0
|
1
|
|
2 /*
|
|
3 * Copyright (C) Igor Sysoev
|
|
4 */
|
|
5
|
|
6
|
|
7 #include <ngx_config.h>
|
|
8 #include <ngx_core.h>
|
|
9 #include <ngx_event.h>
|
|
10
|
90
|
11
|
|
/*
 * Configuration block of the core "openssl" module.  Its single directive,
 * "ssl_engine", fills in `engine` (see ngx_openssl_commands below).  The
 * block is allocated with ngx_pcalloc() in ngx_openssl_create_conf(), so an
 * unset directive leaves engine.len == 0 and engine.data == NULL.
 */
typedef struct {
    ngx_str_t  engine;    /* OpenSSL ENGINE id named by "ssl_engine" */
} ngx_openssl_conf_t;
|
28
|
15
|
0
|
16
|
38
|
/* forward declarations of the file-local helpers defined further down */

/* classifies the result of one SSL_read() for ngx_ssl_recv() */
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);

/*
 * stand-in event handlers: installed while a handshake makes the read path
 * wait for writability (ngx_ssl_handle_recv) or the write path wait for
 * readability (ngx_ssl_write); each one simply invokes the opposite handler
 */
static void ngx_ssl_write_handler(ngx_event_t *wev);
static void ngx_ssl_read_handler(ngx_event_t *rev);

static void *ngx_openssl_create_conf(ngx_cycle_t *cycle);
static char *ngx_openssl_init_conf(ngx_cycle_t *cycle, void *conf);

#if !(NGX_SSL_ENGINE)
/* "ssl_engine" handler for an SSL library built without ENGINE support */
static char *ngx_openssl_noengine(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
#endif
|
|
27
|
|
28
|
|
/*
 * Directives of the "openssl" core module.  "ssl_engine" is declared in
 * both builds: with ENGINE support it stores the engine id into
 * ngx_openssl_conf_t.engine, without it the directive is bound to
 * ngx_openssl_noengine() so that its use is rejected with an explicit
 * message rather than silently ignored.
 */
static ngx_command_t  ngx_openssl_commands[] = {

    { ngx_string("ssl_engine"),
      NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1,
#if (NGX_SSL_ENGINE)
      ngx_conf_set_str_slot,          /* stores the id as an ngx_str_t */
#else
      ngx_openssl_noengine,           /* always fails, see below */
#endif
      0,
      offsetof(ngx_openssl_conf_t, engine),
      NULL },

      ngx_null_command
};
|
|
44
|
|
45
|
|
/* core-module context: configuration name plus the create/init callbacks */
static ngx_core_module_t  ngx_openssl_module_ctx = {
    ngx_string("openssl"),
    ngx_openssl_create_conf,
    ngx_openssl_init_conf
};
|
|
51
|
|
52
|
|
/*
 * Module descriptor.  None of the master/module/process hooks are used:
 * library initialisation is done by ngx_ssl_init() below and the optional
 * engine is installed from ngx_openssl_init_conf().
 */
ngx_module_t  ngx_openssl_module = {
    NGX_MODULE_V1,
    &ngx_openssl_module_ctx,               /* module context */
    ngx_openssl_commands,                  /* module directives */
    NGX_CORE_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
|
0
|
67
|
|
68
|
38
|
/*
 * Process-wide initialisation of the OpenSSL library: registers the
 * algorithms, loads the human-readable error strings used by
 * ngx_ssl_error(), and, when built with ENGINE support, the built-in
 * engines.  `log` is accepted for interface symmetry only; it is not used.
 *
 * The return values of the library calls are not checked, so NGX_OK is the
 * only possible result.
 */
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
    SSL_library_init();
    SSL_load_error_strings();

#if (NGX_SSL_ENGINE)
    ENGINE_load_builtin_engines();
#endif

    return NGX_OK;
}
|
|
81
|
|
82
|
38
|
/*
 * Attaches a server-side SSL object to the connection `c`.
 *
 * A zeroed ngx_ssl_t is taken from the connection pool; with NGX_SSL_BUFFER
 * in `flags` an NGX_SSL_BUFSIZE staging buffer is allocated as well and
 * output buffering is switched on (see ngx_ssl_send_chain()).  The SSL
 * object is created from `ssl_ctx`, bound to c->fd and put into accept
 * state, i.e. this side acts as the server in the handshake.
 *
 * Returns NGX_OK and sets c->ssl, or NGX_ERROR; on failure c->ssl is left
 * untouched and the pool owns whatever was allocated.
 */
ngx_int_t
ngx_ssl_create_connection(ngx_ssl_ctx_t *ssl_ctx, ngx_connection_t *c,
    ngx_uint_t flags)
{
    SSL        *conn;
    ngx_ssl_t  *ssl;

    ssl = ngx_pcalloc(c->pool, sizeof(ngx_ssl_t));
    if (ssl == NULL) {
        return NGX_ERROR;
    }

    if (flags & NGX_SSL_BUFFER) {
        ssl->buffer = 1;
        ssl->buf = ngx_create_temp_buf(c->pool, NGX_SSL_BUFSIZE);

        if (ssl->buf == NULL) {
            return NGX_ERROR;
        }
    }

    conn = SSL_new(ssl_ctx);

    if (conn == NULL) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
        return NGX_ERROR;
    }

    ssl->connection = conn;

    if (SSL_set_fd(conn, c->fd) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
        return NGX_ERROR;
    }

    /* server role: the peer is expected to start the handshake */
    SSL_set_accept_state(conn);

    c->ssl = ssl;

    return NGX_OK;
}
|
|
121
|
|
122
|
38
|
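/*
 * Reads up to `size` bytes of plaintext from `c` into `buf`.
 *
 * SSL_read() may return data in parts, so the call is repeated until the
 * buffer is full or SSL_read() stops returning data.  The outcome of the
 * last SSL_read() is classified by ngx_ssl_handle_recv() and cached in
 * c->ssl->last, so once the connection has failed every later call returns
 * NGX_ERROR without touching the SSL object again.
 *
 * Returns the number of bytes read when any data arrived; otherwise the
 * ngx_ssl_handle_recv() verdict: NGX_AGAIN when the socket would block or a
 * handshake is pending, NGX_ERROR on close or failure.
 *
 * Changes against the previous revision: the debug-only cipher buffer no
 * longer shadows the `buf` parameter, its first byte is initialised before
 * the compaction loop compares against it, and the argument-less
 * "SSL reused session" message uses ngx_log_debug0().
 */
ssize_t
ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
{
    int  n, bytes;

    if (c->ssl->last == NGX_ERROR) {
        return NGX_ERROR;
    }

    bytes = 0;

    for ( ;; ) {

        /*
         * size is a size_t while SSL_read() takes an int; callers are
         * assumed to pass buffers well below INT_MAX — TODO(review) confirm
         */
        n = SSL_read(c->ssl->connection, buf, size);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);

        if (n > 0) {

            bytes += n;

#if (NGX_DEBUG)

            /*
             * log the negotiated cipher once, the first time data arrives
             * after the handshake has completed
             */

            if (!c->ssl->handshaked && SSL_is_init_finished(c->ssl->connection))
            {
                /* not named buf: that would shadow the output parameter */
                char         cipher_buf[129], *s, *d;
                SSL_CIPHER  *cipher;

                c->ssl->handshaked = 1;

                cipher = SSL_get_current_cipher(c->ssl->connection);

                if (cipher) {
                    /* the description is written from cipher_buf[1] on */
                    SSL_CIPHER_description(cipher, &cipher_buf[1], 128);

                    /*
                     * the loop below compares *s against *d while d still
                     * points at cipher_buf[0]; give that byte a defined
                     * value instead of reading an uninitialised one
                     */
                    cipher_buf[0] = '\0';

                    /*
                     * compact in place: squeeze runs of spaces and drop
                     * line breaks; d is always behind s, so the copy stays
                     * within the bytes already written
                     */
                    for (s = &cipher_buf[1], d = cipher_buf; *s; s++) {
                        if (*s == ' ' && *d == ' ') {
                            continue;
                        }

                        if (*s == LF || *s == CR) {
                            continue;
                        }

                        *++d = *s;
                    }

                    /* keep the last character unless it is a space */
                    if (*d != ' ') {
                        d++;
                    }

                    *d = '\0';

                    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                                   "SSL cipher: \"%s\"", &cipher_buf[1]);

                    if (SSL_session_reused(c->ssl->connection)) {
                        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                                       "SSL reused session");
                    }

                } else {
                    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                                   "SSL no shared ciphers");
                }
            }
#endif

        }

        c->ssl->last = ngx_ssl_handle_recv(c, n);

        if (c->ssl->last != NGX_OK) {

            /*
             * data already collected is returned first; the verdict stays
             * in c->ssl->last and is reported on the next call
             */

            if (bytes) {
                return bytes;

            } else {
                return c->ssl->last;
            }
        }

        size -= n;

        if (size == 0) {
            return bytes;
        }

        buf += n;
    }
}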
|
|
219
|
|
220
|
|
/*
 * Translates the result `n` of one SSL_read() on `c` into NGX_OK, NGX_AGAIN
 * or NGX_ERROR, re-arming the connection's events as needed.
 *
 *   n > 0            data arrived; a write handler parked by an earlier
 *                    SSL_ERROR_WANT_WRITE is restored and the write event
 *                    re-posted.  NGX_OK.
 *   WANT_READ        read event marked not ready.  NGX_AGAIN.
 *   WANT_WRITE       the peer's handshake needs to send: the write handler
 *                    is swapped for ngx_ssl_write_handler() so that
 *                    writability resumes the read path.  NGX_AGAIN.
 *   anything else    the connection is finished: both shutdown flags are
 *                    set for ngx_ssl_shutdown(), the reason is logged and
 *                    NGX_ERROR is returned.  A clean close (ZERO_RETURN, or
 *                    nothing in OpenSSL's error queue) is logged at INFO;
 *                    common socket errors at the level chosen by
 *                    c->log_error, everything else at CRIT.
 */
static ngx_int_t
ngx_ssl_handle_recv(ngx_connection_t *c, int n)
{
    int          sslerr;
    char        *handshake;
    ngx_err_t    err;
    ngx_uint_t   level;

    if (n > 0) {

        if (c->ssl->saved_write_handler) {

            c->write->handler = c->ssl->saved_write_handler;
            c->ssl->saved_write_handler = NULL;
            c->write->ready = 1;

            if (ngx_handle_write_event(c->write, 0) == NGX_ERROR) {
                return NGX_ERROR;
            }

            if (ngx_mutex_lock(ngx_posted_events_mutex) == NGX_ERROR) {
                return NGX_ERROR;
            }

            ngx_post_event(c->write);

            ngx_mutex_unlock(ngx_posted_events_mutex);
        }

        return NGX_OK;
    }

    sslerr = SSL_get_error(c->ssl->connection, n);

    /* errno is only meaningful for SSL_ERROR_SYSCALL; capture it at once */
    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    handshake = SSL_is_init_finished(c->ssl->connection)
                ? "" : " in SSL handshake";

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    switch (sslerr) {

    case SSL_ERROR_WANT_READ:
        c->read->ready = 0;
        return NGX_AGAIN;

    case SSL_ERROR_WANT_WRITE:

        /*
         * NOTE(review): a client-initiated renegotiation is accepted and
         * only logged here; nothing in this file bounds how often a peer
         * may do so — whether a limit is enforced elsewhere is not visible
         */

        ngx_log_error(NGX_LOG_INFO, c->log, err,
                      "client does SSL %shandshake",
                      SSL_is_init_finished(c->ssl->connection) ? "re" : "");

        c->write->ready = 0;

        if (ngx_handle_write_event(c->write, 0) == NGX_ERROR) {
            return NGX_ERROR;
        }

        /* no timer here: the read event's timer is already running */

        if (c->ssl->saved_write_handler == NULL) {
            c->ssl->saved_write_handler = c->write->handler;
            c->write->handler = ngx_ssl_write_handler;
        }

        return NGX_AGAIN;

    default:
        break;
    }

    /* every remaining outcome ends the connection */

    c->ssl->no_rcv_shut = 1;
    c->ssl->no_send_shut = 1;

    if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) {
        ngx_log_error(NGX_LOG_INFO, c->log, err,
                      "client closed connection%s", handshake);

        return NGX_ERROR;
    }

    level = NGX_LOG_CRIT;

    if (sslerr == SSL_ERROR_SYSCALL
        && (err == NGX_ECONNRESET
            || err == NGX_EPIPE
            || err == NGX_ENOTCONN
            || err == NGX_ECONNREFUSED
            || err == NGX_EHOSTUNREACH))
    {
        if (c->log_error == NGX_ERROR_IGNORE_ECONNRESET
            || c->log_error == NGX_ERROR_INFO)
        {
            level = NGX_LOG_INFO;

        } else if (c->log_error == NGX_ERROR_ERR) {
            level = NGX_LOG_ERR;
        }
    }

    ngx_ssl_error(level, c->log, err, "SSL_read() failed%s", handshake);

    return NGX_ERROR;
}
|
|
336
|
|
337
|
38
|
/*
 * Stand-in write handler installed by ngx_ssl_handle_recv() while SSL_read()
 * is blocked on SSL_ERROR_WANT_WRITE: a writable socket must resume the
 * read side, so the connection's read handler is invoked instead.
 */
static void
ngx_ssl_write_handler(ngx_event_t *wev)
{
    ngx_connection_t  *c = wev->data;

    c->read->handler(c->read);
}
|
|
346
|
|
347
|
0
|
/*
 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
 * before the SSL_write() call to decrease a SSL overhead.
 *
 * Besides for protocols such as HTTP it is possible to always buffer
 * the output to decrease a SSL overhead some more.
 */

/*
 * Sends the chain `in` on `c`.  `limit` caps the bytes written through the
 * staging buffer (0 means "no limit"; both are clamped below).
 *
 * Returns the first link that still holds unsent data, NULL when the whole
 * chain went out, or NGX_CHAIN_ERROR.  c->buffered is set while data is
 * left in c->ssl->buf or a write returned NGX_AGAIN.
 */
ngx_chain_t *
ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit)
{
    int           n;
    ngx_uint_t    flush;
    ssize_t       send, size;
    ngx_buf_t    *buf;

    buf = c->ssl->buf;

    if (in && in->next == NULL && !c->buffered && !c->ssl->buffer) {

        /*
         * we avoid a buffer copy if the incoming buf is a single,
         * our buffer is empty, and we do not need to buffer the output
         */

        /*
         * NOTE(review): unlike the loop below, this fast path applies no
         * `limit` and does not skip special (data-less) bufs, so a
         * flush-only buf would reach SSL_write() with size 0 — confirm the
         * callers never hand such a chain to an unbuffered connection.
         * `n` is an int although ngx_ssl_write() returns ssize_t.
         */

        n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);

        if (n == NGX_ERROR) {
            return NGX_CHAIN_ERROR;
        }

        if (n == NGX_AGAIN) {
            c->buffered = 1;
            return in;
        }

        in->buf->pos += n;

        return in;
    }


    /* the maximum limit size is the maximum uint32_t value - the page size */

    if (limit == 0 || limit > NGX_MAX_UINT32_VALUE - ngx_pagesize) {
        limit = NGX_MAX_UINT32_VALUE - ngx_pagesize;
    }


    send = 0;
    flush = (in == NULL) ? 1 : 0;     /* no chain: push out what is buffered */

    for ( ;; ) {

        /* stage as much of the chain as fits into the buffer */

        while (in && buf->last < buf->end) {
            if (in->buf->last_buf) {
                flush = 1;
            }

            if (ngx_buf_special(in->buf)) {
                in = in->next;
                continue;
            }

            size = in->buf->last - in->buf->pos;

            if (size > buf->end - buf->last) {
                size = buf->end - buf->last;
            }

            /*
             * TODO: the taking in->buf->flush into account can be
             * implemented using the limit on the higher level
             */

            if (send + size > limit) {
                size = limit - send;
                flush = 1;
            }

            /*
             * NOTE(review): size is ssize_t but is formatted with %d;
             * nginx's size-typed conversion (%z) would match — confirm it
             * is available in this tree's ngx_vslprintf()
             */
            ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                           "SSL buf copy: %d", size);

            /* size was capped at buf->end - buf->last, so this fits */
            ngx_memcpy(buf->last, in->buf->pos, size);

            buf->last += size;

            in->buf->pos += size;
            if (in->buf->pos == in->buf->last) {
                in = in->next;
            }
        }

        size = buf->last - buf->pos;

        /*
         * in buffering mode keep accumulating until a flush is required or
         * the buffer is full; unbuffered connections always write here
         */

        if (!flush && buf->last < buf->end && c->ssl->buffer) {
            break;
        }

        n = ngx_ssl_write(c, buf->pos, size);

        if (n == NGX_ERROR) {
            return NGX_CHAIN_ERROR;
        }

        if (n == NGX_AGAIN) {
            c->buffered = 1;
            return in;
        }

        buf->pos += n;
        send += n;
        c->sent += n;

        /* short write: stop and let the caller retry later */

        if (n < size) {
            break;
        }

        /* the buffer is fully drained: rewind it */

        if (buf->pos == buf->last) {
            buf->pos = buf->start;
            buf->last = buf->start;
        }

        if (in == NULL || send == limit) {
            break;
        }
    }

    c->buffered = (buf->pos < buf->last) ? 1 : 0;

    return in;
}
|
|
480
|
|
481
|
88
|
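/*
 * Writes `size` bytes of plaintext from `data` on `c` with one SSL_write().
 *
 * Returns the number of bytes written (> 0), NGX_AGAIN when the socket would
 * block or the peer must first complete a handshake, or NGX_ERROR once the
 * connection is unusable (both shutdown flags are set before returning it).
 *
 * Mirrors ngx_ssl_handle_recv(): on SSL_ERROR_WANT_READ the read handler is
 * swapped for ngx_ssl_read_handler() so that readability resumes the write
 * path, and the next successful write restores it.
 *
 * Changes against the previous revision: the first byte of the debug-only
 * cipher buffer is initialised before the compaction loop compares against
 * it, and the argument-less "SSL reused session" message uses
 * ngx_log_debug0().
 */
ssize_t
ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size)
{
    int          n, sslerr;
    ngx_err_t    err;
    ngx_uint_t   level;

    /*
     * NOTE(review): size is a size_t but is formatted with %d; nginx's
     * size-typed conversion (%z) would match — confirm availability here
     */
    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %d", size);

    /*
     * size is narrowed to SSL_write()'s int parameter; the staging-buffer
     * path is bounded by NGX_SSL_BUFSIZE, the single-buf fast path in
     * ngx_ssl_send_chain() is not — TODO(review) confirm callers' sizes
     */
    n = SSL_write(c->ssl->connection, data, size);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);

    if (n > 0) {

#if (NGX_DEBUG)

        /*
         * log the negotiated cipher once, the first time data goes out
         * after the handshake has completed
         */

        if (!c->ssl->handshaked && SSL_is_init_finished(c->ssl->connection)) {
            char         buf[129], *s, *d;
            SSL_CIPHER  *cipher;

            c->ssl->handshaked = 1;

            cipher = SSL_get_current_cipher(c->ssl->connection);

            if (cipher) {
                /* the description is written from buf[1] on */
                SSL_CIPHER_description(cipher, &buf[1], 128);

                /*
                 * the loop below compares *s against *d while d still
                 * points at buf[0]; give that byte a defined value instead
                 * of reading an uninitialised one
                 */
                buf[0] = '\0';

                /*
                 * compact in place: squeeze runs of spaces and drop line
                 * breaks; d is always behind s, so the copy stays within
                 * the bytes already written
                 */
                for (s = &buf[1], d = buf; *s; s++) {
                    if (*s == ' ' && *d == ' ') {
                        continue;
                    }

                    if (*s == LF || *s == CR) {
                        continue;
                    }

                    *++d = *s;
                }

                /* keep the last character unless it is a space */
                if (*d != ' ') {
                    d++;
                }

                *d = '\0';

                ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                               "SSL cipher: \"%s\"", &buf[1]);

                if (SSL_session_reused(c->ssl->connection)) {
                    ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                                   "SSL reused session");
                }

            } else {
                ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
                               "SSL no shared ciphers");
            }
        }
#endif

        /*
         * a read handler parked by an earlier SSL_ERROR_WANT_READ (below)
         * is restored and the read event re-posted
         */

        if (c->ssl->saved_read_handler) {

            c->read->handler = c->ssl->saved_read_handler;
            c->ssl->saved_read_handler = NULL;
            c->read->ready = 1;

            if (ngx_handle_read_event(c->read, 0) == NGX_ERROR) {
                return NGX_ERROR;
            }

            if (ngx_mutex_lock(ngx_posted_events_mutex) == NGX_ERROR) {
                return NGX_ERROR;
            }

            ngx_post_event(c->read);

            ngx_mutex_unlock(ngx_posted_events_mutex);
        }

        return n;
    }

    sslerr = SSL_get_error(c->ssl->connection, n);

    /* errno is only meaningful for SSL_ERROR_SYSCALL; capture it at once */
    err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);

    if (sslerr == SSL_ERROR_WANT_WRITE) {
        c->write->ready = 0;
        return NGX_AGAIN;
    }

    if (sslerr == SSL_ERROR_WANT_READ) {

        /*
         * NOTE(review): as in ngx_ssl_handle_recv(), a renegotiation is
         * accepted and only logged; no rate limit is visible in this file
         */

        ngx_log_error(NGX_LOG_INFO, c->log, err,
                      "client does SSL %shandshake",
                      SSL_is_init_finished(c->ssl->connection) ? "re" : "");

        c->read->ready = 0;

        if (ngx_handle_read_event(c->read, 0) == NGX_ERROR) {
            return NGX_ERROR;
        }

        /*
         * we do not set the timer because there is already
         * the write event timer
         */

        if (c->ssl->saved_read_handler == NULL) {
            c->ssl->saved_read_handler = c->read->handler;
            c->read->handler = ngx_ssl_read_handler;
        }

        return NGX_AGAIN;
    }

    /* every remaining outcome ends the connection */

    c->ssl->no_rcv_shut = 1;
    c->ssl->no_send_shut = 1;

    /*
     * NOTE(review): unlike ngx_ssl_handle_recv() there is no ZERO_RETURN /
     * empty-error-queue test here, so a peer that simply closed is logged
     * as "SSL_write() failed" at the level computed below
     */

    level = NGX_LOG_CRIT;

    if (sslerr == SSL_ERROR_SYSCALL) {

        if (err == NGX_ECONNRESET
            || err == NGX_EPIPE
            || err == NGX_ENOTCONN
            || err == NGX_ECONNREFUSED
            || err == NGX_EHOSTUNREACH)
        {
            switch (c->log_error) {

            case NGX_ERROR_IGNORE_ECONNRESET:
            case NGX_ERROR_INFO:
                level = NGX_LOG_INFO;
                break;

            case NGX_ERROR_ERR:
                level = NGX_LOG_ERR;
                break;

            default:
                break;
            }
        }
    }

    ngx_ssl_error(level, c->log, err, "SSL_write() failed");

    return NGX_ERROR;
}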
|
|
635
|
|
636
|
38
|
/*
 * Stand-in read handler installed by ngx_ssl_write() while SSL_write() is
 * blocked on SSL_ERROR_WANT_READ: a readable socket must resume the write
 * side, so the connection's write handler is invoked instead.
 */
static void
ngx_ssl_read_handler(ngx_event_t *rev)
{
    ngx_connection_t  *c = rev->data;

    c->write->handler(c->write);
}
|
|
645
|
|
646
|
38
|
/*
 * Performs, or continues, the close_notify exchange on `c`.
 *
 * On the first call the SSL object is told which directions are already
 * closed (SSL_set_shutdown() is done once only, tracked by
 * c->ssl->shutdown_set): a timed-out read counts both sides as shut,
 * otherwise the no_rcv_shut/no_send_shut flags set by the read and write
 * error paths are used.
 *
 * Returns NGX_OK once the exchange is complete — or a timed-out peer is
 * given up on — after freeing the SSL object and clearing c->ssl;
 * NGX_AGAIN, with the read timer armed for 30 s, while the peer's
 * close_notify is still awaited (or the socket is not writable yet);
 * NGX_ERROR after a failed shutdown, in which case the SSL object is freed
 * as well.
 */
ngx_int_t
ngx_ssl_shutdown(ngx_connection_t *c)
{
    int          n, sslerr, mode;
    ngx_uint_t   again;

    if (!c->ssl->shutdown_set) {

        /* it seems that SSL_set_shutdown() could be called once only */

        mode = 0;

        if (c->read->timedout || c->ssl->no_rcv_shut) {
            mode |= SSL_RECEIVED_SHUTDOWN;
        }

        if (c->read->timedout || c->ssl->no_send_shut) {
            mode |= SSL_SENT_SHUTDOWN;
        }

        if (mode) {
            SSL_set_shutdown(c->ssl->connection, mode);
            c->ssl->shutdown_set = 1;
        }
    }

    again = 0;
#if (NGX_SUPPRESS_WARN)
    sslerr = 0;
#endif

    n = SSL_shutdown(c->ssl->connection);

    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);

    if (n == 1 || (n == 0 && c->read->timedout)) {
        SSL_free(c->ssl->connection);
        c->ssl = NULL;

        return NGX_OK;
    }

    if (n == 0) {
        /* SSL_shutdown() reports the exchange as not finished yet */
        again = 1;

    } else {
        sslerr = SSL_get_error(c->ssl->connection, n);

        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                       "SSL_get_error: %d", sslerr);
    }

    if (again || sslerr == SSL_ERROR_WANT_READ) {

        /* bound the wait for the peer's close_notify */
        ngx_add_timer(c->read, 30000);

        if (ngx_handle_read_event(c->read, 0) == NGX_ERROR) {
            return NGX_ERROR;
        }

        return NGX_AGAIN;
    }

    if (sslerr == SSL_ERROR_WANT_WRITE) {

        if (ngx_handle_write_event(c->write, 0) == NGX_ERROR) {
            return NGX_ERROR;
        }

        return NGX_AGAIN;
    }

    ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_shutdown() failed");

    SSL_free(c->ssl->connection);
    c->ssl = NULL;

    return NGX_ERROR;
}
|
|
737
|
|
738
|
38
|
/*
 * Logs a message followed by the OpenSSL error text in parentheses:
 * "<fmt expansion> (SSL: <ERR_error_string_n() text>)".
 *
 * `fmt` and the variadic arguments are rendered with ngx_vsnprintf() into a
 * fixed NGX_MAX_CONF_ERRSTR buffer; every later write is bounded by the
 * remaining space (`last - p`), so an over-long message is truncated, not
 * overrun.  `err` is handed through to ngx_log_error() as the system errno
 * and `level` is the log level to use.
 *
 * NOTE(review): exactly one entry is popped from OpenSSL's error queue.
 * Any further queued entries survive this call, so a later check such as
 * the ERR_peek_error() test in ngx_ssl_handle_recv() could see an error
 * left over from an earlier failure; draining the queue here would avoid
 * that — confirm against the callers before changing it.
 */
void
ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
{
    u_char   errstr[NGX_MAX_CONF_ERRSTR], *p, *last;
    va_list  args;

    last = errstr + NGX_MAX_CONF_ERRSTR;

    va_start(args, fmt);
    /* sizeof(errstr) - 1 leaves at least one byte for the suffix below */
    p = ngx_vsnprintf(errstr, sizeof(errstr) - 1, fmt, args);
    va_end(args);

    p = ngx_cpystrn(p, (u_char *) " (SSL: ", last - p);

    ERR_error_string_n(ERR_get_error(), (char *) p, last - p);

    /* errstr is passed as an argument, never as the format string */
    ngx_log_error(level, log, err, "%s)", errstr);
}
|
58
|
757
|
|
758
|
|
/*
 * Cleanup callback for an SSL_CTX: `data` is the context pointer (the
 * void * signature matches a pool cleanup handler) and it is released with
 * SSL_CTX_free().
 */
void
ngx_ssl_cleanup_ctx(void *data)
{
    SSL_CTX_free(data);
}
|
90
|
766
|
|
767
|
|
/*
 * Allocates the module's zero-filled configuration block from the cycle
 * pool.  Because ngx_pcalloc() zeroes it, engine.len == 0 and
 * engine.data == NULL hold until the "ssl_engine" directive sets them.
 *
 * NOTE(review): on allocation failure NGX_CONF_ERROR is returned from a
 * void * creator; if the caller tests the result against NULL, that
 * non-NULL sentinel would not be recognised as a failure — verify against
 * the core-module create_conf contract.
 */
static void *
ngx_openssl_create_conf(ngx_cycle_t *cycle)
{
    ngx_openssl_conf_t  *oscf = ngx_pcalloc(cycle->pool,
                                            sizeof(ngx_openssl_conf_t));

    return (oscf == NULL) ? NGX_CONF_ERROR : (void *) oscf;
}
|
|
787
|
|
788
|
|
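/*
 * Applies the "ssl_engine" directive: looks the engine up by id and makes
 * it the default implementation for every method (ENGINE_METHOD_ALL).  The
 * id comes from the configuration file, not from the network.
 *
 * ENGINE_by_id() hands back a reference that must be dropped with
 * ENGINE_free() on every path; ENGINE_set_default() takes its own, so the
 * local reference is released whether or not that call succeeded (the
 * previous revision leaked it on the failure path).
 *
 * Returns NGX_CONF_OK when no engine is configured or it was installed,
 * NGX_CONF_ERROR otherwise.  With an SSL library built without ENGINE
 * support the function does nothing: the directive itself is rejected by
 * ngx_openssl_noengine().
 */
static char *
ngx_openssl_init_conf(ngx_cycle_t *cycle, void *conf)
{
#if (NGX_SSL_ENGINE)
    ngx_openssl_conf_t *oscf = conf;

    ENGINE  *engine;

    if (oscf->engine.len == 0) {
        return NGX_CONF_OK;
    }

    engine = ENGINE_by_id((const char *) oscf->engine.data);

    if (engine == NULL) {
        ngx_ssl_error(NGX_LOG_WARN, cycle->log, 0,
                      "ENGINE_by_id(\"%V\") failed", &oscf->engine);
        return NGX_CONF_ERROR;
    }

    if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
        ngx_ssl_error(NGX_LOG_WARN, cycle->log, 0,
                      "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
                      &oscf->engine);

        /* drop the structural reference taken by ENGINE_by_id() */
        ENGINE_free(engine);

        return NGX_CONF_ERROR;
    }

    ENGINE_free(engine);

#endif

    return NGX_CONF_OK;
}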
|
|
822
|
|
823
|
|
#if !(NGX_SSL_ENGINE)

/*
 * Handler bound to "ssl_engine" when the SSL library has no ENGINE support:
 * the directive cannot be honoured, so configuration loading is aborted
 * with an explicit message naming the library (NGX_SSL_NAME) instead of
 * silently running without the requested accelerator.
 */
static char *
ngx_openssl_noengine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                       "\"ssl_engine\" is not supported: " NGX_SSL_NAME
                       " library does not support crypto accelerators");

    return NGX_CONF_ERROR;
}

#endif
|