Mercurial > hg > nginx-quic
annotate src/event/ngx_event_openssl.c @ 8713:d6ef13c5fd8e quic
QUIC: simplified configuration.
Directives that set transport parameters are removed from the configuration.
Corresponding values are derived from the quic configuration or initialized
to default. Whenever possible, quic configuration parameters are taken from
higher-level protocol settings, i.e. HTTP/3.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Mon, 06 Dec 2021 15:19:54 +0300 |
parents | 61d0fa67b55e |
children | 5c86189a1c1b |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
5 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
6 |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
7 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
10 #include <ngx_event.h> |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
541 | 12 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
14 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
15 |
541 | 16 typedef struct { |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
17 ngx_uint_t engine; /* unsigned engine:1; */ |
541 | 18 } ngx_openssl_conf_t; |
479 | 19 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
20 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
21 static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
22 ngx_str_t *cert, STACK_OF(X509) **chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
23 static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
24 ngx_str_t *key, ngx_array_t *passwords); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
25 static int ngx_ssl_password_callback(char *buf, int size, int rwflag, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
26 void *userdata); |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
27 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
28 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
29 int ret); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
30 static void ngx_ssl_passwords_cleanup(void *data); |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
31 static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
32 ngx_ssl_session_t *sess); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
33 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
34 static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
35 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
36 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
37 static void ngx_ssl_handshake_log(ngx_connection_t *c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
38 #endif |
547 | 39 static void ngx_ssl_handshake_handler(ngx_event_t *ev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
40 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
41 static ssize_t ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
42 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
43 #endif |
489 | 44 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); |
473 | 45 static void ngx_ssl_write_handler(ngx_event_t *wev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
46 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
47 static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
48 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
49 #endif |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
50 static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
51 size_t size); |
473 | 52 static void ngx_ssl_read_handler(ngx_event_t *rev); |
577 | 53 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); |
547 | 54 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, |
55 ngx_err_t err, char *text); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
56 static void ngx_ssl_clear_error(ngx_log_t *log); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
57 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
58 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
59 ngx_str_t *sess_ctx, ngx_array_t *certificates); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
60 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
61 ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
62 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
63 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
64 const |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
65 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
66 u_char *id, int len, int *copy); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
67 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
68 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
69 ngx_slab_pool_t *shpool, ngx_uint_t n); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
70 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
71 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
72 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
73 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
74 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
75 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
76 HMAC_CTX *hctx, int enc); |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
77 static void ngx_ssl_session_ticket_keys_cleanup(void *data); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
78 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
79 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
80 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
81 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
82 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
83 |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
84 static time_t ngx_ssl_parse_time( |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
85 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
86 const |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
87 #endif |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
88 ASN1_TIME *asn1time, ngx_log_t *log); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
89 |
541 | 90 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
91 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); |
571 | 92 static void ngx_openssl_exit(ngx_cycle_t *cycle); |
541 | 93 |
94 | |
95 static ngx_command_t ngx_openssl_commands[] = { | |
96 | |
97 { ngx_string("ssl_engine"), | |
98 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
99 ngx_openssl_engine, |
541 | 100 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
101 0, |
541 | 102 NULL }, |
103 | |
104 ngx_null_command | |
105 }; | |
106 | |
107 | |
108 static ngx_core_module_t ngx_openssl_module_ctx = { | |
109 ngx_string("openssl"), | |
110 ngx_openssl_create_conf, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
111 NULL |
577 | 112 }; |
541 | 113 |
114 | |
115 ngx_module_t ngx_openssl_module = { | |
116 NGX_MODULE_V1, | |
117 &ngx_openssl_module_ctx, /* module context */ | |
118 ngx_openssl_commands, /* module directives */ | |
119 NGX_CORE_MODULE, /* module type */ | |
120 NULL, /* init master */ | |
121 NULL, /* init module */ | |
122 NULL, /* init process */ | |
123 NULL, /* init thread */ | |
124 NULL, /* exit thread */ | |
125 NULL, /* exit process */ | |
571 | 126 ngx_openssl_exit, /* exit master */ |
541 | 127 NGX_MODULE_V1_PADDING |
547 | 128 }; |
129 | |
130 | |
969 | 131 int ngx_ssl_connection_index; |
132 int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
133 int ngx_ssl_session_cache_index; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
134 int ngx_ssl_session_ticket_keys_index; |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
135 int ngx_ssl_ocsp_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
136 int ngx_ssl_certificate_index; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
137 int ngx_ssl_next_certificate_index; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
138 int ngx_ssl_certificate_name_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
139 int ngx_ssl_stapling_index; |
671 | 140 |
141 | |
489 | 142 ngx_int_t |
143 ngx_ssl_init(ngx_log_t *log) | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
144 { |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
145 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
146 |
6902
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
147 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) { |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
148 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
149 return NGX_ERROR; |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
150 } |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
151 |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
152 /* |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
153 * OPENSSL_init_ssl() may leave errors in the error queue |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
154 * while returning success |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
155 */ |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
156 |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
157 ERR_clear_error(); |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
158 |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
159 #else |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
160 |
968 | 161 OPENSSL_config(NULL); |
162 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
163 SSL_library_init(); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
164 SSL_load_error_strings(); |
541 | 165 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
166 OpenSSL_add_all_algorithms(); |
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
167 |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
168 #endif |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
169 |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
170 #ifndef SSL_OP_NO_COMPRESSION |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
171 { |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
172 /* |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
173 * Disable gzip compression in OpenSSL prior to 1.0.0 version, |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
174 * this saves about 522K per connection. |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
175 */ |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
176 int n; |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
177 STACK_OF(SSL_COMP) *ssl_comp_methods; |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
178 |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
179 ssl_comp_methods = SSL_COMP_get_compression_methods(); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
180 n = sk_SSL_COMP_num(ssl_comp_methods); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
181 |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
182 while (n--) { |
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
183 (void) sk_SSL_COMP_pop(ssl_comp_methods); |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
184 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
185 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
186 #endif |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
187 |
969 | 188 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
671 | 189 |
969 | 190 if (ngx_ssl_connection_index == -1) { |
671 | 191 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); |
192 return NGX_ERROR; | |
193 } | |
194 | |
969 | 195 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
196 NULL); | |
197 if (ngx_ssl_server_conf_index == -1) { | |
198 ngx_ssl_error(NGX_LOG_ALERT, log, 0, | |
199 "SSL_CTX_get_ex_new_index() failed"); | |
200 return NGX_ERROR; | |
201 } | |
202 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
203 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
204 NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
205 if (ngx_ssl_session_cache_index == -1) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
206 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
207 "SSL_CTX_get_ex_new_index() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
208 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
209 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
210 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
211 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
212 NULL, NULL); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
213 if (ngx_ssl_session_ticket_keys_index == -1) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
214 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
215 "SSL_CTX_get_ex_new_index() failed"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
216 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
217 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
218 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
219 ngx_ssl_ocsp_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
220 if (ngx_ssl_ocsp_index == -1) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
221 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
222 "SSL_CTX_get_ex_new_index() failed"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
223 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
224 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
225 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
226 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
227 NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
228 if (ngx_ssl_certificate_index == -1) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
229 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
230 "SSL_CTX_get_ex_new_index() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
231 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
232 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
233 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
234 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
235 NULL); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
236 if (ngx_ssl_next_certificate_index == -1) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
237 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
238 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
239 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
240 |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
241 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
242 NULL); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
243 |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
244 if (ngx_ssl_certificate_name_index == -1) { |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
245 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
246 return NGX_ERROR; |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
247 } |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
248 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
249 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
250 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
251 if (ngx_ssl_stapling_index == -1) { |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
252 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
253 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
254 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
255 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
256 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
257 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
258 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
259 |
489 | 260 ngx_int_t |
969 | 261 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) |
547 | 262 { |
577 | 263 ssl->ctx = SSL_CTX_new(SSLv23_method()); |
547 | 264 |
265 if (ssl->ctx == NULL) { | |
266 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed"); | |
267 return NGX_ERROR; | |
268 } | |
269 | |
969 | 270 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) { |
271 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
272 "SSL_CTX_set_ex_data() failed"); | |
273 return NGX_ERROR; | |
274 } | |
275 | |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
276 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
277 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
278 "SSL_CTX_set_ex_data() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
279 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
280 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
281 |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
282 ssl->buffer_size = NGX_SSL_BUFSIZE; |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
283 |
577 | 284 /* client side options */ |
285 | |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
286 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG |
577 | 287 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
288 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
289 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
290 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG |
577 | 291 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
292 #endif |
577 | 293 |
294 /* server side options */ | |
563 | 295 |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
296 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
563 | 297 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
298 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
299 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
300 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
563 | 301 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
302 #endif |
563 | 303 |
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
304 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
563 | 305 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); |
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
306 #endif |
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
307 |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
308 #ifdef SSL_OP_TLS_D5_BUG |
563 | 309 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
310 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
311 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
312 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG |
563 | 313 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
314 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
315 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
316 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
563 | 317 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
318 #endif |
563 | 319 |
2044 | 320 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
547 | 321 |
7318
3443fe40bdc7
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7317
diff
changeset
|
322 #if OPENSSL_VERSION_NUMBER >= 0x009080dfL |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
323 /* only in 0.9.8m+ */ |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
324 SSL_CTX_clear_options(ssl->ctx, |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
325 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
326 #endif |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
327 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
328 if (!(protocols & NGX_SSL_SSLv2)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
329 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
330 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
331 if (!(protocols & NGX_SSL_SSLv3)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
332 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
333 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
334 if (!(protocols & NGX_SSL_TLSv1)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
335 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); |
547 | 336 } |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
337 #ifdef SSL_OP_NO_TLSv1_1 |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
338 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
339 if (!(protocols & NGX_SSL_TLSv1_1)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
340 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
341 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
342 #endif |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
343 #ifdef SSL_OP_NO_TLSv1_2 |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
344 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
345 if (!(protocols & NGX_SSL_TLSv1_2)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
346 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
347 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
348 #endif |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
349 #ifdef SSL_OP_NO_TLSv1_3 |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
350 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
351 if (!(protocols & NGX_SSL_TLSv1_3)) { |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
352 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
353 } |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
354 #endif |
547 | 355 |
7372
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
356 #ifdef SSL_CTX_set_min_proto_version |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
357 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
358 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
359 #endif |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
360 |
7332
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
361 #ifdef TLS1_3_VERSION |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
362 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
363 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
364 #endif |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
365 |
4185
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
366 #ifdef SSL_OP_NO_COMPRESSION |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
367 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
368 #endif |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
369 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
370 #ifdef SSL_OP_NO_ANTI_REPLAY |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
371 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
372 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
373 |
7474
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
374 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
375 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
376 #endif |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
377 |
8573
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8571
diff
changeset
|
378 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF |
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8571
diff
changeset
|
379 SSL_CTX_set_options(ssl->ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); |
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8571
diff
changeset
|
380 #endif |
1a03af395f44
SSL: use of the SSL_OP_IGNORE_UNEXPECTED_EOF option.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8571
diff
changeset
|
381 |
4186
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
382 #ifdef SSL_MODE_RELEASE_BUFFERS |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
383 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
384 #endif |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
385 |
6036
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
386 #ifdef SSL_MODE_NO_AUTO_CHAIN |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
387 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
388 #endif |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
389 |
547 | 390 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
391 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
392 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
393 |
547 | 394 return NGX_OK; |
395 } | |
396 | |
397 | |
398 ngx_int_t | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
399 ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
400 ngx_array_t *keys, ngx_array_t *passwords) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
401 { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
402 ngx_str_t *cert, *key; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
403 ngx_uint_t i; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
404 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
405 cert = certs->elts; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
406 key = keys->elts; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
407 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
408 for (i = 0; i < certs->nelts; i++) { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
409 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
410 if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
411 != NGX_OK) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
412 { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
413 return NGX_ERROR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
414 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
415 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
416 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
417 return NGX_OK; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
418 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
419 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
420 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
421 ngx_int_t |
563 | 422 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
423 ngx_str_t *key, ngx_array_t *passwords) |
547 | 424 { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
425 char *err; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
426 X509 *x509; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
427 EVP_PKEY *pkey; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
428 STACK_OF(X509) *chain; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
429 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
430 x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
431 if (x509 == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
432 if (err != NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
433 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
434 "cannot load certificate \"%s\": %s", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
435 cert->data, err); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
436 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
437 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
438 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
439 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
440 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
441 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
442 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
443 "SSL_CTX_use_certificate(\"%s\") failed", cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
444 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
445 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
446 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
447 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
448 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
449 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
450 == 0) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
451 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
452 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
453 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
454 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
455 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
456 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
457 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
458 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
459 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
460 == 0) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
461 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
462 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
463 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
464 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
465 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
466 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
467 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
468 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
469 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
470 "SSL_CTX_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
471 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
472 sk_X509_pop_free(chain, X509_free); |
547 | 473 return NGX_ERROR; |
474 } | |
475 | |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
476 /* |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
477 * Note that x509 is not freed here, but will be instead freed in |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
478 * ngx_ssl_cleanup_ctx(). This is because we need to preserve all |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
479 * certificates to be able to iterate all of them through exdata |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
480 * (ngx_ssl_certificate_index, ngx_ssl_next_certificate_index), |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
481 * while OpenSSL can free a certificate if it is replaced with another |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
482 * certificate of the same type. |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
483 */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
484 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
485 #ifdef SSL_CTX_set0_chain |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
486 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
487 if (SSL_CTX_set0_chain(ssl->ctx, chain) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
488 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
489 "SSL_CTX_set0_chain(\"%s\") failed", cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
490 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
491 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
492 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
493 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
494 #else |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
495 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
496 int n; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
497 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
498 /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
499 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
500 n = sk_X509_num(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
501 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
502 while (n--) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
503 x509 = sk_X509_shift(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
504 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
505 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
506 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
507 "SSL_CTX_add_extra_chain_cert(\"%s\") failed", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
508 cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
509 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
510 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
511 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
512 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
513 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
514 sk_X509_free(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
515 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
516 #endif |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
517 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
518 pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
519 if (pkey == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
520 if (err != NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
521 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
522 "cannot load certificate key \"%s\": %s", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
523 key->data, err); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
524 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
525 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
526 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
527 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
528 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
529 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
530 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
531 "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
532 EVP_PKEY_free(pkey); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
533 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
534 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
535 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
536 EVP_PKEY_free(pkey); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
537 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
538 return NGX_OK; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
539 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
540 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
541 |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
542 ngx_int_t |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
543 ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
544 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords) |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
545 { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
546 char *err; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
547 X509 *x509; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
548 EVP_PKEY *pkey; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
549 STACK_OF(X509) *chain; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
550 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
551 x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
552 if (x509 == NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
553 if (err != NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
554 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
555 "cannot load certificate \"%s\": %s", |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
556 cert->data, err); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
557 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
558 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
559 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
560 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
561 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
562 if (SSL_use_certificate(c->ssl->connection, x509) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
563 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
564 "SSL_use_certificate(\"%s\") failed", cert->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
565 X509_free(x509); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
566 sk_X509_pop_free(chain, X509_free); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
567 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
568 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
569 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
570 X509_free(x509); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
571 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
572 #ifdef SSL_set0_chain |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
573 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
574 /* |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
575 * SSL_set0_chain() is only available in OpenSSL 1.0.2+, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
576 * but this function is only called via certificate callback, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
577 * which is only available in OpenSSL 1.0.2+ as well |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
578 */ |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
579 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
580 if (SSL_set0_chain(c->ssl->connection, chain) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
581 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
582 "SSL_set0_chain(\"%s\") failed", cert->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
583 sk_X509_pop_free(chain, X509_free); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
584 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
585 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
586 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
587 #endif |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
588 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
589 pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
590 if (pkey == NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
591 if (err != NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
592 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
593 "cannot load certificate key \"%s\": %s", |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
594 key->data, err); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
595 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
596 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
597 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
598 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
599 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
600 if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
601 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
602 "SSL_use_PrivateKey(\"%s\") failed", key->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
603 EVP_PKEY_free(pkey); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
604 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
605 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
606 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
607 EVP_PKEY_free(pkey); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
608 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
609 return NGX_OK; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
610 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
611 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
612 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
613 static X509 * |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
614 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
615 STACK_OF(X509) **chain) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
616 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
617 BIO *bio; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
618 X509 *x509, *temp; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
619 u_long n; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
620 |
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
621 if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
622 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
623 bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
624 cert->len - (sizeof("data:") - 1)); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
625 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
626 *err = "BIO_new_mem_buf() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
627 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
628 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
629 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
630 } else { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
631 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
632 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
633 != NGX_OK) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
634 { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
635 *err = NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
636 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
637 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
638 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
639 bio = BIO_new_file((char *) cert->data, "r"); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
640 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
641 *err = "BIO_new_file() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
642 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
643 } |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
644 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
645 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
646 /* certificate itself */ |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
647 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
648 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
649 if (x509 == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
650 *err = "PEM_read_bio_X509_AUX() failed"; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
651 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
652 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
653 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
654 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
655 /* rest of the chain */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
656 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
657 *chain = sk_X509_new_null(); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
658 if (*chain == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
659 *err = "sk_X509_new_null() failed"; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
660 BIO_free(bio); |
5384
cfbf1d1cc233
SSL: fixed possible memory and file descriptor leak on HUP signal.
Piotr Sikora <piotr@cloudflare.com>
parents:
5378
diff
changeset
|
661 X509_free(x509); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
662 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
663 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
664 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
665 for ( ;; ) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
666 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
667 temp = PEM_read_bio_X509(bio, NULL, NULL, NULL); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
668 if (temp == NULL) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
669 n = ERR_peek_last_error(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
670 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
671 if (ERR_GET_LIB(n) == ERR_LIB_PEM |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
672 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
673 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
674 /* end of file */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
675 ERR_clear_error(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
676 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
677 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
678 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
679 /* some real error */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
680 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
681 *err = "PEM_read_bio_X509() failed"; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
682 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
683 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
684 sk_X509_pop_free(*chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
685 return NULL; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
686 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
687 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
688 if (sk_X509_push(*chain, temp) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
689 *err = "sk_X509_push() failed"; |
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
690 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
691 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
692 sk_X509_pop_free(*chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
693 return NULL; |
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
694 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
695 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
696 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
697 BIO_free(bio); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
698 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
699 return x509; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
700 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
701 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
702 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
703 static EVP_PKEY * |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
704 ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
705 ngx_str_t *key, ngx_array_t *passwords) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
706 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
707 BIO *bio; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
708 EVP_PKEY *pkey; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
709 ngx_str_t *pwd; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
710 ngx_uint_t tries; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
711 pem_password_cb *cb; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
712 |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
713 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
714 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
715 #ifndef OPENSSL_NO_ENGINE |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
716 |
7476
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
717 u_char *p, *last; |
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
718 ENGINE *engine; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
719 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
720 p = key->data + sizeof("engine:") - 1; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
721 last = (u_char *) ngx_strchr(p, ':'); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
722 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
723 if (last == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
724 *err = "invalid syntax"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
725 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
726 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
727 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
728 *last = '\0'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
729 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
730 engine = ENGINE_by_id((char *) p); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
731 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
732 if (engine == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
733 *err = "ENGINE_by_id() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
734 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
735 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
736 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
737 *last++ = ':'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
738 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
739 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
740 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
741 if (pkey == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
742 *err = "ENGINE_load_private_key() failed"; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
743 ENGINE_free(engine); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
744 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
745 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
746 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
747 ENGINE_free(engine); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
748 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
749 return pkey; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
750 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
751 #else |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
752 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
753 *err = "loading \"engine:...\" certificate keys is not supported"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
754 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
755 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
756 #endif |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
757 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
758 |
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
759 if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
760 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
761 bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1, |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
762 key->len - (sizeof("data:") - 1)); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
763 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
764 *err = "BIO_new_mem_buf() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
765 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
766 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
767 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
768 } else { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
769 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
770 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
771 != NGX_OK) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
772 { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
773 *err = NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
774 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
775 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
776 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
777 bio = BIO_new_file((char *) key->data, "r"); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
778 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
779 *err = "BIO_new_file() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
780 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
781 } |
563 | 782 } |
783 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
784 if (passwords) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
785 tries = passwords->nelts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
786 pwd = passwords->elts; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
787 cb = ngx_ssl_password_callback; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
788 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
789 } else { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
790 tries = 1; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
791 pwd = NULL; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
792 cb = NULL; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
793 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
794 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
795 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
796 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
797 pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
798 if (pkey != NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
799 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
800 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
801 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
802 if (tries-- > 1) { |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
803 ERR_clear_error(); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
804 (void) BIO_reset(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
805 pwd++; |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
806 continue; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
807 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
808 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
809 *err = "PEM_read_bio_PrivateKey() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
810 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
811 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
812 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
813 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
814 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
815 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
816 return pkey; |
547 | 817 } |
818 | |
819 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
820 static int |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
821 ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
822 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
823 ngx_str_t *pwd = userdata; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
824 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
825 if (rwflag) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
826 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
827 "ngx_ssl_password_callback() is called for encryption"); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
828 return 0; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
829 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
830 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
831 if (pwd == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
832 return 0; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
833 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
834 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
835 if (pwd->len > (size_t) size) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
836 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
837 "password is truncated to %d bytes", size); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
838 } else { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
839 size = pwd->len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
840 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
841 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
842 ngx_memcpy(buf, pwd->data, size); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
843 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
844 return size; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
845 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
846 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
847 |
547 | 848 ngx_int_t |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
849 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
850 ngx_uint_t prefer_server_ciphers) |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
851 { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
852 if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
853 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
854 "SSL_CTX_set_cipher_list(\"%V\") failed", |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
855 ciphers); |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
856 return NGX_ERROR; |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
857 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
858 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
859 if (prefer_server_ciphers) { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
860 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
861 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
862 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
863 return NGX_OK; |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
864 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
865 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
866 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
867 ngx_int_t |
671 | 868 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
869 ngx_int_t depth) | |
647 | 870 { |
671 | 871 STACK_OF(X509_NAME) *list; |
872 | |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
873 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); |
671 | 874 |
875 SSL_CTX_set_verify_depth(ssl->ctx, depth); | |
876 | |
877 if (cert->len == 0) { | |
878 return NGX_OK; | |
879 } | |
880 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
881 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
647 | 882 return NGX_ERROR; |
883 } | |
884 | |
885 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) | |
886 == 0) | |
887 { | |
888 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
889 "SSL_CTX_load_verify_locations(\"%s\") failed", | |
890 cert->data); | |
891 return NGX_ERROR; | |
892 } | |
893 | |
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
894 /* |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
895 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
896 * while returning success |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
897 */ |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
898 |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
899 ERR_clear_error(); |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
900 |
671 | 901 list = SSL_load_client_CA_file((char *) cert->data); |
902 | |
903 if (list == NULL) { | |
904 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
905 "SSL_load_client_CA_file(\"%s\") failed", cert->data); | |
906 return NGX_ERROR; | |
907 } | |
908 | |
909 SSL_CTX_set_client_CA_list(ssl->ctx, list); | |
910 | |
647 | 911 return NGX_OK; |
912 } | |
913 | |
914 | |
2995 | 915 ngx_int_t |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
916 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
917 ngx_int_t depth) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
918 { |
7975
3dcb1aba894a
SSL: fixed unexpected certificate requests (ticket #2008).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7967
diff
changeset
|
919 SSL_CTX_set_verify(ssl->ctx, SSL_CTX_get_verify_mode(ssl->ctx), |
3dcb1aba894a
SSL: fixed unexpected certificate requests (ticket #2008).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7967
diff
changeset
|
920 ngx_ssl_verify_callback); |
7967
699f6e55bbb4
SSL: added verify callback to ngx_ssl_trusted_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7899
diff
changeset
|
921 |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
922 SSL_CTX_set_verify_depth(ssl->ctx, depth); |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
923 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
924 if (cert->len == 0) { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
925 return NGX_OK; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
926 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
927 |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
928 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
929 return NGX_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
930 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
931 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
932 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
933 == 0) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
934 { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
935 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
936 "SSL_CTX_load_verify_locations(\"%s\") failed", |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
937 cert->data); |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
938 return NGX_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
939 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
940 |
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
941 /* |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
942 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
943 * while returning success |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
944 */ |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
945 |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
946 ERR_clear_error(); |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
947 |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
948 return NGX_OK; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
949 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
950 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
951 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
952 ngx_int_t |
2995 | 953 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) |
954 { | |
955 X509_STORE *store; | |
956 X509_LOOKUP *lookup; | |
957 | |
958 if (crl->len == 0) { | |
959 return NGX_OK; | |
960 } | |
961 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
962 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) { |
2995 | 963 return NGX_ERROR; |
964 } | |
965 | |
966 store = SSL_CTX_get_cert_store(ssl->ctx); | |
967 | |
968 if (store == NULL) { | |
969 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
970 "SSL_CTX_get_cert_store() failed"); | |
971 return NGX_ERROR; | |
972 } | |
973 | |
974 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); | |
975 | |
976 if (lookup == NULL) { | |
977 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
978 "X509_STORE_add_lookup() failed"); | |
979 return NGX_ERROR; | |
980 } | |
981 | |
982 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM) | |
983 == 0) | |
984 { | |
985 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
986 "X509_LOOKUP_load_file(\"%s\") failed", crl->data); | |
987 return NGX_ERROR; | |
988 } | |
989 | |
990 X509_STORE_set_flags(store, | |
991 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
992 | |
993 return NGX_OK; | |
994 } | |
995 | |
996 | |
671 | 997 static int |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
998 ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) |
671 | 999 { |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
1000 #if (NGX_DEBUG) |
671 | 1001 char *subject, *issuer; |
1002 int err, depth; | |
1003 X509 *cert; | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1004 X509_NAME *sname, *iname; |
671 | 1005 ngx_connection_t *c; |
1006 ngx_ssl_conn_t *ssl_conn; | |
1007 | |
1008 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store, | |
1009 SSL_get_ex_data_X509_STORE_CTX_idx()); | |
1010 | |
1011 c = ngx_ssl_get_connection(ssl_conn); | |
1012 | |
8330
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
1013 if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) { |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
1014 return 1; |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
1015 } |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
1016 |
671 | 1017 cert = X509_STORE_CTX_get_current_cert(x509_store); |
1018 err = X509_STORE_CTX_get_error(x509_store); | |
1019 depth = X509_STORE_CTX_get_error_depth(x509_store); | |
1020 | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1021 sname = X509_get_subject_name(cert); |
8328
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1022 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1023 if (sname) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1024 subject = X509_NAME_oneline(sname, NULL, 0); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1025 if (subject == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1026 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1027 "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1028 } |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1029 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1030 } else { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1031 subject = NULL; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1032 } |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1033 |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1034 iname = X509_get_issuer_name(cert); |
8328
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1035 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1036 if (iname) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1037 issuer = X509_NAME_oneline(iname, NULL, 0); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1038 if (issuer == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1039 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1040 "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1041 } |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1042 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1043 } else { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1044 issuer = NULL; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1045 } |
671 | 1046 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1047 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, |
671 | 1048 "verify:%d, error:%d, depth:%d, " |
5775
294d020bbcfe
SSL: misplaced space in debug message.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5767
diff
changeset
|
1049 "subject:\"%s\", issuer:\"%s\"", |
8328
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1050 ok, err, depth, |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1051 subject ? subject : "(none)", |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1052 issuer ? issuer : "(none)"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1053 |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1054 if (subject) { |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1055 OPENSSL_free(subject); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1056 } |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1057 |
8328
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
1058 if (issuer) { |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1059 OPENSSL_free(issuer); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1060 } |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
1061 #endif |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1062 |
671 | 1063 return 1; |
1064 } | |
1065 | |
1066 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1067 static void |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1068 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1069 { |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1070 BIO *rbio, *wbio; |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1071 ngx_connection_t *c; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1072 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1073 #ifndef SSL_OP_NO_RENEGOTIATION |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1074 |
6982
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1075 if ((where & SSL_CB_HANDSHAKE_START) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1076 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1077 { |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1078 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1079 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1080 if (c->ssl->handshaked) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1081 c->ssl->renegotiation = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1082 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1083 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1084 } |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1085 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1086 #endif |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1087 |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1088 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1089 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1090 |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1091 if (!c->ssl->handshake_buffer_set) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1092 /* |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1093 * By default OpenSSL uses 4k buffer during a handshake, |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1094 * which is too low for long certificate chains and might |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1095 * result in extra round-trips. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1096 * |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1097 * To adjust a buffer size we detect that buffering was added |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1098 * to write side of the connection by comparing rbio and wbio. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1099 * If they are different, we assume that it's due to buffering |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1100 * added to wbio, and set buffer size. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1101 */ |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1102 |
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1103 rbio = SSL_get_rbio(ssl_conn); |
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1104 wbio = SSL_get_wbio(ssl_conn); |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1105 |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1106 if (rbio != wbio) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1107 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1108 c->ssl->handshake_buffer_set = 1; |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1109 } |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1110 } |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1111 } |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1112 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1113 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1114 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1115 ngx_array_t * |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1116 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1117 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1118 u_char *p, *last, *end; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1119 size_t len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1120 ssize_t n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1121 ngx_fd_t fd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1122 ngx_str_t *pwd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1123 ngx_array_t *passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1124 ngx_pool_cleanup_t *cln; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1125 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1126 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1127 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1128 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1129 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1130 |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1131 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1132 if (passwords == NULL) { |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1133 return NULL; |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1134 } |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1135 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1136 cln = ngx_pool_cleanup_add(cf->temp_pool, 0); |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1137 if (cln == NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1138 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1139 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1140 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1141 cln->handler = ngx_ssl_passwords_cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1142 cln->data = passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1143 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1144 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); |
7086 | 1145 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1146 if (fd == NGX_INVALID_FILE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1147 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1148 ngx_open_file_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1149 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1150 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1151 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1152 len = 0; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1153 last = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1154 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1155 do { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1156 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1157 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1158 if (n == -1) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1159 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1160 ngx_read_fd_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1161 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1162 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1163 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1164 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1165 end = last + n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1166 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1167 if (len && n == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1168 *end++ = LF; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1169 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1170 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1171 p = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1172 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1173 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1174 last = ngx_strlchr(last, end, LF); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1175 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1176 if (last == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1177 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1178 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1179 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1180 len = last++ - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1181 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1182 if (len && p[len - 1] == CR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1183 len--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1184 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1185 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1186 if (len) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1187 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1188 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1189 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1190 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1191 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1192 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1193 pwd->len = len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1194 pwd->data = ngx_pnalloc(cf->temp_pool, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1195 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1196 if (pwd->data == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1197 passwords->nelts--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1198 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1199 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1200 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1201 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1202 ngx_memcpy(pwd->data, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1203 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1204 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1205 p = last; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1206 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1207 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1208 len = end - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1209 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1210 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1211 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1212 "too long line in \"%s\"", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1213 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1214 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1215 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1216 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1217 ngx_memmove(buf, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1218 last = buf + len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1219 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1220 } while (n != 0); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1221 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1222 if (passwords->nelts == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1223 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1224 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1225 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1226 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1227 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1228 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1229 ngx_memzero(pwd, sizeof(ngx_str_t)); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1230 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1231 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1232 cleanup: |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1233 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1234 if (ngx_close_file(fd) == NGX_FILE_ERROR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1235 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1236 ngx_close_file_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1237 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1238 |
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1239 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1240 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1241 return passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1242 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1243 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1244 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1245 ngx_array_t * |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1246 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords) |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1247 { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1248 ngx_str_t *opwd, *pwd; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1249 ngx_uint_t i; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1250 ngx_array_t *pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1251 ngx_pool_cleanup_t *cln; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1252 static ngx_array_t empty_passwords; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1253 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1254 if (passwords == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1255 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1256 /* |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1257 * If there are no passwords, an empty array is used |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1258 * to make sure OpenSSL's default password callback |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1259 * won't block on reading from stdin. |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1260 */ |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1261 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1262 return &empty_passwords; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1263 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1264 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1265 /* |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1266 * Passwords are normally allocated from the temporary pool |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1267 * and cleared after parsing configuration. To be used at |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1268 * runtime they have to be copied to the configuration pool. |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1269 */ |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1270 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1271 pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t)); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1272 if (pwds == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1273 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1274 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1275 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1276 cln = ngx_pool_cleanup_add(cf->pool, 0); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1277 if (cln == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1278 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1279 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1280 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1281 cln->handler = ngx_ssl_passwords_cleanup; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1282 cln->data = pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1283 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1284 opwd = passwords->elts; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1285 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1286 for (i = 0; i < passwords->nelts; i++) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1287 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1288 pwd = ngx_array_push(pwds); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1289 if (pwd == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1290 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1291 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1292 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1293 pwd->len = opwd[i].len; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1294 pwd->data = ngx_pnalloc(cf->pool, pwd->len); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1295 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1296 if (pwd->data == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1297 pwds->nelts--; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1298 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1299 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1300 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1301 ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1302 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1303 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1304 return pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1305 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1306 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1307 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1308 static void |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1309 ngx_ssl_passwords_cleanup(void *data) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1310 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1311 ngx_array_t *passwords = data; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1312 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1313 ngx_str_t *pwd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1314 ngx_uint_t i; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1315 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1316 pwd = passwords->elts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1317 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1318 for (i = 0; i < passwords->nelts; i++) { |
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1319 ngx_explicit_memzero(pwd[i].data, pwd[i].len); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1320 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1321 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1322 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1323 |
547 | 1324 ngx_int_t |
2044 | 1325 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
1326 { | |
1327 BIO *bio; | |
1328 | |
1329 if (file->len == 0) { | |
1330 return NGX_OK; | |
1331 } | |
1332 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
1333 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
2044 | 1334 return NGX_ERROR; |
1335 } | |
1336 | |
1337 bio = BIO_new_file((char *) file->data, "r"); | |
1338 if (bio == NULL) { | |
1339 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1340 "BIO_new_file(\"%s\") failed", file->data); | |
1341 return NGX_ERROR; | |
1342 } | |
1343 | |
8570
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1344 #ifdef SSL_CTX_set_tmp_dh |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1345 { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1346 DH *dh; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1347 |
2044 | 1348 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); |
1349 if (dh == NULL) { | |
1350 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1351 "PEM_read_bio_DHparams(\"%s\") failed", file->data); | |
1352 BIO_free(bio); | |
1353 return NGX_ERROR; | |
1354 } | |
1355 | |
8566
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8565
diff
changeset
|
1356 if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) { |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8565
diff
changeset
|
1357 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8565
diff
changeset
|
1358 "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data); |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8565
diff
changeset
|
1359 DH_free(dh); |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8565
diff
changeset
|
1360 BIO_free(bio); |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8565
diff
changeset
|
1361 return NGX_ERROR; |
34a3a1a2d197
SSL: SSL_CTX_set_tmp_dh() error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8565
diff
changeset
|
1362 } |
2044 | 1363 |
1364 DH_free(dh); | |
8570
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1365 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1366 #else |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1367 { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1368 EVP_PKEY *dh; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1369 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1370 /* |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1371 * PEM_read_bio_DHparams() and SSL_CTX_set_tmp_dh() |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1372 * are deprecated in OpenSSL 3.0 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1373 */ |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1374 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1375 dh = PEM_read_bio_Parameters(bio, NULL); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1376 if (dh == NULL) { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1377 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1378 "PEM_read_bio_Parameters(\"%s\") failed", file->data); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1379 BIO_free(bio); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1380 return NGX_ERROR; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1381 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1382 |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1383 if (SSL_CTX_set0_tmp_dh_pkey(ssl->ctx, dh) != 1) { |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1384 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1385 "SSL_CTX_set0_tmp_dh_pkey(\%s\") failed", file->data); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1386 BIO_free(bio); |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1387 return NGX_ERROR; |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1388 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1389 } |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1390 #endif |
1e0fabbe01c7
SSL: using SSL_CTX_set0_tmp_dh_pkey() with OpenSSL 3.0 in dhparam.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8568
diff
changeset
|
1391 |
2044 | 1392 BIO_free(bio); |
1393 | |
1394 return NGX_OK; | |
1395 } | |
1396 | |
4522 | 1397 |
3960 | 1398 ngx_int_t |
1399 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) | |
1400 { | |
1401 #ifndef OPENSSL_NO_ECDH | |
1402 | |
1403 /* | |
1404 * Elliptic-Curve Diffie-Hellman parameters are either "named curves" | |
4572
67653855682e
Fixed spelling in multiline C comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4522
diff
changeset
|
1405 * from RFC 4492 section 5.1.1, or explicitly described curves over |
6552 | 1406 * binary fields. OpenSSL only supports the "named curves", which provide |
3960 | 1407 * maximum interoperability. |
1408 */ | |
1409 | |
6983
3518287d995e
SSL: compatibility with OpenSSL master branch.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6982
diff
changeset
|
1410 #if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1411 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1412 /* |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1413 * OpenSSL 1.0.2+ allows configuring a curve list instead of a single |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1414 * curve previously supported. By default an internal list is used, |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1415 * with prime256v1 being preferred by server in OpenSSL 1.0.2b+ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1416 * and X25519 in OpenSSL 1.1.0+. |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1417 * |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1418 * By default a curve preferred by the client will be used for |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1419 * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1420 * be used to prefer server curves instead, similar to what it |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1421 * does for ciphers. |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1422 */ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1423 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1424 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1425 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1426 #if SSL_CTRL_SET_ECDH_AUTO |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1427 /* not needed in OpenSSL 1.1.0+ */ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1428 SSL_CTX_set_ecdh_auto(ssl->ctx, 1); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1429 #endif |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1430 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1431 if (ngx_strcmp(name->data, "auto") == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1432 return NGX_OK; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1433 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1434 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1435 if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1436 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1437 "SSL_CTX_set1_curves_list(\"%s\") failed", name->data); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1438 return NGX_ERROR; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1439 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1440 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1441 #else |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1442 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1443 int nid; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1444 char *curve; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1445 EC_KEY *ecdh; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1446 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1447 if (ngx_strcmp(name->data, "auto") == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1448 curve = "prime256v1"; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1449 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1450 } else { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1451 curve = (char *) name->data; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1452 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1453 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1454 nid = OBJ_sn2nid(curve); |
3960 | 1455 if (nid == 0) { |
1456 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1457 "OBJ_sn2nid(\"%s\") failed: unknown curve", curve); |
3960 | 1458 return NGX_ERROR; |
1459 } | |
1460 | |
1461 ecdh = EC_KEY_new_by_curve_name(nid); | |
1462 if (ecdh == NULL) { | |
1463 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1464 "EC_KEY_new_by_curve_name(\"%s\") failed", curve); |
3960 | 1465 return NGX_ERROR; |
1466 } | |
1467 | |
5003
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1468 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1469 |
3960 | 1470 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); |
1471 | |
1472 EC_KEY_free(ecdh); | |
1473 #endif | |
1474 #endif | |
1475 | |
1476 return NGX_OK; | |
1477 } | |
2044 | 1478 |
4522 | 1479 |
2044 | 1480 ngx_int_t |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1481 ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1482 { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1483 if (!enable) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1484 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1485 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1486 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1487 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1488 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1489 /* BoringSSL */ |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1490 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1491 SSL_CTX_set_early_data_enabled(ssl->ctx, 1); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1492 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1493 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1494 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1495 /* OpenSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1496 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1497 SSL_CTX_set_max_early_data(ssl->ctx, NGX_SSL_BUFSIZE); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1498 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1499 #else |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1500 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1501 "\"ssl_early_data\" is not supported on this platform, " |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1502 "ignored"); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1503 #endif |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1504 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1505 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1506 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1507 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1508 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1509 ngx_int_t |
8182
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1510 ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands) |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1511 { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1512 if (commands == NULL) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1513 return NGX_OK; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1514 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1515 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1516 #ifdef SSL_CONF_FLAG_FILE |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1517 { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1518 int type; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1519 u_char *key, *value; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1520 ngx_uint_t i; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1521 ngx_keyval_t *cmd; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1522 SSL_CONF_CTX *cctx; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1523 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1524 cctx = SSL_CONF_CTX_new(); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1525 if (cctx == NULL) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1526 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1527 "SSL_CONF_CTX_new() failed"); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1528 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1529 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1530 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1531 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1532 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1533 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1534 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1535 SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1536 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1537 SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1538 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1539 cmd = commands->elts; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1540 for (i = 0; i < commands->nelts; i++) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1541 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1542 key = cmd[i].key.data; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1543 type = SSL_CONF_cmd_value_type(cctx, (char *) key); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1544 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1545 if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1546 if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1547 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1548 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1549 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1550 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1551 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1552 value = cmd[i].value.data; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1553 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1554 if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1555 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1556 "SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1557 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1558 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1559 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1560 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1561 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1562 if (SSL_CONF_CTX_finish(cctx) != 1) { |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1563 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1564 "SSL_CONF_finish() failed"); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1565 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1566 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1567 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1568 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1569 SSL_CONF_CTX_free(cctx); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1570 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1571 return NGX_OK; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1572 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1573 #else |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1574 ngx_log_error(NGX_LOG_EMERG, ssl->log, 0, |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1575 "SSL_CONF_cmd() is not available on this platform"); |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1576 return NGX_ERROR; |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1577 #endif |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1578 } |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1579 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1580 |
3bff3f397c05
SSL: ssl_conf_command directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8112
diff
changeset
|
1581 ngx_int_t |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1582 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1583 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1584 if (!enable) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1585 return NGX_OK; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1586 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1587 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1588 SSL_CTX_set_session_cache_mode(ssl->ctx, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1589 SSL_SESS_CACHE_CLIENT |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1590 |SSL_SESS_CACHE_NO_INTERNAL); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1591 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1592 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1593 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1594 return NGX_OK; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1595 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1596 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1597 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1598 static int |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1599 ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1600 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1601 ngx_connection_t *c; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1602 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1603 c = ngx_ssl_get_connection(ssl_conn); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1604 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1605 if (c->ssl->save_session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1606 c->ssl->session = sess; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1607 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1608 c->ssl->save_session(c); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1609 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1610 c->ssl->session = NULL; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1611 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1612 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1613 return 0; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1614 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1615 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1616 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1617 ngx_int_t |
547 | 1618 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) |
577 | 1619 { |
547 | 1620 ngx_ssl_connection_t *sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1621 |
547 | 1622 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); |
1623 if (sc == NULL) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1624 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1625 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1626 |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1627 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
1628 sc->buffer_size = ssl->buffer_size; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1629 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1630 sc->session_ctx = ssl->ctx; |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1631 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1632 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1633 if (SSL_CTX_get_max_early_data(ssl->ctx)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1634 sc->try_early_data = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1635 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1636 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1637 |
547 | 1638 sc->connection = SSL_new(ssl->ctx); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1639 |
547 | 1640 if (sc->connection == NULL) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1641 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1642 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1643 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1644 |
547 | 1645 if (SSL_set_fd(sc->connection, c->fd) == 0) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1646 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed"); |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1647 return NGX_ERROR; |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1648 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1649 |
577 | 1650 if (flags & NGX_SSL_CLIENT) { |
1651 SSL_set_connect_state(sc->connection); | |
1652 | |
1653 } else { | |
1654 SSL_set_accept_state(sc->connection); | |
7319
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1655 |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1656 #ifdef SSL_OP_NO_RENEGOTIATION |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1657 SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION); |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1658 #endif |
577 | 1659 } |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1660 |
969 | 1661 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { |
671 | 1662 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); |
1663 return NGX_ERROR; | |
1664 } | |
1665 | |
547 | 1666 c->ssl = sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1667 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1668 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1669 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1670 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1671 |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1672 ngx_ssl_session_t * |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1673 ngx_ssl_get_session(ngx_connection_t *c) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1674 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1675 #ifdef TLS1_3_VERSION |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1676 if (c->ssl->session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1677 SSL_SESSION_up_ref(c->ssl->session); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1678 return c->ssl->session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1679 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1680 #endif |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1681 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1682 return SSL_get1_session(c->ssl->connection); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1683 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1684 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1685 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1686 ngx_ssl_session_t * |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1687 ngx_ssl_get0_session(ngx_connection_t *c) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1688 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1689 if (c->ssl->session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1690 return c->ssl->session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1691 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1692 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1693 return SSL_get0_session(c->ssl->connection); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1694 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1695 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1696 |
547 | 1697 ngx_int_t |
577 | 1698 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) |
1699 { | |
1700 if (session) { | |
1701 if (SSL_set_session(c->ssl->connection, session) == 0) { | |
1702 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed"); | |
1703 return NGX_ERROR; | |
1704 } | |
1705 } | |
1706 | |
1707 return NGX_OK; | |
1708 } | |
1709 | |
1710 | |
1711 ngx_int_t | |
547 | 1712 ngx_ssl_handshake(ngx_connection_t *c) |
1713 { | |
1714 int n, sslerr; | |
1715 ngx_err_t err; | |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1716 ngx_int_t rc; |
547 | 1717 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1718 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1719 if (c->ssl->try_early_data) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1720 return ngx_ssl_try_early_data(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1721 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1722 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1723 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1724 if (c->ssl->in_ocsp) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1725 return ngx_ssl_ocsp_validate(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1726 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1727 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1728 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1729 |
547 | 1730 n = SSL_do_handshake(c->ssl->connection); |
1731 | |
577 | 1732 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); |
547 | 1733 |
1734 if (n == 1) { | |
1735 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1736 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1737 return NGX_ERROR; |
1738 } | |
1739 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1740 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1741 return NGX_ERROR; |
1742 } | |
1743 | |
1744 #if (NGX_DEBUG) | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1745 ngx_ssl_handshake_log(c); |
547 | 1746 #endif |
1747 | |
1748 c->recv = ngx_ssl_recv; | |
1749 c->send = ngx_ssl_write; | |
577 | 1750 c->recv_chain = ngx_ssl_recv_chain; |
1751 c->send_chain = ngx_ssl_send_chain; | |
547 | 1752 |
8565
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8519
diff
changeset
|
1753 c->read->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8519
diff
changeset
|
1754 c->write->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8519
diff
changeset
|
1755 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1756 #ifndef SSL_OP_NO_RENEGOTIATION |
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1757 #if OPENSSL_VERSION_NUMBER < 0x10100000L |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1758 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1759 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1760 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
6995
eb5d119323d8
SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6983
diff
changeset
|
1761 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1762 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1763 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1764 |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1765 #endif |
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1766 #endif |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1767 #endif |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1768 |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1769 #ifdef BIO_get_ktls_send |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1770 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1771 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1772 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1773 "BIO_get_ktls_send(): 1"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1774 c->ssl->sendfile = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1775 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1776 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1777 #endif |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1778 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1779 rc = ngx_ssl_ocsp_validate(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1780 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1781 if (rc == NGX_ERROR) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1782 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1783 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1784 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1785 if (rc == NGX_AGAIN) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1786 c->read->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1787 c->write->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1788 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1789 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1790 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1791 c->ssl->handshaked = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1792 |
547 | 1793 return NGX_OK; |
1794 } | |
1795 | |
1796 sslerr = SSL_get_error(c->ssl->connection, n); | |
1797 | |
1798 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); | |
1799 | |
1800 if (sslerr == SSL_ERROR_WANT_READ) { | |
1801 c->read->ready = 0; | |
1802 c->read->handler = ngx_ssl_handshake_handler; | |
591 | 1803 c->write->handler = ngx_ssl_handshake_handler; |
547 | 1804 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1805 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1806 return NGX_ERROR; |
1807 } | |
1808 | |
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1809 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1810 return NGX_ERROR; |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1811 } |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1812 |
547 | 1813 return NGX_AGAIN; |
1814 } | |
1815 | |
1816 if (sslerr == SSL_ERROR_WANT_WRITE) { | |
1817 c->write->ready = 0; | |
591 | 1818 c->read->handler = ngx_ssl_handshake_handler; |
547 | 1819 c->write->handler = ngx_ssl_handshake_handler; |
1820 | |
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1821 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1822 return NGX_ERROR; |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1823 } |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1824 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1825 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1826 return NGX_ERROR; |
1827 } | |
1828 | |
1829 return NGX_AGAIN; | |
1830 } | |
1831 | |
1832 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; | |
1833 | |
1834 c->ssl->no_wait_shutdown = 1; | |
1835 c->ssl->no_send_shutdown = 1; | |
591 | 1836 c->read->eof = 1; |
547 | 1837 |
1838 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { | |
5747
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1839 ngx_connection_error(c, err, |
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1840 "peer closed connection in SSL handshake"); |
547 | 1841 |
1842 return NGX_ERROR; | |
1843 } | |
1844 | |
8185
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1845 if (c->ssl->handshake_rejected) { |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1846 ngx_connection_error(c, err, "handshake rejected"); |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1847 ERR_clear_error(); |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1848 |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1849 return NGX_ERROR; |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1850 } |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
1851 |
591 | 1852 c->read->error = 1; |
1853 | |
547 | 1854 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); |
1855 | |
1856 return NGX_ERROR; | |
1857 } | |
1858 | |
1859 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1860 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1861 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1862 static ngx_int_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1863 ngx_ssl_try_early_data(ngx_connection_t *c) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1864 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1865 int n, sslerr; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1866 u_char buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1867 size_t readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1868 ngx_err_t err; |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1869 ngx_int_t rc; |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1870 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1871 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1872 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1873 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1874 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1875 n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1876 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1877 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1878 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1879 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1880 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1881 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1882 return ngx_ssl_handshake(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1883 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1884 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1885 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1886 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1887 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1888 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1889 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1890 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1891 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1892 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1893 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1894 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1895 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1896 ngx_ssl_handshake_log(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1897 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1898 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1899 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1900 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1901 c->ssl->early_buf = buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1902 c->ssl->early_preread = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1903 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1904 c->ssl->in_early = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1905 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1906 c->recv = ngx_ssl_recv; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1907 c->send = ngx_ssl_write; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1908 c->recv_chain = ngx_ssl_recv_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1909 c->send_chain = ngx_ssl_send_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1910 |
8565
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8519
diff
changeset
|
1911 c->read->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8519
diff
changeset
|
1912 c->write->ready = 1; |
573bd30e46b4
SSL: set events ready flags after handshake.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8519
diff
changeset
|
1913 |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1914 #ifdef BIO_get_ktls_send |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1915 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1916 if (BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)) == 1) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1917 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1918 "BIO_get_ktls_send(): 1"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1919 c->ssl->sendfile = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1920 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1921 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1922 #endif |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
1923 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1924 rc = ngx_ssl_ocsp_validate(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1925 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1926 if (rc == NGX_ERROR) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1927 return NGX_ERROR; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1928 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1929 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1930 if (rc == NGX_AGAIN) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1931 c->read->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1932 c->write->handler = ngx_ssl_handshake_handler; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1933 return NGX_AGAIN; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1934 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1935 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1936 c->ssl->handshaked = 1; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
1937 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1938 return NGX_OK; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1939 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1940 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1941 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1942 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1943 sslerr = SSL_get_error(c->ssl->connection, n); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1944 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1945 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1946 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1947 if (sslerr == SSL_ERROR_WANT_READ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1948 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1949 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1950 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1951 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1952 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1953 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1954 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1955 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1956 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1957 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1958 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1959 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1960 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1961 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1962 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1963 if (sslerr == SSL_ERROR_WANT_WRITE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1964 c->write->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1965 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1966 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1967 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1968 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1969 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1970 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1971 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1972 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1973 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1974 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1975 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1976 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1977 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1978 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1979 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1980 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1981 c->ssl->no_wait_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1982 c->ssl->no_send_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1983 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1984 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1985 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1986 ngx_connection_error(c, err, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1987 "peer closed connection in SSL handshake"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1988 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1989 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1990 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1991 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1992 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1993 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1994 ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1995 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1996 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1997 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1998 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1999 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2000 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2001 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2002 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2003 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2004 static void |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2005 ngx_ssl_handshake_log(ngx_connection_t *c) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2006 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2007 char buf[129], *s, *d; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2008 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2009 const |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2010 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2011 SSL_CIPHER *cipher; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2012 |
8330
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
2013 if (!(c->log->log_level & NGX_LOG_DEBUG_EVENT)) { |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
2014 return; |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
2015 } |
51e6a665523c
SSL: added check for debugging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8329
diff
changeset
|
2016 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2017 cipher = SSL_get_current_cipher(c->ssl->connection); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2018 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2019 if (cipher) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2020 SSL_CIPHER_description(cipher, &buf[1], 128); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2021 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2022 for (s = &buf[1], d = buf; *s; s++) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2023 if (*s == ' ' && *d == ' ') { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2024 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2025 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2026 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2027 if (*s == LF || *s == CR) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2028 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2029 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2030 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2031 *++d = *s; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2032 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2033 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2034 if (*d != ' ') { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2035 d++; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2036 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2037 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2038 *d = '\0'; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2039 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2040 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2041 "SSL: %s, cipher: \"%s\"", |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2042 SSL_get_version(c->ssl->connection), &buf[1]); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2043 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2044 if (SSL_session_reused(c->ssl->connection)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2045 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2046 "SSL reused session"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2047 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2048 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2049 } else { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2050 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2051 "SSL no shared ciphers"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2052 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2053 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2054 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2055 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2056 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2057 |
547 | 2058 static void |
2059 ngx_ssl_handshake_handler(ngx_event_t *ev) | |
2060 { | |
2061 ngx_connection_t *c; | |
2062 | |
2063 c = ev->data; | |
2064 | |
549 | 2065 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
577 | 2066 "SSL handshake handler: %d", ev->write); |
547 | 2067 |
591 | 2068 if (ev->timedout) { |
2069 c->ssl->handler(c); | |
2070 return; | |
2071 } | |
2072 | |
547 | 2073 if (ngx_ssl_handshake(c) == NGX_AGAIN) { |
2074 return; | |
2075 } | |
2076 | |
2077 c->ssl->handler(c); | |
2078 } | |
2079 | |
2080 | |
489 | 2081 ssize_t |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2082 ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit) |
577 | 2083 { |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2084 u_char *last; |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2085 ssize_t n, bytes, size; |
577 | 2086 ngx_buf_t *b; |
2087 | |
2088 bytes = 0; | |
2089 | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2090 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2091 last = b->last; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2092 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2093 for ( ;; ) { |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2094 size = b->end - last; |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2095 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2096 if (limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2097 if (bytes >= limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2098 return bytes; |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2099 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2100 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2101 if (bytes + size > limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2102 size = (ssize_t) (limit - bytes); |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2103 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2104 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2105 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
2106 n = ngx_ssl_recv(c, last, size); |
577 | 2107 |
2108 if (n > 0) { | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2109 last += n; |
577 | 2110 bytes += n; |
2111 | |
7582
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2112 if (!c->read->ready) { |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2113 return bytes; |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2114 } |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
2115 |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2116 if (last == b->end) { |
577 | 2117 cl = cl->next; |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2118 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2119 if (cl == NULL) { |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2120 return bytes; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2121 } |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2122 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2123 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
2124 last = b->last; |
577 | 2125 } |
2126 | |
2127 continue; | |
2128 } | |
2129 | |
2130 if (bytes) { | |
2052
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2131 |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2132 if (n == 0 || n == NGX_ERROR) { |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2133 c->read->ready = 1; |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2134 } |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
2135 |
577 | 2136 return bytes; |
2137 } | |
2138 | |
2139 return n; | |
2140 } | |
2141 } | |
2142 | |
2143 | |
2144 ssize_t | |
489 | 2145 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2146 { |
489 | 2147 int n, bytes; |
2148 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2149 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2150 if (c->ssl->in_early) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2151 return ngx_ssl_recv_early(c, buf, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2152 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2153 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2154 |
489 | 2155 if (c->ssl->last == NGX_ERROR) { |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2156 c->read->error = 1; |
489 | 2157 return NGX_ERROR; |
2158 } | |
2159 | |
577 | 2160 if (c->ssl->last == NGX_DONE) { |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2161 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2162 c->read->eof = 1; |
577 | 2163 return 0; |
2164 } | |
2165 | |
489 | 2166 bytes = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2167 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2168 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2169 |
489 | 2170 /* |
2171 * SSL_read() may return data in parts, so try to read | |
2172 * until SSL_read() would return no data | |
2173 */ | |
2174 | |
2175 for ( ;; ) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2176 |
543 | 2177 n = SSL_read(c->ssl->connection, buf, size); |
489 | 2178 |
577 | 2179 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2180 |
489 | 2181 if (n > 0) { |
2182 bytes += n; | |
2183 } | |
2184 | |
2185 c->ssl->last = ngx_ssl_handle_recv(c, n); | |
2186 | |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2187 if (c->ssl->last == NGX_OK) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2188 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2189 size -= n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2190 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2191 if (size == 0) { |
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2192 c->read->ready = 1; |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2193 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2194 if (c->read->available >= 0) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2195 c->read->available -= bytes; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2196 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2197 /* |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2198 * there can be data buffered at SSL layer, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2199 * so we post an event to continue reading on the next |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2200 * iteration of the event loop |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2201 */ |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2202 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2203 if (c->read->available < 0) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2204 c->read->available = 0; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2205 c->read->ready = 0; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2206 |
7617
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2207 if (c->read->posted) { |
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2208 ngx_delete_posted_event(c->read); |
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2209 } |
f1720934c45b
SSL: reworked posted next events again.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7612
diff
changeset
|
2210 |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2211 ngx_post_event(c->read, &ngx_posted_next_events); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2212 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2213 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2214 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2215 "SSL_read: avail:%d", c->read->available); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2216 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2217 } else { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2218 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2219 #if (NGX_HAVE_FIONREAD) |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2220 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2221 if (ngx_socket_nread(c->fd, &c->read->available) == -1) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2222 c->read->error = 1; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2223 ngx_connection_error(c, ngx_socket_errno, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2224 ngx_socket_nread_n " failed"); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2225 return NGX_ERROR; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2226 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2227 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2228 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2229 "SSL_read: avail:%d", c->read->available); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2230 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2231 #endif |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2232 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2233 |
489 | 2234 return bytes; |
577 | 2235 } |
489 | 2236 |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2237 buf += n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2238 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2239 continue; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2240 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2241 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2242 if (bytes) { |
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2243 if (c->ssl->last != NGX_AGAIN) { |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2244 c->read->ready = 1; |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2245 } |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2246 |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2247 return bytes; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2248 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2249 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2250 switch (c->ssl->last) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2251 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2252 case NGX_DONE: |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2253 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2254 c->read->eof = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2255 return 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2256 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2257 case NGX_ERROR: |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2258 c->read->error = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2259 |
4499
778ef9c3fd2d
Fixed spelling in single-line comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4497
diff
changeset
|
2260 /* fall through */ |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2261 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2262 case NGX_AGAIN: |
577 | 2263 return c->ssl->last; |
479 | 2264 } |
489 | 2265 } |
2266 } | |
2267 | |
2268 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2269 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2270 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2271 static ssize_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2272 ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2273 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2274 int n, bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2275 size_t readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2276 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2277 if (c->ssl->last == NGX_ERROR) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2278 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2279 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2280 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2281 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2282 if (c->ssl->last == NGX_DONE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2283 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2284 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2285 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2286 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2287 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2288 bytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2289 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2290 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2291 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2292 if (c->ssl->early_preread) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2293 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2294 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2295 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2296 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2297 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2298 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2299 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2300 *buf = c->ssl->early_buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2301 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2302 c->ssl->early_preread = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2303 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2304 bytes = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2305 size -= 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2306 buf += 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2307 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2308 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2309 if (c->ssl->write_blocked) { |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2310 return NGX_AGAIN; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2311 } |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2312 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2313 /* |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2314 * SSL_read_early_data() may return data in parts, so try to read |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2315 * until SSL_read_early_data() would return no data |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2316 */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2317 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2318 for ( ;; ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2319 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2320 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2321 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2322 n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2323 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2324 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2325 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2326 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2327 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2328 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2329 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2330 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2331 bytes += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2332 size -= readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2333 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2334 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2335 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2336 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2337 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2338 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2339 buf += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2340 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2341 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2342 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2343 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2344 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2345 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2346 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2347 c->ssl->in_early = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2348 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2349 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2350 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2351 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2352 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2353 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2354 return ngx_ssl_recv(c, buf, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2355 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2356 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2357 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2358 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2359 c->ssl->last = ngx_ssl_handle_recv(c, 0); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2360 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2361 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2362 if (c->ssl->last != NGX_AGAIN) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2363 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2364 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2365 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2366 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2367 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2368 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2369 switch (c->ssl->last) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2370 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2371 case NGX_DONE: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2372 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2373 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2374 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2375 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2376 case NGX_ERROR: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2377 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2378 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2379 /* fall through */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2380 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2381 case NGX_AGAIN: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2382 return c->ssl->last; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2383 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2384 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2385 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2386 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2387 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2388 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2389 |
489 | 2390 static ngx_int_t |
2391 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | |
2392 { | |
547 | 2393 int sslerr; |
2394 ngx_err_t err; | |
489 | 2395 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2396 #ifndef SSL_OP_NO_RENEGOTIATION |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2397 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2398 if (c->ssl->renegotiation) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2399 /* |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2400 * disable renegotiation (CVE-2009-3555): |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2401 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2402 * renegotiation gracefully, so drop connection here |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2403 */ |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2404 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2405 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2406 |
4236
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2407 while (ERR_peek_error()) { |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2408 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2409 "ignoring stale global SSL error"); |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2410 } |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2411 |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2412 ERR_clear_error(); |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2413 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2414 c->ssl->no_wait_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2415 c->ssl->no_send_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2416 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2417 return NGX_ERROR; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2418 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2419 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2420 #endif |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2421 |
489 | 2422 if (n > 0) { |
479 | 2423 |
473 | 2424 if (c->ssl->saved_write_handler) { |
2425 | |
509 | 2426 c->write->handler = c->ssl->saved_write_handler; |
473 | 2427 c->ssl->saved_write_handler = NULL; |
2428 c->write->ready = 1; | |
2429 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2430 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2431 return NGX_ERROR; |
2432 } | |
2433 | |
563 | 2434 ngx_post_event(c->write, &ngx_posted_events); |
473 | 2435 } |
2436 | |
489 | 2437 return NGX_OK; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2438 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2439 |
543 | 2440 sslerr = SSL_get_error(c->ssl->connection, n); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2441 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2442 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2443 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2444 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2445 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2446 if (sslerr == SSL_ERROR_WANT_READ) { |
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2447 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2448 if (c->ssl->saved_write_handler) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2449 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2450 c->write->handler = c->ssl->saved_write_handler; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2451 c->ssl->saved_write_handler = NULL; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2452 c->write->ready = 1; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2453 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2454 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2455 return NGX_ERROR; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2456 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2457 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2458 ngx_post_event(c->write, &ngx_posted_events); |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2459 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2460 |
455 | 2461 c->read->ready = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2462 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2463 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2464 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2465 if (sslerr == SSL_ERROR_WANT_WRITE) { |
539 | 2466 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2467 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2468 "SSL_read: want write"); |
473 | 2469 |
2470 c->write->ready = 0; | |
2471 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2472 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2473 return NGX_ERROR; |
2474 } | |
2475 | |
2476 /* | |
2477 * we do not set the timer because there is already the read event timer | |
2478 */ | |
2479 | |
2480 if (c->ssl->saved_write_handler == NULL) { | |
509 | 2481 c->ssl->saved_write_handler = c->write->handler; |
2482 c->write->handler = ngx_ssl_write_handler; | |
473 | 2483 } |
2484 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2485 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2486 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2487 |
547 | 2488 c->ssl->no_wait_shutdown = 1; |
2489 c->ssl->no_send_shutdown = 1; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2490 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2491 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
577 | 2492 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2493 "peer shutdown SSL cleanly"); | |
2494 return NGX_DONE; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2495 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2496 |
547 | 2497 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2498 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2499 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2500 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2501 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2502 |
489 | 2503 static void |
2504 ngx_ssl_write_handler(ngx_event_t *wev) | |
473 | 2505 { |
2506 ngx_connection_t *c; | |
2507 | |
2508 c = wev->data; | |
547 | 2509 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2510 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler"); |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2511 |
509 | 2512 c->read->handler(c->read); |
473 | 2513 } |
2514 | |
2515 | |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2516 /* |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2517 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer |
473 | 2518 * before the SSL_write() call to decrease a SSL overhead. |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2519 * |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2520 * Besides for protocols such as HTTP it is possible to always buffer |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2521 * the output to decrease a SSL overhead some more. |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2522 */ |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2523 |
489 | 2524 ngx_chain_t * |
2525 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2526 { |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2527 int n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2528 ngx_uint_t flush; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2529 ssize_t send, size, file_size; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2530 ngx_buf_t *buf; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2531 ngx_chain_t *cl; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2532 |
2280
6453161bf53e
always use buffer, if connection is buffered,
Igor Sysoev <igor@sysoev.ru>
parents:
2165
diff
changeset
|
2533 if (!c->ssl->buffer) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2534 |
577 | 2535 while (in) { |
2536 if (ngx_buf_special(in->buf)) { | |
2537 in = in->next; | |
2538 continue; | |
2539 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2540 |
577 | 2541 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); |
2542 | |
2543 if (n == NGX_ERROR) { | |
2544 return NGX_CHAIN_ERROR; | |
2545 } | |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2546 |
577 | 2547 if (n == NGX_AGAIN) { |
2548 return in; | |
2549 } | |
2550 | |
2551 in->buf->pos += n; | |
2552 | |
2553 if (in->buf->pos == in->buf->last) { | |
2554 in = in->next; | |
2555 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2556 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2557 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2558 return in; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2559 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2560 |
473 | 2561 |
3962
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2562 /* the maximum limit size is the maximum int32_t value - the page size */ |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2563 |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2564 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2565 limit = NGX_MAX_INT32_VALUE - ngx_pagesize; |
473 | 2566 } |
2567 | |
577 | 2568 buf = c->ssl->buf; |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2569 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2570 if (buf == NULL) { |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2571 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2572 if (buf == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2573 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2574 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2575 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2576 c->ssl->buf = buf; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2577 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2578 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2579 if (buf->start == NULL) { |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2580 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2581 if (buf->start == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2582 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2583 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2584 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2585 buf->pos = buf->start; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2586 buf->last = buf->start; |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2587 buf->end = buf->start + c->ssl->buffer_size; |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2588 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2589 |
5023
70a35b7b63ea
SSL: take into account data in the buffer while limiting output.
Valentin Bartenev <vbart@nginx.com>
parents:
5022
diff
changeset
|
2590 send = buf->last - buf->pos; |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2591 flush = (in == NULL) ? 1 : buf->flush; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2592 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2593 for ( ;; ) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2594 |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2595 while (in && buf->last < buf->end && send < limit) { |
583 | 2596 if (in->buf->last_buf || in->buf->flush) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2597 flush = 1; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2598 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2599 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2600 if (ngx_buf_special(in->buf)) { |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2601 in = in->next; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2602 continue; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2603 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2604 |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2605 if (in->buf->in_file && c->ssl->sendfile) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2606 flush = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2607 break; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2608 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2609 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2610 size = in->buf->last - in->buf->pos; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2611 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2612 if (size > buf->end - buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2613 size = buf->end - buf->last; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2614 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2615 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2616 if (send + size > limit) { |
577 | 2617 size = (ssize_t) (limit - send); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2618 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2619 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2620 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
6480 | 2621 "SSL buf copy: %z", size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2622 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2623 ngx_memcpy(buf->last, in->buf->pos, size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2624 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2625 buf->last += size; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2626 in->buf->pos += size; |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2627 send += size; |
577 | 2628 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2629 if (in->buf->pos == in->buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2630 in = in->next; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2631 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2632 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2633 |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2634 if (!flush && send < limit && buf->last < buf->end) { |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2635 break; |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2636 } |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2637 |
5021
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2638 size = buf->last - buf->pos; |
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2639 |
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2640 if (size == 0) { |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2641 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2642 if (in && in->buf->in_file && send < limit) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2643 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2644 /* coalesce the neighbouring file bufs */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2645 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2646 cl = in; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2647 file_size = (size_t) ngx_chain_coalesce_file(&cl, limit - send); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2648 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2649 n = ngx_ssl_sendfile(c, in->buf, file_size); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2650 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2651 if (n == NGX_ERROR) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2652 return NGX_CHAIN_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2653 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2654 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2655 if (n == NGX_AGAIN) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2656 break; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2657 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2658 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2659 in = ngx_chain_update_sent(in, n); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2660 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2661 send += n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2662 flush = 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2663 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2664 continue; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2665 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2666 |
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2667 buf->flush = 0; |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2668 c->buffered &= ~NGX_SSL_BUFFERED; |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2669 |
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2670 return in; |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2671 } |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2672 |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2673 n = ngx_ssl_write(c, buf->pos, size); |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2674 |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2675 if (n == NGX_ERROR) { |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2676 return NGX_CHAIN_ERROR; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2677 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2678 |
511 | 2679 if (n == NGX_AGAIN) { |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2680 break; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2681 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2682 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2683 buf->pos += n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2684 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2685 if (n < size) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2686 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2687 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2688 |
5019
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2689 flush = 0; |
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2690 |
5018
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2691 buf->pos = buf->start; |
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2692 buf->last = buf->start; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2693 |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2694 if (in == NULL || send >= limit) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2695 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2696 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2697 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2698 |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2699 buf->flush = flush; |
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2700 |
597 | 2701 if (buf->pos < buf->last) { |
2702 c->buffered |= NGX_SSL_BUFFERED; | |
2703 | |
2704 } else { | |
2705 c->buffered &= ~NGX_SSL_BUFFERED; | |
2706 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2707 |
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
2708 return in; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2709 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2710 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2711 |
539 | 2712 ssize_t |
489 | 2713 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2714 { |
547 | 2715 int n, sslerr; |
2716 ngx_err_t err; | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2717 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2718 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2719 if (c->ssl->in_early) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2720 return ngx_ssl_write_early(c, data, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2721 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2722 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2723 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2724 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2725 |
6480 | 2726 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2727 |
543 | 2728 n = SSL_write(c->ssl->connection, data, size); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2729 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2730 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2731 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2732 if (n > 0) { |
539 | 2733 |
473 | 2734 if (c->ssl->saved_read_handler) { |
2735 | |
509 | 2736 c->read->handler = c->ssl->saved_read_handler; |
473 | 2737 c->ssl->saved_read_handler = NULL; |
2738 c->read->ready = 1; | |
2739 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2740 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2741 return NGX_ERROR; |
2742 } | |
2743 | |
563 | 2744 ngx_post_event(c->read, &ngx_posted_events); |
473 | 2745 } |
2746 | |
5986
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2747 c->sent += n; |
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2748 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2749 return n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2750 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2751 |
543 | 2752 sslerr = SSL_get_error(c->ssl->connection, n); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2753 |
8109
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2754 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2755 |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2756 /* |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2757 * OpenSSL 1.1.1 fails to return SSL_ERROR_SYSCALL if an error |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2758 * happens during SSL_write() after close_notify alert from the |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2759 * peer, and returns SSL_ERROR_ZERO_RETURN instead, |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2760 * https://git.openssl.org/?p=openssl.git;a=commitdiff;h=8051ab2 |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2761 */ |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2762 |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2763 sslerr = SSL_ERROR_SYSCALL; |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2764 } |
61011bfcdb49
SSL: workaround for incorrect SSL_write() errors in OpenSSL 1.1.1.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8039
diff
changeset
|
2765 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2766 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2767 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2768 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2769 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2770 if (sslerr == SSL_ERROR_WANT_WRITE) { |
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2771 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2772 if (c->ssl->saved_read_handler) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2773 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2774 c->read->handler = c->ssl->saved_read_handler; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2775 c->ssl->saved_read_handler = NULL; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2776 c->read->ready = 1; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2777 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2778 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2779 return NGX_ERROR; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2780 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2781 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2782 ngx_post_event(c->read, &ngx_posted_events); |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2783 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2784 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2785 c->write->ready = 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2786 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2787 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2788 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2789 if (sslerr == SSL_ERROR_WANT_READ) { |
452 | 2790 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2791 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2792 "SSL_write: want read"); |
473 | 2793 |
2794 c->read->ready = 0; | |
2795 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2796 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2797 return NGX_ERROR; |
2798 } | |
2799 | |
2800 /* | |
2801 * we do not set the timer because there is already | |
2802 * the write event timer | |
2803 */ | |
2804 | |
2805 if (c->ssl->saved_read_handler == NULL) { | |
509 | 2806 c->ssl->saved_read_handler = c->read->handler; |
2807 c->read->handler = ngx_ssl_read_handler; | |
473 | 2808 } |
2809 | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2810 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2811 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2812 |
547 | 2813 c->ssl->no_wait_shutdown = 1; |
2814 c->ssl->no_send_shutdown = 1; | |
591 | 2815 c->write->error = 1; |
543 | 2816 |
547 | 2817 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2818 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2819 return NGX_ERROR; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2820 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2821 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2822 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2823 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2824 |
8664
46a02ed7c966
Style: added missing "static" specifiers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8660
diff
changeset
|
2825 static ssize_t |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2826 ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2827 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2828 int n, sslerr; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2829 size_t written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2830 ngx_err_t err; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2831 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2832 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2833 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2834 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2835 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2836 written = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2837 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2838 n = SSL_write_early_data(c->ssl->connection, data, size, &written); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2839 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2840 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2841 "SSL_write_early_data: %d, %uz", n, written); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2842 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2843 if (n > 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2844 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2845 if (c->ssl->saved_read_handler) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2846 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2847 c->read->handler = c->ssl->saved_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2848 c->ssl->saved_read_handler = NULL; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2849 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2850 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2851 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2852 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2853 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2854 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2855 ngx_post_event(c->read, &ngx_posted_events); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2856 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2857 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2858 if (c->ssl->write_blocked) { |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2859 c->ssl->write_blocked = 0; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2860 ngx_post_event(c->read, &ngx_posted_events); |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2861 } |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2862 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2863 c->sent += written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2864 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2865 return written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2866 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2867 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2868 sslerr = SSL_get_error(c->ssl->connection, n); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2869 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2870 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2871 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2872 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2873 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2874 if (sslerr == SSL_ERROR_WANT_WRITE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2875 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2876 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2877 "SSL_write_early_data: want write"); |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2878 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2879 if (c->ssl->saved_read_handler) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2880 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2881 c->read->handler = c->ssl->saved_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2882 c->ssl->saved_read_handler = NULL; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2883 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2884 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2885 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2886 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2887 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2888 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2889 ngx_post_event(c->read, &ngx_posted_events); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2890 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2891 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2892 /* |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2893 * OpenSSL 1.1.1a fails to handle SSL_read_early_data() |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2894 * if an SSL_write_early_data() call blocked on writing, |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2895 * see https://github.com/openssl/openssl/issues/7757 |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2896 */ |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2897 |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2898 c->ssl->write_blocked = 1; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2899 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2900 c->write->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2901 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2902 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2903 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2904 if (sslerr == SSL_ERROR_WANT_READ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2905 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2906 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2907 "SSL_write_early_data: want read"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2908 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2909 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2910 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2911 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2912 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2913 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2914 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2915 /* |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2916 * we do not set the timer because there is already |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2917 * the write event timer |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2918 */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2919 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2920 if (c->ssl->saved_read_handler == NULL) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2921 c->ssl->saved_read_handler = c->read->handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2922 c->read->handler = ngx_ssl_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2923 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2924 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2925 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2926 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2927 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2928 c->ssl->no_wait_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2929 c->ssl->no_send_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2930 c->write->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2931 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2932 ngx_ssl_connection_error(c, sslerr, err, "SSL_write_early_data() failed"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2933 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2934 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2935 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2936 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2937 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2938 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2939 |
8665
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2940 static ssize_t |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2941 ngx_ssl_sendfile(ngx_connection_t *c, ngx_buf_t *file, size_t size) |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2942 { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2943 #ifdef BIO_get_ktls_send |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2944 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2945 int sslerr; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2946 ssize_t n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2947 ngx_err_t err; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2948 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2949 ngx_ssl_clear_error(c->log); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2950 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2951 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2952 "SSL to sendfile: @%O %uz", |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2953 file->file_pos, size); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2954 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2955 ngx_set_errno(0); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2956 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2957 n = SSL_sendfile(c->ssl->connection, file->file->fd, file->file_pos, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2958 size, 0); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2959 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2960 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2961 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2962 if (n > 0) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2963 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2964 if (c->ssl->saved_read_handler) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2965 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2966 c->read->handler = c->ssl->saved_read_handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2967 c->ssl->saved_read_handler = NULL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2968 c->read->ready = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2969 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2970 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2971 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2972 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2973 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2974 ngx_post_event(c->read, &ngx_posted_events); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2975 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2976 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2977 c->sent += n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2978 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2979 return n; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2980 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2981 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2982 if (n == 0) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2983 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2984 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2985 * if sendfile returns zero, then someone has truncated the file, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2986 * so the offset became beyond the end of the file |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2987 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2988 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2989 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2990 "SSL_sendfile() reported that \"%s\" was truncated at %O", |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2991 file->file->name.data, file->file_pos); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2992 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2993 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2994 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2995 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2996 sslerr = SSL_get_error(c->ssl->connection, n); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2997 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2998 if (sslerr == SSL_ERROR_ZERO_RETURN) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
2999 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3000 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3001 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3002 * happens during writing after close_notify alert from the |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3003 * peer, and returns SSL_ERROR_ZERO_RETURN instead |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3004 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3005 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3006 sslerr = SSL_ERROR_SYSCALL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3007 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3008 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3009 if (sslerr == SSL_ERROR_SSL |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3010 && ERR_GET_REASON(ERR_peek_error()) == SSL_R_UNINITIALIZED |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3011 && ngx_errno != 0) |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3012 { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3013 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3014 * OpenSSL fails to return SSL_ERROR_SYSCALL if an error |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3015 * happens in sendfile(), and returns SSL_ERROR_SSL with |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3016 * SSL_R_UNINITIALIZED reason instead |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3017 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3018 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3019 sslerr = SSL_ERROR_SYSCALL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3020 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3021 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3022 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3023 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3024 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3025 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3026 if (sslerr == SSL_ERROR_WANT_WRITE) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3027 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3028 if (c->ssl->saved_read_handler) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3029 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3030 c->read->handler = c->ssl->saved_read_handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3031 c->ssl->saved_read_handler = NULL; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3032 c->read->ready = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3033 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3034 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3035 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3036 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3037 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3038 ngx_post_event(c->read, &ngx_posted_events); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3039 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3040 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3041 c->write->ready = 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3042 return NGX_AGAIN; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3043 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3044 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3045 if (sslerr == SSL_ERROR_WANT_READ) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3046 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3047 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3048 "SSL_sendfile: want read"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3049 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3050 c->read->ready = 0; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3051 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3052 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3053 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3054 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3055 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3056 /* |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3057 * we do not set the timer because there is already |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3058 * the write event timer |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3059 */ |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3060 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3061 if (c->ssl->saved_read_handler == NULL) { |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3062 c->ssl->saved_read_handler = c->read->handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3063 c->read->handler = ngx_ssl_read_handler; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3064 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3065 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3066 return NGX_AGAIN; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3067 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3068 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3069 c->ssl->no_wait_shutdown = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3070 c->ssl->no_send_shutdown = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3071 c->write->error = 1; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3072 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3073 ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3074 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3075 #else |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3076 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3077 "SSL_sendfile() not available"); |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3078 #endif |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3079 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3080 return NGX_ERROR; |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3081 } |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3082 |
65946a191197
SSL: SSL_sendfile() support with kernel TLS.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8664
diff
changeset
|
3083 |
489 | 3084 static void |
3085 ngx_ssl_read_handler(ngx_event_t *rev) | |
473 | 3086 { |
3087 ngx_connection_t *c; | |
3088 | |
3089 c = rev->data; | |
547 | 3090 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
3091 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler"); |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
3092 |
509 | 3093 c->write->handler(c->write); |
473 | 3094 } |
3095 | |
3096 | |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3097 void |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3098 ngx_ssl_free_buffer(ngx_connection_t *c) |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3099 { |
1795
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3100 if (c->ssl->buf && c->ssl->buf->start) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3101 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3102 c->ssl->buf->start = NULL; |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
3103 } |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3104 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3105 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3106 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
3107 |
489 | 3108 ngx_int_t |
3109 ngx_ssl_shutdown(ngx_connection_t *c) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3110 { |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3111 int n, sslerr, mode; |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3112 ngx_int_t rc; |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3113 ngx_err_t err; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3114 ngx_uint_t tries; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3115 |
8003
b0953b020be7
SSL: fixed compilation without QUIC after 0d2b2664b41c.
Roman Arutyunyan <arut@nginx.com>
parents:
7986
diff
changeset
|
3116 #if (NGX_QUIC) |
8200
279ad36f2f4b
QUIC: renamed c->qs to c->quic.
Roman Arutyunyan <arut@nginx.com>
parents:
8188
diff
changeset
|
3117 if (c->quic) { |
7738
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7698
diff
changeset
|
3118 /* QUIC streams inherit SSL object */ |
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7698
diff
changeset
|
3119 return NGX_OK; |
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7698
diff
changeset
|
3120 } |
8003
b0953b020be7
SSL: fixed compilation without QUIC after 0d2b2664b41c.
Roman Arutyunyan <arut@nginx.com>
parents:
7986
diff
changeset
|
3121 #endif |
7738
7f0981be07c4
Fixed client certificate verification.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7698
diff
changeset
|
3122 |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3123 rc = NGX_OK; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3124 |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
3125 ngx_ssl_ocsp_cleanup(c); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
3126 |
6407
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3127 if (SSL_in_init(c->ssl->connection)) { |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3128 /* |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3129 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3130 * an SSL handshake, while previous versions always return 0. |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3131 * Avoid calling SSL_shutdown() if handshake wasn't completed. |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3132 */ |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3133 |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3134 goto done; |
6407
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3135 } |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
3136 |
8112
052ecc68d350
SSL: disabled shutdown when there are buffered data.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8111
diff
changeset
|
3137 if (c->timedout || c->error || c->buffered) { |
547 | 3138 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3139 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3140 |
547 | 3141 } else { |
3142 mode = SSL_get_shutdown(c->ssl->connection); | |
473 | 3143 |
547 | 3144 if (c->ssl->no_wait_shutdown) { |
3145 mode |= SSL_RECEIVED_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3146 } |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3147 |
547 | 3148 if (c->ssl->no_send_shutdown) { |
3149 mode |= SSL_SENT_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3150 } |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3151 |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3152 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3153 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
3154 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3155 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3156 |
547 | 3157 SSL_set_shutdown(c->ssl->connection, mode); |
3158 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3159 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3160 |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3161 tries = 2; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3162 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3163 for ( ;; ) { |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3164 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3165 /* |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3166 * For bidirectional shutdown, SSL_shutdown() needs to be called |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3167 * twice: first call sends the "close notify" alert and returns 0, |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3168 * second call waits for the peer's "close notify" alert. |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3169 */ |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3170 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3171 n = SSL_shutdown(c->ssl->connection); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3172 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3173 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3174 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3175 if (n == 1) { |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3176 goto done; |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3177 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3178 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3179 if (n == 0 && tries-- > 1) { |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3180 continue; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3181 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3182 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3183 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3184 |
543 | 3185 sslerr = SSL_get_error(c->ssl->connection, n); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3186 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3187 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
3188 "SSL_get_error: %d", sslerr); |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3189 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3190 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3191 c->read->handler = ngx_ssl_shutdown_handler; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3192 c->write->handler = ngx_ssl_shutdown_handler; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3193 |
8110
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8109
diff
changeset
|
3194 if (sslerr == SSL_ERROR_WANT_READ) { |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8109
diff
changeset
|
3195 c->read->ready = 0; |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8109
diff
changeset
|
3196 |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8109
diff
changeset
|
3197 } else { |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8109
diff
changeset
|
3198 c->write->ready = 0; |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8109
diff
changeset
|
3199 } |
adaec579a967
SSL: fixed event handling during shutdown.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8109
diff
changeset
|
3200 |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3201 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3202 goto failed; |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3203 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3204 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3205 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3206 goto failed; |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3207 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3208 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3209 ngx_add_timer(c->read, 3000); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3210 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3211 return NGX_AGAIN; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3212 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3213 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3214 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3215 goto done; |
8039
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3216 } |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3217 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3218 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3219 |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3220 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); |
09fb2135a589
SSL: fixed shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7975
diff
changeset
|
3221 |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3222 break; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3223 } |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3224 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3225 failed: |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3226 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3227 rc = NGX_ERROR; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3228 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3229 done: |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3230 |
8519
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8518
diff
changeset
|
3231 if (c->ssl->shutdown_without_free) { |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8518
diff
changeset
|
3232 c->ssl->shutdown_without_free = 0; |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8518
diff
changeset
|
3233 c->recv = ngx_recv; |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8518
diff
changeset
|
3234 return rc; |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8518
diff
changeset
|
3235 } |
5f765427c17a
Fixed SSL logging with lingering close.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8518
diff
changeset
|
3236 |
8518
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3237 SSL_free(c->ssl->connection); |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3238 c->ssl = NULL; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3239 c->recv = ngx_recv; |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3240 |
fecf645ff2f8
SSL: ngx_ssl_shutdown() rework.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8330
diff
changeset
|
3241 return rc; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3242 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3243 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
3244 |
547 | 3245 static void |
577 | 3246 ngx_ssl_shutdown_handler(ngx_event_t *ev) |
3247 { | |
3248 ngx_connection_t *c; | |
3249 ngx_connection_handler_pt handler; | |
3250 | |
3251 c = ev->data; | |
3252 handler = c->ssl->handler; | |
3253 | |
3254 if (ev->timedout) { | |
3255 c->timedout = 1; | |
3256 } | |
3257 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3258 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); |
577 | 3259 |
3260 if (ngx_ssl_shutdown(c) == NGX_AGAIN) { | |
3261 return; | |
3262 } | |
3263 | |
3264 handler(c); | |
3265 } | |
3266 | |
3267 | |
3268 static void | |
547 | 3269 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, |
3270 char *text) | |
3271 { | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3272 int n; |
547 | 3273 ngx_uint_t level; |
3274 | |
3275 level = NGX_LOG_CRIT; | |
3276 | |
3277 if (sslerr == SSL_ERROR_SYSCALL) { | |
3278 | |
3279 if (err == NGX_ECONNRESET | |
7560
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3280 #if (NGX_WIN32) |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3281 || err == NGX_ECONNABORTED |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
3282 #endif |
547 | 3283 || err == NGX_EPIPE |
3284 || err == NGX_ENOTCONN | |
589 | 3285 || err == NGX_ETIMEDOUT |
547 | 3286 || err == NGX_ECONNREFUSED |
1869
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3287 || err == NGX_ENETDOWN |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3288 || err == NGX_ENETUNREACH |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
3289 || err == NGX_EHOSTDOWN |
547 | 3290 || err == NGX_EHOSTUNREACH) |
3291 { | |
3292 switch (c->log_error) { | |
3293 | |
3294 case NGX_ERROR_IGNORE_ECONNRESET: | |
3295 case NGX_ERROR_INFO: | |
3296 level = NGX_LOG_INFO; | |
3297 break; | |
3298 | |
3299 case NGX_ERROR_ERR: | |
3300 level = NGX_LOG_ERR; | |
3301 break; | |
3302 | |
3303 default: | |
3304 break; | |
3305 } | |
3306 } | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3307 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3308 } else if (sslerr == SSL_ERROR_SSL) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3309 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3310 n = ERR_GET_REASON(ERR_peek_error()); |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3311 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3312 /* handshake failures */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3313 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3314 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3315 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3316 #endif |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3317 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3318 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3319 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3320 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ |
3718
bfd84b583868
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3516
diff
changeset
|
3321 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3322 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3323 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ |
7311
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3324 || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */ |
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
3325 || n == SSL_R_HTTP_REQUEST /* 156 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3326 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3327 #ifdef SSL_R_NO_CIPHERS_PASSED |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3328 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
3329 #endif |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3330 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3331 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3332 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3333 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3334 #ifdef SSL_R_CLIENTHELLO_TLSEXT |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3335 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3336 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3337 #ifdef SSL_R_PARSE_TLSEXT |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3338 || n == SSL_R_PARSE_TLSEXT /* 227 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3339 #endif |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3340 #ifdef SSL_R_CALLBACK_FAILED |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3341 || n == SSL_R_CALLBACK_FAILED /* 234 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
3342 #endif |
8660
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
3343 #ifdef SSL_R_NO_APPLICATION_PROTOCOL |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
3344 || n == SSL_R_NO_APPLICATION_PROTOCOL /* 235 */ |
b9e02e9b2f1d
Stream: the "ssl_alpn" directive.
Vladimir Homutov <vl@nginx.com>
parents:
8659
diff
changeset
|
3345 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3346 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3347 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
3348 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
3357
fc735aa50b8b
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
3349 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3350 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3351 || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
3352 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3353 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3354 #ifdef SSL_R_NO_SHARED_GROUP |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3355 || n == SSL_R_NO_SHARED_GROUP /* 266 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
3356 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3357 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3358 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3359 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3360 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3361 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3362 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3363 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3364 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3365 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3366 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3367 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3368 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
3369 #endif |
5902
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3370 #ifdef SSL_R_INAPPROPRIATE_FALLBACK |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3371 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
3372 #endif |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3373 #ifdef SSL_R_CERT_CB_ERROR |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3374 || n == SSL_R_CERT_CB_ERROR /* 377 */ |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
3375 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3376 #ifdef SSL_R_VERSION_TOO_LOW |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3377 || n == SSL_R_VERSION_TOO_LOW /* 396 */ |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
3378 #endif |
1877
a55876dff8f5
low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents:
1876
diff
changeset
|
3379 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3380 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3381 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3382 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3383 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3384 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3385 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3386 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3387 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3388 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3389 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3390 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3391 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3392 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3393 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3394 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3395 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3396 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3397 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3398 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3399 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3400 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3401 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3402 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3403 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3404 #endif |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3405 ) |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3406 { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3407 switch (c->log_error) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3408 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3409 case NGX_ERROR_IGNORE_ECONNRESET: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3410 case NGX_ERROR_INFO: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3411 level = NGX_LOG_INFO; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3412 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3413 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3414 case NGX_ERROR_ERR: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3415 level = NGX_LOG_ERR; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3416 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3417 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3418 default: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3419 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3420 } |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3421 } |
547 | 3422 } |
3423 | |
3424 ngx_ssl_error(level, c->log, err, text); | |
3425 } | |
3426 | |
3427 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3428 static void |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3429 ngx_ssl_clear_error(ngx_log_t *log) |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3430 { |
1868 | 3431 while (ERR_peek_error()) { |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3432 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3433 } |
1868 | 3434 |
3435 ERR_clear_error(); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3436 } |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3437 |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3438 |
583 | 3439 void ngx_cdecl |
489 | 3440 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) |
577 | 3441 { |
4877
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3442 int flags; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3443 u_long n; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3444 va_list args; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3445 u_char *p, *last; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3446 u_char errstr[NGX_MAX_CONF_ERRSTR]; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3447 const char *data; |
461 | 3448 |
3449 last = errstr + NGX_MAX_CONF_ERRSTR; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3450 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3451 va_start(args, fmt); |
2764
d4a717592877
use ngx_vslprintf(), ngx_slprintf()
Igor Sysoev <igor@sysoev.ru>
parents:
2720
diff
changeset
|
3452 p = ngx_vslprintf(errstr, last - 1, fmt, args); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3453 va_end(args); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3454 |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3455 if (ERR_peek_error()) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3456 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3457 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3458 for ( ;; ) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3459 |
8571
4195a6f0c61c
SSL: ERR_peek_error_line_data() compatibility with OpenSSL 3.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
8570
diff
changeset
|
3460 n = ERR_peek_error_data(&data, &flags); |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3461 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3462 if (n == 0) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3463 break; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3464 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3465 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3466 /* ERR_error_string_n() requires at least one byte */ |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3467 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3468 if (p >= last - 1) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3469 goto next; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3470 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3471 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3472 *p++ = ' '; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3473 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3474 ERR_error_string_n(n, (char *) p, last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3475 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3476 while (p < last && *p) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3477 p++; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3478 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3479 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3480 if (p < last && *data && (flags & ERR_TXT_STRING)) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3481 *p++ = ':'; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3482 p = ngx_cpystrn(p, (u_char *) data, last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3483 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3484 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3485 next: |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3486 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3487 (void) ERR_get_error(); |
1861 | 3488 } |
3489 | |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3490 if (p < last) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3491 *p++ = ')'; |
547 | 3492 } |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3493 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3494 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3495 ngx_log_error(level, log, err, "%*s", p - errstr, errstr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3496 } |
509 | 3497 |
3498 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3499 ngx_int_t |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3500 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3501 ngx_array_t *certificates, ssize_t builtin_session_cache, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3502 ngx_shm_zone_t *shm_zone, time_t timeout) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3503 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3504 long cache_mode; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3505 |
5424
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3506 SSL_CTX_set_timeout(ssl->ctx, (long) timeout); |
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3507 |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3508 if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3509 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3510 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3511 |
1778 | 3512 if (builtin_session_cache == NGX_SSL_NO_SCACHE) { |
3513 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); | |
3514 return NGX_OK; | |
3515 } | |
3516 | |
2032 | 3517 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { |
3518 | |
3519 /* | |
3520 * If the server explicitly says that it does not support | |
3521 * session reuse (see SSL_SESS_CACHE_OFF above), then | |
3522 * Outlook Express fails to upload a sent email to | |
3523 * the Sent Items folder on the IMAP server via a separate IMAP | |
6552 | 3524 * connection in the background. Therefore we have a special |
2032 | 3525 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE) |
3526 * where the server pretends that it supports session reuse, | |
3527 * but it does not actually store any session. | |
3528 */ | |
3529 | |
3530 SSL_CTX_set_session_cache_mode(ssl->ctx, | |
3531 SSL_SESS_CACHE_SERVER | |
3532 |SSL_SESS_CACHE_NO_AUTO_CLEAR | |
3533 |SSL_SESS_CACHE_NO_INTERNAL_STORE); | |
3534 | |
3535 SSL_CTX_sess_set_cache_size(ssl->ctx, 1); | |
3536 | |
3537 return NGX_OK; | |
3538 } | |
3539 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3540 cache_mode = SSL_SESS_CACHE_SERVER; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3541 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3542 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3543 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3544 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3545 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3546 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3547 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3548 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3549 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3550 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3551 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3552 } |
1015
32ebb6b13ff3
ssl_session_timeout was set only if builtin cache was used
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
3553 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3554 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3555 if (shm_zone) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3556 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3557 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3558 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3559 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3560 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3561 == 0) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3562 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3563 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3564 "SSL_CTX_set_ex_data() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3565 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3566 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3567 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3568 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3569 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3570 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3571 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3572 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3573 static ngx_int_t |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3574 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3575 ngx_array_t *certificates) |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3576 { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3577 int n, i; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3578 X509 *cert; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3579 X509_NAME *name; |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3580 ngx_str_t *certs; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3581 ngx_uint_t k; |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3582 EVP_MD_CTX *md; |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3583 unsigned int len; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3584 STACK_OF(X509_NAME) *list; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3585 u_char buf[EVP_MAX_MD_SIZE]; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3586 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3587 /* |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3588 * Session ID context is set based on the string provided, |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3589 * the server certificates, and the client CA list. |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3590 */ |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3591 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3592 md = EVP_MD_CTX_create(); |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3593 if (md == NULL) { |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3594 return NGX_ERROR; |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3595 } |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3596 |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3597 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3598 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3599 "EVP_DigestInit_ex() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3600 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3601 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3602 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3603 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3604 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3605 "EVP_DigestUpdate() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3606 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3607 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3608 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3609 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3610 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3611 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3612 { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3613 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3614 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3615 "X509_digest() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3616 goto failed; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3617 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3618 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3619 if (EVP_DigestUpdate(md, buf, len) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3620 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3621 "EVP_DigestUpdate() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3622 goto failed; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3623 } |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3624 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3625 |
8185
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
3626 if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
3627 && certificates != NULL) |
59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
Maxim Dounin <mdounin@mdounin.ru>
parents:
8182
diff
changeset
|
3628 { |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3629 /* |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3630 * If certificates are loaded dynamically, we use certificate |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3631 * names as specified in the configuration (with variables). |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3632 */ |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3633 |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3634 certs = certificates->elts; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3635 for (k = 0; k < certificates->nelts; k++) { |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3636 |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3637 if (EVP_DigestUpdate(md, certs[k].data, certs[k].len) == 0) { |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3638 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3639 "EVP_DigestUpdate() failed"); |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3640 goto failed; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3641 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3642 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3643 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3644 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3645 list = SSL_CTX_get_client_CA_list(ssl->ctx); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3646 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3647 if (list != NULL) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3648 n = sk_X509_NAME_num(list); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3649 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3650 for (i = 0; i < n; i++) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3651 name = sk_X509_NAME_value(list, i); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3652 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3653 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3654 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3655 "X509_NAME_digest() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3656 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3657 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3658 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3659 if (EVP_DigestUpdate(md, buf, len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3660 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3661 "EVP_DigestUpdate() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3662 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3663 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3664 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3665 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3666 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3667 if (EVP_DigestFinal_ex(md, buf, &len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3668 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
7455
992bf7540a98
SSL: fixed EVP_DigestFinal_ex() error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7454
diff
changeset
|
3669 "EVP_DigestFinal_ex() failed"); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3670 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3671 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3672 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3673 EVP_MD_CTX_destroy(md); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3674 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3675 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3676 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3677 "SSL_CTX_set_session_id_context() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3678 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3679 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3680 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3681 return NGX_OK; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3682 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3683 failed: |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3684 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3685 EVP_MD_CTX_destroy(md); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3686 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3687 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3688 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3689 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3690 |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3962
diff
changeset
|
3691 ngx_int_t |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3692 ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3693 { |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3694 size_t len; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3695 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3696 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3697 |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3698 if (data) { |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3699 shm_zone->data = data; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3700 return NGX_OK; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3701 } |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3702 |
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3703 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3704 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3705 if (shm_zone->shm.exists) { |
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3706 shm_zone->data = shpool->data; |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3707 return NGX_OK; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3708 } |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3709 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3710 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t)); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3711 if (cache == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3712 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3713 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3714 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3715 shpool->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3716 shm_zone->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3717 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3718 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel, |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3719 ngx_ssl_session_rbtree_insert_value); |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3720 |
1760 | 3721 ngx_queue_init(&cache->expire_queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3722 |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3723 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len; |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3724 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3725 shpool->log_ctx = ngx_slab_alloc(shpool, len); |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3726 if (shpool->log_ctx == NULL) { |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3727 return NGX_ERROR; |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3728 } |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3729 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3730 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z", |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3731 &shm_zone->shm.name); |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3732 |
5634
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3733 shpool->log_nomem = 0; |
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3734 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3735 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3736 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3737 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3738 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3739 /* |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3740 * The length of the session id is 16 bytes for SSLv2 sessions and |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3741 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3742 * It seems that the typical length of the external ASN1 representation |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3743 * of a session is 118 or 119 bytes for SSLv3/TSLv1. |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3744 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3745 * Thus on 32-bit platforms we allocate separately an rbtree node, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3746 * a session id, and an ASN1 representation, they take accordingly |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3747 * 64, 32, and 128 bytes. |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3748 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3749 * On 64-bit platforms we allocate separately an rbtree node + session_id, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3750 * and an ASN1 representation, they take accordingly 128 and 128 bytes. |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3751 * |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3752 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3753 * so they are outside the code locked by shared pool mutex |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3754 */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3755 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3756 static int |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3757 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3758 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3759 int len; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3760 u_char *p, *id, *cached_sess, *session_id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3761 uint32_t hash; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3762 SSL_CTX *ssl_ctx; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3763 unsigned int session_id_length; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3764 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3765 ngx_connection_t *c; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3766 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3767 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3768 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3769 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3770 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3771 len = i2d_SSL_SESSION(sess, NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3772 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3773 /* do not cache too big session */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3774 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3775 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3776 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3777 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3778 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3779 p = buf; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3780 i2d_SSL_SESSION(sess, &p); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3781 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3782 c = ngx_ssl_get_connection(ssl_conn); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3783 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3784 ssl_ctx = c->ssl->session_ctx; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3785 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3786 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3787 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3788 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3789 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3790 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3791 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3792 /* drop one or two expired sessions */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3793 ngx_ssl_expire_sessions(cache, shpool, 1); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3794 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3795 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3796 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3797 if (cached_sess == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3798 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3799 /* drop the oldest non-expired session and try once more */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3800 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3801 ngx_ssl_expire_sessions(cache, shpool, 0); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3802 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3803 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3804 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3805 if (cached_sess == NULL) { |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3806 sess_id = NULL; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3807 goto failed; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3808 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3809 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3810 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3811 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3812 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3813 if (sess_id == NULL) { |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3814 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3815 /* drop the oldest non-expired session and try once more */ |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3816 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3817 ngx_ssl_expire_sessions(cache, shpool, 0); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3818 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3819 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3820 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3821 if (sess_id == NULL) { |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3822 goto failed; |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3823 } |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3824 } |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3825 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3826 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3827 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3828 #if (NGX_PTR_SIZE == 8) |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3829 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3830 id = sess_id->sess_id; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3831 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3832 #else |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3833 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3834 id = ngx_slab_alloc_locked(shpool, session_id_length); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3835 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3836 if (id == NULL) { |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3837 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3838 /* drop the oldest non-expired session and try once more */ |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3839 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3840 ngx_ssl_expire_sessions(cache, shpool, 0); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3841 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3842 id = ngx_slab_alloc_locked(shpool, session_id_length); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3843 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3844 if (id == NULL) { |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3845 goto failed; |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3846 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3847 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3848 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3849 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3850 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3851 ngx_memcpy(cached_sess, buf, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3852 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3853 ngx_memcpy(id, session_id, session_id_length); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3854 |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3855 hash = ngx_crc32_short(session_id, session_id_length); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3856 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3857 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3858 "ssl new session: %08XD:%ud:%d", |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3859 hash, session_id_length, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3860 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3861 sess_id->node.key = hash; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3862 sess_id->node.data = (u_char) session_id_length; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3863 sess_id->id = id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3864 sess_id->len = len; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3865 sess_id->session = cached_sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3866 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
3867 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3868 |
1760 | 3869 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3870 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3871 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3872 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3873 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3874 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3875 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3876 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3877 failed: |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3878 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3879 if (cached_sess) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3880 ngx_slab_free_locked(shpool, cached_sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3881 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3882 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3883 if (sess_id) { |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3884 ngx_slab_free_locked(shpool, sess_id); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3885 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3886 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3887 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3888 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3889 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
5634
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3890 "could not allocate new session%s", shpool->log_ctx); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3891 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3892 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3893 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3894 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3895 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3896 static ngx_ssl_session_t * |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3897 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3898 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3899 const |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3900 #endif |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3901 u_char *id, int len, int *copy) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3902 { |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3903 size_t slen; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3904 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3905 ngx_int_t rc; |
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
3906 const u_char *p; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3907 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3908 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3909 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3910 ngx_ssl_session_t *sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3911 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3912 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3913 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3914 ngx_connection_t *c; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3915 |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3916 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3917 *copy = 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3918 |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3919 c = ngx_ssl_get_connection(ssl_conn); |
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3920 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3921 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3155 | 3922 "ssl get session: %08XD:%d", hash, len); |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3923 |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3924 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3925 ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3926 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3927 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3928 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3929 sess = NULL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3930 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3931 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3932 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3933 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3934 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3935 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3936 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3937 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3938 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3939 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3940 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3941 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3942 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3943 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3944 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3945 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3946 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3947 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3948 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3949 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3950 /* hash == node->key */ |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3951 |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3952 sess_id = (ngx_ssl_sess_id_t *) node; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3953 |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3954 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id, |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3955 (size_t) len, (size_t) node->data); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3956 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3957 if (rc == 0) { |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3958 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3959 if (sess_id->expire > ngx_time()) { |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3960 slen = sess_id->len; |
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3961 |
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3962 ngx_memcpy(buf, sess_id->session, slen); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3963 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3964 ngx_shmtx_unlock(&shpool->mutex); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3965 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3966 p = buf; |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3967 sess = d2i_SSL_SESSION(NULL, &p, slen); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3968 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3969 return sess; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3970 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3971 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3972 ngx_queue_remove(&sess_id->queue); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3973 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3974 ngx_rbtree_delete(&cache->session_rbtree, node); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3975 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3976 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3977 #if (NGX_PTR_SIZE == 4) |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3978 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3979 #endif |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3980 ngx_slab_free_locked(shpool, sess_id); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3981 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3982 sess = NULL; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3983 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3984 goto done; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3985 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3986 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3987 node = (rc < 0) ? node->left : node->right; |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3988 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3989 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3990 done: |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3991 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3992 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3993 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3994 return sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3995 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3996 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3997 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3998 void |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3999 ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4000 { |
6474 | 4001 SSL_CTX_remove_session(ssl, sess); |
4002 | |
4003 ngx_ssl_remove_session(ssl, sess); | |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4004 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4005 |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4006 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4007 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4008 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4009 { |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4010 u_char *id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4011 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4012 ngx_int_t rc; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4013 unsigned int len; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4014 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4015 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4016 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4017 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4018 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4019 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4020 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4021 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4022 if (shm_zone == NULL) { |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4023 return; |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4024 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
4025 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4026 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4027 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4028 id = (u_char *) SSL_SESSION_get_id(sess, &len); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4029 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4030 hash = ngx_crc32_short(id, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4031 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4032 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4033 "ssl remove session: %08XD:%ud", hash, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4034 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4035 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4036 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4037 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4038 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4039 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
4040 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4041 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4042 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4043 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4044 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4045 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4046 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4047 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4048 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4049 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4050 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4051 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4052 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4053 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4054 /* hash == node->key */ |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4055 |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4056 sess_id = (ngx_ssl_sess_id_t *) node; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4057 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4058 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4059 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4060 if (rc == 0) { |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4061 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4062 ngx_queue_remove(&sess_id->queue); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4063 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4064 ngx_rbtree_delete(&cache->session_rbtree, node); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4065 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4066 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4067 #if (NGX_PTR_SIZE == 4) |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4068 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4069 #endif |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4070 ngx_slab_free_locked(shpool, sess_id); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4071 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4072 goto done; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4073 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4074 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
4075 node = (rc < 0) ? node->left : node->right; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4076 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4077 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4078 done: |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
4079 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4080 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4081 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4082 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4083 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4084 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4085 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4086 ngx_slab_pool_t *shpool, ngx_uint_t n) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4087 { |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4088 time_t now; |
1760 | 4089 ngx_queue_t *q; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4090 ngx_ssl_sess_id_t *sess_id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4091 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4092 now = ngx_time(); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4093 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4094 while (n < 3) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4095 |
1760 | 4096 if (ngx_queue_empty(&cache->expire_queue)) { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4097 return; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4098 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4099 |
1760 | 4100 q = ngx_queue_last(&cache->expire_queue); |
4101 | |
4102 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); | |
4103 | |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
4104 if (n++ != 0 && sess_id->expire > now) { |
1439 | 4105 return; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4106 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4107 |
1760 | 4108 ngx_queue_remove(q); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4109 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4110 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4111 "expire session: %08Xi", sess_id->node.key); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4112 |
1760 | 4113 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); |
4114 | |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
4115 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4116 #if (NGX_PTR_SIZE == 4) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4117 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
4118 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4119 ngx_slab_free_locked(shpool, sess_id); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4120 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4121 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4122 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
4123 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4124 static void |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4125 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4126 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel) |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4127 { |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4128 ngx_rbtree_node_t **p; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4129 ngx_ssl_sess_id_t *sess_id, *sess_id_temp; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4130 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4131 for ( ;; ) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4132 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4133 if (node->key < temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4134 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4135 p = &temp->left; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4136 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4137 } else if (node->key > temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4138 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4139 p = &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4140 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4141 } else { /* node->key == temp->key */ |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4142 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4143 sess_id = (ngx_ssl_sess_id_t *) node; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4144 sess_id_temp = (ngx_ssl_sess_id_t *) temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4145 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4146 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id, |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4147 (size_t) node->data, (size_t) temp->data) |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4148 < 0) ? &temp->left : &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4149 } |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4150 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4151 if (*p == sentinel) { |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4152 break; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4153 } |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4154 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4155 temp = *p; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4156 } |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4157 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
4158 *p = node; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4159 node->parent = temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4160 node->left = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4161 node->right = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4162 ngx_rbt_red(node); |
1043
7073b87fa8e9
style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents:
1029
diff
changeset
|
4163 } |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4164 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
4165 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4166 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4167 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4168 ngx_int_t |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4169 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4170 { |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4171 u_char buf[80]; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4172 size_t size; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4173 ssize_t n; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4174 ngx_str_t *path; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4175 ngx_file_t file; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4176 ngx_uint_t i; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4177 ngx_array_t *keys; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4178 ngx_file_info_t fi; |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4179 ngx_pool_cleanup_t *cln; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4180 ngx_ssl_session_ticket_key_t *key; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4181 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4182 if (paths == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4183 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4184 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4185 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4186 keys = ngx_array_create(cf->pool, paths->nelts, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4187 sizeof(ngx_ssl_session_ticket_key_t)); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4188 if (keys == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4189 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4190 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4191 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4192 cln = ngx_pool_cleanup_add(cf->pool, 0); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4193 if (cln == NULL) { |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4194 return NGX_ERROR; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4195 } |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4196 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4197 cln->handler = ngx_ssl_session_ticket_keys_cleanup; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4198 cln->data = keys; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4199 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4200 path = paths->elts; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4201 for (i = 0; i < paths->nelts; i++) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4202 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4203 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4204 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4205 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4206 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4207 ngx_memzero(&file, sizeof(ngx_file_t)); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4208 file.name = path[i]; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4209 file.log = cf->log; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4210 |
7087
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4211 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, |
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
4212 NGX_FILE_OPEN, 0); |
7086 | 4213 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4214 if (file.fd == NGX_INVALID_FILE) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4215 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4216 ngx_open_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4217 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4218 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4219 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4220 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4221 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4222 ngx_fd_info_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4223 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4224 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4225 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4226 size = ngx_file_size(&fi); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4227 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4228 if (size != 48 && size != 80) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4229 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4230 "\"%V\" must be 48 or 80 bytes", &file.name); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4231 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4232 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4233 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4234 n = ngx_read_file(&file, buf, size, 0); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4235 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4236 if (n == NGX_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4237 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4238 ngx_read_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4239 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4240 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4241 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4242 if ((size_t) n != size) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4243 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4244 ngx_read_file_n " \"%V\" returned only " |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4245 "%z bytes instead of %uz", &file.name, n, size); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4246 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4247 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4248 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4249 key = ngx_array_push(keys); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4250 if (key == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4251 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4252 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4253 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4254 if (size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4255 key->size = 48; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4256 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4257 ngx_memcpy(key->aes_key, buf + 16, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4258 ngx_memcpy(key->hmac_key, buf + 32, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4259 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4260 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4261 key->size = 80; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4262 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4263 ngx_memcpy(key->hmac_key, buf + 16, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4264 ngx_memcpy(key->aes_key, buf + 48, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4265 } |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4266 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4267 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4268 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4269 ngx_close_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4270 } |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4271 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4272 ngx_explicit_memzero(&buf, 80); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4273 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4274 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4275 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4276 == 0) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4277 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4278 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4279 "SSL_CTX_set_ex_data() failed"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4280 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4281 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4282 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4283 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4284 ngx_ssl_session_ticket_key_callback) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4285 == 0) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4286 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4287 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4288 "nginx was built with Session Tickets support, however, " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4289 "now it is linked dynamically to an OpenSSL library " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4290 "which has no tlsext support, therefore Session Tickets " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4291 "are not available"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4292 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4293 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4294 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4295 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4296 failed: |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4297 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4298 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4299 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4300 ngx_close_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4301 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4302 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4303 ngx_explicit_memzero(&buf, 80); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4304 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4305 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4306 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4307 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4308 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4309 static int |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4310 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4311 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4312 HMAC_CTX *hctx, int enc) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4313 { |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4314 size_t size; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4315 SSL_CTX *ssl_ctx; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4316 ngx_uint_t i; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4317 ngx_array_t *keys; |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4318 ngx_connection_t *c; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4319 ngx_ssl_session_ticket_key_t *key; |
6686
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4320 const EVP_MD *digest; |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4321 const EVP_CIPHER *cipher; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4322 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4323 c = ngx_ssl_get_connection(ssl_conn); |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
4324 ssl_ctx = c->ssl->session_ctx; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4325 |
6686
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4326 #ifdef OPENSSL_NO_SHA256 |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4327 digest = EVP_sha1(); |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4328 #else |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4329 digest = EVP_sha256(); |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4330 #endif |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
4331 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4332 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4333 if (keys == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4334 return -1; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4335 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4336 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4337 key = keys->elts; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4338 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4339 if (enc == 1) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4340 /* encrypt session ticket */ |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4341 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4342 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8218
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
8185
diff
changeset
|
4343 "ssl session ticket encrypt, key: \"%*xs\" (%s session)", |
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
8185
diff
changeset
|
4344 (size_t) 16, key[0].name, |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4345 SSL_session_reused(ssl_conn) ? "reused" : "new"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4346 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4347 if (key[0].size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4348 cipher = EVP_aes_128_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4349 size = 16; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4350 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4351 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4352 cipher = EVP_aes_256_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4353 size = 32; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4354 } |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4355 |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4356 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4357 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4358 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4359 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4360 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4361 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4362 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4363 "EVP_EncryptInit_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4364 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4365 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4366 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4367 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4368 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4369 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4370 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4371 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4372 #else |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4373 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL); |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4374 #endif |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4375 |
5760
4b668378ad8b
Style: use ngx_memcpy() instead of memcpy().
Piotr Sikora <piotr@cloudflare.com>
parents:
5756
diff
changeset
|
4376 ngx_memcpy(name, key[0].name, 16); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4377 |
6660
3eb1a92a2f05
SSL: adopted session ticket handling for OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6659
diff
changeset
|
4378 return 1; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4379 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4380 } else { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4381 /* decrypt session ticket */ |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4382 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4383 for (i = 0; i < keys->nelts; i++) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4384 if (ngx_memcmp(name, key[i].name, 16) == 0) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4385 goto found; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4386 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4387 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4388 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4389 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8218
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
8185
diff
changeset
|
4390 "ssl session ticket decrypt, key: \"%*xs\" not found", |
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
8185
diff
changeset
|
4391 (size_t) 16, name); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4392 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4393 return 0; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4394 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4395 found: |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4396 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4397 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
8218
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
8185
diff
changeset
|
4398 "ssl session ticket decrypt, key: \"%*xs\"%s", |
a46fcf101cfc
Core: added format specifiers to output binary data as hex.
Vladimir Homutov <vl@nginx.com>
parents:
8185
diff
changeset
|
4399 (size_t) 16, key[i].name, (i == 0) ? " (default)" : ""); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4400 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4401 if (key[i].size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4402 cipher = EVP_aes_128_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4403 size = 16; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4404 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4405 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4406 cipher = EVP_aes_256_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4407 size = 32; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4408 } |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4409 |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4410 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4411 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4412 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4413 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4414 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4415 #else |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4416 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL); |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4417 #endif |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4418 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4419 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4420 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4421 "EVP_DecryptInit_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4422 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4423 } |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4424 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4425 return (i == 0) ? 1 : 2 /* renew */; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4426 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4427 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4428 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4429 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4430 static void |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4431 ngx_ssl_session_ticket_keys_cleanup(void *data) |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4432 { |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4433 ngx_array_t *keys = data; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4434 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4435 ngx_explicit_memzero(keys->elts, |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4436 keys->nelts * sizeof(ngx_ssl_session_ticket_key_t)); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4437 } |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4438 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4439 #else |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4440 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4441 ngx_int_t |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4442 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4443 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4444 if (paths) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4445 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
7074
07a49cce21ca
SSL: fixed typo in the error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6995
diff
changeset
|
4446 "\"ssl_session_ticket_key\" ignored, not supported"); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4447 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4448 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4449 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4450 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4451 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4452 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4453 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4454 |
509 | 4455 void |
4456 ngx_ssl_cleanup_ctx(void *data) | |
4457 { | |
589 | 4458 ngx_ssl_t *ssl = data; |
509 | 4459 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4460 X509 *cert, *next; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4461 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4462 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4463 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4464 while (cert) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4465 next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4466 X509_free(cert); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4467 cert = next; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4468 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4469 |
589 | 4470 SSL_CTX_free(ssl->ctx); |
509 | 4471 } |
541 | 4472 |
4473 | |
671 | 4474 ngx_int_t |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4475 ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4476 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4477 X509 *cert; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4478 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4479 cert = SSL_get_peer_certificate(c->ssl->connection); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4480 if (cert == NULL) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4481 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4482 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4483 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4484 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4485 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4486 /* X509_check_host() is only available in OpenSSL 1.0.2+ */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4487 |
5669
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4488 if (name->len == 0) { |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4489 goto failed; |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4490 } |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4491 |
5767
abd460ece11e
SSL: fix build with recent OpenSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5760
diff
changeset
|
4492 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4493 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4494 "X509_check_host(): no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4495 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4496 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4497 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4498 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4499 "X509_check_host(): match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4500 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4501 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4502 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4503 #else |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4504 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4505 int n, i; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4506 X509_NAME *sname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4507 ASN1_STRING *str; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4508 X509_NAME_ENTRY *entry; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4509 GENERAL_NAME *altname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4510 STACK_OF(GENERAL_NAME) *altnames; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4511 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4512 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4513 * As per RFC6125 and RFC2818, we check subjectAltName extension, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4514 * and if it's not present - commonName in Subject is checked. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4515 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4516 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4517 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4518 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4519 if (altnames) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4520 n = sk_GENERAL_NAME_num(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4521 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4522 for (i = 0; i < n; i++) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4523 altname = sk_GENERAL_NAME_value(altnames, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4524 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4525 if (altname->type != GEN_DNS) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4526 continue; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4527 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4528 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4529 str = altname->d.dNSName; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4530 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4531 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4532 "SSL subjectAltName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4533 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4534 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4535 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4536 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4537 "SSL subjectAltName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4538 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4539 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4540 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4541 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4542 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4543 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4544 "SSL subjectAltName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4545 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4546 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4547 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4548 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4549 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4550 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4551 * If there is no subjectAltName extension, check commonName |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4552 * in Subject. While RFC2818 requires to only check "most specific" |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4553 * CN, both Apache and OpenSSL check all CNs, and so do we. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4554 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4555 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4556 sname = X509_get_subject_name(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4557 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4558 if (sname == NULL) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4559 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4560 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4561 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4562 i = -1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4563 for ( ;; ) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4564 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4565 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4566 if (i < 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4567 break; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4568 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4569 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4570 entry = X509_NAME_get_entry(sname, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4571 str = X509_NAME_ENTRY_get_data(entry); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4572 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4573 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4574 "SSL commonName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4575 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4576 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4577 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4578 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4579 "SSL commonName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4580 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4581 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4582 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4583 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4584 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4585 "SSL commonName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4586 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4587 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4588 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4589 failed: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4590 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4591 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4592 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4593 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4594 found: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4595 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4596 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4597 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4598 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4599 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4600 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4601 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4602 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4603 static ngx_int_t |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4604 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4605 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4606 u_char *s, *p, *end; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4607 size_t slen, plen; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4608 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4609 s = name->data; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4610 slen = name->len; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4611 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4612 p = ASN1_STRING_data(pattern); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4613 plen = ASN1_STRING_length(pattern); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4614 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4615 if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4616 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4617 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4618 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4619 if (plen > 2 && p[0] == '*' && p[1] == '.') { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4620 plen -= 1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4621 p += 1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4622 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4623 end = s + slen; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4624 s = ngx_strlchr(s, end, '.'); |
5666
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4625 |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4626 if (s == NULL) { |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4627 return NGX_ERROR; |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4628 } |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4629 |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4630 slen = end - s; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4631 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4632 if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4633 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4634 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4635 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4636 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4637 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4638 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4639 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4640 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4641 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4642 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4643 ngx_int_t |
671 | 4644 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
611 | 4645 { |
671 | 4646 s->data = (u_char *) SSL_get_version(c->ssl->connection); |
4647 return NGX_OK; | |
611 | 4648 } |
4649 | |
4650 | |
671 | 4651 ngx_int_t |
4652 ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
611 | 4653 { |
671 | 4654 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection); |
4655 return NGX_OK; | |
611 | 4656 } |
4657 | |
4658 | |
647 | 4659 ngx_int_t |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4660 ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4661 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4662 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4663 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4664 int n, i, bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4665 size_t len; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4666 u_char *ciphers, *p; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4667 const SSL_CIPHER *cipher; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4668 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4669 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4670 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4671 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4672 if (n <= 0) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4673 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4674 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4675 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4676 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4677 len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4678 n /= bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4679 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4680 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4681 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4682 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4683 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4684 len += ngx_strlen(SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4685 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4686 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4687 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4688 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4689 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4690 len += sizeof(":") - 1; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4691 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4692 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4693 s->data = ngx_pnalloc(pool, len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4694 if (s->data == NULL) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4695 return NGX_ERROR; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4696 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4697 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4698 p = s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4699 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4700 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4701 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4702 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4703 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4704 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4705 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4706 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4707 p = ngx_sprintf(p, "0x"); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4708 p = ngx_hex_dump(p, ciphers + i * bytes, bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4709 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4710 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4711 *p++ = ':'; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4712 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4713 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4714 p--; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4715 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4716 s->len = p - s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4717 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4718 #else |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4719 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4720 u_char buf[4096]; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4721 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4722 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4723 == NULL) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4724 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4725 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4726 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4727 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4728 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4729 s->len = ngx_strlen(buf); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4730 s->data = ngx_pnalloc(pool, s->len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4731 if (s->data == NULL) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4732 return NGX_ERROR; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4733 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4734 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4735 ngx_memcpy(s->data, buf, s->len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4736 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4737 #endif |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4738 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4739 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4740 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4741 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4742 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4743 ngx_int_t |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4744 ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4745 { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4746 #ifdef SSL_CTRL_GET_CURVES |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4747 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4748 int *curves, n, i, nid; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4749 u_char *p; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4750 size_t len; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4751 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4752 n = SSL_get1_curves(c->ssl->connection, NULL); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4753 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4754 if (n <= 0) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4755 s->len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4756 return NGX_OK; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4757 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4758 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4759 curves = ngx_palloc(pool, n * sizeof(int)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4760 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4761 n = SSL_get1_curves(c->ssl->connection, curves); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4762 len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4763 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4764 for (i = 0; i < n; i++) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4765 nid = curves[i]; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4766 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4767 if (nid & TLSEXT_nid_unknown) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4768 len += sizeof("0x0000") - 1; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4769 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4770 } else { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4771 len += ngx_strlen(OBJ_nid2sn(nid)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4772 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4773 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4774 len += sizeof(":") - 1; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4775 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4776 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4777 s->data = ngx_pnalloc(pool, len); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4778 if (s->data == NULL) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4779 return NGX_ERROR; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4780 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4781 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4782 p = s->data; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4783 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4784 for (i = 0; i < n; i++) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4785 nid = curves[i]; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4786 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4787 if (nid & TLSEXT_nid_unknown) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4788 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4789 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4790 } else { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4791 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4792 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4793 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4794 *p++ = ':'; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4795 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4796 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4797 p--; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4798 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4799 s->len = p - s->data; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4800 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4801 #else |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4802 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4803 s->len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4804 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4805 #endif |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4806 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4807 return NGX_OK; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4808 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4809 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4810 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4811 ngx_int_t |
3154 | 4812 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
4813 { | |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4814 u_char *buf; |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4815 SSL_SESSION *sess; |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4816 unsigned int len; |
3154 | 4817 |
4818 sess = SSL_get0_session(c->ssl->connection); | |
5537
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4819 if (sess == NULL) { |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4820 s->len = 0; |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4821 return NGX_OK; |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4822 } |
3154 | 4823 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4824 buf = (u_char *) SSL_SESSION_get_id(sess, &len); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4825 |
3154 | 4826 s->len = 2 * len; |
4827 s->data = ngx_pnalloc(pool, 2 * len); | |
4828 if (s->data == NULL) { | |
4829 return NGX_ERROR; | |
4830 } | |
4831 | |
4832 ngx_hex_dump(s->data, buf, len); | |
4833 | |
4834 return NGX_OK; | |
4835 } | |
4836 | |
4837 | |
4838 ngx_int_t | |
5573
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4839 ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4840 { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4841 if (SSL_session_reused(c->ssl->connection)) { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4842 ngx_str_set(s, "r"); |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4843 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4844 } else { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4845 ngx_str_set(s, "."); |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4846 } |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4847 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4848 return NGX_OK; |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4849 } |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4850 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4851 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4852 ngx_int_t |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4853 ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4854 { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4855 s->len = 0; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4856 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4857 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4858 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4859 /* BoringSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4860 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4861 if (SSL_in_early_data(c->ssl->connection)) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4862 ngx_str_set(s, "1"); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4863 } |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4864 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4865 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4866 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4867 /* OpenSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4868 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4869 if (!SSL_is_init_finished(c->ssl->connection)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4870 ngx_str_set(s, "1"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4871 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4872 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4873 #endif |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4874 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4875 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4876 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4877 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4878 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4879 ngx_int_t |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4880 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4881 { |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4882 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4883 |
7092
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4884 size_t len; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4885 const char *name; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4886 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4887 name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4888 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4889 if (name) { |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4890 len = ngx_strlen(name); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4891 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4892 s->len = len; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4893 s->data = ngx_pnalloc(pool, len); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4894 if (s->data == NULL) { |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4895 return NGX_ERROR; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4896 } |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4897 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4898 ngx_memcpy(s->data, name, len); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4899 |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4900 return NGX_OK; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4901 } |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4902 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4903 #endif |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4904 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4905 s->len = 0; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4906 return NGX_OK; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4907 } |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4908 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4909 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4910 ngx_int_t |
8659
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4911 ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4912 { |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4913 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4914 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4915 unsigned int len; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4916 const unsigned char *data; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4917 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4918 SSL_get0_alpn_selected(c->ssl->connection, &data, &len); |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4919 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4920 if (len > 0) { |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4921 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4922 s->data = ngx_pnalloc(pool, len); |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4923 if (s->data == NULL) { |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4924 return NGX_ERROR; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4925 } |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4926 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4927 ngx_memcpy(s->data, data, len); |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4928 s->len = len; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4929 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4930 return NGX_OK; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4931 } |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4932 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4933 #endif |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4934 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4935 s->len = 0; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4936 return NGX_OK; |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4937 } |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4938 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4939 |
eb6c77e6d55d
SSL: added $ssl_alpn_protocol variable.
Vladimir Homutov <vl@nginx.com>
parents:
8575
diff
changeset
|
4940 ngx_int_t |
2123 | 4941 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2045 | 4942 { |
4943 size_t len; | |
4944 BIO *bio; | |
4945 X509 *cert; | |
4946 | |
4947 s->len = 0; | |
4948 | |
4949 cert = SSL_get_peer_certificate(c->ssl->connection); | |
4950 if (cert == NULL) { | |
4951 return NGX_OK; | |
4952 } | |
4953 | |
4954 bio = BIO_new(BIO_s_mem()); | |
4955 if (bio == NULL) { | |
4956 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); | |
4957 X509_free(cert); | |
4958 return NGX_ERROR; | |
4959 } | |
4960 | |
4961 if (PEM_write_bio_X509(bio, cert) == 0) { | |
4962 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed"); | |
4963 goto failed; | |
4964 } | |
4965 | |
4966 len = BIO_pending(bio); | |
4967 s->len = len; | |
4968 | |
2049 | 4969 s->data = ngx_pnalloc(pool, len); |
2045 | 4970 if (s->data == NULL) { |
4971 goto failed; | |
4972 } | |
4973 | |
4974 BIO_read(bio, s->data, len); | |
4975 | |
4976 BIO_free(bio); | |
4977 X509_free(cert); | |
4978 | |
4979 return NGX_OK; | |
4980 | |
4981 failed: | |
4982 | |
4983 BIO_free(bio); | |
4984 X509_free(cert); | |
4985 | |
4986 return NGX_ERROR; | |
4987 } | |
4988 | |
4989 | |
4990 ngx_int_t | |
2123 | 4991 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
4992 { | |
4993 u_char *p; | |
4994 size_t len; | |
4995 ngx_uint_t i; | |
4996 ngx_str_t cert; | |
4997 | |
4998 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { | |
4999 return NGX_ERROR; | |
5000 } | |
5001 | |
5002 if (cert.len == 0) { | |
5003 s->len = 0; | |
5004 return NGX_OK; | |
5005 } | |
5006 | |
5007 len = cert.len - 1; | |
5008 | |
5009 for (i = 0; i < cert.len - 1; i++) { | |
5010 if (cert.data[i] == LF) { | |
5011 len++; | |
5012 } | |
5013 } | |
5014 | |
5015 s->len = len; | |
5016 s->data = ngx_pnalloc(pool, len); | |
5017 if (s->data == NULL) { | |
5018 return NGX_ERROR; | |
5019 } | |
5020 | |
5021 p = s->data; | |
5022 | |
3002
bf0c7e58e016
fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents:
2997
diff
changeset
|
5023 for (i = 0; i < cert.len - 1; i++) { |
2123 | 5024 *p++ = cert.data[i]; |
5025 if (cert.data[i] == LF) { | |
5026 *p++ = '\t'; | |
5027 } | |
5028 } | |
5029 | |
5030 return NGX_OK; | |
5031 } | |
5032 | |
5033 | |
5034 ngx_int_t | |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5035 ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5036 ngx_str_t *s) |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5037 { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5038 ngx_str_t cert; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5039 uintptr_t n; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5040 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5041 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5042 return NGX_ERROR; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5043 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5044 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5045 if (cert.len == 0) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5046 s->len = 0; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5047 return NGX_OK; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5048 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5049 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5050 n = ngx_escape_uri(NULL, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5051 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5052 s->len = cert.len + n * 2; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5053 s->data = ngx_pnalloc(pool, s->len); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5054 if (s->data == NULL) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5055 return NGX_ERROR; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5056 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5057 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5058 ngx_escape_uri(s->data, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5059 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5060 return NGX_OK; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5061 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5062 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5063 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
5064 ngx_int_t |
647 | 5065 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5066 { | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5067 BIO *bio; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5068 X509 *cert; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5069 X509_NAME *name; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5070 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5071 s->len = 0; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5072 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5073 cert = SSL_get_peer_certificate(c->ssl->connection); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5074 if (cert == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5075 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5076 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5077 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5078 name = X509_get_subject_name(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5079 if (name == NULL) { |
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
5080 X509_free(cert); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5081 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5082 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5083 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5084 bio = BIO_new(BIO_s_mem()); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5085 if (bio == NULL) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5086 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5087 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5088 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5089 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5090 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5091 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5092 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5093 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5094 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5095 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5096 s->len = BIO_pending(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5097 s->data = ngx_pnalloc(pool, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5098 if (s->data == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5099 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5100 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5101 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5102 BIO_read(bio, s->data, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5103 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5104 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5105 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5106 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5107 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5108 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5109 failed: |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5110 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5111 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5112 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5113 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5114 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5115 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5116 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5117 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5118 ngx_int_t |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5119 ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5120 { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5121 BIO *bio; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5122 X509 *cert; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5123 X509_NAME *name; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5124 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5125 s->len = 0; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5126 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5127 cert = SSL_get_peer_certificate(c->ssl->connection); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5128 if (cert == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5129 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5130 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5131 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5132 name = X509_get_issuer_name(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5133 if (name == NULL) { |
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
5134 X509_free(cert); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5135 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5136 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5137 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5138 bio = BIO_new(BIO_s_mem()); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5139 if (bio == NULL) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5140 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5141 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5142 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5143 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5144 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5145 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5146 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_print_ex() failed"); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5147 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5148 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5149 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5150 s->len = BIO_pending(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5151 s->data = ngx_pnalloc(pool, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5152 if (s->data == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5153 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5154 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5155 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5156 BIO_read(bio, s->data, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5157 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5158 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5159 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5160 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5161 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5162 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5163 failed: |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5164 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5165 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5166 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5167 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5168 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5169 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5170 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5171 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5172 ngx_int_t |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5173 ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5174 ngx_str_t *s) |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5175 { |
647 | 5176 char *p; |
5177 size_t len; | |
5178 X509 *cert; | |
5179 X509_NAME *name; | |
5180 | |
5181 s->len = 0; | |
5182 | |
5183 cert = SSL_get_peer_certificate(c->ssl->connection); | |
5184 if (cert == NULL) { | |
5185 return NGX_OK; | |
5186 } | |
5187 | |
5188 name = X509_get_subject_name(cert); | |
5189 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5190 X509_free(cert); |
647 | 5191 return NGX_ERROR; |
5192 } | |
5193 | |
5194 p = X509_NAME_oneline(name, NULL, 0); | |
8328
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5195 if (p == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5196 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5197 X509_free(cert); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5198 return NGX_ERROR; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5199 } |
647 | 5200 |
5201 for (len = 0; p[len]; len++) { /* void */ } | |
5202 | |
5203 s->len = len; | |
2049 | 5204 s->data = ngx_pnalloc(pool, len); |
647 | 5205 if (s->data == NULL) { |
5206 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5207 X509_free(cert); |
647 | 5208 return NGX_ERROR; |
5209 } | |
5210 | |
5211 ngx_memcpy(s->data, p, len); | |
5212 | |
5213 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5214 X509_free(cert); |
647 | 5215 |
5216 return NGX_OK; | |
5217 } | |
5218 | |
5219 | |
5220 ngx_int_t | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5221 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
5222 ngx_str_t *s) |
647 | 5223 { |
5224 char *p; | |
5225 size_t len; | |
5226 X509 *cert; | |
5227 X509_NAME *name; | |
5228 | |
5229 s->len = 0; | |
5230 | |
5231 cert = SSL_get_peer_certificate(c->ssl->connection); | |
5232 if (cert == NULL) { | |
5233 return NGX_OK; | |
5234 } | |
5235 | |
5236 name = X509_get_issuer_name(cert); | |
5237 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5238 X509_free(cert); |
647 | 5239 return NGX_ERROR; |
5240 } | |
5241 | |
5242 p = X509_NAME_oneline(name, NULL, 0); | |
8328
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5243 if (p == NULL) { |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5244 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_NAME_oneline() failed"); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5245 X509_free(cert); |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5246 return NGX_ERROR; |
018a09b766ef
SSL: X509_NAME_oneline() error handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8250
diff
changeset
|
5247 } |
647 | 5248 |
5249 for (len = 0; p[len]; len++) { /* void */ } | |
5250 | |
5251 s->len = len; | |
2049 | 5252 s->data = ngx_pnalloc(pool, len); |
647 | 5253 if (s->data == NULL) { |
5254 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5255 X509_free(cert); |
647 | 5256 return NGX_ERROR; |
5257 } | |
5258 | |
5259 ngx_memcpy(s->data, p, len); | |
5260 | |
5261 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5262 X509_free(cert); |
647 | 5263 |
5264 return NGX_OK; | |
5265 } | |
5266 | |
5267 | |
671 | 5268 ngx_int_t |
5269 ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
5270 { | |
5271 size_t len; | |
5272 X509 *cert; | |
5273 BIO *bio; | |
5274 | |
5275 s->len = 0; | |
5276 | |
5277 cert = SSL_get_peer_certificate(c->ssl->connection); | |
5278 if (cert == NULL) { | |
5279 return NGX_OK; | |
5280 } | |
5281 | |
5282 bio = BIO_new(BIO_s_mem()); | |
5283 if (bio == NULL) { | |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5284 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5285 X509_free(cert); |
671 | 5286 return NGX_ERROR; |
5287 } | |
5288 | |
5289 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); | |
5290 len = BIO_pending(bio); | |
5291 | |
5292 s->len = len; | |
2049 | 5293 s->data = ngx_pnalloc(pool, len); |
671 | 5294 if (s->data == NULL) { |
5295 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5296 X509_free(cert); |
671 | 5297 return NGX_ERROR; |
5298 } | |
5299 | |
5300 BIO_read(bio, s->data, len); | |
5301 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
5302 X509_free(cert); |
671 | 5303 |
5304 return NGX_OK; | |
5305 } | |
5306 | |
5307 | |
2994 | 5308 ngx_int_t |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5309 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5310 { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5311 X509 *cert; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5312 unsigned int len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5313 u_char buf[EVP_MAX_MD_SIZE]; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5314 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5315 s->len = 0; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5316 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5317 cert = SSL_get_peer_certificate(c->ssl->connection); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5318 if (cert == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5319 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5320 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5321 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5322 if (!X509_digest(cert, EVP_sha1(), buf, &len)) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5323 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_digest() failed"); |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5324 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5325 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5326 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5327 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5328 s->len = 2 * len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5329 s->data = ngx_pnalloc(pool, 2 * len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5330 if (s->data == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5331 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5332 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5333 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5334 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5335 ngx_hex_dump(s->data, buf, len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5336 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5337 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5338 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5339 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5340 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5341 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5342 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
5343 ngx_int_t |
2994 | 5344 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5345 { | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5346 X509 *cert; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5347 long rc; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5348 const char *str; |
2994 | 5349 |
5350 cert = SSL_get_peer_certificate(c->ssl->connection); | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5351 if (cert == NULL) { |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3488
diff
changeset
|
5352 ngx_str_set(s, "NONE"); |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5353 return NGX_OK; |
2994 | 5354 } |
5355 | |
5356 X509_free(cert); | |
5357 | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5358 rc = SSL_get_verify_result(c->ssl->connection); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5359 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5360 if (rc == X509_V_OK) { |
7899
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5361 if (ngx_ssl_ocsp_get_status(c, &str) == NGX_OK) { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5362 ngx_str_set(s, "SUCCESS"); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5363 return NGX_OK; |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5364 } |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5365 |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5366 } else { |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5367 str = X509_verify_cert_error_string(rc); |
8409f9df6219
SSL: client certificate validation with OCSP (ticket #1534).
Roman Arutyunyan <arut@nginx.com>
parents:
7617
diff
changeset
|
5368 } |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5369 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5370 s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str)); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5371 if (s->data == NULL) { |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5372 return NGX_ERROR; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5373 } |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5374 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5375 s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
5376 |
2994 | 5377 return NGX_OK; |
5378 } | |
5379 | |
5380 | |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5381 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5382 ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5383 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5384 BIO *bio; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5385 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5386 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5387 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5388 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5389 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5390 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5391 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5392 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5393 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5394 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5395 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5396 if (bio == NULL) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5397 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5398 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5399 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5400 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5401 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5402 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5403 ASN1_TIME_print(bio, X509_get0_notBefore(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5404 #else |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5405 ASN1_TIME_print(bio, X509_get_notBefore(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5406 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5407 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5408 len = BIO_pending(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5409 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5410 s->len = len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5411 s->data = ngx_pnalloc(pool, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5412 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5413 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5414 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5415 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5416 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5417 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5418 BIO_read(bio, s->data, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5419 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5420 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5421 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5422 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5423 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5424 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5425 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5426 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5427 ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5428 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5429 BIO *bio; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5430 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5431 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5432 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5433 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5434 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5435 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5436 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5437 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5438 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5439 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5440 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5441 if (bio == NULL) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5442 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5443 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5444 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5445 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5446 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5447 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5448 ASN1_TIME_print(bio, X509_get0_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5449 #else |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5450 ASN1_TIME_print(bio, X509_get_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5451 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5452 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5453 len = BIO_pending(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5454 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5455 s->len = len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5456 s->data = ngx_pnalloc(pool, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5457 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5458 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5459 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5460 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5461 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5462 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5463 BIO_read(bio, s->data, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5464 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5465 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5466 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5467 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5468 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5469 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5470 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5471 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5472 ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5473 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5474 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5475 time_t now, end; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5476 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5477 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5478 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5479 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5480 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5481 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5482 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5483 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5484 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5485 end = ngx_ssl_parse_time(X509_get0_notAfter(cert), c->log); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5486 #else |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5487 end = ngx_ssl_parse_time(X509_get_notAfter(cert), c->log); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5488 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5489 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5490 if (end == (time_t) NGX_ERROR) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5491 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5492 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5493 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5494 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5495 now = ngx_time(); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5496 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5497 if (end < now + 86400) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5498 ngx_str_set(s, "0"); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5499 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5500 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5501 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5502 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5503 s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5504 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5505 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5506 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5507 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5508 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5509 s->len = ngx_sprintf(s->data, "%T", (end - now) / 86400) - s->data; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5510 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5511 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5512 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5513 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5514 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5515 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5516 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5517 static time_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5518 ngx_ssl_parse_time( |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5519 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5520 const |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5521 #endif |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5522 ASN1_TIME *asn1time, ngx_log_t *log) |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5523 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5524 BIO *bio; |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5525 char *value; |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5526 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5527 time_t time; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5528 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5529 /* |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5530 * OpenSSL doesn't provide a way to convert ASN1_TIME |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5531 * into time_t. To do this, we use ASN1_TIME_print(), |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5532 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g., |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5533 * "Feb 3 00:55:52 2015 GMT"), and parse the result. |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5534 */ |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5535 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5536 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5537 if (bio == NULL) { |
8329
3bed5797a1b7
SSL: added missed error reporting during variables evaluation.
Maxim Dounin <mdounin@mdounin.ru>
parents:
8328
diff
changeset
|
5538 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "BIO_new() failed"); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5539 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5540 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5541 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5542 /* fake weekday prepended to match C asctime() format */ |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5543 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5544 BIO_write(bio, "Tue ", sizeof("Tue ") - 1); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5545 ASN1_TIME_print(bio, asn1time); |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5546 len = BIO_get_mem_data(bio, &value); |
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5547 |
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5548 time = ngx_parse_http_time((u_char *) value, len); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5549 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5550 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5551 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5552 return time; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5553 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5554 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5555 |
541 | 5556 static void * |
5557 ngx_openssl_create_conf(ngx_cycle_t *cycle) | |
5558 { | |
5559 ngx_openssl_conf_t *oscf; | |
577 | 5560 |
541 | 5561 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t)); |
5562 if (oscf == NULL) { | |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2764
diff
changeset
|
5563 return NULL; |
541 | 5564 } |
577 | 5565 |
541 | 5566 /* |
5567 * set by ngx_pcalloc(): | |
577 | 5568 * |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5569 * oscf->engine = 0; |
577 | 5570 */ |
541 | 5571 |
5572 return oscf; | |
5573 } | |
5574 | |
5575 | |
5576 static char * | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5577 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
541 | 5578 { |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5579 #ifndef OPENSSL_NO_ENGINE |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5580 |
541 | 5581 ngx_openssl_conf_t *oscf = conf; |
571 | 5582 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5583 ENGINE *engine; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5584 ngx_str_t *value; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5585 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5586 if (oscf->engine) { |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5587 return "is duplicate"; |
541 | 5588 } |
577 | 5589 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5590 oscf->engine = 1; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5591 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5592 value = cf->args->elts; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5593 |
6552 | 5594 engine = ENGINE_by_id((char *) value[1].data); |
541 | 5595 |
5596 if (engine == NULL) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
5597 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5598 "ENGINE_by_id(\"%V\") failed", &value[1]); |
541 | 5599 return NGX_CONF_ERROR; |
5600 } | |
5601 | |
5602 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
5603 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
541 | 5604 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5605 &value[1]); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5606 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5607 ENGINE_free(engine); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5608 |
541 | 5609 return NGX_CONF_ERROR; |
5610 } | |
5611 | |
5612 ENGINE_free(engine); | |
5613 | |
5614 return NGX_CONF_OK; | |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5615 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5616 #else |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5617 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5618 return "is not supported"; |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5619 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5620 #endif |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5621 } |
571 | 5622 |
5623 | |
5624 static void | |
5625 ngx_openssl_exit(ngx_cycle_t *cycle) | |
5626 { | |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5627 #if OPENSSL_VERSION_NUMBER < 0x10100003L |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5628 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
5629 EVP_cleanup(); |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5630 #ifndef OPENSSL_NO_ENGINE |
571 | 5631 ENGINE_cleanup(); |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5632 #endif |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5633 |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5634 #endif |
571 | 5635 } |