nginx-quic: src/event/ngx_event

annotate src/event/ngx_event_openssl.c @ 4192:61e4af19df9f

Autoindex: escape '?' in file names. For files with '?' in their names autoindex generated links with '?' not escaped. This resulted in effectively truncated links as '?' indicates query string start. This is an updated version of the patch originally posted at [1]. It introduces generic NGX_ESCAPE_URI_COMPONENT which escapes everything but unreserved characters as per RFC 3986. This approach also renders unneeded special colon processing (as colon is percent-encoded now), it's dropped accordingly. [1] http://nginx.org/pipermail/nginx-devel/2010-February/000112.html Reported by Konstantin Leonov.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Tue, 11 Oct 2011 17:56:51 +0000
parents	cce2fd0acc0f
children	5fef0313f2ff

rev	line source
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	2 /*
444 42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright Igor Sysoev <igor@sysoev.ru> parents: 441 diff changeset	3 * Copyright (C) Igor Sysoev
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	4 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	5
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	6
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	7 #include <ngx_config.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	8 #include <ngx_core.h>
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	9 #include <ngx_event.h>
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	10
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	11
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	12 typedef struct {
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	13 ngx_uint_t engine; /* unsigned engine:1; */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	14 } ngx_openssl_conf_t;
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	15
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	16
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	17 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	18 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	19 int ret);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	20 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	21 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	22 static void ngx_ssl_write_handler(ngx_event_t *wev);
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	23 static void ngx_ssl_read_handler(ngx_event_t *rev);
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	24 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	25 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	26 ngx_err_t err, char *text);
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	27 static void ngx_ssl_clear_error(ngx_log_t *log);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	28
3992 a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not Igor Sysoev <igor@sysoev.ru> parents: 3962 diff changeset	29 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t shm_zone, void data);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	30 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	31 ngx_ssl_session_t *sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	32 static ngx_ssl_session_t ngx_ssl_get_cached_session(ngx_ssl_conn_t ssl_conn,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	33 u_char id, int len, int copy);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	34 static void ngx_ssl_remove_session(SSL_CTX ssl, ngx_ssl_session_t sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	35 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	36 ngx_slab_pool_t *shpool, ngx_uint_t n);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	37 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	38 ngx_rbtree_node_t node, ngx_rbtree_node_t sentinel);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	39
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	40 static void ngx_openssl_create_conf(ngx_cycle_t cycle);
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	41 static char ngx_openssl_engine(ngx_conf_t cf, ngx_command_t cmd, void conf);
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	42 static void ngx_openssl_exit(ngx_cycle_t *cycle);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	43
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	44
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	45 static ngx_command_t ngx_openssl_commands[] = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	46
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	47 { ngx_string("ssl_engine"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	48 NGX_MAIN_CONF\|NGX_DIRECT_CONF\|NGX_CONF_TAKE1,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	49 ngx_openssl_engine,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	50 0,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	51 0,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	52 NULL },
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	53
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	54 ngx_null_command
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	55 };
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	56
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	57
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	58 static ngx_core_module_t ngx_openssl_module_ctx = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	59 ngx_string("openssl"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	60 ngx_openssl_create_conf,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	61 NULL
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	62 };
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	63
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	64
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	65 ngx_module_t ngx_openssl_module = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	66 NGX_MODULE_V1,
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	67 &ngx_openssl_module_ctx, /* module context */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	68 ngx_openssl_commands, /* module directives */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	69 NGX_CORE_MODULE, /* module type */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	70 NULL, /* init master */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	71 NULL, /* init module */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	72 NULL, /* init process */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	73 NULL, /* init thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	74 NULL, /* exit thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	75 NULL, /* exit process */
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	76 ngx_openssl_exit, /* exit master */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	77 NGX_MODULE_V1_PADDING
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	78 };
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	79
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	80
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	81 static long ngx_ssl_protocols[] = {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	82 SSL_OP_NO_SSLv2\|SSL_OP_NO_SSLv3\|SSL_OP_NO_TLSv1,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	83 SSL_OP_NO_SSLv3\|SSL_OP_NO_TLSv1,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	84 SSL_OP_NO_SSLv2\|SSL_OP_NO_TLSv1,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	85 SSL_OP_NO_TLSv1,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	86 SSL_OP_NO_SSLv2\|SSL_OP_NO_SSLv3,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	87 SSL_OP_NO_SSLv3,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	88 SSL_OP_NO_SSLv2,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	89 0,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	90 };
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	91
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	92
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	93 int ngx_ssl_connection_index;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	94 int ngx_ssl_server_conf_index;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	95 int ngx_ssl_session_cache_index;
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	96
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	97
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	98 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	99 ngx_ssl_init(ngx_log_t *log)
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	100 {
968 1b60ecc8cdb7 OPENSSL_config() Igor Sysoev <igor@sysoev.ru> parents: 671 diff changeset	101 OPENSSL_config(NULL);
1b60ecc8cdb7 OPENSSL_config() Igor Sysoev <igor@sysoev.ru> parents: 671 diff changeset	102
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	103 SSL_library_init();
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	104 SSL_load_error_strings();
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	105
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	106 ENGINE_load_builtin_engines();
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	107
3464 7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	108 OpenSSL_add_all_algorithms();
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	109
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	110 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	111
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	112 if (ngx_ssl_connection_index == -1) {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	113 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	114 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	115 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	116
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	117 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	118 NULL);
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	119 if (ngx_ssl_server_conf_index == -1) {
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	120 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	121 "SSL_CTX_get_ex_new_index() failed");
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	122 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	123 }
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	124
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	125 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	126 NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	127 if (ngx_ssl_session_cache_index == -1) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	128 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	129 "SSL_CTX_get_ex_new_index() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	130 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	131 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	132
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	133 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	134 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	135
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	136
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	137 ngx_int_t
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	138 ngx_ssl_create(ngx_ssl_t ssl, ngx_uint_t protocols, void data)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	139 {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	140 ssl->ctx = SSL_CTX_new(SSLv23_method());
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	141
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	142 if (ssl->ctx == NULL) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	143 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	144 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	145 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	146
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	147 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	148 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	149 "SSL_CTX_set_ex_data() failed");
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	150 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	151 }
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	152
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	153 /* client side options */
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	154
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	155 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	156 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	157
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	158 /* server side options */
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	159
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	160 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	161 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	162
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	163 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	164 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	165
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	166 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	167 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	168 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	169
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	170 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	171
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	172 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	173
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	174 if (ngx_ssl_protocols[protocols >> 1] != 0) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	175 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	176 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	177
4185 6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	178 #ifdef SSL_OP_NO_COMPRESSION
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	179 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	180 #endif
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	181
4186 cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	182 #ifdef SSL_MODE_RELEASE_BUFFERS
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	183 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	184 #endif
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	185
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	186 SSL_CTX_set_read_ahead(ssl->ctx, 1);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	187
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	188 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	189
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	190 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	191 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	192
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	193
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	194 ngx_int_t
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	195 ngx_ssl_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	196 ngx_str_t *key)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	197 {
2536 a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK" Igor Sysoev <igor@sysoev.ru> parents: 2504 diff changeset	198 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	199 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	200 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	201
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	202 if (SSL_CTX_use_certificate_chain_file(ssl->ctx, (char *) cert->data)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	203 == 0)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	204 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	205 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	206 "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	207 cert->data);
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	208 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	209 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	210
2536 a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK" Igor Sysoev <igor@sysoev.ru> parents: 2504 diff changeset	211 if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	212 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	213 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	214
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	215 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	216 SSL_FILETYPE_PEM)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	217 == 0)
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	218 {
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	219 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	220 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	221 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	222 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	223
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	224 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	225 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	226
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	227
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	228 ngx_int_t
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	229 ngx_ssl_client_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	230 ngx_int_t depth)
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	231 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	232 STACK_OF(X509_NAME) *list;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	233
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	234 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_http_ssl_verify_callback);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	235
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	236 SSL_CTX_set_verify_depth(ssl->ctx, depth);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	237
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	238 if (cert->len == 0) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	239 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	240 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	241
2536 a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK" Igor Sysoev <igor@sysoev.ru> parents: 2504 diff changeset	242 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	243 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	244 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	245
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	246 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	247 == 0)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	248 {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	249 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	250 "SSL_CTX_load_verify_locations(\"%s\") failed",
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	251 cert->data);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	252 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	253 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	254
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	255 list = SSL_load_client_CA_file((char *) cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	256
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	257 if (list == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	258 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	259 "SSL_load_client_CA_file(\"%s\") failed", cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	260 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	261 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	262
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	263 /*
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	264 * before 0.9.7h and 0.9.8 SSL_load_client_CA_file()
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	265 * always leaved an error in the error queue
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	266 */
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	267
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	268 ERR_clear_error();
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	269
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	270 SSL_CTX_set_client_CA_list(ssl->ctx, list);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	271
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	272 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	273 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	274
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	275
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	276 ngx_int_t
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	277 ngx_ssl_crl(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *crl)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	278 {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	279 X509_STORE *store;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	280 X509_LOOKUP *lookup;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	281
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	282 if (crl->len == 0) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	283 return NGX_OK;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	284 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	285
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	286 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	287 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	288 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	289
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	290 store = SSL_CTX_get_cert_store(ssl->ctx);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	291
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	292 if (store == NULL) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	293 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	294 "SSL_CTX_get_cert_store() failed");
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	295 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	296 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	297
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	298 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	299
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	300 if (lookup == NULL) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	301 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	302 "X509_STORE_add_lookup() failed");
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	303 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	304 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	305
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	306 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	307 == 0)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	308 {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	309 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	310 "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	311 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	312 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	313
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	314 X509_STORE_set_flags(store,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	315 X509_V_FLAG_CRL_CHECK\|X509_V_FLAG_CRL_CHECK_ALL);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	316
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	317 return NGX_OK;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	318 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	319
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	320
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	321 static int
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	322 ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	323 {
1977 40c9cb8576bb get certificate info only for debug build Igor Sysoev <igor@sysoev.ru> parents: 1976 diff changeset	324 #if (NGX_DEBUG)
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	325 char subject, issuer;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	326 int err, depth;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	327 X509 *cert;
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	328 X509_NAME sname, iname;
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	329 ngx_connection_t *c;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	330 ngx_ssl_conn_t *ssl_conn;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	331
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	332 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	333 SSL_get_ex_data_X509_STORE_CTX_idx());
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	334
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	335 c = ngx_ssl_get_connection(ssl_conn);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	336
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	337 cert = X509_STORE_CTX_get_current_cert(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	338 err = X509_STORE_CTX_get_error(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	339 depth = X509_STORE_CTX_get_error_depth(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	340
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	341 sname = X509_get_subject_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	342 subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	343
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	344 iname = X509_get_issuer_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	345 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	346
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	347 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	348 "verify:%d, error:%d, depth:%d, "
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	349 "subject:\"%s\",issuer: \"%s\"",
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	350 ok, err, depth, subject, issuer);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	351
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	352 if (sname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	353 OPENSSL_free(subject);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	354 }
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	355
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	356 if (iname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	357 OPENSSL_free(issuer);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	358 }
1977 40c9cb8576bb get certificate info only for debug build Igor Sysoev <igor@sysoev.ru> parents: 1976 diff changeset	359 #endif
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	360
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	361 return 1;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	362 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	363
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	364
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	365 static void
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	366 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	367 {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	368 ngx_connection_t *c;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	369
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	370 if (where & SSL_CB_HANDSHAKE_START) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	371 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	372
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	373 if (c->ssl->handshaked) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	374 c->ssl->renegotiation = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	375 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	376 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	377 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	378 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	379
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	380
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	381 RSA *
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	382 ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	383 {
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	384 static RSA *key;
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	385
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	386 if (key_length == 512) {
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	387 if (key == NULL) {
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	388 key = RSA_generate_key(512, RSA_F4, NULL, NULL);
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	389 }
559 c1f965ef9718 nginx-0.3.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 549 diff changeset	390 }
c1f965ef9718 nginx-0.3.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 549 diff changeset	391
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	392 return key;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	393 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	394
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	395
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	396 ngx_int_t
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	397 ngx_ssl_dhparam(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file)
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	398 {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	399 DH *dh;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	400 BIO *bio;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	401
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	402 /*
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	403 * -----BEGIN DH PARAMETERS-----
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	404 * MIGHAoGBALu8LcrYRnSQfEP89YDpz9vZWKP1aLQtSwju1OsPs1BMbAMCducQgAxc
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	405 * y7qokiYUxb7spWWl/fHSh6K8BJvmd4Bg6RqSp1fjBI9osHb302zI8pul34HcLKcl
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	406 * 7OZicMyaUDXYzs7vnqAnSmOrHlj6/UmI0PZdFGdX2gcd8EXP4WubAgEC
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	407 * -----END DH PARAMETERS-----
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	408 */
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	409
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	410 static unsigned char dh1024_p[] = {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	411 0xBB, 0xBC, 0x2D, 0xCA, 0xD8, 0x46, 0x74, 0x90, 0x7C, 0x43, 0xFC, 0xF5,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	412 0x80, 0xE9, 0xCF, 0xDB, 0xD9, 0x58, 0xA3, 0xF5, 0x68, 0xB4, 0x2D, 0x4B,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	413 0x08, 0xEE, 0xD4, 0xEB, 0x0F, 0xB3, 0x50, 0x4C, 0x6C, 0x03, 0x02, 0x76,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	414 0xE7, 0x10, 0x80, 0x0C, 0x5C, 0xCB, 0xBA, 0xA8, 0x92, 0x26, 0x14, 0xC5,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	415 0xBE, 0xEC, 0xA5, 0x65, 0xA5, 0xFD, 0xF1, 0xD2, 0x87, 0xA2, 0xBC, 0x04,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	416 0x9B, 0xE6, 0x77, 0x80, 0x60, 0xE9, 0x1A, 0x92, 0xA7, 0x57, 0xE3, 0x04,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	417 0x8F, 0x68, 0xB0, 0x76, 0xF7, 0xD3, 0x6C, 0xC8, 0xF2, 0x9B, 0xA5, 0xDF,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	418 0x81, 0xDC, 0x2C, 0xA7, 0x25, 0xEC, 0xE6, 0x62, 0x70, 0xCC, 0x9A, 0x50,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	419 0x35, 0xD8, 0xCE, 0xCE, 0xEF, 0x9E, 0xA0, 0x27, 0x4A, 0x63, 0xAB, 0x1E,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	420 0x58, 0xFA, 0xFD, 0x49, 0x88, 0xD0, 0xF6, 0x5D, 0x14, 0x67, 0x57, 0xDA,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	421 0x07, 0x1D, 0xF0, 0x45, 0xCF, 0xE1, 0x6B, 0x9B
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	422 };
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	423
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	424 static unsigned char dh1024_g[] = { 0x02 };
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	425
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	426
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	427 if (file->len == 0) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	428
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	429 dh = DH_new();
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	430 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	431 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "DH_new() failed");
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	432 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	433 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	434
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	435 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	436 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	437
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	438 if (dh->p == NULL \|\| dh->g == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	439 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "BN_bin2bn() failed");
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	440 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	441 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	442 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	443
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	444 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	445
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	446 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	447
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	448 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	449 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	450
2536 a6d6d762c554 small optimization: " == NGX_ERROR" > " != NGX_OK" Igor Sysoev <igor@sysoev.ru> parents: 2504 diff changeset	451 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	452 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	453 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	454
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	455 bio = BIO_new_file((char *) file->data, "r");
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	456 if (bio == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	457 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	458 "BIO_new_file(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	459 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	460 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	461
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	462 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	463 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	464 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	465 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	466 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	467 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	468 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	469
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	470 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	471
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	472 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	473 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	474
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	475 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	476 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	477
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	478 ngx_int_t
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	479 ngx_ssl_ecdh_curve(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *name)
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	480 {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	481 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	482 #ifndef OPENSSL_NO_ECDH
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	483 int nid;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	484 EC_KEY *ecdh;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	485
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	486 /*
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	487 * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	488 * from RFC 4492 section 5.1.1, or explicitely described curves over
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	489 * binary fields. OpenSSL only supports the "named curves", which provide
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	490 * maximum interoperability.
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	491 */
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	492
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	493 nid = OBJ_sn2nid((const char *) name->data);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	494 if (nid == 0) {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	495 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	496 "Unknown curve name \"%s\"", name->data);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	497 return NGX_ERROR;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	498 }
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	499
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	500 ecdh = EC_KEY_new_by_curve_name(nid);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	501 if (ecdh == NULL) {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	502 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	503 "Unable to create curve \"%s\"", name->data);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	504 return NGX_ERROR;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	505 }
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	506
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	507 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	508
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	509 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	510
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	511 EC_KEY_free(ecdh);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	512 #endif
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	513 #endif
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	514
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	515 return NGX_OK;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	516 }
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	517
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	518 ngx_int_t
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	519 ngx_ssl_create_connection(ngx_ssl_t ssl, ngx_connection_t c, ngx_uint_t flags)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	520 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	521 ngx_ssl_connection_t *sc;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	522
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	523 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	524 if (sc == NULL) {
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	525 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	526 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	527
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	528 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	529
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	530 sc->connection = SSL_new(ssl->ctx);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	531
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	532 if (sc->connection == NULL) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	533 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	534 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	535 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	536
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	537 if (SSL_set_fd(sc->connection, c->fd) == 0) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	538 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	539 return NGX_ERROR;
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	540 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	541
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	542 if (flags & NGX_SSL_CLIENT) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	543 SSL_set_connect_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	544
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	545 } else {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	546 SSL_set_accept_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	547 }
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	548
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	549 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	550 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	551 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	552 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	553
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	554 c->ssl = sc;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	555
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	556 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	557 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	558
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	559
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	560 ngx_int_t
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	561 ngx_ssl_set_session(ngx_connection_t c, ngx_ssl_session_t session)
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	562 {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	563 if (session) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	564 if (SSL_set_session(c->ssl->connection, session) == 0) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	565 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	566 return NGX_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	567 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	568 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	569
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	570 return NGX_OK;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	571 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	572
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	573
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	574 ngx_int_t
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	575 ngx_ssl_handshake(ngx_connection_t *c)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	576 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	577 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	578 ngx_err_t err;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	579
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	580 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	581
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	582 n = SSL_do_handshake(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	583
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	584 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	585
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	586 if (n == 1) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	587
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	588 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	589 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	590 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	591
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	592 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	593 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	594 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	595
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	596 #if (NGX_DEBUG)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	597 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	598 char buf[129], s, d;
3851 033015e01eec fix building on Fedora 14 Igor Sysoev <igor@sysoev.ru> parents: 3815 diff changeset	599 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
3488 92378c49456d MSVC8 compatibility with OpenSSL 1.0.0 Igor Sysoev <igor@sysoev.ru> parents: 3464 diff changeset	600 const
92378c49456d MSVC8 compatibility with OpenSSL 1.0.0 Igor Sysoev <igor@sysoev.ru> parents: 3464 diff changeset	601 #endif
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	602 SSL_CIPHER *cipher;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	603
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	604 cipher = SSL_get_current_cipher(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	605
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	606 if (cipher) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	607 SSL_CIPHER_description(cipher, &buf[1], 128);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	608
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	609 for (s = &buf[1], d = buf; *s; s++) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	610 if (s == ' ' && d == ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	611 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	612 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	613
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	614 if (s == LF \|\| s == CR) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	615 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	616 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	617
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	618 ++d = s;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	619 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	620
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	621 if (*d != ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	622 d++;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	623 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	624
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	625 *d = '\0';
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	626
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	627 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	628 "SSL: %s, cipher: \"%s\"",
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	629 SSL_get_version(c->ssl->connection), &buf[1]);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	630
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	631 if (SSL_session_reused(c->ssl->connection)) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	632 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	633 "SSL reused session");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	634 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	635
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	636 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	637 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	638 "SSL no shared ciphers");
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	639 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	640 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	641 #endif
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	642
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	643 c->ssl->handshaked = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	644
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	645 c->recv = ngx_ssl_recv;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	646 c->send = ngx_ssl_write;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	647 c->recv_chain = ngx_ssl_recv_chain;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	648 c->send_chain = ngx_ssl_send_chain;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	649
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	650 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	651 if (c->ssl->connection->s3) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	652 c->ssl->connection->s3->flags \|= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	653 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	654
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	655 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	656 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	657
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	658 sslerr = SSL_get_error(c->ssl->connection, n);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	659
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	660 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	661
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	662 if (sslerr == SSL_ERROR_WANT_READ) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	663 c->read->ready = 0;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	664 c->read->handler = ngx_ssl_handshake_handler;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	665 c->write->handler = ngx_ssl_handshake_handler;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	666
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	667 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	668 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	669 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	670
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	671 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	672 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	673
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	674 if (sslerr == SSL_ERROR_WANT_WRITE) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	675 c->write->ready = 0;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	676 c->read->handler = ngx_ssl_handshake_handler;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	677 c->write->handler = ngx_ssl_handshake_handler;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	678
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	679 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	680 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	681 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	682
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	683 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	684 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	685
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	686 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	687
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	688 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	689 c->ssl->no_send_shutdown = 1;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	690 c->read->eof = 1;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	691
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	692 if (sslerr == SSL_ERROR_ZERO_RETURN \|\| ERR_peek_error() == 0) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	693 ngx_log_error(NGX_LOG_INFO, c->log, err,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	694 "peer closed connection in SSL handshake");
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	695
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	696 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	697 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	698
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	699 c->read->error = 1;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	700
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	701 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	702
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	703 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	704 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	705
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	706
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	707 static void
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	708 ngx_ssl_handshake_handler(ngx_event_t *ev)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	709 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	710 ngx_connection_t *c;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	711
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	712 c = ev->data;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	713
549 e16a8d574da5 nginx-0.2.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 547 diff changeset	714 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	715 "SSL handshake handler: %d", ev->write);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	716
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	717 if (ev->timedout) {
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	718 c->ssl->handler(c);
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	719 return;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	720 }
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	721
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	722 if (ngx_ssl_handshake(c) == NGX_AGAIN) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	723 return;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	724 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	725
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	726 c->ssl->handler(c);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	727 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	728
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	729
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	730 ssize_t
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	731 ngx_ssl_recv_chain(ngx_connection_t c, ngx_chain_t cl)
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	732 {
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	733 u_char *last;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	734 ssize_t n, bytes;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	735 ngx_buf_t *b;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	736
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	737 bytes = 0;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	738
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	739 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	740 last = b->last;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	741
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	742 for ( ;; ) {
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	743
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	744 n = ngx_ssl_recv(c, last, b->end - last);
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	745
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	746 if (n > 0) {
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	747 last += n;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	748 bytes += n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	749
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	750 if (last == b->end) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	751 cl = cl->next;
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	752
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	753 if (cl == NULL) {
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	754 return bytes;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	755 }
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	756
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	757 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	758 last = b->last;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	759 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	760
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	761 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	762 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	763
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	764 if (bytes) {
2052 b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	765
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	766 if (n == 0 \|\| n == NGX_ERROR) {
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	767 c->read->ready = 1;
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	768 }
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	769
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	770 return bytes;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	771 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	772
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	773 return n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	774 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	775 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	776
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	777
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	778 ssize_t
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	779 ngx_ssl_recv(ngx_connection_t c, u_char buf, size_t size)
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	780 {
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	781 int n, bytes;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	782
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	783 if (c->ssl->last == NGX_ERROR) {
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	784 c->read->error = 1;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	785 return NGX_ERROR;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	786 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	787
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	788 if (c->ssl->last == NGX_DONE) {
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	789 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	790 c->read->eof = 1;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	791 return 0;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	792 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	793
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	794 bytes = 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	795
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	796 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	797
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	798 /*
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	799 * SSL_read() may return data in parts, so try to read
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	800 * until SSL_read() would return no data
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	801 */
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	802
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	803 for ( ;; ) {
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	804
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	805 n = SSL_read(c->ssl->connection, buf, size);
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	806
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	807 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	808
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	809 if (n > 0) {
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	810 bytes += n;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	811 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	812
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	813 c->ssl->last = ngx_ssl_handle_recv(c, n);
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	814
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	815 if (c->ssl->last == NGX_OK) {
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	816
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	817 size -= n;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	818
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	819 if (size == 0) {
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	820 return bytes;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	821 }
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	822
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	823 buf += n;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	824
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	825 continue;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	826 }
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	827
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	828 if (bytes) {
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	829 return bytes;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	830 }
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	831
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	832 switch (c->ssl->last) {
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	833
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	834 case NGX_DONE:
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	835 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	836 c->read->eof = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	837 return 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	838
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	839 case NGX_ERROR:
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	840 c->read->error = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	841
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	842 /* fall thruogh */
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	843
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	844 case NGX_AGAIN:
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	845 return c->ssl->last;
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	846 }
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	847 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	848 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	849
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	850
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	851 static ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	852 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	853 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	854 int sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	855 ngx_err_t err;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	856
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	857 if (c->ssl->renegotiation) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	858 /*
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	859 * disable renegotiation (CVE-2009-3555):
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	860 * OpenSSL (at least up to 0.9.8l) does not handle disabled
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	861 * renegotiation gracefully, so drop connection here
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	862 */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	863
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	864 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	865
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	866 c->ssl->no_wait_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	867 c->ssl->no_send_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	868
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	869 return NGX_ERROR;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	870 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	871
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	872 if (n > 0) {
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	873
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	874 if (c->ssl->saved_write_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	875
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	876 c->write->handler = c->ssl->saved_write_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	877 c->ssl->saved_write_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	878 c->write->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	879
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	880 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	881 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	882 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	883
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	884 ngx_post_event(c->write, &ngx_posted_events);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	885 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	886
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	887 return NGX_OK;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	888 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	889
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	890 sslerr = SSL_get_error(c->ssl->connection, n);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	891
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	892 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	893
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	894 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	895
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	896 if (sslerr == SSL_ERROR_WANT_READ) {
455 295d97d70c69 nginx-0.1.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 452 diff changeset	897 c->read->ready = 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	898 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	899 }
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	900
445 f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import Igor Sysoev <igor@sysoev.ru> parents: 444 diff changeset	901 if (sslerr == SSL_ERROR_WANT_WRITE) {
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	902
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	903 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	904 "peer started SSL renegotiation");
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	905
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	906 c->write->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	907
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	908 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	909 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	910 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	911
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	912 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	913 * we do not set the timer because there is already the read event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	914 */
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	915
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	916 if (c->ssl->saved_write_handler == NULL) {
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	917 c->ssl->saved_write_handler = c->write->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	918 c->write->handler = ngx_ssl_write_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	919 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	920
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	921 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	922 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	923
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	924 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	925 c->ssl->no_send_shutdown = 1;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	926
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	927 if (sslerr == SSL_ERROR_ZERO_RETURN \|\| ERR_peek_error() == 0) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	928 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	929 "peer shutdown SSL cleanly");
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	930 return NGX_DONE;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	931 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	932
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	933 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	934
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	935 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	936 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	937
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	938
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	939 static void
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	940 ngx_ssl_write_handler(ngx_event_t *wev)
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	941 {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	942 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	943
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	944 c = wev->data;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	945
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	946 c->read->handler(c->read);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	947 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	948
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	949
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	950 /*
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	951 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	952 * before the SSL_write() call to decrease a SSL overhead.
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	953 *
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	954 * Besides for protocols such as HTTP it is possible to always buffer
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	955 * the output to decrease a SSL overhead some more.
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	956 */
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	957
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	958 ngx_chain_t *
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	959 ngx_ssl_send_chain(ngx_connection_t c, ngx_chain_t in, off_t limit)
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	960 {
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	961 int n;
399 4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import Igor Sysoev <igor@sysoev.ru> parents: 398 diff changeset	962 ngx_uint_t flush;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	963 ssize_t send, size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	964 ngx_buf_t *buf;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	965
2280 6453161bf53e always use buffer, if connection is buffered, Igor Sysoev <igor@sysoev.ru> parents: 2165 diff changeset	966 if (!c->ssl->buffer) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	967
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	968 while (in) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	969 if (ngx_buf_special(in->buf)) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	970 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	971 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	972 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	973
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	974 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	975
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	976 if (n == NGX_ERROR) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	977 return NGX_CHAIN_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	978 }
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	979
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	980 if (n == NGX_AGAIN) {
597 9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	981 c->buffered \|= NGX_SSL_BUFFERED;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	982 return in;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	983 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	984
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	985 in->buf->pos += n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	986
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	987 if (in->buf->pos == in->buf->last) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	988 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	989 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	990 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	991
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	992 return in;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	993 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	994
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	995
3962 df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	996 /* the maximum limit size is the maximum int32_t value - the page size */
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	997
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	998 if (limit == 0 \|\| limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	999 limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1000 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1001
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1002 buf = c->ssl->buf;
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1003
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1004 if (buf == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1005 buf = ngx_create_temp_buf(c->pool, NGX_SSL_BUFSIZE);
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1006 if (buf == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1007 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1008 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1009
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1010 c->ssl->buf = buf;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1011 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1012
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1013 if (buf->start == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1014 buf->start = ngx_palloc(c->pool, NGX_SSL_BUFSIZE);
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1015 if (buf->start == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1016 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1017 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1018
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1019 buf->pos = buf->start;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1020 buf->last = buf->start;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1021 buf->end = buf->start + NGX_SSL_BUFSIZE;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1022 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1023
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1024 send = 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1025 flush = (in == NULL) ? 1 : 0;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1026
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1027 for ( ;; ) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1028
3283 52b1624b93c2 fix segfault in SSL if limit_rate is used Igor Sysoev <igor@sysoev.ru> parents: 3159 diff changeset	1029 while (in && buf->last < buf->end && send < limit) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1030 if (in->buf->last_buf \|\| in->buf->flush) {
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1031 flush = 1;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1032 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1033
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1034 if (ngx_buf_special(in->buf)) {
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1035 in = in->next;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1036 continue;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1037 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1038
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1039 size = in->buf->last - in->buf->pos;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1040
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1041 if (size > buf->end - buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1042 size = buf->end - buf->last;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1043 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1044
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1045 if (send + size > limit) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1046 size = (ssize_t) (limit - send);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1047 flush = 1;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1048 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1049
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1050 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1051 "SSL buf copy: %d", size);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1052
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1053 ngx_memcpy(buf->last, in->buf->pos, size);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1054
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1055 buf->last += size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1056 in->buf->pos += size;
3283 52b1624b93c2 fix segfault in SSL if limit_rate is used Igor Sysoev <igor@sysoev.ru> parents: 3159 diff changeset	1057 send += size;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1058
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1059 if (in->buf->pos == in->buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1060 in = in->next;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1061 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1062 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1063
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1064 size = buf->last - buf->pos;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1065
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1066 if (!flush && buf->last < buf->end && c->ssl->buffer) {
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1067 break;
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1068 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1069
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1070 n = ngx_ssl_write(c, buf->pos, size);
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1071
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1072 if (n == NGX_ERROR) {
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1073 return NGX_CHAIN_ERROR;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1074 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1075
511 c12967aadd87 nginx-0.1.30-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 509 diff changeset	1076 if (n == NGX_AGAIN) {
597 9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1077 c->buffered \|= NGX_SSL_BUFFERED;
511 c12967aadd87 nginx-0.1.30-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 509 diff changeset	1078 return in;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1079 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1080
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1081 buf->pos += n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1082 c->sent += n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1083
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1084 if (n < size) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1085 break;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1086 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1087
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1088 if (buf->pos == buf->last) {
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1089 buf->pos = buf->start;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1090 buf->last = buf->start;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1091 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1092
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1093 if (in == NULL \|\| send == limit) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1094 break;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1095 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1096 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1097
597 9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1098 if (buf->pos < buf->last) {
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1099 c->buffered \|= NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1100
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1101 } else {
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1102 c->buffered &= ~NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1103 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1104
399 4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import Igor Sysoev <igor@sysoev.ru> parents: 398 diff changeset	1105 return in;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1106 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1107
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1108
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	1109 ssize_t
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1110 ngx_ssl_write(ngx_connection_t c, u_char data, size_t size)
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1111 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1112 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1113 ngx_err_t err;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1114
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1115 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1116
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1117 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %d", size);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1118
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1119 n = SSL_write(c->ssl->connection, data, size);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1120
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1121 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1122
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1123 if (n > 0) {
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	1124
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1125 if (c->ssl->saved_read_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1126
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1127 c->read->handler = c->ssl->saved_read_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1128 c->ssl->saved_read_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1129 c->read->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1130
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1131 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1132 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1133 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1134
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	1135 ngx_post_event(c->read, &ngx_posted_events);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1136 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1137
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1138 return n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1139 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1140
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1141 sslerr = SSL_get_error(c->ssl->connection, n);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1142
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1143 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1144
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1145 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1146
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1147 if (sslerr == SSL_ERROR_WANT_WRITE) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1148 c->write->ready = 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1149 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1150 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1151
445 f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import Igor Sysoev <igor@sysoev.ru> parents: 444 diff changeset	1152 if (sslerr == SSL_ERROR_WANT_READ) {
452 23fb87bddda1 nginx-0.1.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 445 diff changeset	1153
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1154 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1155 "peer started SSL renegotiation");
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1156
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1157 c->read->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1158
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1159 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1160 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1161 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1162
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1163 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1164 * we do not set the timer because there is already
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1165 * the write event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1166 */
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1167
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1168 if (c->ssl->saved_read_handler == NULL) {
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1169 c->ssl->saved_read_handler = c->read->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1170 c->read->handler = ngx_ssl_read_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1171 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1172
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1173 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1174 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1175
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1176 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1177 c->ssl->no_send_shutdown = 1;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1178 c->write->error = 1;
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1179
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1180 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed");
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1181
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1182 return NGX_ERROR;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1183 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1184
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1185
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1186 static void
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1187 ngx_ssl_read_handler(ngx_event_t *rev)
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1188 {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1189 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1190
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1191 c = rev->data;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1192
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1193 c->write->handler(c->write);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1194 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1195
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1196
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1197 void
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1198 ngx_ssl_free_buffer(ngx_connection_t *c)
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1199 {
1795 3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1200 if (c->ssl->buf && c->ssl->buf->start) {
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1201 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) {
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1202 c->ssl->buf->start = NULL;
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1203 }
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1204 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1205 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1206
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1207
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1208 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1209 ngx_ssl_shutdown(ngx_connection_t *c)
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1210 {
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1211 int n, sslerr, mode;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1212 ngx_err_t err;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1213
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1214 if (c->timedout) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1215 mode = SSL_RECEIVED_SHUTDOWN\|SSL_SENT_SHUTDOWN;
4064 5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1216 SSL_set_quiet_shutdown(c->ssl->connection, 1);
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1217
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1218 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1219 mode = SSL_get_shutdown(c->ssl->connection);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1220
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1221 if (c->ssl->no_wait_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1222 mode \|= SSL_RECEIVED_SHUTDOWN;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1223 }
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1224
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1225 if (c->ssl->no_send_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1226 mode \|= SSL_SENT_SHUTDOWN;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1227 }
4064 5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1228
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1229 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) {
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1230 SSL_set_quiet_shutdown(c->ssl->connection, 1);
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1231 }
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1232 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1233
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1234 SSL_set_shutdown(c->ssl->connection, mode);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1235
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1236 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1237
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1238 n = SSL_shutdown(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1239
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1240 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1241
461 a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	1242 sslerr = 0;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1243
1860 a1f00736852e grammar fix Igor Sysoev <igor@sysoev.ru> parents: 1795 diff changeset	1244 /* SSL_shutdown() never returns -1, on error it returns 0 */
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1245
1865 4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755 Igor Sysoev <igor@sysoev.ru> parents: 1861 diff changeset	1246 if (n != 1 && ERR_peek_error()) {
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1247 sslerr = SSL_get_error(c->ssl->connection, n);
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1248
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1249 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1250 "SSL_get_error: %d", sslerr);
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1251 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1252
1865 4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755 Igor Sysoev <igor@sysoev.ru> parents: 1861 diff changeset	1253 if (n == 1 \|\| sslerr == 0 \|\| sslerr == SSL_ERROR_ZERO_RETURN) {
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1254 SSL_free(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1255 c->ssl = NULL;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1256
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1257 return NGX_OK;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1258 }
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1259
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1260 if (sslerr == SSL_ERROR_WANT_READ \|\| sslerr == SSL_ERROR_WANT_WRITE) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1261 c->read->handler = ngx_ssl_shutdown_handler;
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1262 c->write->handler = ngx_ssl_shutdown_handler;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1263
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1264 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1265 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1266 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1267
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1268 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1269 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1270 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1271
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1272 if (sslerr == SSL_ERROR_WANT_READ) {
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1273 ngx_add_timer(c->read, 30000);
d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1274 }
d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1275
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1276 return NGX_AGAIN;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1277 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1278
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1279 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1280
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1281 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1282
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1283 SSL_free(c->ssl->connection);
511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1284 c->ssl = NULL;
511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1285
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1286 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1287 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1288
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1289
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1290 static void
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1291 ngx_ssl_shutdown_handler(ngx_event_t *ev)
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1292 {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1293 ngx_connection_t *c;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1294 ngx_connection_handler_pt handler;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1295
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1296 c = ev->data;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1297 handler = c->ssl->handler;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1298
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1299 if (ev->timedout) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1300 c->timedout = 1;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1301 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1302
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1303 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1304
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1305 if (ngx_ssl_shutdown(c) == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1306 return;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1307 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1308
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1309 handler(c);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1310 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1311
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1312
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1313 static void
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1314 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1315 char *text)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1316 {
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1317 int n;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1318 ngx_uint_t level;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1319
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1320 level = NGX_LOG_CRIT;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1321
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1322 if (sslerr == SSL_ERROR_SYSCALL) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1323
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1324 if (err == NGX_ECONNRESET
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1325 \|\| err == NGX_EPIPE
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1326 \|\| err == NGX_ENOTCONN
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1327 \|\| err == NGX_ETIMEDOUT
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1328 \|\| err == NGX_ECONNREFUSED
1869 192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	1329 \|\| err == NGX_ENETDOWN
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	1330 \|\| err == NGX_ENETUNREACH
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	1331 \|\| err == NGX_EHOSTDOWN
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1332 \|\| err == NGX_EHOSTUNREACH)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1333 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1334 switch (c->log_error) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1335
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1336 case NGX_ERROR_IGNORE_ECONNRESET:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1337 case NGX_ERROR_INFO:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1338 level = NGX_LOG_INFO;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1339 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1340
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1341 case NGX_ERROR_ERR:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1342 level = NGX_LOG_ERR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1343 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1344
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1345 default:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1346 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1347 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1348 }
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1349
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1350 } else if (sslerr == SSL_ERROR_SSL) {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1351
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1352 n = ERR_GET_REASON(ERR_peek_error());
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1353
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1354 /* handshake failures */
3718 bfd84b583868 decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3516 diff changeset	1355 if (n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
bfd84b583868 decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3516 diff changeset	1356 \|\| n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	1357 \|\| n == SSL_R_LENGTH_MISMATCH /* 159 */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1358 \|\| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	1359 \|\| n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1360 \|\| n == SSL_R_NO_SHARED_CIPHER /* 193 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	1361 \|\| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1362 \|\| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1363 \|\| n == SSL_R_UNEXPECTED_RECORD /* 245 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	1364 \|\| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
3357 fc735aa50b8b decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3300 diff changeset	1365 \|\| n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1366 \|\| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1367 \|\| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
1877 a55876dff8f5 low SSL handshake close notify alert error level Igor Sysoev <igor@sysoev.ru> parents: 1876 diff changeset	1368 \|\| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1369 \|\| n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1370 \|\| n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1371 \|\| n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1372 \|\| n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1373 \|\| n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1374 \|\| n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1375 \|\| n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1376 \|\| n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1377 \|\| n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1378 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1379 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1380 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1381 \|\| n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1382 \|\| n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1383 \|\| n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1384 \|\| n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1385 \|\| n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1386 \|\| n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1387 \|\| n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1388 \|\| n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1389 \|\| n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1390 \|\| n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	1391 \|\| n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION) /* 1100 */
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1392 {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1393 switch (c->log_error) {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1394
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1395 case NGX_ERROR_IGNORE_ECONNRESET:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1396 case NGX_ERROR_INFO:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1397 level = NGX_LOG_INFO;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1398 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1399
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1400 case NGX_ERROR_ERR:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1401 level = NGX_LOG_ERR;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1402 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1403
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1404 default:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1405 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1406 }
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	1407 }
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1408 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1409
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1410 ngx_ssl_error(level, c->log, err, text);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1411 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1412
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1413
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1414 static void
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1415 ngx_ssl_clear_error(ngx_log_t *log)
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1416 {
1868 c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	1417 while (ERR_peek_error()) {
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1418 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1419 }
1868 c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	1420
c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	1421 ERR_clear_error();
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1422 }
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1423
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1424
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1425 void ngx_cdecl
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1426 ngx_ssl_error(ngx_uint_t level, ngx_log_t log, ngx_err_t err, char fmt, ...)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1427 {
1861 f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1428 u_long n;
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1429 va_list args;
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1430 u_char p, last;
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1431 u_char errstr[NGX_MAX_CONF_ERRSTR];
461 a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	1432
a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	1433 last = errstr + NGX_MAX_CONF_ERRSTR;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1434
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1435 va_start(args, fmt);
2764 d4a717592877 use ngx_vslprintf(), ngx_slprintf() Igor Sysoev <igor@sysoev.ru> parents: 2720 diff changeset	1436 p = ngx_vslprintf(errstr, last - 1, fmt, args);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1437 va_end(args);
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1438
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1439 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1440
1861 f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1441 for ( ;; ) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1442
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1443 n = ERR_get_error();
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1444
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1445 if (n == 0) {
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1446 break;
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1447 }
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1448
1861 f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1449 if (p >= last) {
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1450 continue;
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1451 }
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	1452
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1453 *p++ = ' ';
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1454
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1455 ERR_error_string_n(n, (char *) p, last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1456
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1457 while (p < last && *p) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1458 p++;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1459 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1460 }
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1461
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1462 ngx_log_error(level, log, err, "%s)", errstr);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1463 }
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1464
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1465
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1466 ngx_int_t
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1467 ngx_ssl_session_cache(ngx_ssl_t ssl, ngx_str_t sess_ctx,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1468 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1469 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1470 long cache_mode;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1471
1778 14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	1472 if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	1473 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	1474 return NGX_OK;
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	1475 }
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	1476
3457 17706823a57e Set SSL session context for "ssl_session_cache none". Igor Sysoev <igor@sysoev.ru> parents: 3455 diff changeset	1477 SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
17706823a57e Set SSL session context for "ssl_session_cache none". Igor Sysoev <igor@sysoev.ru> parents: 3455 diff changeset	1478
2032 12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1479 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1480
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1481 /*
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1482 * If the server explicitly says that it does not support
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1483 * session reuse (see SSL_SESS_CACHE_OFF above), then
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1484 * Outlook Express fails to upload a sent email to
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1485 * the Sent Items folder on the IMAP server via a separate IMAP
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1486 * connection in the background. Therefore we have a special
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1487 * mode (SSL_SESS_CACHE_SERVER\|SSL_SESS_CACHE_NO_INTERNAL_STORE)
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1488 * where the server pretends that it supports session reuse,
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1489 * but it does not actually store any session.
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1490 */
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1491
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1492 SSL_CTX_set_session_cache_mode(ssl->ctx,
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1493 SSL_SESS_CACHE_SERVER
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1494 \|SSL_SESS_CACHE_NO_AUTO_CLEAR
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1495 \|SSL_SESS_CACHE_NO_INTERNAL_STORE);
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1496
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1497 SSL_CTX_sess_set_cache_size(ssl->ctx, 1);
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1498
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1499 return NGX_OK;
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1500 }
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	1501
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1502 cache_mode = SSL_SESS_CACHE_SERVER;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1503
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1504 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1505 cache_mode \|= SSL_SESS_CACHE_NO_INTERNAL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1506 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1507
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1508 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1509
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1510 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1511
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1512 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1513 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1514 }
1015 32ebb6b13ff3 ssl_session_timeout was set only if builtin cache was used Igor Sysoev <igor@sysoev.ru> parents: 1014 diff changeset	1515 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1516
2710 218ee852de73 fix building by MSVC8 Igor Sysoev <igor@sysoev.ru> parents: 2611 diff changeset	1517 SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1518
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1519 if (shm_zone) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1520 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1521 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1522 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1523
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1524 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1525 == 0)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1526 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1527 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1528 "SSL_CTX_set_ex_data() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1529 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1530 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1531 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1532
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1533 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1534 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1535
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1536
3992 a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not Igor Sysoev <igor@sysoev.ru> parents: 3962 diff changeset	1537 ngx_int_t
993 1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	1538 ngx_ssl_session_cache_init(ngx_shm_zone_t shm_zone, void data)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1539 {
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1540 size_t len;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1541 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1542 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1543
993 1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	1544 if (data) {
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	1545 shm_zone->data = data;
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	1546 return NGX_OK;
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	1547 }
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	1548
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1549 if (shm_zone->shm.exists) {
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1550 shm_zone->data = data;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1551 return NGX_OK;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1552 }
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1553
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1554 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1555
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1556 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1557 if (cache == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1558 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1559 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1560
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1561 shpool->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1562 shm_zone->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	1563
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1564 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel,
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1565 ngx_ssl_session_rbtree_insert_value);
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1566
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1567 ngx_queue_init(&cache->expire_queue);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1568
2716 d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2710 diff changeset	1569 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len;
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1570
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1571 shpool->log_ctx = ngx_slab_alloc(shpool, len);
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1572 if (shpool->log_ctx == NULL) {
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1573 return NGX_ERROR;
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1574 }
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1575
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1576 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
2716 d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2710 diff changeset	1577 &shm_zone->shm.name);
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	1578
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1579 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1580 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1581
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1582
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1583 /*
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1584 * The length of the session id is 16 bytes for SSLv2 sessions and
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1585 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes.
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1586 * It seems that the typical length of the external ASN1 representation
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1587 * of a session is 118 or 119 bytes for SSLv3/TSLv1.
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1588 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1589 * Thus on 32-bit platforms we allocate separately an rbtree node,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1590 * a session id, and an ASN1 representation, they take accordingly
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1591 * 64, 32, and 128 bytes.
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1592 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1593 * On 64-bit platforms we allocate separately an rbtree node + session_id,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1594 * and an ASN1 representation, they take accordingly 128 and 128 bytes.
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1595 *
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1596 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1597 * so they are outside the code locked by shared pool mutex
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1598 */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1599
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1600 static int
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1601 ngx_ssl_new_session(ngx_ssl_conn_t ssl_conn, ngx_ssl_session_t sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1602 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1603 int len;
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1604 u_char p, id, *cached_sess;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1605 uint32_t hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1606 SSL_CTX *ssl_ctx;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1607 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1608 ngx_connection_t *c;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1609 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1610 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1611 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1612 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1613
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1614 len = i2d_SSL_SESSION(sess, NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1615
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1616 /* do not cache too big session */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1617
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1618 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1619 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1620 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1621
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1622 p = buf;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1623 i2d_SSL_SESSION(sess, &p);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1624
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1625 c = ngx_ssl_get_connection(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1626
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1627 ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1628 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1629
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1630 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1631 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1632
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1633 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1634
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1635 /* drop one or two expired sessions */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1636 ngx_ssl_expire_sessions(cache, shpool, 1);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1637
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1638 cached_sess = ngx_slab_alloc_locked(shpool, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1639
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1640 if (cached_sess == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1641
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1642 /* drop the oldest non-expired session and try once more */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1643
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1644 ngx_ssl_expire_sessions(cache, shpool, 0);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1645
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1646 cached_sess = ngx_slab_alloc_locked(shpool, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1647
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1648 if (cached_sess == NULL) {
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1649 sess_id = NULL;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1650 goto failed;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1651 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1652 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1653
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1654 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1655 if (sess_id == NULL) {
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1656 goto failed;
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1657 }
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1658
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1659 #if (NGX_PTR_SIZE == 8)
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1660
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1661 id = sess_id->sess_id;
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1662
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1663 #else
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1664
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1665 id = ngx_slab_alloc_locked(shpool, sess->session_id_length);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1666 if (id == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1667 goto failed;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1668 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1669
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1670 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1671
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1672 ngx_memcpy(cached_sess, buf, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1673
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1674 ngx_memcpy(id, sess->session_id, sess->session_id_length);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1675
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1676 hash = ngx_crc32_short(sess->session_id, sess->session_id_length);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1677
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1678 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
3155 e720c4a68ee0 fix debug log message Igor Sysoev <igor@sysoev.ru> parents: 3154 diff changeset	1679 "ssl new session: %08XD:%d:%d",
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1680 hash, sess->session_id_length, len);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1681
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1682 sess_id->node.key = hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1683 sess_id->node.data = (u_char) sess->session_id_length;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1684 sess_id->id = id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1685 sess_id->len = len;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1686 sess_id->session = cached_sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1687
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	1688 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1689
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1690 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1691
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1692 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1693
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1694 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1695
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1696 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1697
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1698 failed:
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1699
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1700 if (cached_sess) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1701 ngx_slab_free_locked(shpool, cached_sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1702 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1703
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1704 if (sess_id) {
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1705 ngx_slab_free_locked(shpool, sess_id);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1706 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1707
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1708 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1709
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1710 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1711 "could not add new SSL session to the session cache");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1712
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1713 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1714 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1715
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1716
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1717 static ngx_ssl_session_t *
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1718 ngx_ssl_get_cached_session(ngx_ssl_conn_t ssl_conn, u_char id, int len,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1719 int *copy)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1720 {
989 5595e47d4f17 d2i_SSL_SESSION() was changed in 0.9.7f Igor Sysoev <igor@sysoev.ru> parents: 974 diff changeset	1721 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1722 const
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1723 #endif
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1724 u_char *p;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1725 uint32_t hash;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1726 ngx_int_t rc;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1727 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1728 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1729 ngx_rbtree_node_t node, sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1730 ngx_ssl_session_t *sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1731 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1732 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1733 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
3961 4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	1734 #if (NGX_DEBUG)
4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	1735 ngx_connection_t *c;
4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	1736 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1737
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1738 hash = ngx_crc32_short(id, (size_t) len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1739 *copy = 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1740
3961 4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	1741 #if (NGX_DEBUG)
4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	1742 c = ngx_ssl_get_connection(ssl_conn);
4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	1743
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1744 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
3155 e720c4a68ee0 fix debug log message Igor Sysoev <igor@sysoev.ru> parents: 3154 diff changeset	1745 "ssl get session: %08XD:%d", hash, len);
3961 4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	1746 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1747
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1748 shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1749 ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1750
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1751 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1752
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1753 sess = NULL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1754
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1755 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1756
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1757 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1758
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1759 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1760 sentinel = cache->session_rbtree.sentinel;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1761
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1762 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1763
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1764 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1765 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1766 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1767 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1768
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1769 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1770 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1771 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1772 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1773
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1774 /* hash == node->key */
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1775
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1776 do {
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1777 sess_id = (ngx_ssl_sess_id_t *) node;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1778
1029 ce08bc4cb97b ngx_strn2cmp() > ngx_memn2cmp() Igor Sysoev <igor@sysoev.ru> parents: 1027 diff changeset	1779 rc = ngx_memn2cmp(id, sess_id->id,
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1780 (size_t) len, (size_t) node->data);
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1781 if (rc == 0) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1782
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	1783 if (sess_id->expire > ngx_time()) {
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1784 ngx_memcpy(buf, sess_id->session, sess_id->len);
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1785
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1786 ngx_shmtx_unlock(&shpool->mutex);
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1787
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1788 p = buf;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1789 sess = d2i_SSL_SESSION(NULL, &p, sess_id->len);
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1790
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1791 return sess;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1792 }
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1793
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1794 ngx_queue_remove(&sess_id->queue);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1795
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1796 ngx_rbtree_delete(&cache->session_rbtree, node);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1797
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1798 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1799 #if (NGX_PTR_SIZE == 4)
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1800 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1801 #endif
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1802 ngx_slab_free_locked(shpool, sess_id);
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1803
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1804 sess = NULL;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1805
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1806 goto done;
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1807 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1808
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1809 node = (rc < 0) ? node->left : node->right;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1810
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1811 } while (node != sentinel && hash == node->key);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1812
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1813 break;
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1814 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1815
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1816 done:
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1817
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1818 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1819
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1820 return sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1821 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1822
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1823
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1824 void
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1825 ngx_ssl_remove_cached_session(SSL_CTX ssl, ngx_ssl_session_t sess)
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1826 {
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1827 SSL_CTX_remove_session(ssl, sess);
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1828
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1829 ngx_ssl_remove_session(ssl, sess);
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1830 }
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1831
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1832
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1833 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1834 ngx_ssl_remove_session(SSL_CTX ssl, ngx_ssl_session_t sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1835 {
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1836 size_t len;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1837 u_char *id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1838 uint32_t hash;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1839 ngx_int_t rc;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1840 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1841 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1842 ngx_rbtree_node_t node, sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1843 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1844 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1845
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1846 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1847
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1848 if (shm_zone == NULL) {
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1849 return;
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1850 }
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	1851
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1852 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1853
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1854 id = sess->session_id;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1855 len = (size_t) sess->session_id_length;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1856
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1857 hash = ngx_crc32_short(id, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1858
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1859 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
3155 e720c4a68ee0 fix debug log message Igor Sysoev <igor@sysoev.ru> parents: 3154 diff changeset	1860 "ssl remove session: %08XD:%uz", hash, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1861
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1862 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1863
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1864 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1865
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1866 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1867 sentinel = cache->session_rbtree.sentinel;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1868
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1869 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1870
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1871 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1872 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1873 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1874 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1875
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1876 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1877 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1878 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1879 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1880
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1881 /* hash == node->key */
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1882
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1883 do {
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1884 sess_id = (ngx_ssl_sess_id_t *) node;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1885
1029 ce08bc4cb97b ngx_strn2cmp() > ngx_memn2cmp() Igor Sysoev <igor@sysoev.ru> parents: 1027 diff changeset	1886 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1887
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1888 if (rc == 0) {
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1889
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1890 ngx_queue_remove(&sess_id->queue);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1891
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	1892 ngx_rbtree_delete(&cache->session_rbtree, node);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1893
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1894 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1895 #if (NGX_PTR_SIZE == 4)
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1896 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1897 #endif
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1898 ngx_slab_free_locked(shpool, sess_id);
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1899
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1900 goto done;
1025 f88651afad40 style fix: remove tabs Igor Sysoev <igor@sysoev.ru> parents: 1017 diff changeset	1901 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1902
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1903 node = (rc < 0) ? node->left : node->right;
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1904
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1905 } while (node != sentinel && hash == node->key);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1906
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1907 break;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1908 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1909
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1910 done:
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	1911
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1912 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1913 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1914
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1915
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1916 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1917 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1918 ngx_slab_pool_t *shpool, ngx_uint_t n)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1919 {
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	1920 time_t now;
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1921 ngx_queue_t *q;
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1922 ngx_ssl_sess_id_t *sess_id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1923
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	1924 now = ngx_time();
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1925
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1926 while (n < 3) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1927
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1928 if (ngx_queue_empty(&cache->expire_queue)) {
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1929 return;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1930 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1931
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1932 q = ngx_queue_last(&cache->expire_queue);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1933
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1934 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1935
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	1936 if (n++ != 0 && sess_id->expire > now) {
1439 36548ad85be1 style fix Igor Sysoev <igor@sysoev.ru> parents: 1426 diff changeset	1937 return;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1938 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1939
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1940 ngx_queue_remove(q);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1941
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1942 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1943 "expire session: %08Xi", sess_id->node.key);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1944
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1945 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	1946
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	1947 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1948 #if (NGX_PTR_SIZE == 4)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1949 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	1950 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1951 ngx_slab_free_locked(shpool, sess_id);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1952 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1953 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1954
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	1955
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1956 static void
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1957 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1958 ngx_rbtree_node_t node, ngx_rbtree_node_t sentinel)
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1959 {
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1960 ngx_rbtree_node_t **p;
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1961 ngx_ssl_sess_id_t sess_id, sess_id_temp;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1962
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1963 for ( ;; ) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1964
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1965 if (node->key < temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1966
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1967 p = &temp->left;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1968
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1969 } else if (node->key > temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1970
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1971 p = &temp->right;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1972
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1973 } else { /* node->key == temp->key */
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1974
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1975 sess_id = (ngx_ssl_sess_id_t *) node;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1976 sess_id_temp = (ngx_ssl_sess_id_t *) temp;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1977
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1978 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id,
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1979 (size_t) node->data, (size_t) temp->data)
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1980 < 0) ? &temp->left : &temp->right;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1981 }
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1982
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1983 if (*p == sentinel) {
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1984 break;
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1985 }
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1986
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1987 temp = *p;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1988 }
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1989
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	1990 *p = node;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1991 node->parent = temp;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1992 node->left = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1993 node->right = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1994 ngx_rbt_red(node);
1043 7073b87fa8e9 style fix: remove trailing spaces Igor Sysoev <igor@sysoev.ru> parents: 1029 diff changeset	1995 }
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1996
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	1997
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1998 void
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1999 ngx_ssl_cleanup_ctx(void *data)
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2000 {
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2001 ngx_ssl_t *ssl = data;
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2002
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2003 SSL_CTX_free(ssl->ctx);
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2004 }
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2005
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2006
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2007 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2008 ngx_ssl_get_protocol(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2009 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2010 s->data = (u_char *) SSL_get_version(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2011 return NGX_OK;
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2012 }
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2013
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2014
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2015 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2016 ngx_ssl_get_cipher_name(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2017 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2018 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2019 return NGX_OK;
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2020 }
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2021
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	2022
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2023 ngx_int_t
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2024 ngx_ssl_get_session_id(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2025 {
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2026 int len;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2027 u_char p, buf;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2028 SSL_SESSION *sess;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2029
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2030 sess = SSL_get0_session(c->ssl->connection);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2031
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2032 len = i2d_SSL_SESSION(sess, NULL);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2033
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2034 buf = ngx_alloc(len, c->log);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2035 if (buf == NULL) {
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2036 return NGX_ERROR;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2037 }
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2038
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2039 s->len = 2 * len;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2040 s->data = ngx_pnalloc(pool, 2 * len);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2041 if (s->data == NULL) {
3159 d4cc5a450ee9 fix r3155 Igor Sysoev <igor@sysoev.ru> parents: 3155 diff changeset	2042 ngx_free(buf);
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2043 return NGX_ERROR;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2044 }
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2045
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2046 p = buf;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2047 i2d_SSL_SESSION(sess, &p);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2048
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2049 ngx_hex_dump(s->data, buf, len);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2050
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2051 ngx_free(buf);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2052
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2053 return NGX_OK;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2054 }
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2055
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2056
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	2057 ngx_int_t
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2058 ngx_ssl_get_raw_certificate(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2045 2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2059 {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2060 size_t len;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2061 BIO *bio;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2062 X509 *cert;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2063
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2064 s->len = 0;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2065
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2066 cert = SSL_get_peer_certificate(c->ssl->connection);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2067 if (cert == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2068 return NGX_OK;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2069 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2070
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2071 bio = BIO_new(BIO_s_mem());
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2072 if (bio == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2073 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2074 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2075 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2076 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2077
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2078 if (PEM_write_bio_X509(bio, cert) == 0) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2079 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2080 goto failed;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2081 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2082
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2083 len = BIO_pending(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2084 s->len = len;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2085
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	2086 s->data = ngx_pnalloc(pool, len);
2045 2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2087 if (s->data == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2088 goto failed;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2089 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2090
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2091 BIO_read(bio, s->data, len);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2092
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2093 BIO_free(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2094 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2095
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2096 return NGX_OK;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2097
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2098 failed:
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2099
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2100 BIO_free(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2101 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2102
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2103 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2104 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2105
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2106
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	2107 ngx_int_t
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2108 ngx_ssl_get_certificate(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2109 {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2110 u_char *p;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2111 size_t len;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2112 ngx_uint_t i;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2113 ngx_str_t cert;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2114
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2115 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2116 return NGX_ERROR;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2117 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2118
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2119 if (cert.len == 0) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2120 s->len = 0;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2121 return NGX_OK;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2122 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2123
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2124 len = cert.len - 1;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2125
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2126 for (i = 0; i < cert.len - 1; i++) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2127 if (cert.data[i] == LF) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2128 len++;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2129 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2130 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2131
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2132 s->len = len;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2133 s->data = ngx_pnalloc(pool, len);
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2134 if (s->data == NULL) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2135 return NGX_ERROR;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2136 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2137
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2138 p = s->data;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2139
3002 bf0c7e58e016 fix memory corruption in $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2997 diff changeset	2140 for (i = 0; i < cert.len - 1; i++) {
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2141 *p++ = cert.data[i];
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2142 if (cert.data[i] == LF) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2143 *p++ = '\t';
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2144 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2145 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2146
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2147 return NGX_OK;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2148 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2149
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2150
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	2151 ngx_int_t
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2152 ngx_ssl_get_subject_dn(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2153 {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2154 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2155 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2156 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2157 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2158
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2159 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2160
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2161 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2162 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2163 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2164 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2165
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2166 name = X509_get_subject_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2167 if (name == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2168 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2169 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2170 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2171
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2172 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2173
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2174 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2175
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2176 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	2177 s->data = ngx_pnalloc(pool, len);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2178 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2179 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2180 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2181 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2182 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2183
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2184 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2185
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2186 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2187 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2188
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2189 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2190 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2191
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2192
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2193 ngx_int_t
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2194 ngx_ssl_get_issuer_dn(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2195 {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2196 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2197 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2198 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2199 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2200
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2201 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2202
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2203 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2204 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2205 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2206 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2207
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2208 name = X509_get_issuer_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2209 if (name == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2210 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2211 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2212 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2213
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2214 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2215
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2216 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2217
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2218 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	2219 s->data = ngx_pnalloc(pool, len);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2220 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2221 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2222 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2223 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2224 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2225
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2226 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2227
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2228 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2229 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2230
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2231 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2232 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2233
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	2234
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2235 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2236 ngx_ssl_get_serial_number(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2237 {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2238 size_t len;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2239 X509 *cert;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2240 BIO *bio;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2241
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2242 s->len = 0;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2243
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2244 cert = SSL_get_peer_certificate(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2245 if (cert == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2246 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2247 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2248
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2249 bio = BIO_new(BIO_s_mem());
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2250 if (bio == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2251 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2252 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2253 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2254
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2255 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2256 len = BIO_pending(bio);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2257
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2258 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	2259 s->data = ngx_pnalloc(pool, len);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2260 if (s->data == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2261 BIO_free(bio);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2262 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2263 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2264 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2265
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2266 BIO_read(bio, s->data, len);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2267 BIO_free(bio);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	2268 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2269
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2270 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2271 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2272
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	2273
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2274 ngx_int_t
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2275 ngx_ssl_get_client_verify(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2276 {
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2277 X509 *cert;
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2278
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2279 if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) {
3516 dd1570b6f237 ngx_str_set() and ngx_str_null() Igor Sysoev <igor@sysoev.ru> parents: 3488 diff changeset	2280 ngx_str_set(s, "FAILED");
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2281 return NGX_OK;
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2282 }
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2283
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2284 cert = SSL_get_peer_certificate(c->ssl->connection);
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2285
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2286 if (cert) {
3516 dd1570b6f237 ngx_str_set() and ngx_str_null() Igor Sysoev <igor@sysoev.ru> parents: 3488 diff changeset	2287 ngx_str_set(s, "SUCCESS");
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2288
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2289 } else {
3516 dd1570b6f237 ngx_str_set() and ngx_str_null() Igor Sysoev <igor@sysoev.ru> parents: 3488 diff changeset	2290 ngx_str_set(s, "NONE");
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2291 }
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2292
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2293 X509_free(cert);
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2294
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2295 return NGX_OK;
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2296 }
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2297
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	2298
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2299 static void *
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2300 ngx_openssl_create_conf(ngx_cycle_t *cycle)
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2301 {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2302 ngx_openssl_conf_t *oscf;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2303
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2304 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t));
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2305 if (oscf == NULL) {
2912 c7d57b539248 return NULL instead of NGX_CONF_ERROR on a create conf failure Igor Sysoev <igor@sysoev.ru> parents: 2764 diff changeset	2306 return NULL;
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2307 }
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2308
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2309 /*
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2310 * set by ngx_pcalloc():
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2311 *
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2312 * oscf->engine = 0;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2313 */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2314
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2315 return oscf;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2316 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2317
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2318
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2319 static char *
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2320 ngx_openssl_engine(ngx_conf_t cf, ngx_command_t cmd, void *conf)
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2321 {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2322 ngx_openssl_conf_t *oscf = conf;
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2323
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2324 ENGINE *engine;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2325 ngx_str_t *value;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2326
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2327 if (oscf->engine) {
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2328 return "is duplicate";
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2329 }
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2330
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2331 oscf->engine = 1;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2332
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2333 value = cf->args->elts;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2334
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2335 engine = ENGINE_by_id((const char *) value[1].data);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2336
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2337 if (engine == NULL) {
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2338 ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2339 "ENGINE_by_id(\"%V\") failed", &value[1]);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2340 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2341 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2342
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2343 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2344 ngx_ssl_error(NGX_LOG_WARN, cf->log, 0,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2345 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2346 &value[1]);
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2347
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2348 ENGINE_free(engine);
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2349
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2350 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2351 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2352
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2353 ENGINE_free(engine);
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2354
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	2355 return NGX_CONF_OK;
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	2356 }
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2357
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2358
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2359 static void
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2360 ngx_openssl_exit(ngx_cycle_t *cycle)
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2361 {
3464 7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	2362 EVP_cleanup();
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2363 ENGINE_cleanup();
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	2364 }

Mercurial > hg > nginx-quic

annotate src/event/ngx_event_openssl.c @ 4192:61e4af19df9f