Mercurial > hg > nginx-quic
annotate src/event/ngx_event_openssl.c @ 4192:61e4af19df9f
Autoindex: escape '?' in file names.
For files with '?' in their names autoindex generated links with '?' not
escaped. This resulted in effectively truncated links as '?' indicates
query string start.
This is an updated version of the patch originally posted at [1]. It
introduces generic NGX_ESCAPE_URI_COMPONENT which escapes everything but
unreserved characters as per RFC 3986. This approach also renders unneeded
special colon processing (as colon is percent-encoded now), it's dropped
accordingly.
[1] http://nginx.org/pipermail/nginx-devel/2010-February/000112.html
Reported by Konstantin Leonov.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 11 Oct 2011 17:56:51 +0000 |
parents | cce2fd0acc0f |
children | 5fef0313f2ff |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
4 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
5 |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
6 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
7 #include <ngx_config.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #include <ngx_core.h> |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
9 #include <ngx_event.h> |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
10 |
541 | 11 |
12 typedef struct { | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
13 ngx_uint_t engine; /* unsigned engine:1; */ |
541 | 14 } ngx_openssl_conf_t; |
479 | 15 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
16 |
671 | 17 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
18 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
19 int ret); |
547 | 20 static void ngx_ssl_handshake_handler(ngx_event_t *ev); |
489 | 21 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); |
473 | 22 static void ngx_ssl_write_handler(ngx_event_t *wev); |
23 static void ngx_ssl_read_handler(ngx_event_t *rev); | |
577 | 24 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); |
547 | 25 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, |
26 ngx_err_t err, char *text); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
27 static void ngx_ssl_clear_error(ngx_log_t *log); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
28 |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3962
diff
changeset
|
29 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
30 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
31 ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
32 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
33 u_char *id, int len, int *copy); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
34 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
35 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
36 ngx_slab_pool_t *shpool, ngx_uint_t n); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
37 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
38 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
39 |
541 | 40 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
41 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); |
571 | 42 static void ngx_openssl_exit(ngx_cycle_t *cycle); |
541 | 43 |
44 | |
45 static ngx_command_t ngx_openssl_commands[] = { | |
46 | |
47 { ngx_string("ssl_engine"), | |
48 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
49 ngx_openssl_engine, |
541 | 50 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
51 0, |
541 | 52 NULL }, |
53 | |
54 ngx_null_command | |
55 }; | |
56 | |
57 | |
58 static ngx_core_module_t ngx_openssl_module_ctx = { | |
59 ngx_string("openssl"), | |
60 ngx_openssl_create_conf, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
61 NULL |
577 | 62 }; |
541 | 63 |
64 | |
65 ngx_module_t ngx_openssl_module = { | |
66 NGX_MODULE_V1, | |
67 &ngx_openssl_module_ctx, /* module context */ | |
68 ngx_openssl_commands, /* module directives */ | |
69 NGX_CORE_MODULE, /* module type */ | |
70 NULL, /* init master */ | |
71 NULL, /* init module */ | |
72 NULL, /* init process */ | |
73 NULL, /* init thread */ | |
74 NULL, /* exit thread */ | |
75 NULL, /* exit process */ | |
571 | 76 ngx_openssl_exit, /* exit master */ |
541 | 77 NGX_MODULE_V1_PADDING |
547 | 78 }; |
79 | |
80 | |
81 static long ngx_ssl_protocols[] = { | |
82 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
83 SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, | |
84 SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1, | |
85 SSL_OP_NO_TLSv1, | |
86 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, | |
87 SSL_OP_NO_SSLv3, | |
88 SSL_OP_NO_SSLv2, | |
89 0, | |
90 }; | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
91 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
92 |
969 | 93 int ngx_ssl_connection_index; |
94 int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
95 int ngx_ssl_session_cache_index; |
671 | 96 |
97 | |
489 | 98 ngx_int_t |
99 ngx_ssl_init(ngx_log_t *log) | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
100 { |
968 | 101 OPENSSL_config(NULL); |
102 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
103 SSL_library_init(); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
104 SSL_load_error_strings(); |
541 | 105 |
479 | 106 ENGINE_load_builtin_engines(); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
107 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
108 OpenSSL_add_all_algorithms(); |
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
109 |
969 | 110 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
671 | 111 |
969 | 112 if (ngx_ssl_connection_index == -1) { |
671 | 113 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); |
114 return NGX_ERROR; | |
115 } | |
116 | |
969 | 117 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
118 NULL); | |
119 if (ngx_ssl_server_conf_index == -1) { | |
120 ngx_ssl_error(NGX_LOG_ALERT, log, 0, | |
121 "SSL_CTX_get_ex_new_index() failed"); | |
122 return NGX_ERROR; | |
123 } | |
124 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
125 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
126 NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
127 if (ngx_ssl_session_cache_index == -1) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
128 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
129 "SSL_CTX_get_ex_new_index() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
130 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
131 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
132 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
133 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
134 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
135 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
136 |
489 | 137 ngx_int_t |
969 | 138 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) |
547 | 139 { |
577 | 140 ssl->ctx = SSL_CTX_new(SSLv23_method()); |
547 | 141 |
142 if (ssl->ctx == NULL) { | |
143 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed"); | |
144 return NGX_ERROR; | |
145 } | |
146 | |
969 | 147 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) { |
148 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
149 "SSL_CTX_set_ex_data() failed"); | |
150 return NGX_ERROR; | |
151 } | |
152 | |
577 | 153 /* client side options */ |
154 | |
155 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); | |
156 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); | |
157 | |
158 /* server side options */ | |
563 | 159 |
160 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); | |
161 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); | |
162 | |
163 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ | |
164 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); | |
165 | |
166 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); | |
167 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); | |
168 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); | |
169 | |
170 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); | |
171 | |
2044 | 172 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
547 | 173 |
174 if (ngx_ssl_protocols[protocols >> 1] != 0) { | |
175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); | |
176 } | |
177 | |
4185
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
178 #ifdef SSL_OP_NO_COMPRESSION |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
179 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
180 #endif |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
181 |
4186
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
182 #ifdef SSL_MODE_RELEASE_BUFFERS |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
183 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
184 #endif |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
185 |
547 | 186 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
187 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
188 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
189 |
547 | 190 return NGX_OK; |
191 } | |
192 | |
193 | |
194 ngx_int_t | |
563 | 195 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
196 ngx_str_t *key) | |
547 | 197 { |
2536
a6d6d762c554
small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents:
2504
diff
changeset
|
198 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
547 | 199 return NGX_ERROR; |
200 } | |
201 | |
563 | 202 if (SSL_CTX_use_certificate_chain_file(ssl->ctx, (char *) cert->data) |
547 | 203 == 0) |
204 { | |
205 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
563 | 206 "SSL_CTX_use_certificate_chain_file(\"%s\") failed", |
207 cert->data); | |
208 return NGX_ERROR; | |
209 } | |
210 | |
2536
a6d6d762c554
small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents:
2504
diff
changeset
|
211 if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) { |
563 | 212 return NGX_ERROR; |
213 } | |
214 | |
215 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data, | |
647 | 216 SSL_FILETYPE_PEM) |
217 == 0) | |
563 | 218 { |
219 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
220 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data); | |
547 | 221 return NGX_ERROR; |
222 } | |
223 | |
224 return NGX_OK; | |
225 } | |
226 | |
227 | |
228 ngx_int_t | |
671 | 229 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
230 ngx_int_t depth) | |
647 | 231 { |
671 | 232 STACK_OF(X509_NAME) *list; |
233 | |
234 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback); | |
235 | |
236 SSL_CTX_set_verify_depth(ssl->ctx, depth); | |
237 | |
238 if (cert->len == 0) { | |
239 return NGX_OK; | |
240 } | |
241 | |
2536
a6d6d762c554
small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents:
2504
diff
changeset
|
242 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
647 | 243 return NGX_ERROR; |
244 } | |
245 | |
246 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) | |
247 == 0) | |
248 { | |
249 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
250 "SSL_CTX_load_verify_locations(\"%s\") failed", | |
251 cert->data); | |
252 return NGX_ERROR; | |
253 } | |
254 | |
671 | 255 list = SSL_load_client_CA_file((char *) cert->data); |
256 | |
257 if (list == NULL) { | |
258 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
259 "SSL_load_client_CA_file(\"%s\") failed", cert->data); | |
260 return NGX_ERROR; | |
261 } | |
262 | |
263 /* | |
264 * before 0.9.7h and 0.9.8 SSL_load_client_CA_file() | |
265 * always leaved an error in the error queue | |
266 */ | |
267 | |
268 ERR_clear_error(); | |
269 | |
270 SSL_CTX_set_client_CA_list(ssl->ctx, list); | |
271 | |
647 | 272 return NGX_OK; |
273 } | |
274 | |
275 | |
2995 | 276 ngx_int_t |
277 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) | |
278 { | |
279 X509_STORE *store; | |
280 X509_LOOKUP *lookup; | |
281 | |
282 if (crl->len == 0) { | |
283 return NGX_OK; | |
284 } | |
285 | |
286 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) { | |
287 return NGX_ERROR; | |
288 } | |
289 | |
290 store = SSL_CTX_get_cert_store(ssl->ctx); | |
291 | |
292 if (store == NULL) { | |
293 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
294 "SSL_CTX_get_cert_store() failed"); | |
295 return NGX_ERROR; | |
296 } | |
297 | |
298 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); | |
299 | |
300 if (lookup == NULL) { | |
301 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
302 "X509_STORE_add_lookup() failed"); | |
303 return NGX_ERROR; | |
304 } | |
305 | |
306 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM) | |
307 == 0) | |
308 { | |
309 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
310 "X509_LOOKUP_load_file(\"%s\") failed", crl->data); | |
311 return NGX_ERROR; | |
312 } | |
313 | |
314 X509_STORE_set_flags(store, | |
315 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
316 | |
317 return NGX_OK; | |
318 } | |
319 | |
320 | |
671 | 321 static int |
322 ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) | |
323 { | |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
324 #if (NGX_DEBUG) |
671 | 325 char *subject, *issuer; |
326 int err, depth; | |
327 X509 *cert; | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
328 X509_NAME *sname, *iname; |
671 | 329 ngx_connection_t *c; |
330 ngx_ssl_conn_t *ssl_conn; | |
331 | |
332 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store, | |
333 SSL_get_ex_data_X509_STORE_CTX_idx()); | |
334 | |
335 c = ngx_ssl_get_connection(ssl_conn); | |
336 | |
337 cert = X509_STORE_CTX_get_current_cert(x509_store); | |
338 err = X509_STORE_CTX_get_error(x509_store); | |
339 depth = X509_STORE_CTX_get_error_depth(x509_store); | |
340 | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
341 sname = X509_get_subject_name(cert); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
342 subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)"; |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
343 |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
344 iname = X509_get_issuer_name(cert); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
345 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)"; |
671 | 346 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
347 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, |
671 | 348 "verify:%d, error:%d, depth:%d, " |
349 "subject:\"%s\",issuer: \"%s\"", | |
350 ok, err, depth, subject, issuer); | |
351 | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
352 if (sname) { |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
353 OPENSSL_free(subject); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
354 } |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
355 |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
356 if (iname) { |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
357 OPENSSL_free(issuer); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
358 } |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
359 #endif |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
360 |
671 | 361 return 1; |
362 } | |
363 | |
364 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
365 static void |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
366 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
367 { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
368 ngx_connection_t *c; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
369 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
370 if (where & SSL_CB_HANDSHAKE_START) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
371 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
372 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
373 if (c->ssl->handshaked) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
374 c->ssl->renegotiation = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
375 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
376 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
377 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
378 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
379 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
380 |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
381 RSA * |
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
382 ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length) |
547 | 383 { |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
384 static RSA *key; |
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
385 |
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
386 if (key_length == 512) { |
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
387 if (key == NULL) { |
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
388 key = RSA_generate_key(512, RSA_F4, NULL, NULL); |
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
389 } |
559 | 390 } |
391 | |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
392 return key; |
547 | 393 } |
394 | |
395 | |
396 ngx_int_t | |
2044 | 397 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
398 { | |
399 DH *dh; | |
400 BIO *bio; | |
401 | |
402 /* | |
403 * -----BEGIN DH PARAMETERS----- | |
404 * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc | |
405 * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl | |
406 * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC | |
407 * -----END DH PARAMETERS----- | |
408 */ | |
409 | |
410 static unsigned char dh1024_p[] = { | |
411 0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5, | |
412 0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B, | |
413 0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76, | |
414 0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5, | |
415 0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04, | |
416 0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04, | |
417 0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF, | |
418 0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50, | |
419 0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E, | |
420 0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA, | |
421 0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B | |
422 }; | |
423 | |
424 static unsigned char dh1024_g[] = { 0x02 }; | |
425 | |
426 | |
427 if (file->len == 0) { | |
428 | |
429 dh = DH_new(); | |
430 if (dh == NULL) { | |
431 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed"); | |
432 return NGX_ERROR; | |
433 } | |
434 | |
435 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); | |
436 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); | |
437 | |
438 if (dh->p == NULL || dh->g == NULL) { | |
439 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed"); | |
440 DH_free(dh); | |
441 return NGX_ERROR; | |
442 } | |
443 | |
444 SSL_CTX_set_tmp_dh(ssl->ctx, dh); | |
445 | |
446 DH_free(dh); | |
447 | |
448 return NGX_OK; | |
449 } | |
450 | |
2536
a6d6d762c554
small optimization: " == NGX_ERROR" > " != NGX_OK"
Igor Sysoev <igor@sysoev.ru>
parents:
2504
diff
changeset
|
451 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
2044 | 452 return NGX_ERROR; |
453 } | |
454 | |
455 bio = BIO_new_file((char *) file->data, "r"); | |
456 if (bio == NULL) { | |
457 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
458 "BIO_new_file(\"%s\") failed", file->data); | |
459 return NGX_ERROR; | |
460 } | |
461 | |
462 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); | |
463 if (dh == NULL) { | |
464 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
465 "PEM_read_bio_DHparams(\"%s\") failed", file->data); | |
466 BIO_free(bio); | |
467 return NGX_ERROR; | |
468 } | |
469 | |
470 SSL_CTX_set_tmp_dh(ssl->ctx, dh); | |
471 | |
472 DH_free(dh); | |
473 BIO_free(bio); | |
474 | |
475 return NGX_OK; | |
476 } | |
477 | |
3960 | 478 ngx_int_t |
479 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) | |
480 { | |
481 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL | |
482 #ifndef OPENSSL_NO_ECDH | |
483 int nid; | |
484 EC_KEY *ecdh; | |
485 | |
486 /* | |
487 * Elliptic-Curve Diffie-Hellman parameters are either "named curves" | |
488 * from RFC 4492 section 5.1.1, or explicitely described curves over | |
489 * binary fields. OpenSSL only supports the "named curves", which provide | |
490 * maximum interoperability. | |
491 */ | |
492 | |
493 nid = OBJ_sn2nid((const char *) name->data); | |
494 if (nid == 0) { | |
495 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
496 "Unknown curve name \"%s\"", name->data); | |
497 return NGX_ERROR; | |
498 } | |
499 | |
500 ecdh = EC_KEY_new_by_curve_name(nid); | |
501 if (ecdh == NULL) { | |
502 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
503 "Unable to create curve \"%s\"", name->data); | |
504 return NGX_ERROR; | |
505 } | |
506 | |
507 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); | |
508 | |
509 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); | |
510 | |
511 EC_KEY_free(ecdh); | |
512 #endif | |
513 #endif | |
514 | |
515 return NGX_OK; | |
516 } | |
2044 | 517 |
518 ngx_int_t | |
547 | 519 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) |
577 | 520 { |
547 | 521 ngx_ssl_connection_t *sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
522 |
547 | 523 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); |
524 if (sc == NULL) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
525 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
526 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
527 |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
528 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
529 |
547 | 530 sc->connection = SSL_new(ssl->ctx); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
531 |
547 | 532 if (sc->connection == NULL) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
533 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
534 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
535 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
536 |
547 | 537 if (SSL_set_fd(sc->connection, c->fd) == 0) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
538 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed"); |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
539 return NGX_ERROR; |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
540 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
541 |
577 | 542 if (flags & NGX_SSL_CLIENT) { |
543 SSL_set_connect_state(sc->connection); | |
544 | |
545 } else { | |
546 SSL_set_accept_state(sc->connection); | |
547 } | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
548 |
969 | 549 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { |
671 | 550 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); |
551 return NGX_ERROR; | |
552 } | |
553 | |
547 | 554 c->ssl = sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
555 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
556 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
557 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
558 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
559 |
547 | 560 ngx_int_t |
577 | 561 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) |
562 { | |
563 if (session) { | |
564 if (SSL_set_session(c->ssl->connection, session) == 0) { | |
565 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed"); | |
566 return NGX_ERROR; | |
567 } | |
568 } | |
569 | |
570 return NGX_OK; | |
571 } | |
572 | |
573 | |
574 ngx_int_t | |
547 | 575 ngx_ssl_handshake(ngx_connection_t *c) |
576 { | |
577 int n, sslerr; | |
578 ngx_err_t err; | |
579 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
580 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
581 |
547 | 582 n = SSL_do_handshake(c->ssl->connection); |
583 | |
577 | 584 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); |
547 | 585 |
586 if (n == 1) { | |
587 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
588 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 589 return NGX_ERROR; |
590 } | |
591 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
592 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 593 return NGX_ERROR; |
594 } | |
595 | |
596 #if (NGX_DEBUG) | |
597 { | |
598 char buf[129], *s, *d; | |
3851 | 599 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
3488
92378c49456d
MSVC8 compatibility with OpenSSL 1.0.0
Igor Sysoev <igor@sysoev.ru>
parents:
3464
diff
changeset
|
600 const |
92378c49456d
MSVC8 compatibility with OpenSSL 1.0.0
Igor Sysoev <igor@sysoev.ru>
parents:
3464
diff
changeset
|
601 #endif |
547 | 602 SSL_CIPHER *cipher; |
603 | |
604 cipher = SSL_get_current_cipher(c->ssl->connection); | |
605 | |
606 if (cipher) { | |
607 SSL_CIPHER_description(cipher, &buf[1], 128); | |
608 | |
609 for (s = &buf[1], d = buf; *s; s++) { | |
610 if (*s == ' ' && *d == ' ') { | |
611 continue; | |
612 } | |
613 | |
614 if (*s == LF || *s == CR) { | |
615 continue; | |
616 } | |
617 | |
618 *++d = *s; | |
619 } | |
620 | |
621 if (*d != ' ') { | |
622 d++; | |
623 } | |
624 | |
625 *d = '\0'; | |
626 | |
583 | 627 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
547 | 628 "SSL: %s, cipher: \"%s\"", |
577 | 629 SSL_get_version(c->ssl->connection), &buf[1]); |
547 | 630 |
631 if (SSL_session_reused(c->ssl->connection)) { | |
583 | 632 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
547 | 633 "SSL reused session"); |
634 } | |
635 | |
636 } else { | |
637 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, | |
577 | 638 "SSL no shared ciphers"); |
547 | 639 } |
640 } | |
641 #endif | |
642 | |
643 c->ssl->handshaked = 1; | |
644 | |
645 c->recv = ngx_ssl_recv; | |
646 c->send = ngx_ssl_write; | |
577 | 647 c->recv_chain = ngx_ssl_recv_chain; |
648 c->send_chain = ngx_ssl_send_chain; | |
547 | 649 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
650 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
651 if (c->ssl->connection->s3) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
652 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
653 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
654 |
547 | 655 return NGX_OK; |
656 } | |
657 | |
658 sslerr = SSL_get_error(c->ssl->connection, n); | |
659 | |
660 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); | |
661 | |
662 if (sslerr == SSL_ERROR_WANT_READ) { | |
663 c->read->ready = 0; | |
664 c->read->handler = ngx_ssl_handshake_handler; | |
591 | 665 c->write->handler = ngx_ssl_handshake_handler; |
547 | 666 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
667 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 668 return NGX_ERROR; |
669 } | |
670 | |
671 return NGX_AGAIN; | |
672 } | |
673 | |
674 if (sslerr == SSL_ERROR_WANT_WRITE) { | |
675 c->write->ready = 0; | |
591 | 676 c->read->handler = ngx_ssl_handshake_handler; |
547 | 677 c->write->handler = ngx_ssl_handshake_handler; |
678 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
679 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 680 return NGX_ERROR; |
681 } | |
682 | |
683 return NGX_AGAIN; | |
684 } | |
685 | |
686 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; | |
687 | |
688 c->ssl->no_wait_shutdown = 1; | |
689 c->ssl->no_send_shutdown = 1; | |
591 | 690 c->read->eof = 1; |
547 | 691 |
692 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { | |
693 ngx_log_error(NGX_LOG_INFO, c->log, err, | |
577 | 694 "peer closed connection in SSL handshake"); |
547 | 695 |
696 return NGX_ERROR; | |
697 } | |
698 | |
591 | 699 c->read->error = 1; |
700 | |
547 | 701 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); |
702 | |
703 return NGX_ERROR; | |
704 } | |
705 | |
706 | |
707 static void | |
708 ngx_ssl_handshake_handler(ngx_event_t *ev) | |
709 { | |
710 ngx_connection_t *c; | |
711 | |
712 c = ev->data; | |
713 | |
549 | 714 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
577 | 715 "SSL handshake handler: %d", ev->write); |
547 | 716 |
591 | 717 if (ev->timedout) { |
718 c->ssl->handler(c); | |
719 return; | |
720 } | |
721 | |
547 | 722 if (ngx_ssl_handshake(c) == NGX_AGAIN) { |
723 return; | |
724 } | |
725 | |
726 c->ssl->handler(c); | |
727 } | |
728 | |
729 | |
489 | 730 ssize_t |
577 | 731 ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl) |
732 { | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
733 u_char *last; |
577 | 734 ssize_t n, bytes; |
735 ngx_buf_t *b; | |
736 | |
737 bytes = 0; | |
738 | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
739 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
740 last = b->last; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
741 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
742 for ( ;; ) { |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
743 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
744 n = ngx_ssl_recv(c, last, b->end - last); |
577 | 745 |
746 if (n > 0) { | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
747 last += n; |
577 | 748 bytes += n; |
749 | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
750 if (last == b->end) { |
577 | 751 cl = cl->next; |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
752 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
753 if (cl == NULL) { |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
754 return bytes; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
755 } |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
756 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
757 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
758 last = b->last; |
577 | 759 } |
760 | |
761 continue; | |
762 } | |
763 | |
764 if (bytes) { | |
2052
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
765 |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
766 if (n == 0 || n == NGX_ERROR) { |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
767 c->read->ready = 1; |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
768 } |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
769 |
577 | 770 return bytes; |
771 } | |
772 | |
773 return n; | |
774 } | |
775 } | |
776 | |
777 | |
778 ssize_t | |
489 | 779 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
780 { |
489 | 781 int n, bytes; |
782 | |
783 if (c->ssl->last == NGX_ERROR) { | |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
784 c->read->error = 1; |
489 | 785 return NGX_ERROR; |
786 } | |
787 | |
577 | 788 if (c->ssl->last == NGX_DONE) { |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
789 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
790 c->read->eof = 1; |
577 | 791 return 0; |
792 } | |
793 | |
489 | 794 bytes = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
795 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
796 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
797 |
489 | 798 /* |
799 * SSL_read() may return data in parts, so try to read | |
800 * until SSL_read() would return no data | |
801 */ | |
802 | |
803 for ( ;; ) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
804 |
543 | 805 n = SSL_read(c->ssl->connection, buf, size); |
489 | 806 |
577 | 807 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
808 |
489 | 809 if (n > 0) { |
810 bytes += n; | |
811 } | |
812 | |
813 c->ssl->last = ngx_ssl_handle_recv(c, n); | |
814 | |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
815 if (c->ssl->last == NGX_OK) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
816 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
817 size -= n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
818 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
819 if (size == 0) { |
489 | 820 return bytes; |
577 | 821 } |
489 | 822 |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
823 buf += n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
824 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
825 continue; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
826 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
827 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
828 if (bytes) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
829 return bytes; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
830 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
831 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
832 switch (c->ssl->last) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
833 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
834 case NGX_DONE: |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
835 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
836 c->read->eof = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
837 return 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
838 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
839 case NGX_ERROR: |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
840 c->read->error = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
841 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
842 /* fall thruogh */ |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
843 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
844 case NGX_AGAIN: |
577 | 845 return c->ssl->last; |
479 | 846 } |
489 | 847 } |
848 } | |
849 | |
850 | |
851 static ngx_int_t | |
852 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | |
853 { | |
547 | 854 int sslerr; |
855 ngx_err_t err; | |
489 | 856 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
857 if (c->ssl->renegotiation) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
858 /* |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
859 * disable renegotiation (CVE-2009-3555): |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
860 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
861 * renegotiation gracefully, so drop connection here |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
862 */ |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
863 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
864 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
865 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
866 c->ssl->no_wait_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
867 c->ssl->no_send_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
868 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
869 return NGX_ERROR; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
870 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
871 |
489 | 872 if (n > 0) { |
479 | 873 |
473 | 874 if (c->ssl->saved_write_handler) { |
875 | |
509 | 876 c->write->handler = c->ssl->saved_write_handler; |
473 | 877 c->ssl->saved_write_handler = NULL; |
878 c->write->ready = 1; | |
879 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
880 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 881 return NGX_ERROR; |
882 } | |
883 | |
563 | 884 ngx_post_event(c->write, &ngx_posted_events); |
473 | 885 } |
886 | |
489 | 887 return NGX_OK; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
888 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
889 |
543 | 890 sslerr = SSL_get_error(c->ssl->connection, n); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
891 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
892 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
893 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
894 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
895 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
896 if (sslerr == SSL_ERROR_WANT_READ) { |
455 | 897 c->read->ready = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
898 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
899 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
900 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
901 if (sslerr == SSL_ERROR_WANT_WRITE) { |
539 | 902 |
547 | 903 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
577 | 904 "peer started SSL renegotiation"); |
473 | 905 |
906 c->write->ready = 0; | |
907 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
908 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 909 return NGX_ERROR; |
910 } | |
911 | |
912 /* | |
913 * we do not set the timer because there is already the read event timer | |
914 */ | |
915 | |
916 if (c->ssl->saved_write_handler == NULL) { | |
509 | 917 c->ssl->saved_write_handler = c->write->handler; |
918 c->write->handler = ngx_ssl_write_handler; | |
473 | 919 } |
920 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
921 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
922 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
923 |
547 | 924 c->ssl->no_wait_shutdown = 1; |
925 c->ssl->no_send_shutdown = 1; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
926 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
927 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
577 | 928 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
929 "peer shutdown SSL cleanly"); | |
930 return NGX_DONE; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
931 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
932 |
547 | 933 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
934 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
935 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
936 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
937 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
938 |
489 | 939 static void |
940 ngx_ssl_write_handler(ngx_event_t *wev) | |
473 | 941 { |
942 ngx_connection_t *c; | |
943 | |
944 c = wev->data; | |
547 | 945 |
509 | 946 c->read->handler(c->read); |
473 | 947 } |
948 | |
949 | |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
950 /* |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
951 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer |
473 | 952 * before the SSL_write() call to decrease a SSL overhead. |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
953 * |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
954 * Besides for protocols such as HTTP it is possible to always buffer |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
955 * the output to decrease a SSL overhead some more. |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
956 */ |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
957 |
489 | 958 ngx_chain_t * |
959 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
960 { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
961 int n; |
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
962 ngx_uint_t flush; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
963 ssize_t send, size; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
964 ngx_buf_t *buf; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
965 |
2280
6453161bf53e
always use buffer, if connection is buffered,
Igor Sysoev <igor@sysoev.ru>
parents:
2165
diff
changeset
|
966 if (!c->ssl->buffer) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
967 |
577 | 968 while (in) { |
969 if (ngx_buf_special(in->buf)) { | |
970 in = in->next; | |
971 continue; | |
972 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
973 |
577 | 974 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); |
975 | |
976 if (n == NGX_ERROR) { | |
977 return NGX_CHAIN_ERROR; | |
978 } | |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
979 |
577 | 980 if (n == NGX_AGAIN) { |
597 | 981 c->buffered |= NGX_SSL_BUFFERED; |
577 | 982 return in; |
983 } | |
984 | |
985 in->buf->pos += n; | |
986 | |
987 if (in->buf->pos == in->buf->last) { | |
988 in = in->next; | |
989 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
990 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
991 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
992 return in; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
993 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
994 |
473 | 995 |
3962
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
996 /* the maximum limit size is the maximum int32_t value - the page size */ |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
997 |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
998 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
999 limit = NGX_MAX_INT32_VALUE - ngx_pagesize; |
473 | 1000 } |
1001 | |
577 | 1002 buf = c->ssl->buf; |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1003 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1004 if (buf == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1005 buf = ngx_create_temp_buf(c->pool, NGX_SSL_BUFSIZE); |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1006 if (buf == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1007 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1008 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1009 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1010 c->ssl->buf = buf; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1011 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1012 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1013 if (buf->start == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1014 buf->start = ngx_palloc(c->pool, NGX_SSL_BUFSIZE); |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1015 if (buf->start == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1016 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1017 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1018 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1019 buf->pos = buf->start; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1020 buf->last = buf->start; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1021 buf->end = buf->start + NGX_SSL_BUFSIZE; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1022 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1023 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1024 send = 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1025 flush = (in == NULL) ? 1 : 0; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1026 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1027 for ( ;; ) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1028 |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
1029 while (in && buf->last < buf->end && send < limit) { |
583 | 1030 if (in->buf->last_buf || in->buf->flush) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1031 flush = 1; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1032 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1033 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1034 if (ngx_buf_special(in->buf)) { |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1035 in = in->next; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1036 continue; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1037 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1038 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1039 size = in->buf->last - in->buf->pos; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1040 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1041 if (size > buf->end - buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1042 size = buf->end - buf->last; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1043 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1044 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1045 if (send + size > limit) { |
577 | 1046 size = (ssize_t) (limit - send); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1047 flush = 1; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1048 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1049 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1050 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1051 "SSL buf copy: %d", size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1052 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1053 ngx_memcpy(buf->last, in->buf->pos, size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1054 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1055 buf->last += size; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1056 in->buf->pos += size; |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
1057 send += size; |
577 | 1058 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1059 if (in->buf->pos == in->buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1060 in = in->next; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1061 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1062 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1063 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1064 size = buf->last - buf->pos; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1065 |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1066 if (!flush && buf->last < buf->end && c->ssl->buffer) { |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1067 break; |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1068 } |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1069 |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1070 n = ngx_ssl_write(c, buf->pos, size); |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1071 |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1072 if (n == NGX_ERROR) { |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
1073 return NGX_CHAIN_ERROR; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1074 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1075 |
511 | 1076 if (n == NGX_AGAIN) { |
597 | 1077 c->buffered |= NGX_SSL_BUFFERED; |
511 | 1078 return in; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1079 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1080 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1081 buf->pos += n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1082 c->sent += n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1083 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1084 if (n < size) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1085 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1086 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1087 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1088 if (buf->pos == buf->last) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1089 buf->pos = buf->start; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1090 buf->last = buf->start; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1091 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1092 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1093 if (in == NULL || send == limit) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1094 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1095 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1096 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1097 |
597 | 1098 if (buf->pos < buf->last) { |
1099 c->buffered |= NGX_SSL_BUFFERED; | |
1100 | |
1101 } else { | |
1102 c->buffered &= ~NGX_SSL_BUFFERED; | |
1103 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1104 |
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
1105 return in; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1106 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1107 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1108 |
539 | 1109 ssize_t |
489 | 1110 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1111 { |
547 | 1112 int n, sslerr; |
1113 ngx_err_t err; | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1114 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1115 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1116 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1117 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %d", size); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1118 |
543 | 1119 n = SSL_write(c->ssl->connection, data, size); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1120 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1121 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1122 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1123 if (n > 0) { |
539 | 1124 |
473 | 1125 if (c->ssl->saved_read_handler) { |
1126 | |
509 | 1127 c->read->handler = c->ssl->saved_read_handler; |
473 | 1128 c->ssl->saved_read_handler = NULL; |
1129 c->read->ready = 1; | |
1130 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1131 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 1132 return NGX_ERROR; |
1133 } | |
1134 | |
563 | 1135 ngx_post_event(c->read, &ngx_posted_events); |
473 | 1136 } |
1137 | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1138 return n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1139 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1140 |
543 | 1141 sslerr = SSL_get_error(c->ssl->connection, n); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1142 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1143 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1144 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1145 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1146 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1147 if (sslerr == SSL_ERROR_WANT_WRITE) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1148 c->write->ready = 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1149 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1150 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1151 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
1152 if (sslerr == SSL_ERROR_WANT_READ) { |
452 | 1153 |
547 | 1154 ngx_log_error(NGX_LOG_INFO, c->log, 0, |
577 | 1155 "peer started SSL renegotiation"); |
473 | 1156 |
1157 c->read->ready = 0; | |
1158 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1159 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 1160 return NGX_ERROR; |
1161 } | |
1162 | |
1163 /* | |
1164 * we do not set the timer because there is already | |
1165 * the write event timer | |
1166 */ | |
1167 | |
1168 if (c->ssl->saved_read_handler == NULL) { | |
509 | 1169 c->ssl->saved_read_handler = c->read->handler; |
1170 c->read->handler = ngx_ssl_read_handler; | |
473 | 1171 } |
1172 | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1173 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1174 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1175 |
547 | 1176 c->ssl->no_wait_shutdown = 1; |
1177 c->ssl->no_send_shutdown = 1; | |
591 | 1178 c->write->error = 1; |
543 | 1179 |
547 | 1180 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1181 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1182 return NGX_ERROR; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1183 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1184 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1185 |
489 | 1186 static void |
1187 ngx_ssl_read_handler(ngx_event_t *rev) | |
473 | 1188 { |
1189 ngx_connection_t *c; | |
1190 | |
1191 c = rev->data; | |
547 | 1192 |
509 | 1193 c->write->handler(c->write); |
473 | 1194 } |
1195 | |
1196 | |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1197 void |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1198 ngx_ssl_free_buffer(ngx_connection_t *c) |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1199 { |
1795
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
1200 if (c->ssl->buf && c->ssl->buf->start) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
1201 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
1202 c->ssl->buf->start = NULL; |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
1203 } |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1204 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1205 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1206 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1207 |
489 | 1208 ngx_int_t |
1209 ngx_ssl_shutdown(ngx_connection_t *c) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1210 { |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1211 int n, sslerr, mode; |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1212 ngx_err_t err; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1213 |
577 | 1214 if (c->timedout) { |
547 | 1215 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
1216 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
1217 |
547 | 1218 } else { |
1219 mode = SSL_get_shutdown(c->ssl->connection); | |
473 | 1220 |
547 | 1221 if (c->ssl->no_wait_shutdown) { |
1222 mode |= SSL_RECEIVED_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
1223 } |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
1224 |
547 | 1225 if (c->ssl->no_send_shutdown) { |
1226 mode |= SSL_SENT_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
1227 } |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
1228 |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
1229 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
1230 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
1231 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1232 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1233 |
547 | 1234 SSL_set_shutdown(c->ssl->connection, mode); |
1235 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1236 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1237 |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1238 n = SSL_shutdown(c->ssl->connection); |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1239 |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1240 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1241 |
461 | 1242 sslerr = 0; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1243 |
1860 | 1244 /* SSL_shutdown() never returns -1, on error it returns 0 */ |
543 | 1245 |
1865
4bcbb0fe5c8d
fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents:
1861
diff
changeset
|
1246 if (n != 1 && ERR_peek_error()) { |
543 | 1247 sslerr = SSL_get_error(c->ssl->connection, n); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1248 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
1249 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
1250 "SSL_get_error: %d", sslerr); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1251 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1252 |
1865
4bcbb0fe5c8d
fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents:
1861
diff
changeset
|
1253 if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) { |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1254 SSL_free(c->ssl->connection); |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1255 c->ssl = NULL; |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1256 |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1257 return NGX_OK; |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1258 } |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1259 |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1260 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { |
577 | 1261 c->read->handler = ngx_ssl_shutdown_handler; |
589 | 1262 c->write->handler = ngx_ssl_shutdown_handler; |
577 | 1263 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1264 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1265 return NGX_ERROR; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1266 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1267 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1268 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1269 return NGX_ERROR; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1270 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1271 |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
1272 if (sslerr == SSL_ERROR_WANT_READ) { |
589 | 1273 ngx_add_timer(c->read, 30000); |
1274 } | |
1275 | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1276 return NGX_AGAIN; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1277 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1278 |
591 | 1279 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
1280 | |
1281 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1282 |
543 | 1283 SSL_free(c->ssl->connection); |
1284 c->ssl = NULL; | |
1285 | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1286 return NGX_ERROR; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1287 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1288 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
1289 |
547 | 1290 static void |
577 | 1291 ngx_ssl_shutdown_handler(ngx_event_t *ev) |
1292 { | |
1293 ngx_connection_t *c; | |
1294 ngx_connection_handler_pt handler; | |
1295 | |
1296 c = ev->data; | |
1297 handler = c->ssl->handler; | |
1298 | |
1299 if (ev->timedout) { | |
1300 c->timedout = 1; | |
1301 } | |
1302 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1303 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); |
577 | 1304 |
1305 if (ngx_ssl_shutdown(c) == NGX_AGAIN) { | |
1306 return; | |
1307 } | |
1308 | |
1309 handler(c); | |
1310 } | |
1311 | |
1312 | |
1313 static void | |
547 | 1314 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, |
1315 char *text) | |
1316 { | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1317 int n; |
547 | 1318 ngx_uint_t level; |
1319 | |
1320 level = NGX_LOG_CRIT; | |
1321 | |
1322 if (sslerr == SSL_ERROR_SYSCALL) { | |
1323 | |
1324 if (err == NGX_ECONNRESET | |
1325 || err == NGX_EPIPE | |
1326 || err == NGX_ENOTCONN | |
589 | 1327 || err == NGX_ETIMEDOUT |
547 | 1328 || err == NGX_ECONNREFUSED |
1869
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
1329 || err == NGX_ENETDOWN |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
1330 || err == NGX_ENETUNREACH |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
1331 || err == NGX_EHOSTDOWN |
547 | 1332 || err == NGX_EHOSTUNREACH) |
1333 { | |
1334 switch (c->log_error) { | |
1335 | |
1336 case NGX_ERROR_IGNORE_ECONNRESET: | |
1337 case NGX_ERROR_INFO: | |
1338 level = NGX_LOG_INFO; | |
1339 break; | |
1340 | |
1341 case NGX_ERROR_ERR: | |
1342 level = NGX_LOG_ERR; | |
1343 break; | |
1344 | |
1345 default: | |
1346 break; | |
1347 } | |
1348 } | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1349 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1350 } else if (sslerr == SSL_ERROR_SSL) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1351 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1352 n = ERR_GET_REASON(ERR_peek_error()); |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1353 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1354 /* handshake failures */ |
3718
bfd84b583868
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3516
diff
changeset
|
1355 if (n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ |
bfd84b583868
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3516
diff
changeset
|
1356 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
1357 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1358 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
1359 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1360 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
1361 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1362 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1363 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
1364 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
3357
fc735aa50b8b
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
1365 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1366 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1367 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
1877
a55876dff8f5
low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents:
1876
diff
changeset
|
1368 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1369 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1370 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1371 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1372 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1373 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1374 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1375 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1376 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1377 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1378 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1379 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1380 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1381 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1382 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1383 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1384 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1385 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1386 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1387 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1388 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1389 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1390 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
1391 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION) /* 1100 */ |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1392 { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1393 switch (c->log_error) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1394 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1395 case NGX_ERROR_IGNORE_ECONNRESET: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1396 case NGX_ERROR_INFO: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1397 level = NGX_LOG_INFO; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1398 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1399 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1400 case NGX_ERROR_ERR: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1401 level = NGX_LOG_ERR; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1402 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1403 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1404 default: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1405 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1406 } |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
1407 } |
547 | 1408 } |
1409 | |
1410 ngx_ssl_error(level, c->log, err, text); | |
1411 } | |
1412 | |
1413 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1414 static void |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1415 ngx_ssl_clear_error(ngx_log_t *log) |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1416 { |
1868 | 1417 while (ERR_peek_error()) { |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1418 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1419 } |
1868 | 1420 |
1421 ERR_clear_error(); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1422 } |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1423 |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1424 |
583 | 1425 void ngx_cdecl |
489 | 1426 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) |
577 | 1427 { |
1861 | 1428 u_long n; |
1429 va_list args; | |
1430 u_char *p, *last; | |
1431 u_char errstr[NGX_MAX_CONF_ERRSTR]; | |
461 | 1432 |
1433 last = errstr + NGX_MAX_CONF_ERRSTR; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1434 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1435 va_start(args, fmt); |
2764
d4a717592877
use ngx_vslprintf(), ngx_slprintf()
Igor Sysoev <igor@sysoev.ru>
parents:
2720
diff
changeset
|
1436 p = ngx_vslprintf(errstr, last - 1, fmt, args); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1437 va_end(args); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1438 |
547 | 1439 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); |
1440 | |
1861 | 1441 for ( ;; ) { |
583 | 1442 |
1443 n = ERR_get_error(); | |
1444 | |
1445 if (n == 0) { | |
1446 break; | |
1447 } | |
547 | 1448 |
1861 | 1449 if (p >= last) { |
1450 continue; | |
1451 } | |
1452 | |
547 | 1453 *p++ = ' '; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1454 |
547 | 1455 ERR_error_string_n(n, (char *) p, last - p); |
1456 | |
1457 while (p < last && *p) { | |
1458 p++; | |
1459 } | |
1460 } | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1461 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1462 ngx_log_error(level, log, err, "%s)", errstr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1463 } |
509 | 1464 |
1465 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1466 ngx_int_t |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1467 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1468 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1469 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1470 long cache_mode; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1471 |
1778 | 1472 if (builtin_session_cache == NGX_SSL_NO_SCACHE) { |
1473 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); | |
1474 return NGX_OK; | |
1475 } | |
1476 | |
3457
17706823a57e
Set SSL session context for "ssl_session_cache none".
Igor Sysoev <igor@sysoev.ru>
parents:
3455
diff
changeset
|
1477 SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len); |
17706823a57e
Set SSL session context for "ssl_session_cache none".
Igor Sysoev <igor@sysoev.ru>
parents:
3455
diff
changeset
|
1478 |
2032 | 1479 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { |
1480 | |
1481 /* | |
1482 * If the server explicitly says that it does not support | |
1483 * session reuse (see SSL_SESS_CACHE_OFF above), then | |
1484 * Outlook Express fails to upload a sent email to | |
1485 * the Sent Items folder on the IMAP server via a separate IMAP | |
1486 * connection in the background. Therefore we have a special | |
1487 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE) | |
1488 * where the server pretends that it supports session reuse, | |
1489 * but it does not actually store any session. | |
1490 */ | |
1491 | |
1492 SSL_CTX_set_session_cache_mode(ssl->ctx, | |
1493 SSL_SESS_CACHE_SERVER | |
1494 |SSL_SESS_CACHE_NO_AUTO_CLEAR | |
1495 |SSL_SESS_CACHE_NO_INTERNAL_STORE); | |
1496 | |
1497 SSL_CTX_sess_set_cache_size(ssl->ctx, 1); | |
1498 | |
1499 return NGX_OK; | |
1500 } | |
1501 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1502 cache_mode = SSL_SESS_CACHE_SERVER; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1503 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1504 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1505 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1506 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1507 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1508 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1509 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1510 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1511 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1512 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1513 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1514 } |
1015
32ebb6b13ff3
ssl_session_timeout was set only if builtin cache was used
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
1515 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1516 |
2710 | 1517 SSL_CTX_set_timeout(ssl->ctx, (long) timeout); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1518 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1519 if (shm_zone) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1520 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1521 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1522 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1523 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1524 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1525 == 0) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1526 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1527 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1528 "SSL_CTX_set_ex_data() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1529 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1530 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1531 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1532 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1533 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1534 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1535 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1536 |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3962
diff
changeset
|
1537 ngx_int_t |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
1538 ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1539 { |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1540 size_t len; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1541 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1542 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1543 |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
1544 if (data) { |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
1545 shm_zone->data = data; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
1546 return NGX_OK; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
1547 } |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
1548 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1549 if (shm_zone->shm.exists) { |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1550 shm_zone->data = data; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1551 return NGX_OK; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1552 } |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1553 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1554 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1555 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1556 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t)); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1557 if (cache == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1558 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1559 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1560 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1561 shpool->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1562 shm_zone->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
1563 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1564 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel, |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1565 ngx_ssl_session_rbtree_insert_value); |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1566 |
1760 | 1567 ngx_queue_init(&cache->expire_queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1568 |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
1569 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len; |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1570 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1571 shpool->log_ctx = ngx_slab_alloc(shpool, len); |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1572 if (shpool->log_ctx == NULL) { |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1573 return NGX_ERROR; |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1574 } |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1575 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1576 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z", |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
1577 &shm_zone->shm.name); |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
1578 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1579 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1580 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1581 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1582 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1583 /* |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1584 * The length of the session id is 16 bytes for SSLv2 sessions and |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1585 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1586 * It seems that the typical length of the external ASN1 representation |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1587 * of a session is 118 or 119 bytes for SSLv3/TSLv1. |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1588 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1589 * Thus on 32-bit platforms we allocate separately an rbtree node, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1590 * a session id, and an ASN1 representation, they take accordingly |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1591 * 64, 32, and 128 bytes. |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1592 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1593 * On 64-bit platforms we allocate separately an rbtree node + session_id, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1594 * and an ASN1 representation, they take accordingly 128 and 128 bytes. |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1595 * |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1596 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1597 * so they are outside the code locked by shared pool mutex |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1598 */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1599 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1600 static int |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1601 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1602 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1603 int len; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1604 u_char *p, *id, *cached_sess; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1605 uint32_t hash; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1606 SSL_CTX *ssl_ctx; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1607 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1608 ngx_connection_t *c; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1609 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1610 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1611 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1612 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1613 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1614 len = i2d_SSL_SESSION(sess, NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1615 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1616 /* do not cache too big session */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1617 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1618 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1619 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1620 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1621 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1622 p = buf; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1623 i2d_SSL_SESSION(sess, &p); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1624 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1625 c = ngx_ssl_get_connection(ssl_conn); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1626 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1627 ssl_ctx = SSL_get_SSL_CTX(ssl_conn); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1628 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1629 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1630 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1631 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1632 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1633 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1634 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1635 /* drop one or two expired sessions */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1636 ngx_ssl_expire_sessions(cache, shpool, 1); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1637 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1638 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1639 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1640 if (cached_sess == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1641 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1642 /* drop the oldest non-expired session and try once more */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1643 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1644 ngx_ssl_expire_sessions(cache, shpool, 0); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1645 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1646 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1647 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1648 if (cached_sess == NULL) { |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1649 sess_id = NULL; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1650 goto failed; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1651 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1652 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1653 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1654 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1655 if (sess_id == NULL) { |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1656 goto failed; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1657 } |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1658 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1659 #if (NGX_PTR_SIZE == 8) |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1660 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1661 id = sess_id->sess_id; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1662 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1663 #else |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1664 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1665 id = ngx_slab_alloc_locked(shpool, sess->session_id_length); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1666 if (id == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1667 goto failed; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1668 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1669 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1670 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1671 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1672 ngx_memcpy(cached_sess, buf, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1673 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1674 ngx_memcpy(id, sess->session_id, sess->session_id_length); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1675 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1676 hash = ngx_crc32_short(sess->session_id, sess->session_id_length); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1677 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1678 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3155 | 1679 "ssl new session: %08XD:%d:%d", |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1680 hash, sess->session_id_length, len); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1681 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1682 sess_id->node.key = hash; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1683 sess_id->node.data = (u_char) sess->session_id_length; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1684 sess_id->id = id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1685 sess_id->len = len; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1686 sess_id->session = cached_sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1687 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
1688 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1689 |
1760 | 1690 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1691 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1692 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1693 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1694 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1695 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1696 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1697 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1698 failed: |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1699 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1700 if (cached_sess) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1701 ngx_slab_free_locked(shpool, cached_sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1702 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1703 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1704 if (sess_id) { |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1705 ngx_slab_free_locked(shpool, sess_id); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1706 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1707 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1708 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1709 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1710 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1711 "could not add new SSL session to the session cache"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1712 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1713 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1714 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1715 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1716 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1717 static ngx_ssl_session_t * |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1718 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, u_char *id, int len, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1719 int *copy) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1720 { |
989
5595e47d4f17
d2i_SSL_SESSION() was changed in 0.9.7f
Igor Sysoev <igor@sysoev.ru>
parents:
974
diff
changeset
|
1721 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1722 const |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1723 #endif |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1724 u_char *p; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1725 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1726 ngx_int_t rc; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1727 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1728 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1729 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1730 ngx_ssl_session_t *sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1731 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1732 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1733 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
1734 #if (NGX_DEBUG) |
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
1735 ngx_connection_t *c; |
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
1736 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1737 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1738 hash = ngx_crc32_short(id, (size_t) len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1739 *copy = 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1740 |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
1741 #if (NGX_DEBUG) |
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
1742 c = ngx_ssl_get_connection(ssl_conn); |
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
1743 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1744 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3155 | 1745 "ssl get session: %08XD:%d", hash, len); |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
1746 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1747 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1748 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn), |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1749 ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1750 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1751 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1752 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1753 sess = NULL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1754 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1755 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1756 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1757 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1758 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1759 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1760 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1761 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1762 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1763 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1764 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1765 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1766 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1767 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1768 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1769 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1770 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1771 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1772 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1773 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1774 /* hash == node->key */ |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1775 |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1776 do { |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1777 sess_id = (ngx_ssl_sess_id_t *) node; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1778 |
1029
ce08bc4cb97b
ngx_strn2cmp() > ngx_memn2cmp()
Igor Sysoev <igor@sysoev.ru>
parents:
1027
diff
changeset
|
1779 rc = ngx_memn2cmp(id, sess_id->id, |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1780 (size_t) len, (size_t) node->data); |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1781 if (rc == 0) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1782 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
1783 if (sess_id->expire > ngx_time()) { |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1784 ngx_memcpy(buf, sess_id->session, sess_id->len); |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1785 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1786 ngx_shmtx_unlock(&shpool->mutex); |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1787 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1788 p = buf; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1789 sess = d2i_SSL_SESSION(NULL, &p, sess_id->len); |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1790 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1791 return sess; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1792 } |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1793 |
1760 | 1794 ngx_queue_remove(&sess_id->queue); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1795 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1796 ngx_rbtree_delete(&cache->session_rbtree, node); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1797 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1798 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1799 #if (NGX_PTR_SIZE == 4) |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1800 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1801 #endif |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1802 ngx_slab_free_locked(shpool, sess_id); |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1803 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1804 sess = NULL; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1805 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1806 goto done; |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1807 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1808 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1809 node = (rc < 0) ? node->left : node->right; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1810 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1811 } while (node != sentinel && hash == node->key); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1812 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1813 break; |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1814 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1815 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1816 done: |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1817 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1818 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1819 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1820 return sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1821 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1822 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1823 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1824 void |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1825 ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1826 { |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1827 SSL_CTX_remove_session(ssl, sess); |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1828 |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1829 ngx_ssl_remove_session(ssl, sess); |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1830 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1831 |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1832 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1833 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1834 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1835 { |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1836 size_t len; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1837 u_char *id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1838 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1839 ngx_int_t rc; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1840 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1841 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1842 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1843 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1844 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1845 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1846 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1847 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1848 if (shm_zone == NULL) { |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1849 return; |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1850 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
1851 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1852 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1853 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1854 id = sess->session_id; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1855 len = (size_t) sess->session_id_length; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1856 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1857 hash = ngx_crc32_short(id, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1858 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1859 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
3155 | 1860 "ssl remove session: %08XD:%uz", hash, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1861 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1862 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1863 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1864 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1865 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1866 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1867 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1868 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1869 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1870 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1871 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1872 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1873 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1874 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1875 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1876 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1877 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1878 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1879 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1880 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1881 /* hash == node->key */ |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1882 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1883 do { |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1884 sess_id = (ngx_ssl_sess_id_t *) node; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1885 |
1029
ce08bc4cb97b
ngx_strn2cmp() > ngx_memn2cmp()
Igor Sysoev <igor@sysoev.ru>
parents:
1027
diff
changeset
|
1886 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1887 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1888 if (rc == 0) { |
1760 | 1889 |
1890 ngx_queue_remove(&sess_id->queue); | |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1891 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
1892 ngx_rbtree_delete(&cache->session_rbtree, node); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1893 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1894 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1895 #if (NGX_PTR_SIZE == 4) |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1896 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1897 #endif |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1898 ngx_slab_free_locked(shpool, sess_id); |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1899 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1900 goto done; |
1025 | 1901 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1902 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1903 node = (rc < 0) ? node->left : node->right; |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1904 |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1905 } while (node != sentinel && hash == node->key); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1906 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1907 break; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1908 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1909 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1910 done: |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
1911 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1912 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1913 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1914 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1915 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1916 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1917 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1918 ngx_slab_pool_t *shpool, ngx_uint_t n) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1919 { |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
1920 time_t now; |
1760 | 1921 ngx_queue_t *q; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1922 ngx_ssl_sess_id_t *sess_id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1923 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
1924 now = ngx_time(); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1925 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1926 while (n < 3) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1927 |
1760 | 1928 if (ngx_queue_empty(&cache->expire_queue)) { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1929 return; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1930 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1931 |
1760 | 1932 q = ngx_queue_last(&cache->expire_queue); |
1933 | |
1934 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); | |
1935 | |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
1936 if (n++ != 0 && sess_id->expire > now) { |
1439 | 1937 return; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1938 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1939 |
1760 | 1940 ngx_queue_remove(q); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1941 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1942 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1943 "expire session: %08Xi", sess_id->node.key); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1944 |
1760 | 1945 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); |
1946 | |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
1947 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1948 #if (NGX_PTR_SIZE == 4) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1949 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
1950 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1951 ngx_slab_free_locked(shpool, sess_id); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1952 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1953 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1954 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1955 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1956 static void |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1957 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1958 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel) |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1959 { |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1960 ngx_rbtree_node_t **p; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1961 ngx_ssl_sess_id_t *sess_id, *sess_id_temp; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1962 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1963 for ( ;; ) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1964 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1965 if (node->key < temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1966 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1967 p = &temp->left; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1968 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1969 } else if (node->key > temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1970 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1971 p = &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1972 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1973 } else { /* node->key == temp->key */ |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1974 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1975 sess_id = (ngx_ssl_sess_id_t *) node; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1976 sess_id_temp = (ngx_ssl_sess_id_t *) temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1977 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1978 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id, |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1979 (size_t) node->data, (size_t) temp->data) |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1980 < 0) ? &temp->left : &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1981 } |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1982 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1983 if (*p == sentinel) { |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1984 break; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1985 } |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1986 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1987 temp = *p; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1988 } |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1989 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
1990 *p = node; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1991 node->parent = temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1992 node->left = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1993 node->right = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1994 ngx_rbt_red(node); |
1043
7073b87fa8e9
style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents:
1029
diff
changeset
|
1995 } |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1996 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
1997 |
509 | 1998 void |
1999 ngx_ssl_cleanup_ctx(void *data) | |
2000 { | |
589 | 2001 ngx_ssl_t *ssl = data; |
509 | 2002 |
589 | 2003 SSL_CTX_free(ssl->ctx); |
509 | 2004 } |
541 | 2005 |
2006 | |
671 | 2007 ngx_int_t |
2008 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
611 | 2009 { |
671 | 2010 s->data = (u_char *) SSL_get_version(c->ssl->connection); |
2011 return NGX_OK; | |
611 | 2012 } |
2013 | |
2014 | |
671 | 2015 ngx_int_t |
2016 ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
611 | 2017 { |
671 | 2018 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection); |
2019 return NGX_OK; | |
611 | 2020 } |
2021 | |
2022 | |
647 | 2023 ngx_int_t |
3154 | 2024 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2025 { | |
2026 int len; | |
2027 u_char *p, *buf; | |
2028 SSL_SESSION *sess; | |
2029 | |
2030 sess = SSL_get0_session(c->ssl->connection); | |
2031 | |
2032 len = i2d_SSL_SESSION(sess, NULL); | |
2033 | |
2034 buf = ngx_alloc(len, c->log); | |
2035 if (buf == NULL) { | |
2036 return NGX_ERROR; | |
2037 } | |
2038 | |
2039 s->len = 2 * len; | |
2040 s->data = ngx_pnalloc(pool, 2 * len); | |
2041 if (s->data == NULL) { | |
3159 | 2042 ngx_free(buf); |
3154 | 2043 return NGX_ERROR; |
2044 } | |
2045 | |
2046 p = buf; | |
2047 i2d_SSL_SESSION(sess, &p); | |
2048 | |
2049 ngx_hex_dump(s->data, buf, len); | |
2050 | |
2051 ngx_free(buf); | |
2052 | |
2053 return NGX_OK; | |
2054 } | |
2055 | |
2056 | |
2057 ngx_int_t | |
2123 | 2058 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2045 | 2059 { |
2060 size_t len; | |
2061 BIO *bio; | |
2062 X509 *cert; | |
2063 | |
2064 s->len = 0; | |
2065 | |
2066 cert = SSL_get_peer_certificate(c->ssl->connection); | |
2067 if (cert == NULL) { | |
2068 return NGX_OK; | |
2069 } | |
2070 | |
2071 bio = BIO_new(BIO_s_mem()); | |
2072 if (bio == NULL) { | |
2073 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); | |
2074 X509_free(cert); | |
2075 return NGX_ERROR; | |
2076 } | |
2077 | |
2078 if (PEM_write_bio_X509(bio, cert) == 0) { | |
2079 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed"); | |
2080 goto failed; | |
2081 } | |
2082 | |
2083 len = BIO_pending(bio); | |
2084 s->len = len; | |
2085 | |
2049 | 2086 s->data = ngx_pnalloc(pool, len); |
2045 | 2087 if (s->data == NULL) { |
2088 goto failed; | |
2089 } | |
2090 | |
2091 BIO_read(bio, s->data, len); | |
2092 | |
2093 BIO_free(bio); | |
2094 X509_free(cert); | |
2095 | |
2096 return NGX_OK; | |
2097 | |
2098 failed: | |
2099 | |
2100 BIO_free(bio); | |
2101 X509_free(cert); | |
2102 | |
2103 return NGX_ERROR; | |
2104 } | |
2105 | |
2106 | |
2107 ngx_int_t | |
2123 | 2108 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2109 { | |
2110 u_char *p; | |
2111 size_t len; | |
2112 ngx_uint_t i; | |
2113 ngx_str_t cert; | |
2114 | |
2115 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { | |
2116 return NGX_ERROR; | |
2117 } | |
2118 | |
2119 if (cert.len == 0) { | |
2120 s->len = 0; | |
2121 return NGX_OK; | |
2122 } | |
2123 | |
2124 len = cert.len - 1; | |
2125 | |
2126 for (i = 0; i < cert.len - 1; i++) { | |
2127 if (cert.data[i] == LF) { | |
2128 len++; | |
2129 } | |
2130 } | |
2131 | |
2132 s->len = len; | |
2133 s->data = ngx_pnalloc(pool, len); | |
2134 if (s->data == NULL) { | |
2135 return NGX_ERROR; | |
2136 } | |
2137 | |
2138 p = s->data; | |
2139 | |
3002
bf0c7e58e016
fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents:
2997
diff
changeset
|
2140 for (i = 0; i < cert.len - 1; i++) { |
2123 | 2141 *p++ = cert.data[i]; |
2142 if (cert.data[i] == LF) { | |
2143 *p++ = '\t'; | |
2144 } | |
2145 } | |
2146 | |
2147 return NGX_OK; | |
2148 } | |
2149 | |
2150 | |
2151 ngx_int_t | |
647 | 2152 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2153 { | |
2154 char *p; | |
2155 size_t len; | |
2156 X509 *cert; | |
2157 X509_NAME *name; | |
2158 | |
2159 s->len = 0; | |
2160 | |
2161 cert = SSL_get_peer_certificate(c->ssl->connection); | |
2162 if (cert == NULL) { | |
2163 return NGX_OK; | |
2164 } | |
2165 | |
2166 name = X509_get_subject_name(cert); | |
2167 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2168 X509_free(cert); |
647 | 2169 return NGX_ERROR; |
2170 } | |
2171 | |
2172 p = X509_NAME_oneline(name, NULL, 0); | |
2173 | |
2174 for (len = 0; p[len]; len++) { /* void */ } | |
2175 | |
2176 s->len = len; | |
2049 | 2177 s->data = ngx_pnalloc(pool, len); |
647 | 2178 if (s->data == NULL) { |
2179 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2180 X509_free(cert); |
647 | 2181 return NGX_ERROR; |
2182 } | |
2183 | |
2184 ngx_memcpy(s->data, p, len); | |
2185 | |
2186 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2187 X509_free(cert); |
647 | 2188 |
2189 return NGX_OK; | |
2190 } | |
2191 | |
2192 | |
2193 ngx_int_t | |
2194 ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
2195 { | |
2196 char *p; | |
2197 size_t len; | |
2198 X509 *cert; | |
2199 X509_NAME *name; | |
2200 | |
2201 s->len = 0; | |
2202 | |
2203 cert = SSL_get_peer_certificate(c->ssl->connection); | |
2204 if (cert == NULL) { | |
2205 return NGX_OK; | |
2206 } | |
2207 | |
2208 name = X509_get_issuer_name(cert); | |
2209 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2210 X509_free(cert); |
647 | 2211 return NGX_ERROR; |
2212 } | |
2213 | |
2214 p = X509_NAME_oneline(name, NULL, 0); | |
2215 | |
2216 for (len = 0; p[len]; len++) { /* void */ } | |
2217 | |
2218 s->len = len; | |
2049 | 2219 s->data = ngx_pnalloc(pool, len); |
647 | 2220 if (s->data == NULL) { |
2221 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2222 X509_free(cert); |
647 | 2223 return NGX_ERROR; |
2224 } | |
2225 | |
2226 ngx_memcpy(s->data, p, len); | |
2227 | |
2228 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2229 X509_free(cert); |
647 | 2230 |
2231 return NGX_OK; | |
2232 } | |
2233 | |
2234 | |
671 | 2235 ngx_int_t |
2236 ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
2237 { | |
2238 size_t len; | |
2239 X509 *cert; | |
2240 BIO *bio; | |
2241 | |
2242 s->len = 0; | |
2243 | |
2244 cert = SSL_get_peer_certificate(c->ssl->connection); | |
2245 if (cert == NULL) { | |
2246 return NGX_OK; | |
2247 } | |
2248 | |
2249 bio = BIO_new(BIO_s_mem()); | |
2250 if (bio == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2251 X509_free(cert); |
671 | 2252 return NGX_ERROR; |
2253 } | |
2254 | |
2255 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); | |
2256 len = BIO_pending(bio); | |
2257 | |
2258 s->len = len; | |
2049 | 2259 s->data = ngx_pnalloc(pool, len); |
671 | 2260 if (s->data == NULL) { |
2261 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2262 X509_free(cert); |
671 | 2263 return NGX_ERROR; |
2264 } | |
2265 | |
2266 BIO_read(bio, s->data, len); | |
2267 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
2268 X509_free(cert); |
671 | 2269 |
2270 return NGX_OK; | |
2271 } | |
2272 | |
2273 | |
2994 | 2274 ngx_int_t |
2275 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
2276 { | |
2277 X509 *cert; | |
2278 | |
2279 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) { | |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3488
diff
changeset
|
2280 ngx_str_set(s, "FAILED"); |
2994 | 2281 return NGX_OK; |
2282 } | |
2283 | |
2284 cert = SSL_get_peer_certificate(c->ssl->connection); | |
2285 | |
2286 if (cert) { | |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3488
diff
changeset
|
2287 ngx_str_set(s, "SUCCESS"); |
2994 | 2288 |
2289 } else { | |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3488
diff
changeset
|
2290 ngx_str_set(s, "NONE"); |
2994 | 2291 } |
2292 | |
2293 X509_free(cert); | |
2294 | |
2295 return NGX_OK; | |
2296 } | |
2297 | |
2298 | |
541 | 2299 static void * |
2300 ngx_openssl_create_conf(ngx_cycle_t *cycle) | |
2301 { | |
2302 ngx_openssl_conf_t *oscf; | |
577 | 2303 |
541 | 2304 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t)); |
2305 if (oscf == NULL) { | |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2764
diff
changeset
|
2306 return NULL; |
541 | 2307 } |
577 | 2308 |
541 | 2309 /* |
2310 * set by ngx_pcalloc(): | |
577 | 2311 * |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2312 * oscf->engine = 0; |
577 | 2313 */ |
541 | 2314 |
2315 return oscf; | |
2316 } | |
2317 | |
2318 | |
2319 static char * | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2320 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
541 | 2321 { |
2322 ngx_openssl_conf_t *oscf = conf; | |
571 | 2323 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2324 ENGINE *engine; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2325 ngx_str_t *value; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2326 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2327 if (oscf->engine) { |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2328 return "is duplicate"; |
541 | 2329 } |
577 | 2330 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2331 oscf->engine = 1; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2332 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2333 value = cf->args->elts; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2334 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2335 engine = ENGINE_by_id((const char *) value[1].data); |
541 | 2336 |
2337 if (engine == NULL) { | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2338 ngx_ssl_error(NGX_LOG_WARN, cf->log, 0, |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2339 "ENGINE_by_id(\"%V\") failed", &value[1]); |
541 | 2340 return NGX_CONF_ERROR; |
2341 } | |
2342 | |
2343 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2344 ngx_ssl_error(NGX_LOG_WARN, cf->log, 0, |
541 | 2345 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2346 &value[1]); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2347 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2348 ENGINE_free(engine); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2349 |
541 | 2350 return NGX_CONF_ERROR; |
2351 } | |
2352 | |
2353 ENGINE_free(engine); | |
2354 | |
2355 return NGX_CONF_OK; | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
2356 } |
571 | 2357 |
2358 | |
2359 static void | |
2360 ngx_openssl_exit(ngx_cycle_t *cycle) | |
2361 { | |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
2362 EVP_cleanup(); |
571 | 2363 ENGINE_cleanup(); |
2364 } |