3 * Copyright (C) Igor Sysoev
4 * Copyright (C) Nginx, Inc.
5 */
6
7
8 #include <ngx_config.h>
9 #include <ngx_core.h>
10 #include <ngx_event.h>
11
12
13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
14
15
/*
 * Main-context configuration of the "openssl" core module, created by
 * ngx_openssl_create_conf().  Its only directive is "ssl_engine", handled
 * by ngx_openssl_engine() (see ngx_openssl_commands[] below).
 */
typedef struct {
    /*
     * NOTE(review): presumably records that an SSL engine was configured;
     * the directive handler that writes it is outside this view -- confirm.
     */
    ngx_uint_t  engine;   /* unsigned  engine:1; */
} ngx_openssl_conf_t;
19
20
/*
 * Forward declarations of the file-scope helpers defined further down in
 * this file (outside this view).  Grouped by concern.
 */

/* certificate / private key loading, including the password callback */
static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err,
    ngx_str_t *cert, STACK_OF(X509) **chain);
static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
    ngx_str_t *key, ngx_array_t *passwords);
static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
    void *userdata);
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);

/*
 * SSL info callback; per the history of this file it was introduced to
 * disable SSL renegotiation (CVE-2009-3555).
 */
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
    int ret);
static void ngx_ssl_passwords_cleanup(void *data);
static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn,
    ngx_ssl_session_t *sess);

/* handshake, TLSv1.3 early data and connection I/O handlers */
#ifdef SSL_READ_EARLY_DATA_SUCCESS
static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c);
#endif
#if (NGX_DEBUG)
static void ngx_ssl_handshake_log(ngx_connection_t *c);
#endif
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
#ifdef SSL_READ_EARLY_DATA_SUCCESS
static ssize_t ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf,
    size_t size);
#endif
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
static void ngx_ssl_write_handler(ngx_event_t *wev);
#ifdef SSL_READ_EARLY_DATA_SUCCESS
static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data,
    size_t size);
#endif
static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file,
    size_t size);
static void ngx_ssl_read_handler(ngx_event_t *rev);
static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
    ngx_err_t err, char *text);
static void ngx_ssl_clear_error(ngx_log_t *log);

/*
 * Server-side session cache kept in shared memory: sessions live in a slab
 * pool and are indexed by an rbtree (see ngx_ssl_expire_sessions() and
 * ngx_ssl_session_rbtree_insert_value()).
 */
static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
    ngx_str_t *sess_ctx, ngx_array_t *certificates);
static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
    ngx_ssl_session_t *sess);
/* the session id became const in the OpenSSL 1.1.0 get_session callback */
static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
#if OPENSSL_VERSION_NUMBER >= 0x10100003L
    const
#endif
    u_char *id, int len, int *copy);
static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
    ngx_slab_pool_t *shpool, ngx_uint_t n);
static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
    ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel);

/*
 * Session ticket keys (RFC 5077).  The cleanup handler explicitly zeroes
 * the key material, so that it does not linger in memory after use.
 */
#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
    unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
    HMAC_CTX *hctx, int enc);
static void ngx_ssl_session_ticket_keys_cleanup(void *data);
#endif

/* own hostname matching, only for libraries without X509_check_host() */
#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str);
#endif

/* ASN1_TIME -> time_t, used for the certificate validity variables */
static time_t ngx_ssl_parse_time(
#if OPENSSL_VERSION_NUMBER > 0x10100000L
    const
#endif
    ASN1_TIME *asn1time, ngx_log_t *log);

/* core module hooks referenced by ngx_openssl_module below */
static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_openssl_exit(ngx_cycle_t *cycle);
93
94
/*
 * Directives of the "openssl" core module.  Only "ssl_engine" is defined:
 * main context, configured directly (NGX_DIRECT_CONF), exactly one argument,
 * handled by ngx_openssl_engine().  Fields are positional (ngx_command_t:
 * name, type, set, conf, offset, post).
 */
static ngx_command_t  ngx_openssl_commands[] = {

    { ngx_string("ssl_engine"),
      NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
      ngx_openssl_engine,
      0,                                    /* conf */
      0,                                    /* offset */
      NULL },                               /* post */

      ngx_null_command
};
106
107
/*
 * Core module context: module name, configuration constructor, and no
 * init_conf hook (fields are positional: name, create_conf, init_conf).
 */
static ngx_core_module_t  ngx_openssl_module_ctx = {
    ngx_string("openssl"),
    ngx_openssl_create_conf,
    NULL                                    /* init_conf */
};
113
114
/*
 * Module descriptor.  Only the "exit master" hook is set (ngx_openssl_exit);
 * OpenSSL library initialization is not done through a module hook but by
 * the explicit ngx_ssl_init() call below.  NGX_MODULE_V1 and
 * NGX_MODULE_V1_PADDING expand positionally, so the field order is fixed.
 */
ngx_module_t  ngx_openssl_module = {
    NGX_MODULE_V1,
    &ngx_openssl_module_ctx,               /* module context */
    ngx_openssl_commands,                  /* module directives */
    NGX_CORE_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    ngx_openssl_exit,                      /* exit master */
    NGX_MODULE_V1_PADDING
};
129
130
/*
 * Indices of the nginx-specific ex_data slots on OpenSSL objects.  They are
 * allocated once in ngx_ssl_init() below: ngx_ssl_connection_index with
 * SSL_get_ex_new_index(), the following four with SSL_CTX_get_ex_new_index().
 * The remaining indices are presumably allocated the same way further down in
 * ngx_ssl_init(), which is outside this view -- confirm there.
 */
int  ngx_ssl_connection_index;              /* SSL ex_data */
int  ngx_ssl_server_conf_index;             /* SSL_CTX ex_data */
int  ngx_ssl_session_cache_index;           /* SSL_CTX ex_data */
int  ngx_ssl_session_ticket_keys_index;     /* SSL_CTX ex_data */
int  ngx_ssl_ocsp_index;                    /* SSL_CTX ex_data */
int  ngx_ssl_certificate_index;             /* allocation not visible here */
int  ngx_ssl_next_certificate_index;        /* allocation not visible here */
int  ngx_ssl_certificate_name_index;        /* allocation not visible here */
int  ngx_ssl_stapling_index;                /* allocation not visible here */
140
141
142 ngx_int_t
143 ngx_ssl_init(ngx_log_t *log)
144 {
145 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
146
147 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
148 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
149 return NGX_ERROR;
150 }
151
152 /*
153 * OPENSSL_init_ssl() may leave errors in the error queue
154 * while returning success
155 */
156
157 ERR_clear_error();
158
159 #else
160
161 OPENSSL_config(NULL);
162
163 SSL_library_init();
164 SSL_load_error_strings();
165
166 OpenSSL_add_all_algorithms();
167
168 #endif
169
170 #ifndef SSL_OP_NO_COMPRESSION
171 {
172 /*
173 * Disable gzip compression in OpenSSL prior to 1.0.0 version,
174 * this saves about 522K per connection.
175 */
176 int n;
177 STACK_OF(SSL_COMP) *ssl_comp_methods;
178
179 ssl_comp_methods = SSL_COMP_get_compression_methods();
180 n = sk_SSL_COMP_num(ssl_comp_methods);
181
182 while (n--) {
183 (void) sk_SSL_COMP_pop(ssl_comp_methods);
184 }
185 }
186 #endif
187
188 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
189
190 if (ngx_ssl_connection_index == -1) {
191 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
192 return NGX_ERROR;
193 }
194
195 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
196 NULL);
197 if (ngx_ssl_server_conf_index == -1) {
198 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
199 "SSL_CTX_get_ex_new_index() failed");
200 return NGX_ERROR;
201 }
202
203 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
204 NULL);
205 if (ngx_ssl_session_cache_index == -1) {
206 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
207 "SSL_CTX_get_ex_new_index() failed");
208 return NGX_ERROR;
209 }
210
211 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
212 NULL, NULL);
213 if (ngx_ssl_session_ticket_keys_index == -1) {
214 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
215 "SSL_CTX_get_ex_new_index() failed");
216 return NGX_ERROR;
217 }
218
219 ngx_ssl_ocsp_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL);
220 if (ngx_ssl_ocsp_index == -1) {
221 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
222 "SSL_CTX_get_ex_new_index() failed");
223 return NGX_ERROR;
224 }
225
226 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
227 NULL);
228 if (ngx_ssl_certificate_index == -1) {
229 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
230 "SSL_CTX_get_ex_new_index() failed");
231 return NGX_ERROR;
232 }
233
234 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
235 NULL);
236 if (ngx_ssl_next_certificate_index == -1) {
237 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
238 return NGX_ERROR;
239 }
240
241 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
242 NULL);
243
244 if (ngx_ssl_certificate_name_index == -1) {
245 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
246 return NGX_ERROR;
247 }
248
249 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL);
250
251 if (ngx_ssl_stapling_index == -1) {
252 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
253 return NGX_ERROR;
254 }
255
256 return NGX_OK;
257 }
258
259
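ngx_int_t
ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
{
    /*
     * Creates ssl->ctx and applies the baseline every nginx SSL context
     * starts from: legacy interoperability workarounds, the protocol set
     * selected by "protocols" (a mask of NGX_SSL_* bits, i.e. the
     * ssl_protocols directive), and the hardening options below.  "data"
     * (the owning server configuration) is attached to the context at
     * ngx_ssl_server_conf_index so callbacks can reach it later.
     *
     * Returns NGX_OK, or NGX_ERROR after logging at NGX_LOG_EMERG.  On
     * error ssl->ctx is released and reset to NULL: callers register their
     * own cleanup only after this function succeeds, so a context left
     * behind here would otherwise simply leak.
     *
     * SSLv23_method() is the version-flexible method (despite its name it
     * negotiates the highest version both sides allow); the actual range
     * is narrowed further down.
     */

    ssl->ctx = SSL_CTX_new(SSLv23_method());

    if (ssl->ctx == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
        return NGX_ERROR;
    }

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        goto failed;
    }

    /*
     * The certificate slot starts out empty; it is presumably populated
     * when certificates are loaded into this context (ngx_ssl_certificate(),
     * below) -- confirm against that code.
     */

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        goto failed;
    }

    /* default for the ssl_buffer_size directive; the directive overrides it */
    ssl->buffer_size = NGX_SSL_BUFSIZE;

    /*
     * Workarounds for long-obsolete peers.  Each one is #ifdef-guarded
     * because newer OpenSSL and BoringSSL no longer define some of them
     * (see the "guard use of all SSL options" / "build against BoringSSL"
     * history of this file).
     */

    /* client side options */

#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
#endif

#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
#endif

    /* server side options */

#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
#endif

#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
    SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
#endif

#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
#endif

#ifdef SSL_OP_TLS_D5_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
#endif

#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
    SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
#endif

    /*
     * NOTE(review): per OpenSSL's documentation this disables the
     * empty-fragment countermeasure for SSLv3/TLSv1.0 CBC ciphers.  It only
     * matters where those protocols are still enabled by ssl_protocols.
     */

#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
    SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
#endif

    /* always derive a fresh DH private value per handshake, never reuse one */
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);

    /*
     * Protocol selection.  Start from a known state by clearing any NO_*
     * bits the library (or its config file) may have preset, then disable
     * every version that is absent from "protocols".  Which versions are
     * on by default is decided by the caller, not here.
     */

#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
    /* only in 0.9.8m+ */
    SSL_CTX_clear_options(ssl->ctx,
                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
#endif

    if (!(protocols & NGX_SSL_SSLv2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
    }
    if (!(protocols & NGX_SSL_SSLv3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
    }
    if (!(protocols & NGX_SSL_TLSv1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
    }
#ifdef SSL_OP_NO_TLSv1_1
    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
    if (!(protocols & NGX_SSL_TLSv1_1)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
    }
#endif
#ifdef SSL_OP_NO_TLSv1_2
    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
    if (!(protocols & NGX_SSL_TLSv1_2)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
    }
#endif
#ifdef SSL_OP_NO_TLSv1_3
    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
    if (!(protocols & NGX_SSL_TLSv1_3)) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
    }
#endif

    /*
     * Pin the version bounds explicitly (ticket #1654 in this file's
     * history): no minimum beyond the NO_* bits above, and a maximum of the
     * newest version this build knows about, so that a library-level
     * default cannot silently cap what ssl_protocols selected.  The second
     * block is deliberately not nested in the first: the history notes it
     * was needed to enable TLSv1.3 with BoringSSL, presumably because
     * SSL_CTX_set_min_proto_version is not a macro there.  Order matters --
     * the later call wins.
     */

#ifdef SSL_CTX_set_min_proto_version
    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
#endif

#ifdef TLS1_3_VERSION
    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif

    /*
     * No TLS-level compression: saves about 300K per connection (per the
     * history) and also removes the compression side channel used by
     * CRIME-class attacks.
     */

#ifdef SSL_OP_NO_COMPRESSION
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
#endif

    /*
     * TLSv1.3 early data: the library's own single-use anti-replay is
     * switched off (presumably because its per-process state would not be
     * shared across workers).  NOTE(review): early data accepted by this
     * context is therefore replayable at the TLS layer; whatever enables
     * early data must treat such requests as possibly replayed (e.g. refuse
     * non-idempotent ones) -- confirm that path does.
     */

#ifdef SSL_OP_NO_ANTI_REPLAY
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY);
#endif

    /*
     * Refuse client-initiated renegotiation inside the library (it is a
     * CPU-amplification DoS vector); where the option does not exist the
     * info callback registered below is what catches it.
     */

#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION
    SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
#endif

    /*
     * OpenSSL 3: treat a transport close without close_notify as a plain
     * EOF rather than an error.  NOTE(review): a truncated stream is then
     * indistinguishable from a clean shutdown at the TLS layer, so only the
     * application protocol's own framing (lengths, chunking) detects
     * truncation.
     */

#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
    SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
#endif

    /* free per-connection buffers while idle (about 34K each, per history) */

#ifdef SSL_MODE_RELEASE_BUFFERS
    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif

    /*
     * Send only the chain that was configured explicitly; never let the
     * library assemble one from the trust store at handshake time.
     */

#ifdef SSL_MODE_NO_AUTO_CHAIN
    SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
#endif

    SSL_CTX_set_read_ahead(ssl->ctx, 1);

    /*
     * ngx_ssl_info_callback (defined elsewhere in this file) was introduced
     * to disable renegotiation (CVE-2009-3555), per this file's history.
     */
    SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);

    return NGX_OK;

failed:

    /* do not leave a half-initialised context behind; no cleanup owns it yet */
    SSL_CTX_free(ssl->ctx);
    ssl->ctx = NULL;

    return NGX_ERROR;
}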
396
397
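ngx_int_t
ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
    ngx_array_t *keys, ngx_array_t *passwords)
{
    /*
     * Loads every certificate/key pair into ssl->ctx by calling
     * ngx_ssl_certificate() once per entry: certs->elts[i] is paired with
     * keys->elts[i] (both ngx_str_t), and "passwords" is passed through
     * unchanged for it to use on encrypted keys.
     *
     * Returns NGX_OK (trivially so for an empty "certs"), or NGX_ERROR on
     * the first pair that fails to load; ngx_ssl_certificate() has already
     * logged the reason by then.
     *
     * Callers are expected to have matched the two lists at configuration
     * time.  The length check below is only a guard so that a mismatch can
     * never turn into an out-of-bounds read of "keys" inside the loop.
     */
    ngx_str_t   *cert, *key;
    ngx_uint_t   i;

    if (keys->nelts < certs->nelts) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "fewer certificate keys (%ui) than certificates (%ui)",
                      keys->nelts, certs->nelts);
        return NGX_ERROR;
    }

    cert = certs->elts;
    key = keys->elts;

    for (i = 0; i < certs->nelts; i++) {

        if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
            != NGX_OK)
        {
            return NGX_ERROR;
        }
    }

    return NGX_OK;
}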
419
420
/*
 * Loads the certificate "cert", the chain returned alongside it by
 * ngx_ssl_load_certificate(), and the private key "key" into ssl->ctx.
 *
 * cf        - configuration context; cf->pool is passed to the loaders
 * ssl       - nginx SSL context; ssl->ctx receives the certificate, chain
 *             and key, ssl->log receives error messages
 * cert      - certificate location, resolved by ngx_ssl_load_certificate()
 * key       - private key location, resolved by ngx_ssl_load_certificate_key()
 * passwords - password list for an encrypted key, forwarded unchanged to
 *             ngx_ssl_load_certificate_key()
 *
 * Returns NGX_OK on success and NGX_ERROR on failure.  Failures are logged
 * at NGX_LOG_EMERG, except when a loader returns NULL together with
 * err == NULL (ngx_ssl_load_certificate() does so after a failed
 * ngx_get_full_name()); nothing further is logged here in that case.
 */
ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    ngx_str_t *key, ngx_array_t *passwords)
{
    char             *err;
    X509             *x509;
    EVP_PKEY         *pkey;
    STACK_OF(X509)   *chain;

    x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain);
    if (x509 == NULL) {
        /* err == NULL: the loader left nothing for us to report */
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "cannot load certificate \"%s\": %s",
                          cert->data, err);
        }

        return NGX_ERROR;
    }

    /*
     * SSL_CTX_use_certificate() keeps its own reference; on every error
     * path below the local x509 and the chain are still ours to free
     */

    if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_use_certificate(\"%s\") failed", cert->data);
        X509_free(x509);
        sk_X509_pop_free(chain, X509_free);
        return NGX_ERROR;
    }

    /* remember the configured certificate name in the X509's exdata */

    if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
        X509_free(x509);
        sk_X509_pop_free(chain, X509_free);
        return NGX_ERROR;
    }

    /*
     * link this certificate to the one loaded before it: ssl->ctx exdata
     * (ngx_ssl_certificate_index) points to the most recently loaded
     * certificate, and each X509's exdata (ngx_ssl_next_certificate_index)
     * points to its predecessor, forming a list of all certificates
     */

    if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index,
                         SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index))
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
        X509_free(x509);
        sk_X509_pop_free(chain, X509_free);
        return NGX_ERROR;
    }

    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        X509_free(x509);
        sk_X509_pop_free(chain, X509_free);
        return NGX_ERROR;
    }

    /*
     * Note that x509 is not freed here, but will be instead freed in
     * ngx_ssl_cleanup_ctx(). This is because we need to preserve all
     * certificates to be able to iterate all of them through exdata
     * (ngx_ssl_certificate_index, ngx_ssl_next_certificate_index),
     * while OpenSSL can free a certificate if it is replaced with another
     * certificate of the same type.
     */

#ifdef SSL_CTX_set0_chain

    /*
     * SSL_CTX_set0_chain() takes ownership of chain on success, so the
     * chain is only freed here when the call fails
     */

    if (SSL_CTX_set0_chain(ssl->ctx, chain) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set0_chain(\"%s\") failed", cert->data);
        sk_X509_pop_free(chain, X509_free);
        return NGX_ERROR;
    }

#else
    {
    int  n;

    /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */

    n = sk_X509_num(chain);

    /*
     * hand the chain certificates over one at a time; x509 is reused as
     * a cursor here, the leaf certificate stays reachable through exdata.
     * NOTE(review): a certificate already shifted out of the stack is not
     * covered by the sk_X509_pop_free() on the failure path below
     */

    while (n--) {
        x509 = sk_X509_shift(chain);

        if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
                          cert->data);
            sk_X509_pop_free(chain, X509_free);
            return NGX_ERROR;
        }
    }

    /* every entry has been shifted out, only the empty stack remains */
    sk_X509_free(chain);
    }
#endif

    pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords);
    if (pkey == NULL) {
        /* as above: err == NULL means the loader left nothing to report */
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "cannot load certificate key \"%s\": %s",
                          key->data, err);
        }

        return NGX_ERROR;
    }

    if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data);
        EVP_PKEY_free(pkey);
        return NGX_ERROR;
    }

    /* SSL_CTX_use_PrivateKey() keeps its own reference; drop the local one */
    EVP_PKEY_free(pkey);

    return NGX_OK;
}
540
541
/*
 * Per-connection counterpart of ngx_ssl_certificate(): loads "cert" (with
 * the chain returned by ngx_ssl_load_certificate()) and "key" into the SSL
 * object of connection "c" instead of an SSL_CTX.  No exdata bookkeeping
 * is done here, and the local X509 reference is released as soon as the
 * SSL object has taken its own.
 *
 * c         - connection; c->ssl->connection receives the certificate,
 *             chain and key, c->log receives error messages (logged at
 *             NGX_LOG_ERR rather than NGX_LOG_EMERG because this runs from
 *             the certificate callback, see the comment below)
 * pool      - pool passed to the loaders
 * cert      - certificate location, resolved by ngx_ssl_load_certificate()
 * key       - private key location, resolved by ngx_ssl_load_certificate_key()
 * passwords - password list for an encrypted key, forwarded unchanged
 *
 * Returns NGX_OK on success and NGX_ERROR on failure.  As in
 * ngx_ssl_certificate(), a loader failure with err == NULL is not logged.
 */
ngx_int_t
ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords)
{
    char             *err;
    X509             *x509;
    EVP_PKEY         *pkey;
    STACK_OF(X509)   *chain;

    x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain);
    if (x509 == NULL) {
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "cannot load certificate \"%s\": %s",
                          cert->data, err);
        }

        return NGX_ERROR;
    }

    if (SSL_use_certificate(c->ssl->connection, x509) == 0) {
        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "SSL_use_certificate(\"%s\") failed", cert->data);
        X509_free(x509);
        sk_X509_pop_free(chain, X509_free);
        return NGX_ERROR;
    }

    /*
     * SSL_use_certificate() keeps its own reference; unlike
     * ngx_ssl_certificate() there is no exdata list to keep x509 alive for
     */
    X509_free(x509);

#ifdef SSL_set0_chain

    /*
     * SSL_set0_chain() is only available in OpenSSL 1.0.2+,
     * but this function is only called via certificate callback,
     * which is only available in OpenSSL 1.0.2+ as well
     */

    /* SSL_set0_chain() takes ownership of chain on success */

    if (SSL_set0_chain(c->ssl->connection, chain) == 0) {
        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "SSL_set0_chain(\"%s\") failed", cert->data);
        sk_X509_pop_free(chain, X509_free);
        return NGX_ERROR;
    }

#endif

    /*
     * NOTE(review): there is no #else branch, so on a build without
     * SSL_set0_chain the loaded chain is neither attached nor freed;
     * the comment above explains why that build is not expected here
     */

    pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords);
    if (pkey == NULL) {
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "cannot load certificate key \"%s\": %s",
                          key->data, err);
        }

        return NGX_ERROR;
    }

    if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) {
        ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                      "SSL_use_PrivateKey(\"%s\") failed", key->data);
        EVP_PKEY_free(pkey);
        return NGX_ERROR;
    }

    /* SSL_use_PrivateKey() keeps its own reference; drop the local one */
    EVP_PKEY_free(pkey);

    return NGX_OK;
}
611
612
613 static X509 *
614 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
615 STACK_OF(X509) **chain)
616 {
617 BIO *bio;
618 X509 *x509, *temp;
619 u_long n;
620
621 if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
622
623 bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
624 cert->len - (sizeof("data:") - 1));
625 if (bio == NULL) {
626 *err = "BIO_new_mem_buf() failed";
627 return NULL;
628 }
629
630 } else {
631
632 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert)
633 != NGX_OK)
634 {
635 *err = NULL;
636 return NULL;
637 }
638
639 bio = BIO_new_file((char *) cert->data, "r");
640 if (bio == NULL) {
641 *err = "BIO_new_file() failed";
642 return NULL;
643 }
644 }
645
646 /* certificate itself */
647
648 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
649 if (x509 == NULL) {
650 *err = "PEM_read_bio_X509_AUX() failed";
651 BIO_free(bio);
652 return NULL;
653 }
654
655 /* rest of the chain */
656
657 *chain = sk_X509_new_null();
658 if (*chain == NULL) {
659 *err = "sk_X509_new_null() failed";
660 BIO_free(bio);
661 X509_free(x509);
662 return NULL;
663 }
664
665 for ( ;; ) {
666
667 temp = PEM_read_bio_X509(bio, NULL, NULL, NULL);
668 if (temp == NULL) {
669 n = ERR_peek_last_error();
670
671 if (ERR_GET_LIB(n) == ERR_LIB_PEM
672 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE)
673 {
674 /* end of file */
675 ERR_clear_error();
676 break;
677 }
678
679 /* some real error */
680
681 *err = "PEM_read_bio_X509() failed";
682 BIO_free(bio);
683 X509_free(x509);
684 sk_X509_pop_free(*chain, X509_free);
685 return NULL;
686 }
687
688 if (sk_X509_push(*chain, temp) == 0) {
689 *err = "sk_X509_push() failed";
690 BIO_free(bio);
691 X509_free(x509);
692 sk_X509_pop_free(*chain, X509_free);
693 return NULL;
694 }
695 }
696
697 BIO_free(bio);
698
699 return x509;
700 }
701
702
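/*
 * Loads the private key for a certificate, as named by "key".
 *
 * Three forms of "key" are understood:
 *
 *   "engine:<engine id>:<key id>"  the key is obtained from an OpenSSL
 *                                  ENGINE; rejected with an error when
 *                                  OPENSSL_NO_ENGINE is defined;
 *   "data:<PEM text>"              the PEM-encoded key follows the prefix
 *                                  in memory and is read from there;
 *   anything else                  a file name, resolved relative to the
 *                                  configuration prefix and read as PEM.
 *
 * "passwords" may be NULL or an ngx_array_t of ngx_str_t passphrases to
 * try, in order, for an encrypted PEM key; every failed attempt rewinds
 * the BIO and moves on to the next candidate.  Without candidates the
 * PEM reader is called with a NULL callback and NULL userdata, so
 * passphrase handling is left to OpenSSL itself.
 *
 * Returns a new EVP_PKEY owned by the caller, or NULL with *err pointing
 * to a static message describing the failure; *err is set to NULL when
 * ngx_get_full_name() failed.
 */
static EVP_PKEY *
ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
    ngx_str_t *key, ngx_array_t *passwords)
{
    BIO              *bio;
    EVP_PKEY         *pkey;
    ngx_str_t        *pwd;
    ngx_uint_t        tries;
    pem_password_cb  *cb;

    if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {

#ifndef OPENSSL_NO_ENGINE

        u_char  *p, *last;
        ENGINE  *engine;

        p = key->data + sizeof("engine:") - 1;
        last = (u_char *) ngx_strchr(p, ':');

        if (last == NULL) {
            *err = "invalid syntax";
            return NULL;
        }

        /*
         * ENGINE_by_id() wants a NUL-terminated engine id, so the
         * separator is overwritten in place for the duration of the
         * call and put back right after it, on the failure path too,
         * so that the configured key string stays intact for any
         * error message the caller builds from it
         */

        *last = '\0';

        engine = ENGINE_by_id((char *) p);

        *last++ = ':';

        if (engine == NULL) {
            *err = "ENGINE_by_id() failed";
            return NULL;
        }

        pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);

        if (pkey == NULL) {
            *err = "ENGINE_load_private_key() failed";
            ENGINE_free(engine);
            return NULL;
        }

        /* the engine reference is only needed to load the key */
        ENGINE_free(engine);

        return pkey;

#else

        *err = "loading \"engine:...\" certificate keys is not supported";
        return NULL;

#endif
    }

    if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) {

        /* a read-only memory BIO over the key material embedded in "key" */

        bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1,
                              key->len - (sizeof("data:") - 1));
        if (bio == NULL) {
            *err = "BIO_new_mem_buf() failed";
            return NULL;
        }

    } else {

        if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key)
            != NGX_OK)
        {
            *err = NULL;
            return NULL;
        }

        bio = BIO_new_file((char *) key->data, "r");
        if (bio == NULL) {
            *err = "BIO_new_file() failed";
            return NULL;
        }
    }

    if (passwords && passwords->nelts) {
        tries = passwords->nelts;
        pwd = passwords->elts;
        cb = ngx_ssl_password_callback;

    } else {
        /*
         * no candidate passphrases (NULL or an empty array): a single
         * attempt with no callback, leaving passphrase handling to
         * OpenSSL; the empty-array case is folded in here so that the
         * callback is never handed a pointer into a zero-length array
         */
        tries = 1;
        pwd = NULL;
        cb = NULL;
    }

    for ( ;; ) {

        pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd);
        if (pkey != NULL) {
            break;
        }

        if (tries-- > 1) {
            /*
             * any failure is retried with the next candidate: drop the
             * queued OpenSSL errors and rewind the BIO first
             */
            ERR_clear_error();
            (void) BIO_reset(bio);
            pwd++;
            continue;
        }

        *err = "PEM_read_bio_PrivateKey() failed";
        BIO_free(bio);
        return NULL;
    }

    BIO_free(bio);

    return pkey;
}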
818
819
/*
 * pem_password_cb for PEM_read_bio_PrivateKey(): copies the candidate
 * passphrase passed as "userdata" (an ngx_str_t *, or NULL) into "buf",
 * which holds "size" bytes.
 *
 * Returns the number of bytes written, or 0 when there is nothing to
 * supply: no passphrase was given, or OpenSSL asked for an encryption
 * passphrase (rwflag set), which this callback never provides.  A
 * passphrase longer than "size" is cut to "size" bytes and the cut is
 * logged.
 */
static int
ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata)
{
    size_t      n;
    ngx_str_t  *pwd;

    pwd = userdata;

    /* only decryption is served here; an encryption request is a bug */
    if (rwflag) {
        ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
                      "ngx_ssl_password_callback() is called for encryption");
        return 0;
    }

    if (pwd == NULL) {
        return 0;
    }

    n = pwd->len;

    if (n > (size_t) size) {
        ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0,
                      "password is truncated to %d bytes", size);
        n = (size_t) size;
    }

    ngx_memcpy(buf, pwd->data, n);

    return (int) n;
}
846
847
/*
 * Installs the configured cipher list on the SSL_CTX of "ssl" and, when
 * "prefer_server_ciphers" is non-zero, makes the server's order win over
 * the client's during negotiation.
 *
 * NOTE: SSL_CTX_set_cipher_list() governs the TLSv1.2-and-earlier cipher
 * list only; the TLSv1.3 suite list (SSL_CTX_set_ciphersuites()) is not
 * configured by this function.
 *
 * Returns NGX_OK, or NGX_ERROR after logging when OpenSSL rejects the
 * cipher string.  "cf" is unused.
 */
ngx_int_t
ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
    ngx_uint_t prefer_server_ciphers)
{
    int  rc;

    rc = SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data);

    if (rc == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_cipher_list(\"%V\") failed",
                      ciphers);
        return NGX_ERROR;
    }

    if (prefer_server_ciphers != 0) {
        SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
    }

    return NGX_OK;
}
865
866
867 ngx_int_t
868 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
869 ngx_int_t depth)
870 {
871 STACK_OF(X509_NAME) *list;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
872
5222
23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents: 5081
diff changeset
873 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
874
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
875 SSL_CTX_set_verify_depth(ssl->ctx, depth);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
876
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
877 if (cert->len == 0) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
878 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
879 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
880
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
881 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
882 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
883 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
884
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
885 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
886 == 0)
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
887 {
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
888 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
889 "SSL_CTX_load_verify_locations(\"%s\") failed",
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
890 cert->data);
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
891 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
892 }
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
893
5365
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
894 /*
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
895 * SSL_CTX_load_verify_locations() may leave errors in the error queue
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
896 * while returning success
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
897 */
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
898
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
899 ERR_clear_error();
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5330
diff changeset
900
671
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
901 list = SSL_load_client_CA_file((char *) cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
902
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
903 if (list == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
904 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
905 "SSL_load_client_CA_file(\"%s\") failed", cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
906 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
907 }
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
908
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
909 SSL_CTX_set_client_CA_list(ssl->ctx, list);
cec32b3753ac nginx-0.3.57-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 647
diff changeset
910
647
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
911 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 611
diff changeset
912 }
/*
 * Loads a trusted CA file into the SSL context's trust store.
 *
 * Unlike ngx_ssl_client_certificate(), this does not force
 * SSL_VERIFY_PEER: the current verify mode is read back with
 * SSL_CTX_get_verify_mode() and re-applied unchanged, so that only the
 * callback and the depth limit are (re)installed.  As in
 * ngx_ssl_client_certificate(), the callback always returns 1 and
 * therefore enforces nothing by itself.
 *
 * An empty cert leaves the trust store untouched.  Otherwise cert is
 * resolved to a full path and loaded with SSL_CTX_load_verify_locations().
 *
 * Returns NGX_OK on success, NGX_ERROR on failure (logged at EMERG).
 */
ngx_int_t
ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    ngx_int_t depth)
{
    int  mode;

    /* keep whatever mode is already configured; only refresh the callback */

    mode = SSL_CTX_get_verify_mode(ssl->ctx);
    SSL_CTX_set_verify(ssl->ctx, mode, ngx_ssl_verify_callback);
    SSL_CTX_set_verify_depth(ssl->ctx, depth);

    if (cert->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    if (!SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_load_verify_locations(\"%s\") failed",
                      cert->data);
        return NGX_ERROR;
    }

    /*
     * a successful SSL_CTX_load_verify_locations() may still leave
     * entries in the OpenSSL error queue; drop them so they are not
     * attributed to whatever fails next
     */

    ERR_clear_error();

    return NGX_OK;
}
/*
 * Attaches a PEM CRL file to the context's certificate store and turns
 * on CRL checking for the whole chain.
 *
 * An empty crl is a no-op.  The file is read once, here, at
 * configuration time; there is no re-read path in this code, so a
 * changed CRL on disk presumably needs a configuration reload to take
 * effect.
 *
 * X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL check
 * every certificate in the chain against a CRL.  By OpenSSL's documented
 * semantics a missing CRL for any issuer then fails verification rather
 * than being skipped, so the file must cover all CAs in the chain.
 *
 * Returns NGX_OK on success, NGX_ERROR on failure (logged at EMERG).
 */
ngx_int_t
ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl)
{
    X509_STORE   *cert_store;
    X509_LOOKUP  *file_lookup;

    if (crl->len == 0) {
        return NGX_OK;
    }

    if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
        return NGX_ERROR;
    }

    cert_store = SSL_CTX_get_cert_store(ssl->ctx);

    if (cert_store == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_get_cert_store() failed");
        return NGX_ERROR;
    }

    /* a file-backed lookup method; the store owns it from here on */

    file_lookup = X509_STORE_add_lookup(cert_store, X509_LOOKUP_file());

    if (file_lookup == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_STORE_add_lookup() failed");
        return NGX_ERROR;
    }

    if (!X509_LOOKUP_load_file(file_lookup, (char *) crl->data,
                               X509_FILETYPE_PEM))
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
        return NGX_ERROR;
    }

    X509_STORE_set_flags(cert_store,
                         X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);

    return NGX_OK;
}
#if (NGX_DEBUG)

/*
 * Renders an X509_NAME as a single line for debug logging.
 *
 * Returns a string to be released with OPENSSL_free(), or NULL when
 * name is NULL or X509_NAME_oneline() fails; the failure is logged at
 * ALERT level on the connection's log.
 */
static char *
ngx_ssl_verify_name_oneline(ngx_connection_t *c, X509_NAME *name)
{
    char  *line;

    if (name == NULL) {
        return NULL;
    }

    line = X509_NAME_oneline(name, NULL, 0);

    if (line == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
    }

    return line;
}

#endif


/*
 * OpenSSL verify callback installed by ngx_ssl_client_certificate() and
 * ngx_ssl_trusted_certificate().
 *
 * It always returns 1.  Per OpenSSL's verify callback contract that
 * tells the library to continue the handshake even when ok is 0, i.e.
 * a failed chain does not abort the handshake here; the error stays
 * recorded in the store context's verify result and has to be checked
 * elsewhere (not in this function) for verification to be enforced.
 *
 * Its only work is debug logging of the certificate being examined:
 * the verdict ok, the error code and depth, and the subject and
 * issuer names.  All of it is compiled out in non-debug builds and
 * skipped when NGX_LOG_DEBUG_EVENT is not enabled on the connection.
 */
static int
ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
#if (NGX_DEBUG)
    char              *subject, *issuer;
    int                err, depth;
    X509              *cert;
    ngx_connection_t  *c;
    ngx_ssl_conn_t    *ssl_conn;

    ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
                                          SSL_get_ex_data_X509_STORE_CTX_idx());
    c = ngx_ssl_get_connection(ssl_conn);

    /* skip the X509_NAME_oneline() allocations when nobody will see them */

    if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) {
        return 1;
    }

    cert = X509_STORE_CTX_get_current_cert(x509_store);
    err = X509_STORE_CTX_get_error(x509_store);
    depth = X509_STORE_CTX_get_error_depth(x509_store);

    subject = ngx_ssl_verify_name_oneline(c, X509_get_subject_name(cert));
    issuer = ngx_ssl_verify_name_oneline(c, X509_get_issuer_name(cert));

    ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "verify:%d, error:%d, depth:%d, "
                   "subject:\"%s\", issuer:\"%s\"",
                   ok, err, depth,
                   subject ? subject : "(none)",
                   issuer ? issuer : "(none)");

    if (subject) {
        OPENSSL_free(subject);
    }

    if (issuer) {
        OPENSSL_free(issuer);
    }
#endif

    return 1;
}
1067 static void
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1068 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1069 {
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1070 BIO *rbio, *wbio;
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1071 ngx_connection_t *c;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1072
7356
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7353
diff changeset
1073 #ifndef SSL_OP_NO_RENEGOTIATION
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7353
diff changeset
1074
6982
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
1075 if ((where & SSL_CB_HANDSHAKE_START)
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
1076 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
ac9b1df5b246 SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6981
diff changeset
1077 {
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1078 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1079
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1080 if (c->ssl->handshaked) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1081 c->ssl->renegotiation = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1082 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1083 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1084 }
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1085
7356
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7353
diff changeset
1086 #endif
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7353
diff changeset
1087
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1088 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1089 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1090
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1091 if (!c->ssl->handshake_buffer_set) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1092 /*
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1093 * By default OpenSSL uses 4k buffer during a handshake,
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1094 * which is too low for long certificate chains and might
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1095 * result in extra round-trips.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1096 *
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1097 * To adjust a buffer size we detect that buffering was added
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1098 * to write side of the connection by comparing rbio and wbio.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1099 * If they are different, we assume that it's due to buffering
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1100 * added to wbio, and set buffer size.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1101 */
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1102
7509
b99cbafd51da SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7484
diff changeset
1103 rbio = SSL_get_rbio(ssl_conn);
b99cbafd51da SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7484
diff changeset
1104 wbio = SSL_get_wbio(ssl_conn);
5395
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1105
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5384
diff changeset
1106 if (rbio != wbio) {
1107 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
1108 c->ssl->handshake_buffer_set = 1;
1109 }
1110 }
1111 }
1112 }
1113
1114
/*
 * Reads the password file named by "file" and returns its contents as an
 * array of ngx_str_t allocated from cf->temp_pool, or NULL after logging
 * an error.
 *
 * The path is resolved against the prefix by ngx_conf_full_name().  Lines
 * are delimited by LF, a trailing CR is stripped, and empty lines are
 * skipped.  A line that does not fit into NGX_SSL_PASSWORD_BUFFER_SIZE
 * bytes is rejected, so the longest usable password is one byte shorter
 * than the buffer.  If the file yields no passwords at all, a single
 * zero-length entry is returned (presumably so that an empty file still
 * counts as an explicit password configuration; see
 * ngx_ssl_preserve_passwords() for the NULL case).
 *
 * Secret handling: the on-stack read buffer is wiped with
 * ngx_explicit_memzero() on every exit path after the file was opened,
 * and ngx_ssl_passwords_cleanup() is registered on cf->temp_pool so each
 * copied password is wiped when the temporary pool is destroyed.  Callers
 * that need the passwords at runtime must copy them with
 * ngx_ssl_preserve_passwords().
 *
 * NOTE(review): the file is opened read-only without any check of its
 * ownership or mode; restricting who can read it is left to the
 * administrator.
 */

ngx_array_t *
ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
{
    u_char              *p, *last, *end;
    size_t               len;
    ssize_t              n;
    ngx_fd_t             fd;
    ngx_str_t           *pwd;
    ngx_array_t         *passwords;
    ngx_pool_cleanup_t  *cln;
    u_char               buf[NGX_SSL_PASSWORD_BUFFER_SIZE];

    if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
        return NULL;
    }

    passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t));
    if (passwords == NULL) {
        return NULL;
    }

    /*
     * the wipe handler is registered before anything is pushed, so every
     * password copied below is zeroed when cf->temp_pool is destroyed
     */

    cln = ngx_pool_cleanup_add(cf->temp_pool, 0);
    if (cln == NULL) {
        return NULL;
    }

    cln->handler = ngx_ssl_passwords_cleanup;
    cln->data = passwords;

    fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);

    if (fd == NGX_INVALID_FILE) {
        ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
                           ngx_open_file_n " \"%s\" failed", file->data);
        return NULL;
    }

    /* "len" is the size of an unterminated line carried over in buf[0..len) */

    len = 0;
    last = buf;

    do {
        n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len);

        if (n == -1) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
                               ngx_read_fd_n " \"%s\" failed", file->data);
            passwords = NULL;
            goto cleanup;
        }

        end = last + n;

        /*
         * at EOF, terminate an unfinished last line; the write stays in
         * bounds because a carried-over len is always smaller than
         * NGX_SSL_PASSWORD_BUFFER_SIZE (checked below before memmove)
         */

        if (len && n == 0) {
            *end++ = LF;
        }

        p = buf;

        /* only the newly read bytes are scanned for LF, hence start at "last" */

        for ( ;; ) {
            last = ngx_strlchr(last, end, LF);

            if (last == NULL) {
                break;
            }

            len = last++ - p;

            /* tolerate CRLF line endings */

            if (len && p[len - 1] == CR) {
                len--;
            }

            /* empty lines are not passwords */

            if (len) {
                pwd = ngx_array_push(passwords);
                if (pwd == NULL) {
                    passwords = NULL;
                    goto cleanup;
                }

                pwd->len = len;
                pwd->data = ngx_pnalloc(cf->temp_pool, len);

                if (pwd->data == NULL) {
                    /*
                     * drop the half-initialized element so the cleanup
                     * handler never wipes through a NULL data pointer
                     */
                    passwords->nelts--;
                    passwords = NULL;
                    goto cleanup;
                }

                ngx_memcpy(pwd->data, p, len);
            }

            p = last;
        }

        /* carry the unterminated tail over to the next read */

        len = end - p;

        if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                               "too long line in \"%s\"", file->data);
            passwords = NULL;
            goto cleanup;
        }

        ngx_memmove(buf, p, len);
        last = buf + len;

    } while (n != 0);

    if (passwords->nelts == 0) {
        pwd = ngx_array_push(passwords);
        if (pwd == NULL) {
            passwords = NULL;
            goto cleanup;
        }

        ngx_memzero(pwd, sizeof(ngx_str_t));
    }

cleanup:

    if (ngx_close_file(fd) == NGX_FILE_ERROR) {
        ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
                           ngx_close_file_n " \"%s\" failed", file->data);
    }

    /* buf held plaintext passwords; wipe it regardless of outcome */

    ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);

    return passwords;
}
1243
1244
/*
 * Copies "passwords" (as returned by ngx_ssl_read_password_file(), living
 * in the temporary pool) into cf->pool so they survive configuration
 * parsing and can be used for certificate loading at runtime.  Returns
 * the copy, a shared static empty array when "passwords" is NULL, or
 * NULL on allocation failure.
 *
 * ngx_ssl_passwords_cleanup() is registered on cf->pool so the copies are
 * wiped when the configuration pool is destroyed.
 */

ngx_array_t *
ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords)
{
    ngx_str_t           *src, *dst, *last;
    ngx_array_t         *copy;
    ngx_pool_cleanup_t  *cln;
    static ngx_array_t   empty_passwords;

    if (passwords == NULL) {

        /*
         * With no passwords configured, hand out an empty array rather
         * than NULL so that OpenSSL's default password callback is never
         * used and cannot block waiting for input on stdin.
         */

        return &empty_passwords;
    }

    copy = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t));
    if (copy == NULL) {
        return NULL;
    }

    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NULL;
    }

    cln->handler = ngx_ssl_passwords_cleanup;
    cln->data = copy;

    src = passwords->elts;
    last = src + passwords->nelts;

    while (src < last) {

        dst = ngx_array_push(copy);
        if (dst == NULL) {
            return NULL;
        }

        dst->len = src->len;
        dst->data = ngx_pnalloc(cf->pool, src->len);

        if (dst->data == NULL) {
            /* unpush so the cleanup handler does not wipe a NULL pointer */
            copy->nelts--;
            return NULL;
        }

        ngx_memcpy(dst->data, src->data, src->len);

        src++;
    }

    return copy;
}
1306
1307
/*
 * Pool cleanup handler: wipes every password in the ngx_array_t passed
 * as "data".  ngx_explicit_memzero() is used so the compiler cannot drop
 * the stores as dead writes to memory that is about to be freed.
 */

static void
ngx_ssl_passwords_cleanup(void *data)
{
    ngx_array_t *passwords = data;

    ngx_str_t   *pwd;
    ngx_uint_t   n;

    pwd = passwords->elts;

    for (n = passwords->nelts; n > 0; n--, pwd++) {
        ngx_explicit_memzero(pwd->data, pwd->len);
    }
}
1322
1323
1324 ngx_int_t
1325 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
1326 {
1327 BIO *bio;
1328
1329 if (file->len == 0) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1330 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1331 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1332
5330
314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5317
diff changeset
1333 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1334 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1335 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1336
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1337 bio = BIO_new_file((char *) file->data, "r");
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1338 if (bio == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1339 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1340 "BIO_new_file(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1341 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1342 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1343
7896
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1344 #ifdef SSL_CTX_set_tmp_dh
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1345 {
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1346 DH *dh;
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1347
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1348 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1349 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1350 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1351 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1352 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1353 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1354 }
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1355
7892
34a3a1a2d197 SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7891
diff changeset
1356 if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
34a3a1a2d197 SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7891
diff changeset
1357 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
34a3a1a2d197 SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7891
diff changeset
1358 "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data);
34a3a1a2d197 SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7891
diff changeset
1359 DH_free(dh);
34a3a1a2d197 SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7891
diff changeset
1360 BIO_free(bio);
34a3a1a2d197 SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7891
diff changeset
1361 return NGX_ERROR;
34a3a1a2d197 SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7891
diff changeset
1362 }
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1363
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1364 DH_free(dh);
7896
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1365 }
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1366 #else
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1367 {
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1368 EVP_PKEY *dh;
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1369
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1370 /*
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1371 * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh()
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1372 * are deprecated in OpenSSL 3.0
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1373 */
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1374
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1375 dh = PEM_read_bio_Parameters(bio, NULL);
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1376 if (dh == NULL) {
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1377 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1378 "PEM_read_bio_Parameters(\"%s\") failed", file->data);
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1379 BIO_free(bio);
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1380 return NGX_ERROR;
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1381 }
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1382
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1383 if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) {
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1384 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1385 "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data);
7994
aeab41dfd260 SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7987
diff changeset
1386 #if (OPENSSL_VERSION_NUMBER >= 0x3000001fL)
aeab41dfd260 SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7987
diff changeset
1387 EVP_PKEY_free(dh);
aeab41dfd260 SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7987
diff changeset
1388 #endif
7896
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1389 BIO_free(bio);
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1390 return NGX_ERROR;
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1391 }
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1392 }
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1393 #endif
1e0fabbe01c7 SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7894
diff changeset
1394
2044
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1395 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1396
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1397 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam
Igor Sysoev <igor@sysoev.ru>
parents: 2032
diff changeset
1398 }
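/*
 * Configures the curves used for ECDHE key exchange on ssl->ctx, as given
 * by the "ssl_ecdh_curve" directive.
 *
 * cf:    configuration context; not used here, the parameter keeps the
 *        signature in line with the other ngx_ssl_*() config helpers
 * ssl:   target SSL context; ssl->log receives error messages
 * name:  a curve name (a curve list in SSL_CTX_set1_curves_list() syntax
 *        where that API exists), or "auto" to keep the library default
 *
 * Returns NGX_OK on success and when ECDH is compiled out of the library,
 * NGX_ERROR after logging at EMERG level if the curve is unknown or cannot
 * be installed.  Like the other config helpers this fails closed: a typo
 * in the directive stops nginx instead of silently falling back.
 */
ngx_int_t
ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
{
#ifndef OPENSSL_NO_ECDH

    /*
     * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
     * from RFC 4492 section 5.1.1, or explicitly described curves over
     * binary fields.  OpenSSL only supports the "named curves", which provide
     * maximum interoperability.
     */

#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)

    /*
     * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
     * curve previously supported.  By default an internal list is used,
     * with prime256v1 being preferred by server in OpenSSL 1.0.2b+
     * and X25519 in OpenSSL 1.1.0+.
     *
     * By default a curve preferred by the client will be used for
     * key exchange.  The SSL_OP_CIPHER_SERVER_PREFERENCE option can
     * be used to prefer server curves instead, similar to what it
     * does for ciphers.
     */

    /* a fresh ephemeral ECDH key per handshake on pre-1.1.0 libraries */
    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);

#ifdef SSL_CTRL_SET_ECDH_AUTO
    /* not needed in OpenSSL 1.1.0+ */
    (void) SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
#endif

    if (ngx_strcmp(name->data, "auto") == 0) {
        return NGX_OK;
    }

    if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set1_curves_list(\"%s\") failed", name->data);
        return NGX_ERROR;
    }

#else

    /* single-curve API of libraries without a curve list */

    int      nid;
    char    *curve;
    EC_KEY  *ecdh;

    /* "auto" on the single-curve API means prime256v1 */

    if (ngx_strcmp(name->data, "auto") == 0) {
        curve = "prime256v1";

    } else {
        curve = (char *) name->data;
    }

    nid = OBJ_sn2nid(curve);
    if (nid == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "OBJ_sn2nid(\"%s\") failed: unknown curve", curve);
        return NGX_ERROR;
    }

    ecdh = EC_KEY_new_by_curve_name(nid);
    if (ecdh == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "EC_KEY_new_by_curve_name(\"%s\") failed", curve);
        return NGX_ERROR;
    }

    SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);

    /*
     * the context keeps its own copy, so ecdh is freed on both paths;
     * the result is checked the way ngx_ssl_dhparam() checks
     * SSL_CTX_set_tmp_dh(), an ignored failure would leave the context
     * without the configured curve
     */

    if (SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_tmp_ecdh(\"%s\") failed", curve);
        EC_KEY_free(ecdh);
        return NGX_ERROR;
    }

    EC_KEY_free(ecdh);
#endif
#endif

    return NGX_OK;
}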
/*
 * Enables TLSv1.3 early data (0-RTT) on ssl->ctx for the "ssl_early_data"
 * directive, using whichever API the linked library provides.
 *
 * cf:      configuration context, not used here
 * ssl:     target SSL context; ssl->log receives the warning below
 * enable:  zero leaves the context untouched, non-zero enables early data
 *
 * Always returns NGX_OK.  On a library without an early data API the
 * request is only logged at WARN level and otherwise ignored.
 *
 * NOTE(review): 0-RTT data is replayable by design (RFC 8446, section 8);
 * whether replayed early-data requests are recognised further up the
 * stack is not visible in this function, confirm it before enabling.
 */
ngx_int_t
ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
{
    if (enable) {

#ifdef SSL_ERROR_EARLY_DATA_REJECTED

        /* BoringSSL */

        SSL_CTX_set_early_data_enabled(ssl->ctx, 1);

#elif defined SSL_READ_EARLY_DATA_SUCCESS

        /* OpenSSL: cap early data at one buffer's worth */

        SSL_CTX_set_max_early_data(ssl->ctx, NGX_SSL_BUFSIZE);

#else
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_early_data\" is not supported on this platform, "
                      "ignored");
#endif
    }

    return NGX_OK;
}
1512 ngx_int_t
1513 ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands)
1514 {
1515 if (commands == NULL) {
1516 return NGX_OK;
1517 }
1519 #ifdef SSL_CONF_FLAG_FILE
1520 {
1521 int type;
1522 u_char *key, *value;
1523 ngx_uint_t i;
1524 ngx_keyval_t *cmd;
1525 SSL_CONF_CTX *cctx;
1527 cctx = SSL_CONF_CTX_new();
1528 if (cctx == NULL) {
1529 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1530 "SSL_CONF_CTX_new() failed");
1531 return NGX_ERROR;
1532 }
1534 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
1535 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
1536 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
1537 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
1538 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
1540 SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx);
1542 cmd = commands->elts;
1543 for (i = 0; i < commands->nelts; i++) {
1545 key = cmd[i].key.data;
1546 type = SSL_CONF_cmd_value_type(cctx, (char *) key);
1548 if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) {
1549 if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) {
1550 SSL_CONF_CTX_free(cctx);
1551 return NGX_ERROR;
1552 }
1553 }
1555 value = cmd[i].value.data;
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1556
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1557 if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) {
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1558 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1559 "SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value);
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1560 SSL_CONF_CTX_free(cctx);
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1561 return NGX_ERROR;
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1562 }
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1563 }
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1564
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1565 if (SSL_CONF_CTX_finish(cctx) != 1) {
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1566 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1567 "SSL_CONF_finish() failed");
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1568 SSL_CONF_CTX_free(cctx);
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1569 return NGX_ERROR;
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1570 }
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1571
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1572 SSL_CONF_CTX_free(cctx);
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1573
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1574 return NGX_OK;
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1575 }
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1576 #else
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1577 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1578 "SSL_CONF_cmd() is not available on this platform");
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1579 return NGX_ERROR;
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1580 #endif
3bff3f397c05 SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7709
diff changeset
1581 }
/*
 * Turns on client-side session caching for the context behind "ssl".
 *
 * cf     - configuration context; accepted for symmetry with the other
 *          ngx_ssl_*() setup functions, not read here
 * ssl    - the ngx_ssl_t whose ctx is configured
 * enable - zero leaves the context untouched
 *
 * Returns NGX_OK in every case.
 *
 * OpenSSL's built-in session store is bypassed (SSL_SESS_CACHE_NO_INTERNAL);
 * instead every newly established session is delivered to
 * ngx_ssl_new_client_session(), which lets the owning connection decide
 * whether and where to keep it.
 */
ngx_int_t
ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
{
    long  mode;

    if (enable == 0) {
        return NGX_OK;
    }

    mode = SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_NO_INTERNAL;

    SSL_CTX_set_session_cache_mode(ssl->ctx, mode);
    SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session);

    return NGX_OK;
}
/*
 * SSL_CTX "new session" callback installed by ngx_ssl_client_session_cache().
 *
 * ssl_conn - the OpenSSL connection that just negotiated "sess"
 * sess     - the freshly created session
 *
 * If the connection registered a save_session handler, the session is
 * exposed to it through c->ssl->session for the duration of the call only;
 * the field is cleared again before returning so that no later code sees a
 * pointer whose lifetime it does not control.
 *
 * Always returns 0: by the OpenSSL new-session callback contract a zero
 * return means the callback took no reference of its own on "sess", so the
 * library keeps ownership. A handler that wants to retain the session has to
 * take a reference itself (compare ngx_ssl_get_session()).
 */
static int
ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
    ngx_connection_t      *c;
    ngx_ssl_connection_t  *sc;

    c = ngx_ssl_get_connection(ssl_conn);
    sc = c->ssl;

    if (sc->save_session == NULL) {
        return 0;
    }

    sc->session = sess;
    sc->save_session(c);
    sc->session = NULL;

    return 0;
}
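/*
 * Attaches a new OpenSSL connection object to "c".
 *
 * ssl   - the configured context (ngx_ssl_t) the connection is created from
 * c     - the nginx connection; c->fd is handed to OpenSSL and c->ssl is set
 *         on success
 * flags - NGX_SSL_CLIENT selects connect (client) state, otherwise accept
 *         (server) state; NGX_SSL_BUFFER requests buffered writes
 *
 * Returns NGX_OK, or NGX_ERROR after logging. On NGX_ERROR c->ssl is left
 * untouched and any partially built SSL object has already been released,
 * so the caller has nothing to undo (the pool-allocated ngx_ssl_connection_t
 * is reclaimed with c->pool).
 */
ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{
    ngx_ssl_connection_t  *sc;

    sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
    if (sc == NULL) {
        return NGX_ERROR;
    }

    sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
    sc->buffer_size = ssl->buffer_size;

    /*
     * the context the connection was created with is remembered separately;
     * per the file history this preserves the default server context even
     * if the active SSL_CTX is switched later
     */
    sc->session_ctx = ssl->ctx;

#ifdef SSL_READ_EARLY_DATA_SUCCESS
    /* TLSv1.3 0-RTT: only attempt early data when the context permits it */
    if (SSL_CTX_get_max_early_data(ssl->ctx)) {
        sc->try_early_data = 1;
    }
#endif

    sc->connection = SSL_new(ssl->ctx);

    if (sc->connection == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
        return NGX_ERROR;
    }

    if (SSL_set_fd(sc->connection, c->fd) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
        goto failed;
    }

    if (flags & NGX_SSL_CLIENT) {
        SSL_set_connect_state(sc->connection);

    } else {
        SSL_set_accept_state(sc->connection);

#ifdef SSL_OP_NO_RENEGOTIATION
        /*
         * server side only: refuse client-initiated renegotiation; the
         * CVE-2009-3555 workaround in ngx_ssl_handshake() covers OpenSSL
         * versions that lack this option
         */
        SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
#endif
    }

    if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
        goto failed;
    }

    c->ssl = sc;

    return NGX_OK;

failed:

    /*
     * c->ssl is not set yet, so no later cleanup would ever SSL_free() this
     * object; release it here instead of leaking it on every failed attempt.
     * The BIO installed by SSL_set_fd() does not own the descriptor (OpenSSL
     * creates it with BIO_NOCLOSE), so c->fd remains open for the caller.
     */
    SSL_free(sc->connection);
    sc->connection = NULL;

    return NGX_ERROR;
}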
/*
 * Returns the session of connection "c" with a reference the caller owns
 * (the "get1" convention: both paths below bump the reference count, so the
 * caller is responsible for releasing it when done).
 *
 * With TLSv1.3-capable OpenSSL a session that is currently being handed to
 * the save_session handler (see ngx_ssl_new_client_session()) is returned
 * in preference to whatever SSL_get1_session() would report; the explicit
 * SSL_SESSION_up_ref() makes its ownership identical to the other path.
 */
ngx_ssl_session_t *
ngx_ssl_get_session(ngx_connection_t *c)
{
    ngx_ssl_session_t  *sess;

#ifdef TLS1_3_VERSION
    sess = c->ssl->session;

    if (sess != NULL) {
        SSL_SESSION_up_ref(sess);
        return sess;
    }
#endif

    sess = SSL_get1_session(c->ssl->connection);

    return sess;
}
/*
 * Returns the session of connection "c" WITHOUT taking a reference (the
 * "get0" convention): the pointer is borrowed and must not be stored beyond
 * the point where the connection, or the session handed to the save_session
 * callback, may go away. Use ngx_ssl_get_session() for an owned reference.
 *
 * A session currently exposed through c->ssl->session (set only for the
 * duration of ngx_ssl_new_client_session()) takes precedence over the one
 * OpenSSL reports for the connection.
 */
ngx_ssl_session_t *
ngx_ssl_get0_session(ngx_connection_t *c)
{
    ngx_ssl_session_t  *sess;

    sess = c->ssl->session;

    if (sess == NULL) {
        sess = SSL_get0_session(c->ssl->connection);
    }

    return sess;
}
/*
 * Offers a previously saved session to the connection for resumption.
 *
 * c       - the connection whose OpenSSL object receives the session
 * session - may be NULL, in which case nothing is done and NGX_OK is
 *           returned, so callers can pass the result of a cache lookup
 *           straight through without checking it first
 *
 * Returns NGX_OK, or NGX_ERROR (after logging) when SSL_set_session()
 * rejects the session. SSL_set_session() takes its own reference, so the
 * caller keeps responsibility for the reference it passed in.
 */
ngx_int_t
ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
{
    if (session == NULL) {
        return NGX_OK;
    }

    if (!SSL_set_session(c->ssl->connection, session)) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}
1714 ngx_int_t
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1715 ngx_ssl_handshake(ngx_connection_t *c)
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1716 {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1717 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1718 ngx_err_t err;
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7617
diff changeset
1719 ngx_int_t rc;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1720
7357
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
1721 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
1722 if (c->ssl->try_early_data) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
1723 return ngx_ssl_try_early_data(c);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
1724 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
1725 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
1726
7653
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7617
diff changeset
1727 if (c->ssl->in_ocsp) {
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7617
diff changeset
1728 return ngx_ssl_ocsp_validate(c);
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7617
diff changeset
1729 }
8409f9df6219 SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents: 7617
diff changeset
1730
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1731 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
1732
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1733 n = SSL_do_handshake(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1734
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1735 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1736
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1737 if (n == 1) {
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1738
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1739 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1740 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1741 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1742
2388
722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents: 2315
diff changeset
1743 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1744 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1745 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1746
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1747 #if (NGX_DEBUG)
7357
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
1748 ngx_ssl_handshake_log(c);
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1749 #endif
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1750
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1751 c->recv = ngx_ssl_recv;
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1752 c->send = ngx_ssl_write;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1753 c->recv_chain = ngx_ssl_recv_chain;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
1754 c->send_chain = ngx_ssl_send_chain;
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
1755
7891
573bd30e46b4 SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7871
diff changeset
1756 c->read->ready = 1;
573bd30e46b4 SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7871
diff changeset
1757 c->write->ready = 1;
573bd30e46b4 SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7871
diff changeset
1758
7356
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7353
diff changeset
1759 #ifndef SSL_OP_NO_RENEGOTIATION
6255
b40af2fd1c16 SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6036
diff changeset
1760 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5946
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1761 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1762
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1763 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
6995
eb5d119323d8 SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents: 6983
diff changeset
1764 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
3300
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1765 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1766 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents: 3283
diff changeset
1767
5946
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1768 #endif
6255
b40af2fd1c16 SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6036
diff changeset
1769 #endif
7356
e3ba4026c02d SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7353
diff changeset
1770 #endif
5946
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents: 5934
diff changeset
1771
8068
0546ab9351c8 Win32: fixed build on Windows with OpenSSL 3.0.x (ticket #2379).
Maxim Dounin <mdounin@mdounin.ru>
parents: 8065
diff changeset
1772 #if (defined BIO_get_ktls_send && !NGX_WIN32)
7941
65946a191197 SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7940
diff changeset
1773
65946a191197 SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7940
diff changeset
1774 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) {
65946a191197 SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7940
diff changeset
1775 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
1776 "BIO_get_ktls_send(): 1");
1777 c->ssl->sendfile = 1;
1778 }
1779
1780 #endif
1781
1782 rc = ngx_ssl_ocsp_validate(c);
1783
1784 if (rc == NGX_ERROR) {
1785 return NGX_ERROR;
1786 }
1787
1788 if (rc == NGX_AGAIN) {
1789 c->read->handler = ngx_ssl_handshake_handler;
1790 c->write->handler = ngx_ssl_handshake_handler;
1791 return NGX_AGAIN;
1792 }
1793
1794 c->ssl->handshaked = 1;
1795
1796 return NGX_OK;
1797 }
1798
1799 sslerr = SSL_get_error(c->ssl->connection, n);
1800
1801 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
1802
1803 if (sslerr == SSL_ERROR_WANT_READ) {
1804 c->read->ready = 0;
1805 c->read->handler = ngx_ssl_handshake_handler;
1806 c->write->handler = ngx_ssl_handshake_handler;
1807
1808 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
1809 return NGX_ERROR;
1810 }
1811
1812 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
1813 return NGX_ERROR;
1814 }
1815
1816 return NGX_AGAIN;
1817 }
1818
1819 if (sslerr == SSL_ERROR_WANT_WRITE) {
1820 c->write->ready = 0;
1821 c->read->handler = ngx_ssl_handshake_handler;
1822 c->write->handler = ngx_ssl_handshake_handler;
1823
1824 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
1825 return NGX_ERROR;
1826 }
1827
1828 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
1829 return NGX_ERROR;
1830 }
1831
1832 return NGX_AGAIN;
1833 }
1834
1835 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
1836
1837 c->ssl->no_wait_shutdown = 1;
1838 c->ssl->no_send_shutdown = 1;
1839 c->read->eof = 1;
1840
1841 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
1842 ngx_connection_error(c, err,
1843 "peer closed connection in SSL handshake");
1844
1845 return NGX_ERROR;
1846 }
1847
1848 if (c->ssl->handshake_rejected) {
1849 ngx_connection_error(c, err, "handshake rejected");
1850 ERR_clear_error();
1851
1852 return NGX_ERROR;
1853 }
1854
1855 c->read->error = 1;
1856
1857 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
1858
1859 return NGX_ERROR;
1860 }
1861
1862
1863 #ifdef SSL_READ_EARLY_DATA_SUCCESS
1864
/*
 * Re-arms both connection events for another ngx_ssl_handshake_handler()
 * round while reading early data is blocked on I/O.
 *
 * Returns NGX_AGAIN, or NGX_ERROR if an event could not be registered.
 */

static ngx_int_t
ngx_ssl_early_data_wait(ngx_connection_t *c)
{
    c->read->handler = ngx_ssl_handshake_handler;
    c->write->handler = ngx_ssl_handshake_handler;

    if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
        return NGX_ERROR;
    }

    if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
        return NGX_ERROR;
    }

    return NGX_AGAIN;
}


/*
 * Tries to read TLSv1.3 early data on a connection whose handshake has not
 * completed yet.  A single byte is requested from SSL_read_early_data():
 *
 *   SSL_READ_EARLY_DATA_FINISH  - no early data; the regular
 *                                 ngx_ssl_handshake() path takes over;
 *   SSL_READ_EARLY_DATA_SUCCESS - early data is present; the byte already
 *                                 consumed is kept in c->ssl->early_buf,
 *                                 the connection is switched to the SSL I/O
 *                                 callbacks and flagged as being in early
 *                                 data;
 *   SSL_READ_EARLY_DATA_ERROR   - mapped through SSL_get_error() to
 *                                 NGX_AGAIN (more I/O needed) or NGX_ERROR,
 *                                 following the failure path of
 *                                 ngx_ssl_handshake().
 *
 * Returns NGX_OK, NGX_AGAIN or NGX_ERROR.
 *
 * NOTE(review): unlike ngx_ssl_handshake(), the error path here has no
 * c->ssl->handshake_rejected branch, so a rejected handshake that arrives
 * together with early data is logged as a generic
 * "SSL_read_early_data() failed" - confirm whether that is intended.
 */

static ngx_int_t
ngx_ssl_try_early_data(ngx_connection_t *c)
{
    int         ret, sslerr;
    u_char      first;
    size_t      got;
    ngx_err_t   err;
    ngx_int_t   rc;

    ngx_ssl_clear_error(c->log);

    got = 0;

    /* only one byte is requested; it is stashed in c->ssl->early_buf below */
    ret = SSL_read_early_data(c->ssl->connection, &first, 1, &got);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL_read_early_data: %d, %uz", ret, got);

    if (ret == SSL_READ_EARLY_DATA_FINISH) {
        /* no early data: continue with the regular handshake */
        c->ssl->try_early_data = 0;
        return ngx_ssl_handshake(c);
    }

    if (ret == SSL_READ_EARLY_DATA_SUCCESS) {

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
            return NGX_ERROR;
        }

#if (NGX_DEBUG)
        ngx_ssl_handshake_log(c);
#endif

        /* the byte already consumed is handed over to the SSL recv path */
        c->ssl->early_buf = first;
        c->ssl->early_preread = 1;

        c->ssl->try_early_data = 0;
        c->ssl->in_early = 1;

        /* from here on all I/O on the connection goes through OpenSSL */
        c->recv = ngx_ssl_recv;
        c->recv_chain = ngx_ssl_recv_chain;
        c->send = ngx_ssl_write;
        c->send_chain = ngx_ssl_send_chain;

        c->read->ready = 1;
        c->write->ready = 1;

#if (defined BIO_get_ktls_send && !NGX_WIN32)

        /* kernel TLS on the write side enables the sendfile path */
        if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) {
            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "BIO_get_ktls_send(): 1");
            c->ssl->sendfile = 1;
        }

#endif

        rc = ngx_ssl_ocsp_validate(c);

        if (rc == NGX_ERROR) {
            return NGX_ERROR;
        }

        if (rc == NGX_AGAIN) {
            /* OCSP validation needs more I/O; resume via the handshake handler */
            c->read->handler = ngx_ssl_handshake_handler;
            c->write->handler = ngx_ssl_handshake_handler;
            return NGX_AGAIN;
        }

        c->ssl->handshaked = 1;

        return NGX_OK;
    }

    /* SSL_READ_EARLY_DATA_ERROR */

    sslerr = SSL_get_error(c->ssl->connection, ret);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) {

        /* clear the ready flag of the side OpenSSL is blocked on */
        if (sslerr == SSL_ERROR_WANT_READ) {
            c->read->ready = 0;

        } else {
            c->write->ready = 0;
        }

        return ngx_ssl_early_data_wait(c);
    }

    /* fatal: the connection is closed without an SSL shutdown exchange */

    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    c->ssl->no_wait_shutdown = 1;
    c->ssl->no_send_shutdown = 1;
    c->read->eof = 1;

    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
        ngx_connection_error(c, err,
                             "peer closed connection in SSL handshake");

        return NGX_ERROR;
    }

    c->read->error = 1;

    ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");

    return NGX_ERROR;
}
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2001
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2002 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2003
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2004
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2005 #if (NGX_DEBUG)
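/*
 * Log the negotiated protocol version and cipher description, and whether
 * the session was reused, at NGX_LOG_DEBUG_EVENT level.  Compiled only
 * with NGX_DEBUG; returns early unless event debugging is enabled on the
 * connection's log, so the cipher description is never built for nothing.
 */

static void
ngx_ssl_handshake_log(ngx_connection_t *c)
{
    char         buf[129], *s, *d;
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    const
#endif
    SSL_CIPHER  *cipher;

    if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) {
        return;
    }

    cipher = SSL_get_current_cipher(c->ssl->connection);

    if (cipher == NULL) {
        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL no shared ciphers");
        return;
    }

    /*
     * buf[0] is the "previous character" the space-collapsing loop below
     * compares against on its first iteration (d starts at buf); seed it
     * rather than reading an indeterminate byte.  A leading space in the
     * description is then dropped like any other repeated one.
     */

    buf[0] = ' ';

    /*
     * SSL_CIPHER_description() returns NULL on failure; with a 128 byte
     * buffer it is expected to succeed, but never run the loop over an
     * unwritten buffer
     */

    if (SSL_CIPHER_description(cipher, &buf[1], 128) == NULL) {
        buf[1] = '\0';
    }

    /* squeeze runs of spaces and strip CR/LF; d trails s by at least one */

    for (s = &buf[1], d = buf; *s; s++) {
        if (*s == ' ' && *d == ' ') {
            continue;
        }

        if (*s == LF || *s == CR) {
            continue;
        }

        *++d = *s;
    }

    /* a trailing space is overwritten by the terminator instead of kept */

    if (*d != ' ') {
        d++;
    }

    *d = '\0';

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL: %s, cipher: \"%s\"",
                   SSL_get_version(c->ssl->connection), &buf[1]);

    if (SSL_session_reused(c->ssl->connection)) {
        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL reused session");
    }
}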
2058 #endif
/*
 * Event handler installed while an SSL handshake is pending.  Drives the
 * handshake forward and, once it is no longer in progress (or when the
 * event timed out), hands the connection to the handler stored in c->ssl.
 */

static void
ngx_ssl_handshake_handler(ngx_event_t *ev)
{
    ngx_connection_t  *conn;

    conn = ev->data;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, conn->log, 0,
                   "SSL handshake handler: %d", ev->write);

    /*
     * on timeout the handshake is not attempted at all; otherwise a
     * still-pending handshake (NGX_AGAIN) leaves the handler installed
     * and we come back on the next event
     */

    if (!ev->timedout && ngx_ssl_handshake(conn) == NGX_AGAIN) {
        return;
    }

    conn->ssl->handler(conn);
}
/*
 * Read decrypted data into the buffers of the chain starting at cl.
 * When limit is non-zero, at most limit bytes are read in total.
 * Buffers' last pointers are not updated here; the number of bytes read
 * is returned instead, or the ngx_ssl_recv() result (0, NGX_AGAIN,
 * NGX_ERROR) when nothing was read at all.
 */

ssize_t
ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit)
{
    u_char     *p;
    ssize_t     n, total, room;
    ngx_buf_t  *buf;

    total = 0;
    buf = cl->buf;
    p = buf->last;

    while (1) {
        room = buf->end - p;

        if (limit) {
            if (total >= limit) {
                return total;
            }

            if (total + room > limit) {
                room = (ssize_t) (limit - total);
            }
        }

        n = ngx_ssl_recv(c, p, room);

        if (n <= 0) {
            if (total == 0) {
                return n;
            }

            /*
             * some data was already read: return it and keep the read
             * event ready, so the EOF/error recorded in c->ssl->last is
             * reported by the next ngx_ssl_recv() call instead of lost
             */

            if (n == 0 || n == NGX_ERROR) {
                c->read->ready = 1;
            }

            return total;
        }

        p += n;
        total += n;

        if (!c->read->ready) {
            return total;
        }

        /* current buffer is full: move on to the next one, if any */

        if (p == buf->end) {
            cl = cl->next;

            if (cl == NULL) {
                return total;
            }

            buf = cl->buf;
            p = buf->last;
        }
    }
}
2147 ssize_t
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2148 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2149 {
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2150 int n, bytes;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2151
7357
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2152 #ifdef SSL_READ_EARLY_DATA_SUCCESS
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2153 if (c->ssl->in_early) {
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2154 return ngx_ssl_recv_early(c, buf, size);
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2155 }
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2156 #endif
548a63b354a2 SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7356
diff changeset
2157
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2158 if (c->ssl->last == NGX_ERROR) {
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2159 c->read->error = 1;
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2160 return NGX_ERROR;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2161 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2162
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2163 if (c->ssl->last == NGX_DONE) {
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2164 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2165 c->read->eof = 1;
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2166 return 0;
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2167 }
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2168
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2169 bytes = 0;
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2170
1755
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2171 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents: 1754
diff changeset
2172
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2173 /*
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2174 * SSL_read() may return data in parts, so try to read
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2175 * until SSL_read() would return no data
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2176 */
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2177
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2178 for ( ;; ) {
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2179
543
511a89da35ad nginx-0.2.0-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 541
diff changeset
2180 n = SSL_read(c->ssl->connection, buf, size);
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2181
577
4d9ea73a627a nginx-0.3.10-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 571
diff changeset
2182 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);
393
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff changeset
2183
489
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2184 if (n > 0) {
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2185 bytes += n;
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2186 }
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2187
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2188 c->ssl->last = ngx_ssl_handle_recv(c, n);
45a460f82aec nginx-0.1.19-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 479
diff changeset
2189
1426
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2190 if (c->ssl->last == NGX_OK) {
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2191
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2192 size -= n;
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2193
adbafd129d06 do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents: 1421
diff changeset
2194 if (size == 0) {
5450
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents: 5425
diff changeset
2195 c->read->ready = 1;
7584
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2196
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2197 if (c->read->available >= 0) {
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2198 c->read->available -= bytes;
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2199
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2200 /*
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2201 * there can be data buffered at SSL layer,
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2202 * so we post an event to continue reading on the next
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2203 * iteration of the event loop
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2204 */
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2205
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2206 if (c->read->available < 0) {
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2207 c->read->available = 0;
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2208 c->read->ready = 0;
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2209
7617
f1720934c45b SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7612
diff changeset
2210 if (c->read->posted) {
f1720934c45b SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7612
diff changeset
2211 ngx_delete_posted_event(c->read);
f1720934c45b SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7612
diff changeset
2212 }
f1720934c45b SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7612
diff changeset
2213
7584
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2214 ngx_post_event(c->read, &ngx_posted_next_events);
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2215 }
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2216
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2217 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2218 "SSL_read: avail:%d", c->read->available);
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2219
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2220 } else {
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2221
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2222 #if (NGX_HAVE_FIONREAD)
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2223
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2224 if (ngx_socket_nread(c->fd, &c->read->available) == -1) {
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2225 c->read->error = 1;
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2226 ngx_connection_error(c, ngx_socket_errno,
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2227 ngx_socket_nread_n " failed");
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2228 return NGX_ERROR;
9d2ad2fb4423 SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents: 7582
diff changeset
2229 }
2230
2231 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
2232 "SSL_read: avail:%d", c->read->available);
2233
2234 #endif
2235 }
2236
2237 return bytes;
2238 }
2239
2240 buf += n;
2241
2242 continue;
2243 }
2244
2245 if (bytes) {
2246 if (c->ssl->last != NGX_AGAIN) {
2247 c->read->ready = 1;
2248 }
2249
2250 return bytes;
2251 }
2252
2253 switch (c->ssl->last) {
2254
2255 case NGX_DONE:
2256 c->read->ready = 0;
2257 c->read->eof = 1;
2258 return 0;
2259
2260 case NGX_ERROR:
2261 c->read->error = 1;
2262
2263 /* fall through */
2264
2265 case NGX_AGAIN:
2266 return c->ssl->last;
2267 }
2268 }
2269 }
2270
2271
2272 #ifdef SSL_READ_EARLY_DATA_SUCCESS
2273
static ssize_t
ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size)
{
    int        rc, total;
    size_t     got;

    /*
     * Reads TLSv1.3 early data into buf (at most size bytes) and returns
     * the number of bytes delivered, 0 on EOF, or NGX_AGAIN / NGX_ERROR.
     *
     * A verdict already recorded in c->ssl->last by an earlier call is
     * honoured before OpenSSL is touched again.
     *
     * NOTE(review): bytes handed out while c->ssl->in_early is still set
     * are 0-RTT data; TLSv1.3 itself gives no replay protection for them,
     * so callers acting on such data should be aware of that.
     */

    switch (c->ssl->last) {

    case NGX_ERROR:
        c->read->error = 1;
        return NGX_ERROR;

    case NGX_DONE:
        c->read->ready = 0;
        c->read->eof = 1;
        return 0;
    }

    total = 0;

    ngx_ssl_clear_error(c->log);

    /*
     * a single byte may already be buffered in c->ssl->early_buf;
     * it is handed out ahead of anything OpenSSL returns
     */

    if (c->ssl->early_preread) {

        if (size == 0) {
            c->read->ready = 0;
            c->read->eof = 1;
            return 0;
        }

        buf[0] = c->ssl->early_buf;
        c->ssl->early_preread = 0;

        total = 1;
        buf++;
        size--;
    }

    /* a pending early write takes precedence over reading */

    if (c->ssl->write_blocked) {
        return NGX_AGAIN;
    }

    /*
     * SSL_read_early_data() may hand the data out piecewise, so keep
     * calling it until the buffer is full or it stops returning data
     */

    for ( ;; ) {

        got = 0;

        rc = SSL_read_early_data(c->ssl->connection, buf, size, &got);

        ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_read_early_data: %d, %uz", rc, got);

        switch (rc) {

        case SSL_READ_EARLY_DATA_SUCCESS:
            c->ssl->last = ngx_ssl_handle_recv(c, 1);

            total += got;
            size -= got;

            if (size == 0) {
                c->read->ready = 1;
                return total;
            }

            buf += got;
            continue;

        case SSL_READ_EARLY_DATA_FINISH:
            /* early data is over; anything further comes via ngx_ssl_recv() */
            c->ssl->last = ngx_ssl_handle_recv(c, 1);
            c->ssl->in_early = 0;

            if (total) {
                c->read->ready = 1;
                return total;
            }

            return ngx_ssl_recv(c, buf, size);

        default:
            /* SSL_READ_EARLY_DATA_ERROR */
            break;
        }

        c->ssl->last = ngx_ssl_handle_recv(c, 0);

        /* data already collected is delivered; the verdict is kept for next call */

        if (total) {
            if (c->ssl->last != NGX_AGAIN) {
                c->read->ready = 1;
            }

            return total;
        }

        switch (c->ssl->last) {

        case NGX_DONE:
            c->read->ready = 0;
            c->read->eof = 1;
            return 0;

        case NGX_ERROR:
            c->read->error = 1;

            /* fall through */

        case NGX_AGAIN:
            return c->ssl->last;
        }
    }
}
2389
2390 #endif
2391
2392
2393 static ngx_int_t
2394 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
2395 {
2396 int sslerr;
2397 ngx_err_t err;
2398
2399 #ifndef SSL_OP_NO_RENEGOTIATION
2400
2401 if (c->ssl->renegotiation) {
2402 /*
2403 * disable renegotiation (CVE-2009-3555):
2404 * OpenSSL (at least up to 0.9.8l) does not handle disabled
2405 * renegotiation gracefully, so drop connection here
2406 */
2407
2408 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
2409
2410 while (ERR_peek_error()) {
2411 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
2412 "ignoring stale global SSL error");
2413 }
2414
2415 ERR_clear_error();
2416
2417 c->ssl->no_wait_shutdown = 1;
2418 c->ssl->no_send_shutdown = 1;
2419
2420 return NGX_ERROR;
2421 }
2422
2423 #endif
2424
2425 if (n > 0) {
2426
2427 if (c->ssl->saved_write_handler) {
2428
2429 c->write->handler = c->ssl->saved_write_handler;
2430 c->ssl->saved_write_handler = NULL;
2431 c->write->ready = 1;
2432
2433 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
2434 return NGX_ERROR;
2435 }
2436
2437 ngx_post_event(c->write, &ngx_posted_events);
2438 }
2439
2440 return NGX_OK;
2441 }
2442
2443 sslerr = SSL_get_error(c->ssl->connection, n);
2444
2445 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
2446
2447 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
2448
2449 if (sslerr == SSL_ERROR_WANT_READ) {
2450
2451 if (c->ssl->saved_write_handler) {
2452
2453 c->write->handler = c->ssl->saved_write_handler;
2454 c->ssl->saved_write_handler = NULL;
2455 c->write->ready = 1;
2456
2457 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
2458 return NGX_ERROR;
2459 }
2460
2461 ngx_post_event(c->write, &ngx_posted_events);
2462 }
2463
2464 c->read->ready = 0;
2465 return NGX_AGAIN;
2466 }
2467
2468 if (sslerr == SSL_ERROR_WANT_WRITE) {
2469
2470 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
2471 "SSL_read: want write");
2472
2473 c->write->ready = 0;
2474
2475 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
2476 return NGX_ERROR;
2477 }
2478
2479 /*
2480 * we do not set the timer because there is already the read event timer
2481 */
2482
2483 if (c->ssl->saved_write_handler == NULL) {
2484 c->ssl->saved_write_handler = c->write->handler;
2485 c->write->handler = ngx_ssl_write_handler;
2486 }
2487
2488 return NGX_AGAIN;
2489 }
2490
2491 c->ssl->no_wait_shutdown = 1;
2492 c->ssl->no_send_shutdown = 1;
2493
2494 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
2495 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
2496 "peer shutdown SSL cleanly");
2497 return NGX_DONE;
2498 }
2499
2500 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
2501
2502 return NGX_ERROR;
2503 }
2504
2505
/*
 * Write-event handler that the SSL_read() path installs in place of the
 * connection's own write handler when OpenSSL reports
 * SSL_ERROR_WANT_WRITE (the original handler is kept in
 * c->ssl->saved_write_handler).  Once the socket becomes writable the
 * event loop calls this, and it simply re-enters the read handler so the
 * pending SSL_read() can be retried; the read path is responsible for
 * putting the saved write handler back.
 */
static void
ngx_ssl_write_handler(ngx_event_t *wev)
{
    ngx_connection_t  *c = wev->data;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler");

    /* hand control to the read side; nothing is written here */
    c->read->handler(c->read);
}
2517
2518
2519 /*
2520 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
2521 * before the SSL_write() call to decrease SSL overhead.
2522 *
2523 * Besides, for protocols such as HTTP it is possible to always buffer
2524 * the output to decrease SSL overhead some more.
2525 */
2526
2527 ngx_chain_t *
2528 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
2529 {
2530 int n;
2531 ngx_uint_t flush;
2532 ssize_t send, size, file_size;
2533 ngx_buf_t *buf;
2534 ngx_chain_t *cl;
2535
2536 if (!c->ssl->buffer) {
2537
2538 while (in) {
2539 if (ngx_buf_special(in->buf)) {
2540 in = in->next;
2541 continue;
2542 }
2543
2544 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);
2545
2546 if (n == NGX_ERROR) {
2547 return NGX_CHAIN_ERROR;
2548 }
2549
2550 if (n == NGX_AGAIN) {
2551 return in;
2552 }
2553
2554 in->buf->pos += n;
2555
2556 if (in->buf->pos == in->buf->last) {
2557 in = in->next;
2558 }
2559 }
2560
2561 return in;
2562 }
2563
2564
2565 /* the maximum limit size is the maximum int32_t value - the page size */
2566
2567 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
2568 limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
2569 }
2570
2571 buf = c->ssl->buf;
2572
2573 if (buf == NULL) {
2574 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size);
2575 if (buf == NULL) {
2576 return NGX_CHAIN_ERROR;
2577 }
2578
2579 c->ssl->buf = buf;
2580 }
2581
2582 if (buf->start == NULL) {
2583 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size);
2584 if (buf->start == NULL) {
2585 return NGX_CHAIN_ERROR;
2586 }
2587
2588 buf->pos = buf->start;
2589 buf->last = buf->start;
2590 buf->end = buf->start + c->ssl->buffer_size;
2591 }
2592
2593 send = buf->last - buf->pos;
2594 flush = (in == NULL) ? 1 : buf->flush;
2595
2596 for ( ;; ) {
2597
2598 while (in && buf->last < buf->end && send < limit) {
2599 if (in->buf->last_buf || in->buf->flush) {
2600 flush = 1;
2601 }
2602
2603 if (ngx_buf_special(in->buf)) {
2604 in = in->next;
2605 continue;
2606 }
2607
2608 if (in->buf->in_file && c->ssl->sendfile) {
2609 flush = 1;
2610 break;
2611 }
2612
2613 size = in->buf->last - in->buf->pos;
2614
2615 if (size > buf->end - buf->last) {
2616 size = buf->end - buf->last;
2617 }
2618
2619 if (send + size > limit) {
2620 size = (ssize_t) (limit - send);
2621 }
2622
2623 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
2624 "SSL buf copy: %z", size);
2625
2626 ngx_memcpy(buf->last, in->buf->pos, size);
2627
2628 buf->last += size;
2629 in->buf->pos += size;
2630 send += size;
2631
2632 if (in->buf->pos == in->buf->last) {
2633 in = in->next;
2634 }
2635 }
2636
2637 if (!flush && send < limit && buf->last < buf->end) {
2638 break;
2639 }
2640
2641 size = buf->last - buf->pos;
2642
2643 if (size == 0) {
2644
2645 if (in && in->buf->in_file && send < limit) {
2646
2647 /* coalesce the neighbouring file bufs */
2648
2649 cl = in;
2650 file_size = (size_t) ngx_chain_coalesce_file(&cl, limit - send);
2651
2652 n = ngx_ssl_sendfile(c, in->buf, file_size);
2653
2654 if (n == NGX_ERROR) {
2655 return NGX_CHAIN_ERROR;
2656 }
2657
2658 if (n == NGX_AGAIN) {
2659 break;
2660 }
2661
2662 in = ngx_chain_update_sent(in, n);
2663
2664 send += n;
2665 flush = 0;
2666
2667 continue;
2668 }
2669
2670 buf->flush = 0;
2671 c->buffered &= ~NGX_SSL_BUFFERED;
2672
2673 return in;
2674 }
2675
2676 n = ngx_ssl_write(c, buf->pos, size);
2677
2678 if (n == NGX_ERROR) {
2679 return NGX_CHAIN_ERROR;
2680 }
2681
2682 if (n == NGX_AGAIN) {
2683 break;
2684 }
2685
2686 buf->pos += n;
2687
2688 if (n < size) {
2689 break;
2690 }
2691
2692 flush = 0;
2694 buf->pos = buf->start;
2695 buf->last = buf->start;
2697 if (in == NULL || send >= limit) {
2698 break;
2699 }
2700 }
2702 buf->flush = flush;
2704 if (buf->pos < buf->last) {
2705 c->buffered |= NGX_SSL_BUFFERED;
2707 } else {
2708 c->buffered &= ~NGX_SSL_BUFFERED;
2709 }
2711 return in;
2712 }
/*
 * Hands the read event back to the handler that ngx_ssl_write() parked
 * in c->ssl->saved_read_handler while SSL_write() was waiting for input
 * (SSL_ERROR_WANT_READ).  Does nothing when no handler is parked.
 *
 * The read event is marked ready, re-registered with the event module
 * and posted to ngx_posted_events; presumably the post makes the
 * restored handler run on the next event loop iteration rather than
 * waiting for a fresh readiness notification -- confirm against
 * ngx_ssl_read_handler().
 *
 * Returns NGX_OK, or NGX_ERROR if ngx_handle_read_event() failed.
 */
static ngx_int_t
ngx_ssl_write_restore_read_handler(ngx_connection_t *c)
{
    if (c->ssl->saved_read_handler == NULL) {
        return NGX_OK;
    }

    c->read->handler = c->ssl->saved_read_handler;
    c->ssl->saved_read_handler = NULL;
    c->read->ready = 1;

    if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
        return NGX_ERROR;
    }

    ngx_post_event(c->read, &ngx_posted_events);

    return NGX_OK;
}


/*
 * Writes up to "size" bytes from "data" to the TLS connection "c".
 *
 * Returns the number of bytes accepted by SSL_write() (> 0), NGX_AGAIN
 * when OpenSSL first needs the socket to become writable or readable,
 * or NGX_ERROR on a fatal error.  c->sent is advanced only on success.
 *
 * While the connection is still in the TLSv1.3 early data phase
 * (c->ssl->in_early) the write is delegated to ngx_ssl_write_early().
 *
 * Event bookkeeping: when SSL_write() reports that it wants to *read*
 * (presumably a handshake or other protocol message has to be consumed
 * before application data can go out), the connection's read handler is
 * temporarily replaced by ngx_ssl_read_handler() and the original is
 * kept in c->ssl->saved_read_handler.  It is put back as soon as a
 * later write makes progress or reports want-write.
 *
 * NOTE(review): "size" is a size_t but SSL_write() takes an int; no
 * truncation check is done here, so callers are expected to keep the
 * request within the SSL send buffer size -- confirm for any new caller
 * outside ngx_ssl_send_chain().
 */
ssize_t
ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
{
    int        n, sslerr;
    ngx_err_t  err;

#ifdef SSL_READ_EARLY_DATA_SUCCESS
    if (c->ssl->in_early) {
        return ngx_ssl_write_early(c, data, size);
    }
#endif

    /* drop stale entries from the global OpenSSL error queue first */
    ngx_ssl_clear_error(c->log);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);

    n = SSL_write(c->ssl->connection, data, size);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);

    if (n > 0) {
        if (ngx_ssl_write_restore_read_handler(c) != NGX_OK) {
            return NGX_ERROR;
        }

        c->sent += n;

        return n;
    }

    sslerr = SSL_get_error(c->ssl->connection, n);

    /*
     * OpenSSL 1.1.1 fails to return SSL_ERROR_SYSCALL if an error
     * happens during SSL_write() after close_notify alert from the
     * peer, and returns SSL_ERROR_ZERO_RETURN instead,
     * https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8051ab2
     *
     * Remapping it to SSL_ERROR_SYSCALL routes the case to the fatal
     * error path below instead of letting it pass as a clean shutdown.
     */

    if (sslerr == SSL_ERROR_ZERO_RETURN) {
        sslerr = SSL_ERROR_SYSCALL;
    }

    /* errno is only meaningful for SSL_ERROR_SYSCALL; capture it now */
    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    switch (sslerr) {

    case SSL_ERROR_WANT_WRITE:

        /* the socket cannot take more data: release the read handler */

        if (ngx_ssl_write_restore_read_handler(c) != NGX_OK) {
            return NGX_ERROR;
        }

        c->write->ready = 0;

        return NGX_AGAIN;

    case SSL_ERROR_WANT_READ:

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_write: want read");

        c->read->ready = 0;

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        /*
         * we do not set the timer because there is already
         * the write event timer
         */

        if (c->ssl->saved_read_handler == NULL) {
            c->ssl->saved_read_handler = c->read->handler;
            c->read->handler = ngx_ssl_read_handler;
        }

        return NGX_AGAIN;

    default:
        break;
    }

    /*
     * Fatal error.  The shutdown flags presumably stop the later
     * ngx_ssl_shutdown() from sending or waiting for close_notify on a
     * connection that is already broken; c->write->error tells callers
     * to stop writing.
     */

    c->ssl->no_wait_shutdown = 1;
    c->ssl->no_send_shutdown = 1;
    c->write->error = 1;

    ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed");

    return NGX_ERROR;
}
2826 #ifdef SSL_READ_EARLY_DATA_SUCCESS
2828 static ssize_t
2829 ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size)
2830 {
2831 int n, sslerr;
2832 size_t written;
2833 ngx_err_t err;
2835 ngx_ssl_clear_error(c->log);
2837 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);
2839 written = 0;
2841 n = SSL_write_early_data(c->ssl->connection, data, size, &written);
2843 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
2844 "SSL_write_early_data: %d, %uz", n, written);
2846 if (n > 0) {
2848 if (c->ssl->saved_read_handler) {
2850 c->read->handler = c->ssl->saved_read_handler;
2851 c->ssl->saved_read_handler = NULL;
2852 c->read->ready = 1;
2854 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
2855 return NGX_ERROR;
2856 }
2858 ngx_post_event(c->read, &ngx_posted_events);
2859 }
2861 if (c->ssl->write_blocked) {
2862 c->ssl->write_blocked = 0;
2863 ngx_post_event(c->read, &ngx_posted_events);
2864 }
2866 c->sent += written;
2868 return written;
2869 }
2871 sslerr = SSL_get_error(c->ssl->connection, n);
2873 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
2875 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
2877 if (sslerr == SSL_ERROR_WANT_WRITE) {
2879 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
2880 "SSL_write_early_data: want write");
2882 if (c->ssl->saved_read_handler) {
2884 c->read->handler = c->ssl->saved_read_handler;
2885 c->ssl->saved_read_handler = NULL;
2886 c->read->ready = 1;
2888 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
2889 return NGX_ERROR;
2890 }
2892 ngx_post_event(c->read, &ngx_posted_events);
2893 }
2895 /*
2896 * OpenSSL 1.1.1a fails to handle SSL_read_early_data()
2897 * if an SSL_write_early_data() call blocked on writing,
2898 * see https://github.com/openssl/openssl/issues/7757
2899 */
2901 c->ssl->write_blocked = 1;
2903 c->write->ready = 0;
2904 return NGX_AGAIN;
2905 }
2907 if (sslerr == SSL_ERROR_WANT_READ) {
2909 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
2910 "SSL_write_early_data: want read");
2912 c->read->ready = 0;
2914 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
2915 return NGX_ERROR;
2916 }
2918 /*
2919 * we do not set the timer because there is already
2920 * the write event timer
2921 */
2923 if (c->ssl->saved_read_handler == NULL) {
2924 c->ssl->saved_read_handler = c->read->handler;
2925 c->read->handler = ngx_ssl_read_handler;
2926 }
2928 return NGX_AGAIN;
2929 }
2931 c->ssl->no_wait_shutdown = 1;
2932 c->ssl->no_send_shutdown = 1;
2933 c->write->error = 1;
2935 ngx_ssl_connection_error(c, sslerr, err, "SSL_write_early_data() failed");
2937 return NGX_ERROR;
2938 }
2940 #endif
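/*
 * Sends up to "size" bytes of "file", starting at file->file_pos, over the
 * TLS connection with SSL_sendfile(), that is, with kernel TLS offload.
 * The fast path is only compiled when OpenSSL provides BIO_get_ktls_send()
 * and the build is not for Windows; otherwise the call logs an alert and
 * fails.
 *
 * Returns the number of bytes sent (c->sent is advanced by the same amount),
 * NGX_AGAIN if the write has to be retried once the socket is writable
 * (SSL_ERROR_WANT_WRITE) or readable (SSL_ERROR_WANT_READ), or NGX_ERROR on
 * a fatal error, in which case the connection is marked broken:
 * no_wait_shutdown and no_send_shutdown are set, skipping the close_notify
 * exchange on shutdown, and c->write->error is set.
 */
static ssize_t
ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, size_t size)
{
#if (defined BIO_get_ktls_send && !NGX_WIN32)

    int        sslerr, flags;
    ssize_t    n;
    ngx_err_t  err;

    /* flush stale entries from the OpenSSL error queue first */

    ngx_ssl_clear_error(c->log);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "SSL to sendfile: @%O %uz",
                   file->file_pos, size);

    /*
     * errno is cleared before the call so that a non-zero value afterwards
     * can only have been set by the sendfile() done inside OpenSSL; this is
     * relied upon by the SSL_R_UNINITIALIZED handling below
     */

    ngx_set_errno(0);

#if (NGX_HAVE_SENDFILE_NODISKIO)

    /*
     * SF_NODISKIO is requested only while the file has not been found busy
     * (EBUSY) too often: busy_count is bumped on EBUSY below and reset to
     * zero on a successful send
     */

    flags = (c->busy_count <= 2) ? SF_NODISKIO : 0;

    if (file->file->directio) {
        flags |= SF_NOCACHE;
    }

#else
    flags = 0;
#endif

    n = SSL_sendfile(c->ssl->connection, file->file->fd, file->file_pos,
                     size, flags);

    /* n is ssize_t, hence %z: %d would read an int from the argument list */

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %z", n);

    if (n > 0) {

        /*
         * an earlier SSL_ERROR_WANT_READ redirected the read event to
         * ngx_ssl_read_handler(); put the original handler back and post
         * the read event so that data that arrived meanwhile is handled
         */

        if (c->ssl->saved_read_handler) {

            c->read->handler = c->ssl->saved_read_handler;
            c->ssl->saved_read_handler = NULL;
            c->read->ready = 1;

            if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
                return NGX_ERROR;
            }

            ngx_post_event(c->read, &ngx_posted_events);
        }

#if (NGX_HAVE_SENDFILE_NODISKIO)
        c->busy_count = 0;
#endif

        c->sent += n;

        return n;
    }

    if (n == 0) {

        /*
         * if sendfile returns zero, then someone has truncated the file,
         * so the offset became beyond the end of the file
         */

        ngx_log_error(NGX_LOG_ALERT, c->log, 0,
                      "SSL_sendfile() reported that \"%s\" was truncated at %O",
                      file->file->name.data, file->file_pos);

        return NGX_ERROR;
    }

    sslerr = SSL_get_error(c->ssl->connection, n);

    if (sslerr == SSL_ERROR_ZERO_RETURN) {

        /*
         * OpenSSL fails to return SSL_ERROR_SYSCALL if an error
         * happens during writing after close_notify alert from the
         * peer, and returns SSL_ERROR_ZERO_RETURN instead
         */

        sslerr = SSL_ERROR_SYSCALL;
    }

    if (sslerr == SSL_ERROR_SSL
        && ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNINITIALIZED
        && ngx_errno != 0)
    {
        /*
         * OpenSSL fails to return SSL_ERROR_SYSCALL if an error
         * happens in sendfile(), and returns SSL_ERROR_SSL with
         * SSL_R_UNINITIALIZED reason instead
         */

        sslerr = SSL_ERROR_SYSCALL;
    }

    /* the system error number is only meaningful for SSL_ERROR_SYSCALL */

    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    if (sslerr == SSL_ERROR_WANT_WRITE) {

        /* same restoration of the read handler as on the success path */

        if (c->ssl->saved_read_handler) {

            c->read->handler = c->ssl->saved_read_handler;
            c->ssl->saved_read_handler = NULL;
            c->read->ready = 1;

            if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
                return NGX_ERROR;
            }

            ngx_post_event(c->read, &ngx_posted_events);
        }

#if (NGX_HAVE_SENDFILE_NODISKIO)

        /*
         * EBUSY (with SF_NODISKIO, presumably the file data is not yet in
         * memory): instead of waiting for socket writability, the write
         * event is re-posted for the next event loop cycle so that the
         * send is retried then
         */

        if (ngx_errno == EBUSY) {
            c->busy_count++;

            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "SSL_sendfile() busy, count:%d", c->busy_count);

            if (c->write->posted) {
                ngx_delete_posted_event(c->write);
            }

            ngx_post_event(c->write, &ngx_posted_next_events);
        }

#endif

        c->write->ready = 0;
        return NGX_AGAIN;
    }

    if (sslerr == SSL_ERROR_WANT_READ) {

        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_sendfile: want read");

        c->read->ready = 0;

        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
            return NGX_ERROR;
        }

        /*
         * we do not set the timer because there is already
         * the write event timer
         *
         * OpenSSL needs input before it can continue writing: route the
         * read event to ngx_ssl_read_handler(), which re-invokes the write
         * handler, and remember the original read handler so that it can
         * be restored once the write makes progress (see above)
         */

        if (c->ssl->saved_read_handler == NULL) {
            c->ssl->saved_read_handler = c->read->handler;
            c->read->handler = ngx_ssl_read_handler;
        }

        return NGX_AGAIN;
    }

    /* fatal: the TLS state is unusable, so skip the shutdown handshake */

    c->ssl->no_wait_shutdown = 1;
    c->ssl->no_send_shutdown = 1;
    c->write->error = 1;

    ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed");

#else
    ngx_log_error(NGX_LOG_ALERT, c->log, 0,
                  "SSL_sendfile() not available");
#endif

    return NGX_ERROR;
}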
/*
 * Read event handler installed by the write paths (e.g. ngx_ssl_sendfile())
 * while OpenSSL reports SSL_ERROR_WANT_READ in the middle of a write: the
 * readable socket is what the pending write is waiting for, so the
 * connection's write handler is run instead of the saved read handler.
 */
static void
ngx_ssl_read_handler(ngx_event_t *rev)
{
    ngx_event_t       *wev;
    ngx_connection_t  *c;

    c = rev->data;
    wev = c->write;

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler");

    wev->handler(wev);
}
/*
 * Releases the memory behind the connection's SSL write buffer back to the
 * connection pool.  Nothing is done when there is no buffer or it has no
 * memory attached; buf->start is reset to NULL only when ngx_pfree()
 * reports NGX_OK, i.e. when the pool actually released the memory, so the
 * buffer stays usable otherwise.
 */
void
ngx_ssl_free_buffer(ngx_connection_t *c)
{
    if (c->ssl->buf == NULL || c->ssl->buf->start == NULL) {
        return;
    }

    if (ngx_pfree(c->pool, c->ssl->buf->start) != NGX_OK) {
        return;
    }

    c->ssl->buf->start = NULL;
}
/*
 * Shuts down the SSL connection on c.
 *
 * Unless the connection has timed out, failed, or still has buffered data
 * (in which case both shutdown flags are set and the shutdown is made
 * quiet, so no "close notify" alert is sent or awaited), a bidirectional
 * shutdown is attempted with SSL_shutdown(), honouring the per-connection
 * no_wait_shutdown / no_send_shutdown flags.
 *
 * Returns NGX_OK when the shutdown is complete, NGX_AGAIN when
 * SSL_shutdown() needs more I/O (the read and write handlers are pointed
 * at ngx_ssl_shutdown_handler, which re-enters this function, and a timer
 * is armed on the read event), or NGX_ERROR when an event could not be
 * registered or SSL_shutdown() reported an error.
 *
 * On NGX_OK and NGX_ERROR the SSL object is freed and c->ssl is cleared,
 * unless c->ssl->shutdown_without_free is set (a one-shot flag that is
 * reset here); in both cases c->recv is restored to the plain ngx_recv.
 */
ngx_int_t
ngx_ssl_shutdown(ngx_connection_t *c)
{
    int         n, sslerr, mode;
    ngx_int_t   rc;
    ngx_err_t   err;
    ngx_uint_t  tries;

    rc = NGX_OK;

    /* release OCSP-related state before the SSL object can go away */
    ngx_ssl_ocsp_cleanup(c);

    if (SSL_in_init(c->ssl->connection)) {
        /*
         * OpenSSL 1.0.2f complains if SSL_shutdown() is called during
         * an SSL handshake, while previous versions always return 0.
         * Avoid calling SSL_shutdown() if handshake wasn't completed.
         */

        goto done;
    }

    if (c->timedout || c->error || c->buffered) {
        /*
         * the connection is already broken or still has unsent data:
         * mark both directions as shut down and make the shutdown quiet,
         * so SSL_shutdown() neither sends nor waits for "close notify"
         */
        mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN;
        SSL_set_quiet_shutdown(c->ssl->connection, 1);

    } else {
        mode = SSL_get_shutdown(c->ssl->connection);

        /* no_wait_shutdown: do not wait for the peer's "close notify" */
        if (c->ssl->no_wait_shutdown) {
            mode |= SSL_RECEIVED_SHUTDOWN;
        }

        /* no_send_shutdown: do not send our own "close notify" */
        if (c->ssl->no_send_shutdown) {
            mode |= SSL_SENT_SHUTDOWN;
        }

        /* nothing to send and nothing to wait for: no alerts at all */
        if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) {
            SSL_set_quiet_shutdown(c->ssl->connection, 1);
        }
    }

    SSL_set_shutdown(c->ssl->connection, mode);

    /*
     * drop stale global SSL errors, so that whatever is reported below
     * belongs to this shutdown and not to some earlier call
     */
    ngx_ssl_clear_error(c->log);

    /* at most two SSL_shutdown() calls returning 0 before errors are checked */
    tries = 2;

    for ( ;; ) {

        /*
         * For bidirectional shutdown, SSL_shutdown() needs to be called
         * twice: first call sends the "close notify" alert and returns 0,
         * second call waits for the peer's "close notify" alert.
         */

        n = SSL_shutdown(c->ssl->connection);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);

        /* 1: both "close notify" alerts exchanged, shutdown is complete */
        if (n == 1) {
            goto done;
        }

        /* 0 on the first pass: our alert is out, call again for the peer's */
        if (n == 0 && tries-- > 1) {
            continue;
        }

        /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */

        sslerr = SSL_get_error(c->ssl->connection, n);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_get_error: %d", sslerr);

        if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) {
            /* resume from the event loop: the handler re-enters this function */
            c->read->handler = ngx_ssl_shutdown_handler;
            c->write->handler = ngx_ssl_shutdown_handler;

            /* clear readiness only for the direction OpenSSL is blocked on */
            if (sslerr == SSL_ERROR_WANT_READ) {
                c->read->ready = 0;

            } else {
                c->write->ready = 0;
            }

            if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
                goto failed;
            }

            if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
                goto failed;
            }

            /*
             * bound the wait for the peer's "close notify" to 3 seconds;
             * on expiry ngx_ssl_shutdown_handler sets c->timedout and the
             * re-entry takes the quiet-shutdown path above.
             * NOTE(review): the timer is not deleted here once the shutdown
             * completes; confirm the caller's connection teardown removes it.
             */
            ngx_add_timer(c->read, 3000);

            return NGX_AGAIN;
        }

        /*
         * a clean close by the peer, or a failure that left nothing in the
         * SSL error queue, is treated as a completed shutdown, not an error
         */
        if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
            goto done;
        }

        /* errno is only meaningful for SSL_ERROR_SYSCALL */
        err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

        ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");

        /* falls through to "failed" below */
        break;
    }

failed:

    rc = NGX_ERROR;

done:

    /*
     * the caller keeps the SSL object alive for now; only restore the
     * plain recv, and clear the one-shot flag so the next call frees it
     */
    if (c->ssl->shutdown_without_free) {
        c->ssl->shutdown_without_free = 0;
        c->recv = ngx_recv;
        return rc;
    }

    SSL_free(c->ssl->connection);
    c->ssl = NULL;
    c->recv = ngx_recv;

    return rc;
}
/*
 * Read/write event handler installed by ngx_ssl_shutdown() while it waits
 * for more I/O. Records a timeout on the connection, retries the shutdown,
 * and, once it no longer returns NGX_AGAIN, invokes the continuation stored
 * in c->ssl->handler.
 */
static void
ngx_ssl_shutdown_handler(ngx_event_t *ev)
{
    ngx_connection_t           *c;
    ngx_connection_handler_pt   handler;

    c = ev->data;

    /* ngx_ssl_shutdown() may free c->ssl; the continuation is read first */
    handler = c->ssl->handler;

    if (ev->timedout) {
        c->timedout = 1;
    }

    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");

    /* still waiting for the peer: stay registered and return to the loop */
    if (ngx_ssl_shutdown(c) != NGX_AGAIN) {
        handler(c);
    }
}
3297 static void
3298 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
3299 char *text)
3300 {
3301 int n;
3302 ngx_uint_t level;
3303
3304 level = NGX_LOG_CRIT;
3305
3306 if (sslerr == SSL_ERROR_SYSCALL) {
3307
3308 if (err == NGX_ECONNRESET
3309 #if (NGX_WIN32)
3310 || err == NGX_ECONNABORTED
3311 #endif
3312 || err == NGX_EPIPE
3313 || err == NGX_ENOTCONN
3314 || err == NGX_ETIMEDOUT
3315 || err == NGX_ECONNREFUSED
3316 || err == NGX_ENETDOWN
3317 || err == NGX_ENETUNREACH
3318 || err == NGX_EHOSTDOWN
3319 || err == NGX_EHOSTUNREACH)
3320 {
3321 switch (c->log_error) {
3322
3323 case NGX_ERROR_IGNORE_ECONNRESET:
3324 case NGX_ERROR_INFO:
3325 level = NGX_LOG_INFO;
3326 break;
3327
3328 case NGX_ERROR_ERR:
3329 level = NGX_LOG_ERR;
3330 break;
3331
3332 default:
3333 break;
3334 }
3335 }
3336
3337 } else if (sslerr == SSL_ERROR_SSL) {
3338
3339 n = ERR_GET_REASON(ERR_peek_error());
3340
3341 /* handshake failures */
3342 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
3343 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
3344 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */
3345 #endif
3346 #ifdef SSL_R_BAD_KEY_SHARE
3347 || n == SSL_R_BAD_KEY_SHARE /* 108 */
3348 #endif
3349 #ifdef SSL_R_BAD_EXTENSION
3350 || n == SSL_R_BAD_EXTENSION /* 110 */
3351 #endif
3352 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
3353 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */
3354 #endif
3355 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
3356 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
3357 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
3358 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
3359 || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */
3360 || n == SSL_R_HTTP_REQUEST /* 156 */
3361 || n == SSL_R_LENGTH_MISMATCH /* 159 */
3362 #ifdef SSL_R_NO_CIPHERS_PASSED
3363 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
3364 #endif
3365 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
3366 #ifdef SSL_R_BAD_CIPHER
3367 || n == SSL_R_BAD_CIPHER /* 186 */
3368 #endif
3369 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
3370 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
3371 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
3372 #ifdef SSL_R_CLIENTHELLO_TLSEXT
3373 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
d430babbe643 SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7465
diff changeset
3374 #endif
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3375 #ifdef SSL_R_PARSE_TLSEXT
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3376 || n == SSL_R_PARSE_TLSEXT /* 227 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3377 #endif
7472
d430babbe643 SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7465
diff changeset
3378 #ifdef SSL_R_CALLBACK_FAILED
d430babbe643 SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7465
diff changeset
3379 || n == SSL_R_CALLBACK_FAILED /* 234 */
d430babbe643 SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7465
diff changeset
3380 #endif
7936
b9e02e9b2f1d Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents: 7935
diff changeset
3381 #ifdef SSL_R_NO_APPLICATION_PROTOCOL
b9e02e9b2f1d Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents: 7935
diff changeset
3382 || n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */
b9e02e9b2f1d Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents: 7935
diff changeset
3383 #endif
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3384 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3385 || n == SSL_R_UNEXPECTED_RECORD /* 245 */
3455
028f0892e0cd decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3357
diff changeset
3386 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
3357
fc735aa50b8b decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents: 3300
diff changeset
3387 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
7361
c09c7d47acb9 SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7360
diff changeset
3388 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS
c09c7d47acb9 SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7360
diff changeset
3389 || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */
c09c7d47acb9 SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7360
diff changeset
3390 #endif
7317
6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7311
diff changeset
3391 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
7360
8f25a44d9add SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7357
diff changeset
3392 #ifdef SSL_R_NO_SHARED_GROUP
8f25a44d9add SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7357
diff changeset
3393 || n == SSL_R_NO_SHARED_GROUP /* 266 */
8f25a44d9add SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7357
diff changeset
3394 #endif
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3395 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3396 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
8009
a736a7a613ea SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents: 7997
diff changeset
3397 #ifdef SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY
a736a7a613ea SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents: 7997
diff changeset
3398 || n == SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY /* 291 */
a736a7a613ea SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents: 7997
diff changeset
3399 #endif
a736a7a613ea SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents: 7997
diff changeset
3400 #ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN
a736a7a613ea SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents: 7997
diff changeset
3401 || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN /* 291 */
a736a7a613ea SSL: logging level of "application data after close notify".
Sergey Kandaurov <pluknet@nginx.com>
parents: 7997
diff changeset
3402 #endif
8054
cac164d0807e SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8009
diff changeset
3403 #ifdef SSL_R_BAD_ECPOINT
cac164d0807e SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8009
diff changeset
3404 || n == SSL_R_BAD_ECPOINT /* 306 */
cac164d0807e SSL: logging levels of various errors added in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8009
diff changeset
3405 #endif
4228
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3406 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3407 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3408 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3409 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3410 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3411 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3412 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3413 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3414 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3415 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */
5fef0313f2ff Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents: 4186
diff changeset
3416 #endif
5902
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5892
diff changeset
3417 #ifdef SSL_R_INAPPROPRIATE_FALLBACK
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5892
diff changeset
3418 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents: 5892
diff changeset
3419 #endif
7461
a68799465b19 SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7460
diff changeset
3420 #ifdef SSL_R_CERT_CB_ERROR
a68799465b19 SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7460
diff changeset
3421 || n == SSL_R_CERT_CB_ERROR /* 377 */
a68799465b19 SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7460
diff changeset
3422 #endif
7317
6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7311
diff changeset
3423 #ifdef SSL_R_VERSION_TOO_LOW
6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7311
diff changeset
3424 || n == SSL_R_VERSION_TOO_LOW /* 396 */
6565f0dbe8c5 SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents: 7311
diff changeset
3425 #endif
8063
9cf231508a8d SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents: 8054
diff changeset
3426 #ifdef SSL_R_BAD_RECORD_TYPE
9cf231508a8d SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents: 8054
diff changeset
3427 || n == SSL_R_BAD_RECORD_TYPE /* 443 */
9cf231508a8d SSL: logging level of "bad record type" errors.
Murilo Andrade <murilo.b.andrade@gmail.com>
parents: 8054
diff changeset
3428 #endif
1877
a55876dff8f5 low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents: 1876
diff changeset
3429 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
6486
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
3430 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
2315
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3431 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3432 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3433 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3434 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3435 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3436 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3437 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3438 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3439 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3440 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3441 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3442 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3443 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3444 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3445 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3446 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3447 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3448 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3449 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3450 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3451 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
31fafd8e7436 low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 2280
diff changeset
3452 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
6486
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
3453 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
3454 #endif
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6485
diff changeset
3455 )
1876
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3456 {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3457 switch (c->log_error) {
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3458
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3459 case NGX_ERROR_IGNORE_ECONNRESET:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3460 case NGX_ERROR_INFO:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3461 level = NGX_LOG_INFO;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3462 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3463
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3464 case NGX_ERROR_ERR:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3465 level = NGX_LOG_ERR;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3466 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3467
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3468 default:
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3469 break;
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3470 }
5d663752fd96 low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents: 1873
diff changeset
3471 }
547
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
3472 }
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
3473
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
3474 ngx_ssl_error(level, c->log, err, text);
818fbd4750b9 nginx-0.2.2-RELEASE import
Igor Sysoev <igor@sysoev.ru>
parents: 543
diff changeset
3475 }
/*
 * Reports and discards whatever is still queued in the OpenSSL error
 * queue, so that a later, unrelated operation does not get blamed for it.
 * Each pass logs at NGX_LOG_ALERT via ngx_ssl_error(), which itself pulls
 * the queued entries while formatting them, so the loop normally ends
 * after a single report; ERR_clear_error() then guarantees an empty queue.
 */
static void
ngx_ssl_clear_error(ngx_log_t *log)
{
    for ( ;; ) {
        if (ERR_peek_error() == 0) {
            break;
        }

        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
    }

    ERR_clear_error();
}
/*
 * Logs the formatted message at "level", appending the contents of the
 * OpenSSL error queue as " (SSL: <error>[:<data>] ...)" and draining the
 * queue while doing so.  Entries are popped even when they no longer fit
 * into the buffer, so no stale error is left behind for later log lines.
 *
 * "fmt" is handed to ngx_vslprintf() as a format string, so callers pass a
 * literal and route any external text (peer-supplied names, error data)
 * through a conversion argument instead.
 *
 * The whole message is bounded by errstr (NGX_MAX_CONF_ERRSTR bytes) and is
 * logged with an explicit length ("%*s"), so nothing here relies on the
 * buffer being NUL-terminated at the end.
 */
void ngx_cdecl
ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
{
    int          flags;
    u_long       n;
    va_list      args;
    u_char      *p, *last;
    u_char       errstr[NGX_MAX_CONF_ERRSTR];
    const char  *data;

    last = errstr + NGX_MAX_CONF_ERRSTR;

    va_start(args, fmt);
    /* one byte is held back; see the check before ERR_error_string_n() */
    p = ngx_vslprintf(errstr, last - 1, fmt, args);
    va_end(args);

    if (ERR_peek_error()) {
        p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);

        for ( ;; ) {

            /* peek only; the entry is removed at "next" below */
            n = ERR_peek_error_data(&data, &flags);

            if (n == 0) {
                break;
            }

            /* ERR_error_string_n() requires at least one byte */

            if (p >= last - 1) {
                /* out of room: still pop the entry so the queue is drained */
                goto next;
            }

            *p++ = ' ';

            ERR_error_string_n(n, (char *) p, last - p);

            /* skip to the terminator written by ERR_error_string_n() */
            while (p < last && *p) {
                p++;
            }

            /* only error data flagged as text is appended to the message */
            if (p < last && *data && (flags & ERR_TXT_STRING)) {
                *p++ = ':';
                p = ngx_cpystrn(p, (u_char *) data, last - p);
            }

        next:

            /* pop the entry reported (or skipped) above */
            (void) ERR_get_error();
        }

        if (p < last) {
            *p++ = ')';
        }
    }

    /* explicit length: the buffer is not necessarily NUL-terminated here */
    ngx_log_error(level, log, err, "%*s", p - errstr, errstr);
}
3549 ngx_int_t
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3550 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
7465
6708bec13757 SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7463
diff changeset
3551 ngx_array_t *certificates, ssize_t builtin_session_cache,
6708bec13757 SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7463
diff changeset
3552 ngx_shm_zone_t *shm_zone, time_t timeout)
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3553 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3554 long cache_mode;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3555
5424
767aa37f12de SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5423
diff changeset
3556 SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
767aa37f12de SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5423
diff changeset
3557
7465
6708bec13757 SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents: 7463
diff changeset
3558 if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) {
5834
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
3559 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
3560 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5823
diff changeset
3561
1778
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
3562 if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
3563 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
3564 return NGX_OK;
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
3565 }
14510c3cc6cb ssl_session_cache off
Igor Sysoev <igor@sysoev.ru>
parents: 1760
diff changeset
3566
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3567 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3568
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3569 /*
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3570 * If the server explicitly says that it does not support
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3571 * session reuse (see SSL_SESS_CACHE_OFF above), then
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3572 * Outlook Express fails to upload a sent email to
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3573 * the Sent Items folder on the IMAP server via a separate IMAP
6552
addd98357629 SSL: style.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6551
diff changeset
3574 * connection in the background. Therefore we have a special
2032
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3575 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE)
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3576 * where the server pretends that it supports session reuse,
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3577 * but it does not actually store any session.
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3578 */
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3579
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3580 SSL_CTX_set_session_cache_mode(ssl->ctx,
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3581 SSL_SESS_CACHE_SERVER
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3582 |SSL_SESS_CACHE_NO_AUTO_CLEAR
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3583 |SSL_SESS_CACHE_NO_INTERNAL_STORE);
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3584
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3585 SSL_CTX_sess_set_cache_size(ssl->ctx, 1);
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3586
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3587 return NGX_OK;
12b3ad3353f9 ssl_session_cache none
Igor Sysoev <igor@sysoev.ru>
parents: 1977
diff changeset
3588 }
3589
3590 cache_mode = SSL_SESS_CACHE_SERVER;
3591
3592 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
3593 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL;
3594 }
3595
3596 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
3597
3598 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
3599
3600 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
3601 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
3602 }
3603 }
3604
3605 if (shm_zone) {
3606 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
3607 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
3608 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);
3609
3610 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
3611 == 0)
3612 {
3613 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
3614 "SSL_CTX_set_ex_data() failed");
3615 return NGX_ERROR;
3616 }
3617 }
3618
3619 return NGX_OK;
3620 }
3621
3622
/*
 * Feeds one chunk of data into the session id context digest.  On failure
 * it logs "EVP_DigestUpdate() failed" the same way the rest of this file
 * reports OpenSSL errors and returns NGX_ERROR; the caller still owns md
 * and is responsible for destroying it.
 */
static ngx_int_t
ngx_ssl_session_id_context_update(ngx_ssl_t *ssl, EVP_MD_CTX *md,
    const u_char *data, size_t len)
{
    if (EVP_DigestUpdate(md, data, len) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "EVP_DigestUpdate() failed");
        return NGX_ERROR;
    }

    return NGX_OK;
}


/*
 * Derives the session id context for ssl->ctx and installs it with
 * SSL_CTX_set_session_id_context().
 *
 * OpenSSL only resumes a session whose id context matches that of the
 * accepting SSL_CTX, so the context doubles as a fingerprint of the
 * configuration a session was created under.  It is the SHA-1 digest of:
 *
 *   - the configured sess_ctx string;
 *   - the SHA-1 fingerprint of each server certificate reachable from
 *     ssl->ctx through ngx_ssl_certificate_index and
 *     ngx_ssl_next_certificate_index;
 *   - when no certificate is attached that way (certificates are loaded
 *     dynamically), the certificate names from "certificates" as written
 *     in the configuration, variables included;
 *   - the SHA-1 digest of every X509_NAME in the client CA list.
 *
 * SHA-1 serves here only as a compact, deterministic identifier: its
 * 20-byte output also fits the 32-byte limit (SSL_MAX_SID_CTX_LENGTH)
 * OpenSSL imposes on a session id context.
 *
 * certificates may be NULL.  Returns NGX_OK, or NGX_ERROR after logging
 * the failing OpenSSL call; only an EVP_MD_CTX_create() failure is
 * returned without a log message.
 */
static ngx_int_t
ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
    ngx_array_t *certificates)
{
    int                   ca_n, ca_i;
    X509                 *cert;
    X509_NAME            *ca_name;
    ngx_str_t            *names;
    ngx_uint_t            i, have_certs;
    EVP_MD_CTX           *md;
    unsigned int          len;
    STACK_OF(X509_NAME)  *ca_list;
    u_char                buf[EVP_MAX_MD_SIZE];

    md = EVP_MD_CTX_create();
    if (md == NULL) {
        return NGX_ERROR;
    }

    if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "EVP_DigestInit_ex() failed");
        goto failed;
    }

    /* 1. the configured string */

    if (ngx_ssl_session_id_context_update(ssl, md, sess_ctx->data,
                                          sess_ctx->len)
        != NGX_OK)
    {
        goto failed;
    }

    /* 2. statically loaded server certificates, by fingerprint */

    cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
    have_certs = (cert != NULL);

    while (cert) {
        if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "X509_digest() failed");
            goto failed;
        }

        if (ngx_ssl_session_id_context_update(ssl, md, buf, len) != NGX_OK) {
            goto failed;
        }

        cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
    }

    /*
     * 3. dynamically loaded certificates: nothing is attached to the
     *    context yet, so hash the configured names (with variables) instead
     */

    if (!have_certs && certificates != NULL) {
        names = certificates->elts;

        for (i = 0; i < certificates->nelts; i++) {
            if (ngx_ssl_session_id_context_update(ssl, md, names[i].data,
                                                  names[i].len)
                != NGX_OK)
            {
                goto failed;
            }
        }
    }

    /* 4. the client CA list, name by name */

    ca_list = SSL_CTX_get_client_CA_list(ssl->ctx);
    ca_n = (ca_list != NULL) ? sk_X509_NAME_num(ca_list) : 0;

    for (ca_i = 0; ca_i < ca_n; ca_i++) {
        ca_name = sk_X509_NAME_value(ca_list, ca_i);

        if (X509_NAME_digest(ca_name, EVP_sha1(), buf, &len) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "X509_NAME_digest() failed");
            goto failed;
        }

        if (ngx_ssl_session_id_context_update(ssl, md, buf, len) != NGX_OK) {
            goto failed;
        }
    }

    if (EVP_DigestFinal_ex(md, buf, &len) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "EVP_DigestFinal_ex() failed");
        goto failed;
    }

    /* the digest context is not needed on either path below */

    EVP_MD_CTX_destroy(md);

    if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_session_id_context() failed");
        return NGX_ERROR;
    }

    return NGX_OK;

failed:

    EVP_MD_CTX_destroy(md);

    return NGX_ERROR;
}
3739
3740
/*
 * Init callback of the shared memory zone backing a shared SSL session
 * cache.  Three cases, in this order:
 *
 *   - data != NULL: the zone was inherited from the previous configuration
 *     (reload); the existing cache is reused as is.
 *   - shm_zone->shm.exists: this process attached to shared memory that
 *     already existed (e.g. on Win32); the cache pointer is picked up from
 *     the slab pool header.
 *   - otherwise a fresh ngx_ssl_session_cache_t is carved out of the zone's
 *     slab pool, initialised, and published both in shpool->data (for
 *     processes attaching later) and shm_zone->data.
 *
 * In the last case the slab pool also gets a log context naming the zone,
 * and its own out-of-memory logging is switched off.
 *
 * Returns NGX_OK, or NGX_ERROR if a slab allocation fails.
 */
ngx_int_t
ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data)
{
    size_t                    ctx_len;
    ngx_slab_pool_t          *pool;
    ngx_ssl_session_cache_t  *sc;

    /* reload: keep the cache inherited from the previous configuration */

    if (data != NULL) {
        shm_zone->data = data;
        return NGX_OK;
    }

    pool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    /* attached to already existing shared memory: reuse its cache */

    if (shm_zone->shm.exists) {
        shm_zone->data = pool->data;
        return NGX_OK;
    }

    sc = ngx_slab_alloc(pool, sizeof(*sc));
    if (sc == NULL) {
        return NGX_ERROR;
    }

    /* published in the pool header so other processes can find it */

    pool->data = sc;
    shm_zone->data = sc;

    sc->fail_time = 0;
    ngx_queue_init(&sc->expire_queue);
    ngx_rbtree_init(&sc->session_rbtree, &sc->sentinel,
                    ngx_ssl_session_rbtree_insert_value);

    /* " in SSL session shared cache \"<zone name>\"" plus terminating NUL */

    ctx_len = sizeof(" in SSL session shared cache \"\"")
              + shm_zone->shm.name.len;

    pool->log_ctx = ngx_slab_alloc(pool, ctx_len);
    if (pool->log_ctx == NULL) {
        return NGX_ERROR;
    }

    ngx_sprintf(pool->log_ctx, " in SSL session shared cache \"%V\"%Z",
                &shm_zone->shm.name);

    pool->log_nomem = 0;

    return NGX_OK;
}
3789
3790
3791 /*
3792 * The length of the session id is 16 bytes for SSLv2 sessions and
3793 * between 1 and 32 bytes for SSLv3 and TLS, typically 32 bytes.
3794 * Typical length of the external ASN1 representation of a session
fa4b4f38da4a SSL: updated comment about session sizes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8075
diff changeset
3795 * is about 150 bytes plus SNI server name.
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3796 *
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3797 * On 32-bit platforms we allocate an rbtree node, a session id, and
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3798 * an ASN1 representation in a single allocation, it typically takes
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3799 * 256 bytes.
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3800 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3801 * On 64-bit platforms we allocate separately an rbtree node + session_id,
8076
fa4b4f38da4a SSL: updated comment about session sizes.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8075
diff changeset
3802 * and an ASN1 representation, they take accordingly 128 and 256 bytes.
1014
5ffd76a9ccf3 optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents: 1013
diff changeset
3803 *
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3804 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3805 * so they are outside the code locked by shared pool mutex
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3806 */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3807
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3808 static int
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3809 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3810 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3811 int len;
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3812 u_char *p, *session_id;
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3813 size_t n;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3814 uint32_t hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3815 SSL_CTX *ssl_ctx;
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3816 unsigned int session_id_length;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3817 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3818 ngx_connection_t *c;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3819 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3820 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3821 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3822 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3823
8074
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3824 #ifdef TLS1_3_VERSION
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3825
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3826 /*
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3827 * OpenSSL tries to save TLSv1.3 sessions into session cache
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3828 * even when using tickets for stateless session resumption,
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3829 * "because some applications just want to know about the creation
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3830 * of a session"; do not cache such sessions
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3831 */
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3832
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3833 if (SSL_version(ssl_conn) == TLS1_3_VERSION
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3834 && (SSL_get_options(ssl_conn) & SSL_OP_NO_TICKET) == 0)
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3835 {
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3836 return 0;
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3837 }
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3838
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3839 #endif
026ee23b6774 SSL: disabled saving tickets to session cache.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8070
diff changeset
3840
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3841 len = i2d_SSL_SESSION(sess, NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3842
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3843 /* do not cache too big session */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3844
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3845 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3846 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3847 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3848
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3849 p = buf;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3850 i2d_SSL_SESSION(sess, &p);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3851
8077
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3852 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3853
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3854 /* do not cache sessions with too long session id */
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3855
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3856 if (session_id_length > 32) {
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3857 return 0;
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3858 }
ec1fa010c3a5 SSL: explicit session id length checking.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8076
diff changeset
3859
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3860 c = ngx_ssl_get_connection(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3861
6261
97f102a13f33 SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents: 6259
diff changeset
3862 ssl_ctx = c->ssl->session_ctx;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3863 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3864
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3865 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3866 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3867
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3868 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3869
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3870 /* drop one or two expired sessions */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3871 ngx_ssl_expire_sessions(cache, shpool, 1);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3872
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3873 #if (NGX_PTR_SIZE == 8)
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3874 n = sizeof(ngx_ssl_sess_id_t);
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3875 #else
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3876 n = offsetof(ngx_ssl_sess_id_t, session) + len;
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3877 #endif
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3878
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3879 sess_id = ngx_slab_alloc_locked(shpool, n);
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3880
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3881 if (sess_id == NULL) {
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3882
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3883 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3884
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3885 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3886
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3887 sess_id = ngx_slab_alloc_locked(shpool, n);
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3888
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3889 if (sess_id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3890 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3891 }
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3892 }
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3893
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3894 #if (NGX_PTR_SIZE == 8)
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3895
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3896 sess_id->session = ngx_slab_alloc_locked(shpool, len);
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3897
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3898 if (sess_id->session == NULL) {
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3899
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3900 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3901
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3902 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3903
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3904 sess_id->session = ngx_slab_alloc_locked(shpool, len);
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3905
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3906 if (sess_id->session == NULL) {
5081
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3907 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents: 5024
diff changeset
3908 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3909 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3910
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3911 #endif
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3912
8078
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3913 ngx_memcpy(sess_id->session, buf, len);
5244d3b165ff SSL: single allocation in session cache on 32-bit platforms.
Maxim Dounin <mdounin@mdounin.ru>
parents: 8077
diff changeset
3914 ngx_memcpy(sess_id->id, session_id, session_id_length);
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3915
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3916 hash = ngx_crc32_short(session_id, session_id_length);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3917
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3918 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3919 "ssl new session: %08XD:%ud:%d",
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3920 hash, session_id_length, len);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3921
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3922 sess_id->node.key = hash;
5756
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents: 5755
diff changeset
3923 sess_id->node.data = (u_char) session_id_length;
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3924 sess_id->len = len;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3925
1757
7ab8bd535eed use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents: 1756
diff changeset
3926 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3927
1760
49429f5b2d94 use ngx_queue.h
Igor Sysoev <igor@sysoev.ru>
parents: 1759
diff changeset
3928 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3929
1759
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents: 1758
diff changeset
3930 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3931
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3932 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3933
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3934 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3935
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3936 failed:
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3937
1017
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3938 if (sess_id) {
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents: 1015
diff changeset
3939 ngx_slab_free_locked(shpool, sess_id);
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3940 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3941
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3942 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3943
8075
38c71f9b2293 SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents: 8074
diff changeset
3944 if (cache->fail_time != ngx_time()) {
38c71f9b2293 SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents: 8074
diff changeset
3945 cache->fail_time = ngx_time();
38c71f9b2293 SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents: 8074
diff changeset
3946 ngx_log_error(NGX_LOG_WARN, c->log, 0,
38c71f9b2293 SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents: 8074
diff changeset
3947 "could not allocate new session%s", shpool->log_ctx);
38c71f9b2293 SSL: reduced logging of session cache failures (ticket #621).
Maxim Dounin <mdounin@mdounin.ru>
parents: 8074
diff changeset
3948 }
974
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3949
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3950 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents: 969
diff changeset
3951 }
3952
3953
3954 static ngx_ssl_session_t *
3955 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
3956 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
3957 const
3958 #endif
3959 u_char *id, int len, int *copy)
3960 {
3961 size_t slen;
3962 uint32_t hash;
3963 ngx_int_t rc;
3964 const u_char *p;
3965 ngx_shm_zone_t *shm_zone;
3966 ngx_slab_pool_t *shpool;
3967 ngx_rbtree_node_t *node, *sentinel;
3968 ngx_ssl_session_t *sess;
3969 ngx_ssl_sess_id_t *sess_id;
3970 ngx_ssl_session_cache_t *cache;
3971 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
3972 ngx_connection_t *c;
3973
3974 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
3975 *copy = 0;
3976
3977 c = ngx_ssl_get_connection(ssl_conn);
3978
3979 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
3980 "ssl get session: %08XD:%d", hash, len);
3981
3982 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx,
3983 ngx_ssl_session_cache_index);
3984
3985 cache = shm_zone->data;
3986
3987 sess = NULL;
3988
3989 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
3990
3991 ngx_shmtx_lock(&shpool->mutex);
3992
3993 node = cache->session_rbtree.root;
3994 sentinel = cache->session_rbtree.sentinel;
3995
3996 while (node != sentinel) {
3997
3998 if (hash < node->key) {
3999 node = node->left;
4000 continue;
4001 }
4002
4003 if (hash > node->key) {
4004 node = node->right;
4005 continue;
4006 }
4007
4008 /* hash == node->key */
4009
4010 sess_id = (ngx_ssl_sess_id_t *) node;
4011
4012 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id,
4013 (size_t) len, (size_t) node->data);
4014
4015 if (rc == 0) {
4016
4017 if (sess_id->expire > ngx_time()) {
4018 slen = sess_id->len;
4019
4020 ngx_memcpy(buf, sess_id->session, slen);
4021
4022 ngx_shmtx_unlock(&shpool->mutex);
4023
4024 p = buf;
4025 sess = d2i_SSL_SESSION(NULL, &p, slen);
4026
4027 return sess;
4028 }
4029
4030 ngx_queue_remove(&sess_id->queue);
4031
4032 ngx_rbtree_delete(&cache->session_rbtree, node);
4033
4034 #if (NGX_PTR_SIZE == 8)
4035 ngx_slab_free_locked(shpool, sess_id->session);
4036 #endif
4037 ngx_slab_free_locked(shpool, sess_id);
4038
4039 sess = NULL;
4040
4041 goto done;
4042 }
4043
4044 node = (rc < 0) ? node->left : node->right;
4045 }
4046
4047 done:
4048
4049 ngx_shmtx_unlock(&shpool->mutex);
4050
4051 return sess;
4052 }
4053
4054
/*
 * Drops a session from both places it may be cached: OpenSSL's own
 * per-context session store and nginx's shared-memory session cache.
 * Callers use this to invalidate a session that must not be resumed
 * again (see ngx_ssl_remove_session() for the shared cache part).
 */
void
ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
    /*
     * SSL_CTX_remove_session() returns whether the session was actually
     * present in the internal cache; that outcome is irrelevant here,
     * the shared cache is cleaned up either way
     */
    (void) SSL_CTX_remove_session(ssl, sess);

    ngx_ssl_remove_session(ssl, sess);
}
4062
4063
/*
 * Removes sess from the shared-memory session cache attached to ssl
 * (the ngx_shm_zone_t stored at ngx_ssl_session_cache_index), if any.
 *
 * The cache rbtree is keyed by the CRC32 of the session id, so equal keys
 * are possible; a candidate is accepted only when its full id matches.
 * A matching entry is unlinked from the expire queue and the rbtree and
 * its slab memory is released, all under the shared pool mutex.  On 64-bit
 * builds the serialized session lives in a separate slab allocation and is
 * freed first; on 32-bit builds it is part of the sess_id allocation.
 */
static void
ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess)
{
    u_char                   *id;
    uint32_t                  hash;
    ngx_int_t                 rc;
    unsigned int              len;
    ngx_shm_zone_t           *shm_zone;
    ngx_slab_pool_t          *shpool;
    ngx_rbtree_node_t        *node, *sentinel;
    ngx_ssl_sess_id_t        *sess_id;
    ngx_ssl_session_cache_t  *cache;

    shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);

    if (shm_zone == NULL) {
        /* no shared session cache is attached to this context */
        return;
    }

    cache = shm_zone->data;
    shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;

    id = (u_char *) SSL_SESSION_get_id(sess, &len);
    hash = ngx_crc32_short(id, len);

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
                   "ssl remove session: %08XD:%ud", hash, len);

    ngx_shmtx_lock(&shpool->mutex);

    sentinel = cache->session_rbtree.sentinel;

    for (node = cache->session_rbtree.root; node != sentinel; /* void */ ) {

        if (hash != node->key) {
            node = (hash < node->key) ? node->left : node->right;
            continue;
        }

        /* equal hashes: the full id decides whether this is the entry */

        sess_id = (ngx_ssl_sess_id_t *) node;

        /* node->data carries the stored id length */
        rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data);

        if (rc != 0) {
            node = (rc < 0) ? node->left : node->right;
            continue;
        }

        ngx_queue_remove(&sess_id->queue);
        ngx_rbtree_delete(&cache->session_rbtree, node);

#if (NGX_PTR_SIZE == 8)
        /* 64-bit: the ASN.1 session body is its own slab allocation */
        ngx_slab_free_locked(shpool, sess_id->session);
#endif
        ngx_slab_free_locked(shpool, sess_id);

        break;
    }

    ngx_shmtx_unlock(&shpool->mutex);
}
4138
4139
/*
 * Evicts entries from the tail of the cache's expire queue.
 *
 * At most 3 - n entries are removed per call.  When called with n == 0 the
 * tail entry is removed unconditionally, even if it has not expired yet
 * (presumably how callers reclaim space — verify against the call sites);
 * every further pass stops as soon as the tail entry is still valid.
 * Uses the *_locked slab API, so the caller must already hold
 * shpool->mutex.
 */
static void
ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
    ngx_slab_pool_t *shpool, ngx_uint_t n)
{
    time_t              now;
    ngx_queue_t        *q;
    ngx_ssl_sess_id_t  *sess_id;

    now = ngx_time();

    for ( /* void */ ; n < 3; n++) {

        if (ngx_queue_empty(&cache->expire_queue)) {
            return;
        }

        q = ngx_queue_last(&cache->expire_queue);
        sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue);

        /* only the very first pass with n == 0 ignores the expiry time */
        if (n != 0 && sess_id->expire > now) {
            return;
        }

        ngx_queue_remove(q);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
                       "expire session: %08Xi", sess_id->node.key);

        ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);

#if (NGX_PTR_SIZE == 8)
        /* 64-bit: the serialized session is a separate slab allocation */
        ngx_slab_free_locked(shpool, sess_id->session);
#endif
        ngx_slab_free_locked(shpool, sess_id);
    }
}
4177
4178
/*
 * Insert callback for the session cache rbtree.
 *
 * Nodes are ordered by key (the session id hash).  Because different ids
 * can hash to the same key, ties are broken by comparing the id bytes
 * themselves (lengths are carried in node->data), which gives colliding
 * entries a deterministic position that the lookup paths can follow.
 * Standard ngx_rbtree insert contract: descend from temp, attach node as a
 * red leaf with both children set to sentinel.
 */
static void
ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
    ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel)
{
    ngx_int_t            rc;
    ngx_rbtree_node_t  **p;
    ngx_ssl_sess_id_t   *sess_id, *sess_id_temp;

    for ( ;; ) {

        if (node->key != temp->key) {
            p = (node->key < temp->key) ? &temp->left : &temp->right;

        } else {
            /* hash collision: order by the full session id instead */

            sess_id = (ngx_ssl_sess_id_t *) node;
            sess_id_temp = (ngx_ssl_sess_id_t *) temp;

            rc = ngx_memn2cmp(sess_id->id, sess_id_temp->id,
                              (size_t) node->data, (size_t) temp->data);

            p = (rc < 0) ? &temp->left : &temp->right;
        }

        if (*p == sentinel) {
            break;
        }

        temp = *p;
    }

    /* link the new node below temp as a red leaf */
    *p = node;
    node->parent = temp;
    node->left = sentinel;
    node->right = sentinel;
    ngx_rbt_red(node);
}
1027
ff07ccfaad50 fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents: 1025
diff changeset
4219
4220
4221 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
4222
4223 ngx_int_t
4224 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4225 {
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4226 u_char buf[80];
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4227 size_t size;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4228 ssize_t n;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4229 ngx_str_t *path;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4230 ngx_file_t file;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4231 ngx_uint_t i;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4232 ngx_array_t *keys;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4233 ngx_file_info_t fi;
7453
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4234 ngx_pool_cleanup_t *cln;
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4235 ngx_ssl_session_ticket_key_t *key;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4236
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4237 if (paths == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4238 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4239 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4240
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4241 keys = ngx_array_create(cf->pool, paths->nelts,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4242 sizeof(ngx_ssl_session_ticket_key_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4243 if (keys == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4244 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4245 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4246
7453
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4247 cln = ngx_pool_cleanup_add(cf->pool, 0);
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4248 if (cln == NULL) {
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4249 return NGX_ERROR;
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4250 }
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4251
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4252 cln->handler = ngx_ssl_session_ticket_keys_cleanup;
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4253 cln->data = keys;
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4254
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4255 path = paths->elts;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4256 for (i = 0; i < paths->nelts; i++) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4257
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4258 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4259 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4260 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4261
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4262 ngx_memzero(&file, sizeof(ngx_file_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4263 file.name = path[i];
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4264 file.log = cf->log;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4265
7087
47b7ffc3339d Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7086
diff changeset
4266 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY,
47b7ffc3339d Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents: 7086
diff changeset
4267 NGX_FILE_OPEN, 0);
7086
Sergey Kandaurov <pluknet@nginx.com>
parents: 7074
diff changeset
4268
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4269 if (file.fd == NGX_INVALID_FILE) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4270 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4271 ngx_open_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4272 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4273 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4274
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4275 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4276 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4277 ngx_fd_info_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4278 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4279 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4280
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4281 size = ngx_file_size(&fi);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4282
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4283 if (size != 48 && size != 80) {
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4284 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4285 "\"%V\" must be 48 or 80 bytes", &file.name);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4286 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4287 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4288
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4289 n = ngx_read_file(&file, buf, size, 0);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4290
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4291 if (n == NGX_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4292 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4293 ngx_read_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4294 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4295 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4296
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4297 if ((size_t) n != size) {
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4298 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4299 ngx_read_file_n " \"%V\" returned only "
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4300 "%z bytes instead of %uz", &file.name, n, size);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4301 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4302 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4303
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4304 key = ngx_array_push(keys);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4305 if (key == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4306 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4307 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4308
6854
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4309 if (size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4310 key->size = 48;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4311 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4312 ngx_memcpy(key->aes_key, buf + 16, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4313 ngx_memcpy(key->hmac_key, buf + 32, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4314
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4315 } else {
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4316 key->size = 80;
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4317 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4318 ngx_memcpy(key->hmac_key, buf + 16, 32);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4319 ngx_memcpy(key->aes_key, buf + 48, 32);
75e7d55214bd SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents: 6842
diff changeset
4320 }
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4321
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4322 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4323 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4324 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4325 }
7453
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4326
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4327 ngx_explicit_memzero(&buf, 80);
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4328 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4329
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4330 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4331 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4332 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4333 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4334 "SSL_CTX_set_ex_data() failed");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4335 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4336 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4337
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4338 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4339 ngx_ssl_session_ticket_key_callback)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4340 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4341 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4342 ngx_log_error(NGX_LOG_WARN, cf->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4343 "nginx was built with Session Tickets support, however, "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4344 "now it is linked dynamically to an OpenSSL library "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4345 "which has no tlsext support, therefore Session Tickets "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4346 "are not available");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4347 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4348
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4349 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4350
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4351 failed:
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4352
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4353 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4354 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4355 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4356 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4357
7453
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4358 ngx_explicit_memzero(&buf, 80);
873150addfeb SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents: 7431
diff changeset
4359
5425
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4360 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents: 5424
diff changeset
4361 }
4362
4363
4364 static int
4365 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
4366 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx,
4367 HMAC_CTX *hctx, int enc)
4368 {
4369 size_t size;
4370 SSL_CTX *ssl_ctx;
4371 ngx_uint_t i;
4372 ngx_array_t *keys;
4373 ngx_connection_t *c;
4374 ngx_ssl_session_ticket_key_t *key;
4375 const EVP_MD *digest;
4376 const EVP_CIPHER *cipher;
4377
4378 c = ngx_ssl_get_connection(ssl_conn);
4379 ssl_ctx = c->ssl->session_ctx;
4380
4381 #ifdef OPENSSL_NO_SHA256
4382 digest = EVP_sha1();
4383 #else
4384 digest = EVP_sha256();
4385 #endif
4386
4387 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
4388 if (keys == NULL) {
4389 return -1;
4390 }
4391
4392 key = keys->elts;
4393
4394 if (enc == 1) {
4395 /* encrypt session ticket */
4396
4397 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
4398 "ssl session ticket encrypt, key: \"%*xs\" (%s session)",
4399 (size_t) 16, key[0].name,
4400 SSL_session_reused(ssl_conn) ? "reused" : "new");
4401
4402 if (key[0].size == 48) {
4403 cipher = EVP_aes_128_cbc();
4404 size = 16;
4405
4406 } else {
4407 cipher = EVP_aes_256_cbc();
4408 size = 32;
4409 }
4410
4411 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
4412 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed");
4413 return -1;
4414 }
4415
4416 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) {
4417 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
4418 "EVP_EncryptInit_ex() failed");
4419 return -1;
4420 }
4421
4422 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
4423 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
4424 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
4425 return -1;
4426 }
4427 #else
4428 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL);
4429 #endif
4430
4431 ngx_memcpy(name, key[0].name, 16);
4432
4433 return 1;
4434
4435 } else {
4436 /* decrypt session ticket */
4437
4438 for (i = 0; i < keys->nelts; i++) {
4439 if (ngx_memcmp(name, key[i].name, 16) == 0) {
4440 goto found;
4441 }
4442 }
4443
4444 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
4445 "ssl session ticket decrypt, key: \"%*xs\" not found",
4446 (size_t) 16, name);
4447
4448 return 0;
4449
4450 found:
4451
4452 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
4453 "ssl session ticket decrypt, key: \"%*xs\"%s",
4454 (size_t) 16, key[i].name, (i == 0) ? " (default)" : "");
4455
4456 if (key[i].size == 48) {
4457 cipher = EVP_aes_128_cbc();
4458 size = 16;
4459
4460 } else {
4461 cipher = EVP_aes_256_cbc();
4462 size = 32;
4463 }
4464
4465 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
4466 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
4467 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
4468 return -1;
4469 }
4470 #else
4471 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL);
4472 #endif
4473
4474 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) {
4475 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
4476 "EVP_DecryptInit_ex() failed");
4477 return -1;
4478 }
4479
4480 /* renew if TLSv1.3 */
4481
4482 #ifdef TLS1_3_VERSION
4483 if (SSL_version(ssl_conn) == TLS1_3_VERSION) {
4484 return 2;
4485 }
4486 #endif
4487
4488 /* renew if non-default key */
4489
4490 if (i != 0) {
4491 return 2;
4492 }
4493
4494 return 1;
4495 }
4496 }
4497
4498
/*
 * Cleanup handler (registered elsewhere) for the array of session ticket
 * keys: wipes the key material (ticket names, AES keys and HMAC keys) from
 * memory once the configuration that owned it goes away.  The explicit
 * memzero variant is used so that the store is not dropped as dead by the
 * compiler.
 */
static void
ngx_ssl_session_ticket_keys_cleanup(void *data)
{
    size_t                         len;
    ngx_array_t                   *keys;
    ngx_ssl_session_ticket_key_t  *key;

    keys = data;
    key = keys->elts;

    /* whole array, not just the populated prefix of the buffer */
    len = keys->nelts * sizeof(*key);

    ngx_explicit_memzero(key, len);
}
4507
4508 #else
4509
/*
 * Fallback implementation compiled when the surrounding #if (outside this
 * excerpt) finds no session ticket key callback support in the TLS library.
 * Key files configured via "ssl_session_ticket_key" cannot be honoured here,
 * so a warning is logged when any path was given; the directive is only
 * warned about, never rejected, and NGX_OK is always returned.
 */
ngx_int_t
ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths)
{
    if (paths == NULL) {
        return NGX_OK;
    }

    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                  "\"ssl_session_ticket_key\" ignored, not supported");

    return NGX_OK;
}
4520
4521 #endif
4522
4523
/*
 * Cleanup handler for an ngx_ssl_t: frees every X509 certificate attached to
 * the SSL_CTX through ex_data (the head is stored under
 * ngx_ssl_certificate_index, each certificate points to the next one under
 * ngx_ssl_next_certificate_index), then frees the SSL_CTX itself.  The chain
 * is walked before SSL_CTX_free() because its head lives in the context.
 */
void
ngx_ssl_cleanup_ctx(void *data)
{
    X509       *cert, *next;
    ngx_ssl_t  *ssl;

    ssl = data;

    cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);

    for ( ;; ) {
        if (cert == NULL) {
            break;
        }

        /* read the link before freeing, X509_free() invalidates cert */
        next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
        X509_free(cert);

        cert = next;
    }

    SSL_CTX_free(ssl->ctx);
}
4541
4542
4543 ngx_int_t
4544 ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name)
4545 {
4546 X509 *cert;
4547
4548 cert = SSL_get_peer_certificate(c->ssl->connection);
4549 if (cert == NULL) {
4550 return NGX_ERROR;
4551 }
4552
4553 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
4554
4555 /* X509_check_host() is only available in OpenSSL 1.0.2+ */
4556
4557 if (name->len == 0) {
4558 goto failed;
4559 }
4560
4561 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
4562 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4563 "X509_check_host(): no match");
4564 goto failed;
4565 }
4566
4567 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4568 "X509_check_host(): match");
4569
4570 goto found;
4571
4572 #else
4573 {
4574 int n, i;
4575 X509_NAME *sname;
4576 ASN1_STRING *str;
4577 X509_NAME_ENTRY *entry;
4578 GENERAL_NAME *altname;
4579 STACK_OF(GENERAL_NAME) *altnames;
4580
4581 /*
4582 * As per RFC6125 and RFC2818, we check subjectAltName extension,
4583 * and if it's not present - commonName in Subject is checked.
4584 */
4585
4586 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
4587
4588 if (altnames) {
4589 n = sk_GENERAL_NAME_num(altnames);
4590
4591 for (i = 0; i < n; i++) {
4592 altname = sk_GENERAL_NAME_value(altnames, i);
4593
4594 if (altname->type != GEN_DNS) {
4595 continue;
4596 }
4597
4598 str = altname->d.dNSName;
4599
4600 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
4601 "SSL subjectAltName: \"%*s\"",
4602 ASN1_STRING_length(str), ASN1_STRING_data(str));
4603
4604 if (ngx_ssl_check_name(name, str) == NGX_OK) {
4605 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4606 "SSL subjectAltName: match");
4607 GENERAL_NAMES_free(altnames);
4608 goto found;
4609 }
4610 }
4611
4612 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4613 "SSL subjectAltName: no match");
4614
4615 GENERAL_NAMES_free(altnames);
4616 goto failed;
4617 }
4618
4619 /*
4620 * If there is no subjectAltName extension, check commonName
4621 * in Subject. While RFC2818 requires to only check "most specific"
4622 * CN, both Apache and OpenSSL check all CNs, and so do we.
4623 */
4624
4625 sname = X509_get_subject_name(cert);
4626
4627 if (sname == NULL) {
4628 goto failed;
4629 }
4630
4631 i = -1;
4632 for ( ;; ) {
4633 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i);
4634
4635 if (i < 0) {
4636 break;
4637 }
4638
4639 entry = X509_NAME_get_entry(sname, i);
4640 str = X509_NAME_ENTRY_get_data(entry);
4641
4642 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
4643 "SSL commonName: \"%*s\"",
4644 ASN1_STRING_length(str), ASN1_STRING_data(str));
4645
4646 if (ngx_ssl_check_name(name, str) == NGX_OK) {
4647 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4648 "SSL commonName: match");
4649 goto found;
4650 }
4651 }
4652
4653 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4654 "SSL commonName: no match");
4655 }
4656 #endif
4657
4658 failed:
4659
4660 X509_free(cert);
4661 return NGX_ERROR;
4662
4663 found:
4664
4665 X509_free(cert);
4666 return NGX_OK;
4667 }
4668
4669
4670 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
4671
/*
 * Fallback certificate name matcher, compiled only when the OpenSSL in
 * use has no X509_check_host() (X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT is
 * undefined).  Compares the expected host "name" with one certificate
 * name entry "pattern" (a Subject CN as the visible caller passes it, or
 * a subjectAltName entry).
 *
 * Returns NGX_OK on a match and NGX_ERROR otherwise.  Matching is
 * case-insensitive and both lengths must be equal, so a certificate
 * string carrying extra bytes (for instance after an embedded NUL) can
 * never match a shorter name.  A pattern starting with "*." matches
 * exactly one leading label of the name; an asterisk anywhere else is
 * compared literally.
 */
static ngx_int_t
ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern)
{
    u_char  *host, *pat, *dot, *host_end;
    size_t   hlen, patlen;

    host = name->data;
    hlen = name->len;

    pat = ASN1_STRING_data(pattern);
    patlen = ASN1_STRING_length(pattern);

    /* whole-string, case-insensitive match */

    if (hlen == patlen && ngx_strncasecmp(host, pat, patlen) == 0) {
        return NGX_OK;
    }

    /* anything but a "*.suffix" pattern has nothing else to offer */

    if (patlen <= 2 || pat[0] != '*' || pat[1] != '.') {
        return NGX_ERROR;
    }

    /* skip the asterisk: the pattern is now ".suffix" */

    pat++;
    patlen--;

    /* the name from its first dot onwards must equal ".suffix" */

    host_end = host + hlen;
    dot = ngx_strlchr(host, host_end, '.');

    if (dot == NULL) {
        return NGX_ERROR;
    }

    hlen = host_end - dot;

    if (hlen == patlen && ngx_strncasecmp(dot, pat, patlen) == 0) {
        return NGX_OK;
    }

    return NGX_ERROR;
}
4708
4709 #endif
4710
4711
/*
 * Variable getter: points "s" at the protocol version string of the
 * connection (SSL_get_version()).
 *
 * Only s->data is set; s->len is left untouched here, presumably because
 * the caller derives it from the NUL-terminated string — confirm against
 * the variable handler.  "pool" is unused and is kept for signature
 * uniformity with the other getters.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    const char  *version;

    version = SSL_get_version(c->ssl->connection);
    s->data = (u_char *) version;

    return NGX_OK;
}
4718
4719
/*
 * Variable getter: points "s" at the name of the negotiated cipher
 * (SSL_get_cipher_name()).
 *
 * Only s->data is set; s->len is left untouched here, presumably because
 * the caller derives it from the NUL-terminated string — confirm against
 * the variable handler.  "pool" is unused and is kept for signature
 * uniformity with the other getters.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    const char  *cipher;

    cipher = SSL_get_cipher_name(c->ssl->connection);
    s->data = (u_char *) cipher;

    return NGX_OK;
}
4726
4727
/*
 * Variable getter: renders the cipher suites offered by the client as a
 * colon-separated list into "s", allocated from "pool".
 *
 * With SSL_CTRL_GET_RAW_CIPHERLIST the raw suite ids are taken from
 * SSL_get0_raw_cipherlist(); ids that resolve to a known SSL_CIPHER are
 * printed by name, the rest as "0x" followed by the id bytes in hex.
 * Without it, the string from SSL_get_shared_ciphers() is copied.
 *
 * Returns NGX_ERROR only on allocation failure.  An empty or unavailable
 * list is not an error: s->len is set to 0 and NGX_OK is returned.
 */
ngx_int_t
ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
#ifdef SSL_CTRL_GET_RAW_CIPHERLIST

    int                count, idx, idlen;
    size_t             total;
    u_char            *raw, *out, *id;
    const SSL_CIPHER  *known;

    /* size of one suite id first, then the raw list itself */

    idlen = SSL_get0_raw_cipherlist(c->ssl->connection, NULL);
    count = SSL_get0_raw_cipherlist(c->ssl->connection, &raw);

    if (count <= 0) {
        s->len = 0;
        return NGX_OK;
    }

    /*
     * NOTE(review): assumes idlen is non-zero whenever the raw list is
     * non-empty; that is how SSL_get0_raw_cipherlist() behaves as far as
     * I know, confirm for the OpenSSL versions in use.
     */

    count /= idlen;

    /* pass 1: compute the rendered length */

    total = 0;

    for (idx = 0; idx < count; idx++) {
        id = raw + idx * idlen;
        known = SSL_CIPHER_find(c->ssl->connection, id);

        if (known == NULL) {
            /* unknown id: "0x" plus two hex digits per id byte */
            total += sizeof("0x") - 1 + idlen * (sizeof("00") - 1);

        } else {
            total += ngx_strlen(SSL_CIPHER_get_name(known));
        }

        total += sizeof(":") - 1;
    }

    s->data = ngx_pnalloc(pool, total);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    /* pass 2: render, one ':' after every entry */

    out = s->data;

    for (idx = 0; idx < count; idx++) {
        id = raw + idx * idlen;
        known = SSL_CIPHER_find(c->ssl->connection, id);

        if (known == NULL) {
            out = ngx_sprintf(out, "0x");
            out = ngx_hex_dump(out, id, idlen);

        } else {
            out = ngx_sprintf(out, "%s", SSL_CIPHER_get_name(known));
        }

        *out++ = ':';
    }

    /* drop the trailing separator; count > 0 so at least one was written */

    s->len = (out - 1) - s->data;

#else

    u_char  buf[4096];

    if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, sizeof(buf))
        == NULL)
    {
        s->len = 0;
        return NGX_OK;
    }

    /* SSL_get_shared_ciphers() filled buf as a NUL-terminated string */

    s->len = ngx_strlen(buf);

    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, buf, s->len);

#endif

    return NGX_OK;
}
4810
4811
/*
 * Variable getter: the key exchange group negotiated on the connection.
 *
 * When SSL_get_negotiated_group() is available and reports a group, a
 * group with a registered NID is rendered by its short name (OBJ_nid2sn(),
 * static storage, nothing allocated); a group flagged TLSEXT_nid_unknown
 * is rendered as "0x" plus its 16-bit id in hex, allocated from "pool".
 * In every other case s->len is set to 0.
 *
 * Returns NGX_ERROR only on allocation failure, NGX_OK otherwise.
 */
ngx_int_t
ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
#ifdef SSL_get_negotiated_group

    int          nid;
    const char  *sn;

    nid = SSL_get_negotiated_group(c->ssl->connection);

    if (nid != NID_undef) {

        if (nid & TLSEXT_nid_unknown) {

            /* no registered NID: print the low 16 bits as "0xNNNN" */

            s->len = sizeof("0x0000") - 1;

            s->data = ngx_pnalloc(pool, s->len);
            if (s->data == NULL) {
                return NGX_ERROR;
            }

            ngx_sprintf(s->data, "0x%04xd", nid & 0xffff);

            return NGX_OK;
        }

        sn = OBJ_nid2sn(nid);

        s->data = (u_char *) sn;
        s->len = ngx_strlen(sn);

        return NGX_OK;
    }

#endif

    s->len = 0;
    return NGX_OK;
}
4846
4847
4848 ngx_int_t
4849 ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
4850 {
4851 #ifdef SSL_CTRL_GET_CURVES
4852
4853 int *curves, n, i, nid;
4854 u_char *p;
4855 size_t len;
4856
4857 n = SSL_get1_curves(c->ssl->connection, NULL);
4858
4859 if (n <= 0) {
4860 s->len = 0;
4861 return NGX_OK;
4862 }
4863
4864 curves = ngx_palloc(pool, n * sizeof(int));
4865
4866 n = SSL_get1_curves(c->ssl->connection, curves);
4867 len = 0;
4868
4869 for (i = 0; i < n; i++) {
4870 nid = curves[i];
4871
4872 if (nid & TLSEXT_nid_unknown) {
4873 len += sizeof("0x0000") - 1;
4874
4875 } else {
4876 len += ngx_strlen(OBJ_nid2sn(nid));
4877 }
4878
4879 len += sizeof(":") - 1;
4880 }
4881
4882 s->data = ngx_pnalloc(pool, len);
4883 if (s->data == NULL) {
4884 return NGX_ERROR;
4885 }
4886
4887 p = s->data;
4888
4889 for (i = 0; i < n; i++) {
4890 nid = curves[i];
4891
4892 if (nid & TLSEXT_nid_unknown) {
4893 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
4894
4895 } else {
4896 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
4897 }
4898
4899 *p++ = ':';
4900 }
4901
4902 p--;
4903
4904 s->len = p - s->data;
4905
4906 #else
4907
4908 s->len = 0;
4909
4910 #endif
4911
4912 return NGX_OK;
4913 }
/*
 * Exposes the id of the current SSL session as a lowercase hex string.
 *
 * c     - connection whose SSL object is inspected (c->ssl->connection)
 * pool  - pool the hex string is allocated from
 * s     - receives the result; s->len is 0 when the connection has no
 *         session object
 *
 * Returns NGX_OK, or NGX_ERROR if the pool allocation fails.
 *
 * Only the SSL_get0_session() / SSL_SESSION_get_id() accessors are used,
 * so no SSL_SESSION fields are touched directly.  The id is taken as the
 * library reports it; nothing about the session's validity or the
 * handshake's verification state is checked here.
 */
ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    size_t                n;
    unsigned int          id_len;
    SSL_SESSION          *sess;
    const unsigned char  *id;

    s->len = 0;

    sess = SSL_get0_session(c->ssl->connection);
    if (sess == NULL) {
        /* no session: the variable is empty, not an error */
        return NGX_OK;
    }

    id = SSL_SESSION_get_id(sess, &id_len);

    /* two hex digits per id byte */
    n = 2 * (size_t) id_len;
    s->len = n;

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_hex_dump(s->data, (u_char *) id, id_len);

    return NGX_OK;
}
/*
 * Reports whether the handshake on c resumed an earlier session.
 *
 * s is set to "r" when SSL_session_reused() says the session was reused
 * and to "." otherwise; both values are string literals, so nothing is
 * allocated and pool is unused.  Always returns NGX_OK.
 */
ngx_int_t
ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    int  reused;

    reused = SSL_session_reused(c->ssl->connection);

    s->len = 1;
    s->data = (u_char *) (reused ? "r" : ".");

    return NGX_OK;
}
/*
 * Reports whether the connection is currently in TLSv1.3 early data.
 *
 * s is "1" while the connection is in early data and empty otherwise.
 * Nothing is allocated (pool is unused) and the function always returns
 * NGX_OK.  With a library that defines neither of the probed macros the
 * variable is always empty.
 *
 * NOTE(review): early (0-RTT) data can be replayed by a network attacker;
 * this flag is presumably what lets the rest of the server tell
 * applications to refuse non-idempotent requests in that state - confirm
 * against the callers that consume the variable.
 */
ngx_int_t
ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    int  early;

#ifdef SSL_ERROR_EARLY_DATA_REJECTED

    /* BoringSSL exposes the early-data state directly */

    early = SSL_in_early_data(c->ssl->connection);

#elif defined SSL_READ_EARLY_DATA_SUCCESS

    /*
     * OpenSSL: an unfinished handshake is taken to mean early data.
     * NOTE(review): this only holds if the variable is evaluated once a
     * request already exists - confirm against the callers.
     */

    early = !SSL_is_init_finished(c->ssl->connection);

#else

    early = 0;

#endif

    if (early) {
        ngx_str_set(s, "1");

    } else {
        s->len = 0;
    }

    return NGX_OK;
}
/*
 * Returns the host name the client sent in the TLS SNI extension.
 *
 * c     - connection whose SSL object is inspected
 * pool  - pool the copy of the name is allocated from
 * s     - receives the name; s->len is 0 when no SNI was sent or the
 *         library was built without SNI support
 *
 * Returns NGX_OK, or NGX_ERROR if the pool allocation fails.
 *
 * The name is client-supplied and is copied byte for byte - no
 * validation happens here.  It is copied into the pool rather than
 * referenced because the library-owned string may not outlive the
 * variable (see changeset 2e8de3d81783, "fixed possible use-after-free").
 */
ngx_int_t
ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

    size_t       n;
    const char  *sni;

    sni = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);

    if (sni == NULL) {
        s->len = 0;
        return NGX_OK;
    }

    n = ngx_strlen(sni);
    s->len = n;

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, sni, n);

    return NGX_OK;

#else

    /* no SNI support in this library */

    s->len = 0;
    return NGX_OK;

#endif
}
/*
 * Returns the ALPN protocol negotiated on the connection.
 *
 * c     - connection whose SSL object is inspected
 * pool  - pool the copy of the protocol name is allocated from
 * s     - receives the protocol; s->len is 0 when nothing was negotiated
 *         or the library was built without ALPN support
 *
 * Returns NGX_OK, or NGX_ERROR if the pool allocation fails.
 *
 * The bytes are taken as SSL_get0_alpn_selected() reports them and are
 * not validated here; they are copied because the library owns the
 * buffer it hands out.
 */
ngx_int_t
ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation

    unsigned int          n;
    const unsigned char  *proto;

    SSL_get0_alpn_selected(c->ssl->connection, &proto, &n);

    if (n == 0) {
        s->len = 0;
        return NGX_OK;
    }

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_memcpy(s->data, proto, n);
    s->len = n;

    return NGX_OK;

#else

    /* no ALPN support in this library */

    s->len = 0;
    return NGX_OK;

#endif
}
/*
 * Returns the certificate presented by the peer, PEM-encoded.
 *
 * c     - connection whose SSL object is inspected
 * pool  - pool the PEM text is allocated from
 * s     - receives the PEM text; s->len is 0 when the peer sent no
 *         certificate
 *
 * Returns NGX_OK, or NGX_ERROR if the memory BIO cannot be created, the
 * PEM encoding fails (both logged at alert level) or the pool allocation
 * fails.
 *
 * This is whatever the peer presented: the verification result is not
 * consulted here, so a certificate that failed verification is returned
 * just the same.  Callers that care must check the verify state
 * separately.
 *
 * SSL_get_peer_certificate() hands back an owned reference, hence the
 * X509_free() on every path.  NOTE(review): OpenSSL 3 renamed it to
 * SSL_get1_peer_certificate(); the mapping, if any, is not visible here.
 *
 * The BIO_read() result is not checked: n comes from BIO_pending() on a
 * memory BIO that nothing else drains, so the read returns exactly n.
 */
ngx_int_t
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    BIO        *mem;
    X509       *peer;
    size_t      n;
    ngx_int_t   rc;

    s->len = 0;

    peer = SSL_get_peer_certificate(c->ssl->connection);
    if (peer == NULL) {
        return NGX_OK;
    }

    mem = BIO_new(BIO_s_mem());
    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        X509_free(peer);
        return NGX_ERROR;
    }

    rc = NGX_ERROR;

    if (PEM_write_bio_X509(mem, peer) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
        goto done;
    }

    n = BIO_pending(mem);
    s->len = n;

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        goto done;
    }

    BIO_read(mem, s->data, n);

    rc = NGX_OK;

done:

    BIO_free(mem);
    X509_free(peer);

    return rc;
}
5095 ngx_int_t
2123
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5096 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5097 {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5098 u_char *p;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5099 size_t len;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5100 ngx_uint_t i;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5101 ngx_str_t cert;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5102
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5103 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5104 return NGX_ERROR;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5105 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5106
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5107 if (cert.len == 0) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5108 s->len = 0;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5109 return NGX_OK;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5110 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5111
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5112 len = cert.len - 1;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5113
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5114 for (i = 0; i < cert.len - 1; i++) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5115 if (cert.data[i] == LF) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5116 len++;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5117 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5118 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5119
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5120 s->len = len;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5121 s->data = ngx_pnalloc(pool, len);
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5122 if (s->data == NULL) {
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5123 return NGX_ERROR;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5124 }
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5125
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5126 p = s->data;
9697407e9ecb *) ssl_verify_client ask
Igor Sysoev <igor@sysoev.ru>
parents: 2052
diff changeset
5127
3002
bf0c7e58e016 fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents: 2997
diff changeset
5128 for (i = 0; i < cert.len - 1; i++) {
5129 *p++ = cert.data[i];
5130 if (cert.data[i] == LF) {
5131 *p++ = '\t';
5132 }
5133 }
5134
5135 return NGX_OK;
5136 }
5137
5138
/*
 * $ssl_client_escaped_cert: the client certificate as returned by
 * ngx_ssl_get_raw_certificate(), percent-encoded as a URI component so
 * that it can be carried verbatim in a header or query string.
 *
 * Returns NGX_OK with s filled in (s->len is 0 when there is no
 * certificate), NGX_ERROR when the certificate lookup or the pool
 * allocation fails.  The result is allocated from pool and is a
 * length-delimited ngx_str_t, not a C string.
 */
ngx_int_t
ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s)
{
    uintptr_t   escaped;
    ngx_str_t   raw;

    if (ngx_ssl_get_raw_certificate(c, pool, &raw) != NGX_OK) {
        return NGX_ERROR;
    }

    if (raw.len == 0) {
        /* no peer certificate: an empty variable, not an error */
        s->len = 0;
        return NGX_OK;
    }

    /* first pass with a NULL destination only counts the bytes to escape */
    escaped = ngx_escape_uri(NULL, raw.data, raw.len, NGX_ESCAPE_URI_COMPONENT);

    /* every escaped byte grows by two characters, so size the buffer first */
    s->len = raw.len + escaped * 2;
    s->data = ngx_pnalloc(pool, s->len);

    if (s->data == NULL) {
        return NGX_ERROR;
    }

    /* second pass writes the encoded form into the buffer sized above */
    (void) ngx_escape_uri(s->data, raw.data, raw.len, NGX_ESCAPE_URI_COMPONENT);

    return NGX_OK;
}
5167
5168
/*
 * $ssl_client_s_dn: the subject distinguished name of the client
 * certificate, formatted by X509_NAME_print_ex() with XN_FLAG_RFC2253.
 *
 * The name content comes from the peer's certificate, so consumers should
 * still treat the string as untrusted input; the RFC 2253 encoding is what
 * keeps attribute values unambiguous when they are logged or forwarded.
 *
 * Returns NGX_OK with s filled in (s->len is 0 when the peer presented no
 * certificate), NGX_ERROR on an OpenSSL or pool allocation failure.  The
 * result is allocated from pool and is a length-delimited ngx_str_t.
 */
ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    X509       *cert;
    X509_NAME  *name;
    BIO        *bio = NULL;
    ngx_int_t   rc = NGX_ERROR;

    s->len = 0;

    /* SSL_get_peer_certificate() hands out a reference we must release */
    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_subject_name(cert);
    if (name == NULL) {
        goto done;
    }

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        goto done;
    }

    /* with the RFC 2253 flags a negative result signals failure */
    if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed");
        goto done;
    }

    s->len = BIO_pending(bio);
    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        goto done;
    }

    BIO_read(bio, s->data, s->len);

    rc = NGX_OK;

done:

    /* BIO_free(NULL) is a no-op, so every exit shares this cleanup */
    BIO_free(bio);
    X509_free(cert);

    return rc;
}
5221
5222
/*
 * $ssl_client_i_dn: the issuer distinguished name of the client
 * certificate, formatted by X509_NAME_print_ex() with XN_FLAG_RFC2253.
 *
 * The name content comes from the peer's certificate, so consumers should
 * still treat the string as untrusted input; the RFC 2253 encoding is what
 * keeps attribute values unambiguous when they are logged or forwarded.
 *
 * Returns NGX_OK with s filled in (s->len is 0 when the peer presented no
 * certificate), NGX_ERROR on an OpenSSL or pool allocation failure.  The
 * result is allocated from pool and is a length-delimited ngx_str_t.
 */
ngx_int_t
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    X509       *cert;
    X509_NAME  *name;
    BIO        *bio = NULL;
    ngx_int_t   rc = NGX_ERROR;

    s->len = 0;

    /* SSL_get_peer_certificate() hands out a reference we must release */
    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_issuer_name(cert);
    if (name == NULL) {
        goto done;
    }

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        goto done;
    }

    /* with the RFC 2253 flags a negative result signals failure */
    if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed");
        goto done;
    }

    s->len = BIO_pending(bio);
    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        goto done;
    }

    BIO_read(bio, s->data, s->len);

    rc = NGX_OK;

done:

    /* BIO_free(NULL) is a no-op, so every exit shares this cleanup */
    BIO_free(bio);
    X509_free(cert);

    return rc;
}
5275
5276
/*
 * Legacy form of the client certificate's subject DN: the one-line format
 * produced by X509_NAME_oneline(), as opposed to the RFC 2253 output of
 * ngx_ssl_get_subject_dn().  Values originate from the peer's certificate
 * and should be treated as untrusted by whatever consumes the variable.
 *
 * Returns NGX_OK with s filled in (s->len is 0 when the peer presented no
 * certificate), NGX_ERROR on an OpenSSL or pool allocation failure.  The
 * result is copied into pool memory; the OpenSSL buffer is released here.
 */
ngx_int_t
ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s)
{
    char       *oneline;
    size_t      len;
    X509       *cert;
    X509_NAME  *name;
    ngx_int_t   rc;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    name = X509_get_subject_name(cert);
    if (name == NULL) {
        X509_free(cert);
        return NGX_ERROR;
    }

    /* with a NULL buffer OpenSSL allocates the result; OPENSSL_free() it */
    oneline = X509_NAME_oneline(name, NULL, 0);
    if (oneline == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
        X509_free(cert);
        return NGX_ERROR;
    }

    len = ngx_strlen(oneline);

    s->len = len;
    s->data = ngx_pnalloc(pool, len);

    if (s->data != NULL) {
        ngx_memcpy(s->data, oneline, len);
        rc = NGX_OK;

    } else {
        rc = NGX_ERROR;
    }

    OPENSSL_free(oneline);
    X509_free(cert);

    return rc;
}
5323
5324
5325 ngx_int_t
5326 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
5327 ngx_str_t *s)
5328 {
5329 char *p;
5330 size_t len;
5331 X509 *cert;
5332 X509_NAME *name;
5333
5334 s->len = 0;
5335
5336 cert = SSL_get_peer_certificate(c->ssl->connection);
5337 if (cert == NULL) {
5338 return NGX_OK;
5339 }
5340
5341 name = X509_get_issuer_name(cert);
5342 if (name == NULL) {
5343 X509_free(cert);
5344 return NGX_ERROR;
5345 }
5346
5347 p = X509_NAME_oneline(name, NULL, 0);
5348 if (p == NULL) {
5349 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed");
5350 X509_free(cert);
5351 return NGX_ERROR;
5352 }
5354 for (len = 0; p[len]; len++) { /* void */ }
5356 s->len = len;
5357 s->data = ngx_pnalloc(pool, len);
5358 if (s->data == NULL) {
5359 OPENSSL_free(p);
5360 X509_free(cert);
5361 return NGX_ERROR;
5362 }
5364 ngx_memcpy(s->data, p, len);
5366 OPENSSL_free(p);
5367 X509_free(cert);
5369 return NGX_OK;
5370 }
ngx_int_t
ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * Renders the client certificate serial number in its textual (hex)
     * form via i2a_ASN1_INTEGER() into a memory BIO and copies the result
     * into the pool.  s is left empty (len 0) when the peer presented no
     * certificate; NGX_ERROR is returned on BIO or allocation failure.
     */

    ngx_int_t   rc;
    size_t      n;
    X509       *cert;
    BIO        *bio;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    rc = NGX_ERROR;

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        goto free_cert;
    }

    i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));

    /* everything written so far is pending in the memory BIO */
    n = BIO_pending(bio);
    s->len = n;

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        goto free_bio;
    }

    BIO_read(bio, s->data, n);
    rc = NGX_OK;

free_bio:
    BIO_free(bio);

free_cert:
    X509_free(cert);

    return rc;
}
ngx_int_t
ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_client_fingerprint: hex-encoded SHA-1 digest of the client
     * certificate.  s is left empty when no certificate was presented;
     * NGX_ERROR is returned if the digest or the allocation fails.
     */

    X509          *cert;
    unsigned int   md_len;
    u_char         md[EVP_MAX_MD_SIZE];

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    if (X509_digest(cert, EVP_sha1(), md, &md_len) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_digest() failed");
        X509_free(cert);
        return NGX_ERROR;
    }

    /* the digest now lives in md; the certificate itself is not needed */
    X509_free(cert);

    /* two hex characters per digest byte */
    s->len = 2 * md_len;

    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    ngx_hex_dump(s->data, md, md_len);

    return NGX_OK;
}
ngx_int_t
ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_client_verify: "NONE" when the peer sent no certificate,
     * "SUCCESS" when chain verification and the OCSP check passed,
     * otherwise "FAILED:<reason>".
     */

    long         rc;
    size_t       n;
    X509        *cert;
    const char  *reason;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        ngx_str_set(s, "NONE");
        return NGX_OK;
    }

    /* only the presence of a certificate matters here */
    X509_free(cert);

    rc = SSL_get_verify_result(c->ssl->connection);

    if (rc != X509_V_OK) {
        reason = X509_verify_cert_error_string(rc);

    } else if (ngx_ssl_ocsp_get_status(c, &reason) == NGX_OK) {
        ngx_str_set(s, "SUCCESS");
        return NGX_OK;
    }

    /*
     * NOTE(review): on the OCSP failure path, reason is expected to be
     * set by ngx_ssl_ocsp_get_status(); that function is not visible here.
     */

    n = sizeof("FAILED:") - 1 + ngx_strlen(reason);

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        return NGX_ERROR;
    }

    s->len = ngx_sprintf(s->data, "FAILED:%s", reason) - s->data;

    return NGX_OK;
}
ngx_int_t
ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_client_v_start: the notBefore field of the client certificate
     * as printed by ASN1_TIME_print().  s is left empty when no
     * certificate was presented; NGX_ERROR on BIO or allocation failure.
     */

    ngx_int_t   rc;
    size_t      n;
    BIO        *bio;
    X509       *cert;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    rc = NGX_ERROR;

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        goto done;
    }

    /* accessor name differs between OpenSSL generations */
#if OPENSSL_VERSION_NUMBER > 0x10100000L
    ASN1_TIME_print(bio, X509_get0_notBefore(cert));
#else
    ASN1_TIME_print(bio, X509_get_notBefore(cert));
#endif

    n = BIO_pending(bio);
    s->len = n;

    s->data = ngx_pnalloc(pool, n);
    if (s->data != NULL) {
        BIO_read(bio, s->data, n);
        rc = NGX_OK;
    }

    BIO_free(bio);

done:
    X509_free(cert);

    return rc;
}
ngx_int_t
ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    /*
     * $ssl_client_v_end: the notAfter field of the client certificate as
     * printed by ASN1_TIME_print().  s is left empty when no certificate
     * was presented; NGX_ERROR on BIO or allocation failure.
     */

    BIO        *bio;
    X509       *cert;
    size_t      n;
    ngx_int_t   rc;

    s->len = 0;

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    bio = BIO_new(BIO_s_mem());
    if (bio == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
        X509_free(cert);
        return NGX_ERROR;
    }

    /* accessor name differs between OpenSSL generations */
#if OPENSSL_VERSION_NUMBER > 0x10100000L
    ASN1_TIME_print(bio, X509_get0_notAfter(cert));
#else
    ASN1_TIME_print(bio, X509_get_notAfter(cert));
#endif

    /* the time has been printed; the certificate is no longer needed */
    X509_free(cert);

    n = BIO_pending(bio);
    s->len = n;

    rc = NGX_OK;

    s->data = ngx_pnalloc(pool, n);
    if (s->data == NULL) {
        rc = NGX_ERROR;

    } else {
        BIO_read(bio, s->data, n);
    }

    BIO_free(bio);

    return rc;
}
5574
5575
/*
 * Evaluates the $ssl_client_v_remain variable: the number of whole days
 * left until the peer certificate's notAfter, as a decimal string.
 * Yields "0" when the certificate has already expired or expires within
 * the next 24 hours, and an empty value when there is no peer certificate
 * or its notAfter cannot be parsed.
 *
 * Returns NGX_OK in all of the above cases and NGX_ERROR only when the
 * pool allocation for the result fails (s->len is left at 0 then).
 *
 * NOTE(review): this inspects the certificate's own validity window only;
 * it says nothing about whether the chain verified or the certificate was
 * revoked, so it must not stand in for the verification result.
 */
ngx_int_t
ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
    X509       *cert;
    time_t      not_after, current;
    ngx_int_t   rc;

    s->len = 0;

    /* the reference returned by SSL_get_peer_certificate() is ours to release */

    cert = SSL_get_peer_certificate(c->ssl->connection);
    if (cert == NULL) {
        return NGX_OK;
    }

    rc = NGX_OK;

#if OPENSSL_VERSION_NUMBER > 0x10100000L
    not_after = ngx_ssl_parse_time(X509_get0_notAfter(cert), c->log);
#else
    not_after = ngx_ssl_parse_time(X509_get_notAfter(cert), c->log);
#endif

    /* an unparsable notAfter leaves the variable empty rather than "0" */

    if (not_after != (time_t) NGX_ERROR) {
        current = ngx_time();

        if (not_after < current + 86400) {
            /* already expired, or less than one full day remaining */
            ngx_str_set(s, "0");

        } else {
            s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN);

            if (s->data == NULL) {
                rc = NGX_ERROR;

            } else {
                /* integer division: a partial day is not counted */
                s->len = ngx_sprintf(s->data, "%T",
                                     (not_after - current) / 86400)
                         - s->data;
            }
        }
    }

    X509_free(cert);

    return rc;
}
5620
5621
/*
 * Converts an ASN1_TIME (a certificate notBefore/notAfter) into time_t.
 *
 * OpenSSL offers no direct conversion, so the value is printed with
 * ASN1_TIME_print() in its "MMM DD HH:MM:SS YYYY [GMT]" form (e.g.
 * "Feb  3 00:55:52 2015 GMT") and the text is then handed to
 * ngx_parse_http_time().  A dummy weekday is written first so the text
 * has the C asctime() layout that parser accepts; the weekday is
 * presumably not checked against the date (TODO confirm in
 * ngx_parse_http_time()).
 *
 * Returns the parsed time, or NGX_ERROR when the memory BIO cannot be
 * created or the printed text does not parse (the callers test for
 * NGX_ERROR).  NGX_ERROR is an in-band sentinel: a genuine time_t of -1
 * is indistinguishable from failure, which is harmless for certificate
 * validity dates.
 *
 * The results of BIO_write() and ASN1_TIME_print() are not checked;
 * whatever ends up in the BIO is passed to the parser as is.
 */
static time_t
ngx_ssl_parse_time(
#if OPENSSL_VERSION_NUMBER > 0x10100000L
    const
#endif
    ASN1_TIME *asn1time, ngx_log_t *log)
{
    BIO     *mem;
    char    *text;
    size_t   n;
    time_t   t;

    mem = BIO_new(BIO_s_mem());

    if (mem == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "BIO_new() failed");
        return NGX_ERROR;
    }

    /* fake weekday prepended to match C asctime() format */

    BIO_write(mem, "Tue ", sizeof("Tue ") - 1);
    ASN1_TIME_print(mem, asn1time);

    n = BIO_get_mem_data(mem, &text);
    t = ngx_parse_http_time((u_char *) text, n);

    BIO_free(mem);

    return t;
}
5659
5660
/*
 * Allocates the module's main configuration from the cycle pool.
 *
 * Returns the zero-filled ngx_openssl_conf_t (so conf->engine starts at
 * 0, i.e. no engine configured yet), or NULL if allocation fails.
 */
static void *
ngx_openssl_create_conf(ngx_cycle_t *cycle)
{
    ngx_openssl_conf_t  *conf;

    /* ngx_pcalloc() zero-fills, which also initialises conf->engine = 0 */

    conf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t));

    /* NULL on allocation failure is exactly what the caller expects */

    return conf;
}
5679
5680
/*
 * Directive handler that looks up an OpenSSL ENGINE by the id given as the
 * directive's argument and makes it the default implementation for every
 * method it provides (ENGINE_METHOD_ALL).  Only one engine may be
 * configured; a second occurrence is rejected with "is duplicate".
 *
 * Returns NGX_CONF_OK, a static error string, or NGX_CONF_ERROR after the
 * OpenSSL failure has been logged at NGX_LOG_EMERG.  With a library built
 * with OPENSSL_NO_ENGINE the directive is reported as "is not supported".
 *
 * NOTE(review): ENGINE_METHOD_ALL routes every method the engine
 * implements through it -- asymmetric and symmetric operations, digests
 * and, if the engine supplies one, the RNG -- so the configured engine is
 * fully trusted for all subsequent crypto in this process.  The id comes
 * from the configuration file only, never from the network.  On OpenSSL
 * 3.x the ENGINE API is deprecated in favour of providers; confirm this
 * path is still wanted there.
 */
static char *
ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
#ifndef OPENSSL_NO_ENGINE

    ngx_openssl_conf_t  *oscf = conf;

    ENGINE     *engine;
    ngx_str_t  *args;

    if (oscf->engine) {
        return "is duplicate";
    }

    /* marked before the lookup: a failed lookup aborts the config anyway */

    oscf->engine = 1;

    args = cf->args->elts;

    /* args[1] is the engine id from the configuration */

    engine = ENGINE_by_id((char *) args[1].data);

    if (engine == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "ENGINE_by_id(\"%V\") failed", &args[1]);
        return NGX_CONF_ERROR;
    }

    /*
     * the reference obtained from ENGINE_by_id() is released on both
     * paths; success of ENGINE_set_default() does not change that
     */

    if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
                      "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
                      &args[1]);
        ENGINE_free(engine);
        return NGX_CONF_ERROR;
    }

    ENGINE_free(engine);

    return NGX_CONF_OK;

#else

    return "is not supported";

#endif
}
5727
5728
/*
 * Module exit hook.  The cycle argument is unused.
 *
 * For OpenSSL older than 1.1.0 (version number 0x10100003L) the EVP
 * tables and, unless built with OPENSSL_NO_ENGINE, the engine list are
 * torn down here; newer OpenSSL presumably releases its global state on
 * its own at process exit, which is why nothing is done for it.
 */
static void
ngx_openssl_exit(ngx_cycle_t *cycle)
{
#if (OPENSSL_VERSION_NUMBER < 0x10100003L)
    EVP_cleanup();
#endif

#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined(OPENSSL_NO_ENGINE))
    ENGINE_cleanup();
#endif
}