Mercurial > hg > nginx
annotate src/event/ngx_event_openssl.c @ 7586:4f6e315eef15
Win32: silenced -Wcast-function-type GCC warning (ticket #1865).
With MinGW-w64, building 64-bit nginx binary with GCC 8 and above
results in warning due to cast of GetProcAddress() result to ngx_wsapoll_pt,
which GCC thinks is incorrect. Added intermediate cast to "void *" to
silence the warning.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 21 Oct 2019 19:07:03 +0300 |
parents | 9d2ad2fb4423 |
children | 1ce3f01a4355 |
rev | line source |
---|---|
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
1 |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
2 /* |
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
441
diff
changeset
|
3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
441
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
5 */ |
da8c5707af39
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files
Igor Sysoev <igor@sysoev.ru>
parents:
399
diff
changeset
|
6 |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
7 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
8 #include <ngx_config.h> |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
9 #include <ngx_core.h> |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
10 #include <ngx_event.h> |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
11 |
541 | 12 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
14 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
15 |
541 | 16 typedef struct { |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
17 ngx_uint_t engine; /* unsigned engine:1; */ |
541 | 18 } ngx_openssl_conf_t; |
479 | 19 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
20 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
21 static X509 *ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
22 ngx_str_t *cert, STACK_OF(X509) **chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
23 static EVP_PKEY *ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
24 ngx_str_t *key, ngx_array_t *passwords); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
25 static int ngx_ssl_password_callback(char *buf, int size, int rwflag, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
26 void *userdata); |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
27 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
28 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
29 int ret); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
30 static void ngx_ssl_passwords_cleanup(void *data); |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
31 static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
32 ngx_ssl_session_t *sess); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
33 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
34 static ngx_int_t ngx_ssl_try_early_data(ngx_connection_t *c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
35 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
36 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
37 static void ngx_ssl_handshake_log(ngx_connection_t *c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
38 #endif |
547 | 39 static void ngx_ssl_handshake_handler(ngx_event_t *ev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
40 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
41 static ssize_t ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
42 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
43 #endif |
489 | 44 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); |
473 | 45 static void ngx_ssl_write_handler(ngx_event_t *wev); |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
46 static void ngx_ssl_next_read_handler(ngx_event_t *rev); |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
47 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
48 static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
49 size_t size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
50 #endif |
473 | 51 static void ngx_ssl_read_handler(ngx_event_t *rev); |
577 | 52 static void ngx_ssl_shutdown_handler(ngx_event_t *ev); |
547 | 53 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, |
54 ngx_err_t err, char *text); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
55 static void ngx_ssl_clear_error(ngx_log_t *log); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
56 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
57 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
58 ngx_str_t *sess_ctx, ngx_array_t *certificates); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
59 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
60 ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
61 static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
62 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
63 const |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
64 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
65 u_char *id, int len, int *copy); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
66 static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
67 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
68 ngx_slab_pool_t *shpool, ngx_uint_t n); |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
69 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
70 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
71 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
72 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
73 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
74 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
75 HMAC_CTX *hctx, int enc); |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
76 static void ngx_ssl_session_ticket_keys_cleanup(void *data); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
77 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
78 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
79 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
80 static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
81 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
82 |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
83 static time_t ngx_ssl_parse_time( |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
84 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
85 const |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
86 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
87 ASN1_TIME *asn1time); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
88 |
541 | 89 static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
90 static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); |
571 | 91 static void ngx_openssl_exit(ngx_cycle_t *cycle); |
541 | 92 |
93 | |
94 static ngx_command_t ngx_openssl_commands[] = { | |
95 | |
96 { ngx_string("ssl_engine"), | |
97 NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
98 ngx_openssl_engine, |
541 | 99 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
100 0, |
541 | 101 NULL }, |
102 | |
103 ngx_null_command | |
104 }; | |
105 | |
106 | |
107 static ngx_core_module_t ngx_openssl_module_ctx = { | |
108 ngx_string("openssl"), | |
109 ngx_openssl_create_conf, | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
110 NULL |
577 | 111 }; |
541 | 112 |
113 | |
114 ngx_module_t ngx_openssl_module = { | |
115 NGX_MODULE_V1, | |
116 &ngx_openssl_module_ctx, /* module context */ | |
117 ngx_openssl_commands, /* module directives */ | |
118 NGX_CORE_MODULE, /* module type */ | |
119 NULL, /* init master */ | |
120 NULL, /* init module */ | |
121 NULL, /* init process */ | |
122 NULL, /* init thread */ | |
123 NULL, /* exit thread */ | |
124 NULL, /* exit process */ | |
571 | 125 ngx_openssl_exit, /* exit master */ |
541 | 126 NGX_MODULE_V1_PADDING |
547 | 127 }; |
128 | |
129 | |
969 | 130 int ngx_ssl_connection_index; |
131 int ngx_ssl_server_conf_index; | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
132 int ngx_ssl_session_cache_index; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
133 int ngx_ssl_session_ticket_keys_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
134 int ngx_ssl_certificate_index; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
135 int ngx_ssl_next_certificate_index; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
136 int ngx_ssl_certificate_name_index; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
137 int ngx_ssl_stapling_index; |
671 | 138 |
139 | |
489 | 140 ngx_int_t |
141 ngx_ssl_init(ngx_log_t *log) | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
142 { |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
143 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
144 |
6902
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
145 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) { |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
146 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed"); |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
147 return NGX_ERROR; |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
148 } |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
149 |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
150 /* |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
151 * OPENSSL_init_ssl() may leave errors in the error queue |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
152 * while returning success |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
153 */ |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
154 |
5cb85b0ee00b
SSL: clear error queue after OPENSSL_init_ssl().
Sergey Kandaurov <pluknet@nginx.com>
parents:
6854
diff
changeset
|
155 ERR_clear_error(); |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
156 |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
157 #else |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
158 |
968 | 159 OPENSSL_config(NULL); |
160 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
161 SSL_library_init(); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
162 SSL_load_error_strings(); |
541 | 163 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
164 OpenSSL_add_all_algorithms(); |
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
165 |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
166 #endif |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
167 |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
168 #ifndef SSL_OP_NO_COMPRESSION |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
169 { |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
170 /* |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
171 * Disable gzip compression in OpenSSL prior to 1.0.0 version, |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
172 * this saves about 522K per connection. |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
173 */ |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
174 int n; |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
175 STACK_OF(SSL_COMP) *ssl_comp_methods; |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
176 |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
177 ssl_comp_methods = SSL_COMP_get_compression_methods(); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
178 n = sk_SSL_COMP_num(ssl_comp_methods); |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
179 |
4867
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
180 while (n--) { |
90bbf2adb2c9
SSL: fixed compression workaround to remove all methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4696
diff
changeset
|
181 (void) sk_SSL_COMP_pop(ssl_comp_methods); |
4696
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
182 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
183 } |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
184 #endif |
b43fe2deb053
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
Igor Sysoev <igor@sysoev.ru>
parents:
4651
diff
changeset
|
185 |
969 | 186 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
671 | 187 |
969 | 188 if (ngx_ssl_connection_index == -1) { |
671 | 189 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); |
190 return NGX_ERROR; | |
191 } | |
192 | |
969 | 193 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
194 NULL); | |
195 if (ngx_ssl_server_conf_index == -1) { | |
196 ngx_ssl_error(NGX_LOG_ALERT, log, 0, | |
197 "SSL_CTX_get_ex_new_index() failed"); | |
198 return NGX_ERROR; | |
199 } | |
200 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
201 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
202 NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
203 if (ngx_ssl_session_cache_index == -1) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
204 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
205 "SSL_CTX_get_ex_new_index() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
206 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
207 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
208 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
209 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
210 NULL, NULL); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
211 if (ngx_ssl_session_ticket_keys_index == -1) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
212 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
213 "SSL_CTX_get_ex_new_index() failed"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
214 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
215 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
216 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
217 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
218 NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
219 if (ngx_ssl_certificate_index == -1) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
220 ngx_ssl_error(NGX_LOG_ALERT, log, 0, |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
221 "SSL_CTX_get_ex_new_index() failed"); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
222 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
223 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
224 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
225 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
226 NULL); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
227 if (ngx_ssl_next_certificate_index == -1) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
228 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
229 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
230 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
231 |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
232 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL, |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
233 NULL); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
234 |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
235 if (ngx_ssl_certificate_name_index == -1) { |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
236 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
237 return NGX_ERROR; |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
238 } |
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
239 |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
240 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL); |
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
241 |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
242 if (ngx_ssl_stapling_index == -1) { |
6545
a873b4d9cd80
OCSP stapling: staple now stored in certificate, not SSL context.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6490
diff
changeset
|
243 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
244 return NGX_ERROR; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
245 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
246 |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
247 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
248 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
249 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
250 |
489 | 251 ngx_int_t |
969 | 252 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) |
547 | 253 { |
577 | 254 ssl->ctx = SSL_CTX_new(SSLv23_method()); |
547 | 255 |
256 if (ssl->ctx == NULL) { | |
257 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed"); | |
258 return NGX_ERROR; | |
259 } | |
260 | |
969 | 261 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) { |
262 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
263 "SSL_CTX_set_ex_data() failed"); | |
264 return NGX_ERROR; | |
265 } | |
266 | |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
267 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
268 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
269 "SSL_CTX_set_ex_data() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
270 return NGX_ERROR; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
271 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
272 |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
273 ssl->buffer_size = NGX_SSL_BUFSIZE; |
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
274 |
577 | 275 /* client side options */ |
276 | |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
277 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG |
577 | 278 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
279 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
280 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
281 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG |
577 | 282 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
283 #endif |
577 | 284 |
285 /* server side options */ | |
563 | 286 |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
287 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG |
563 | 288 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
289 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
290 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
291 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER |
563 | 292 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
293 #endif |
563 | 294 |
5378
a73678f5f96f
SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
Piotr Sikora <piotr@cloudflare.com>
parents:
5365
diff
changeset
|
295 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING |
563 | 296 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ |
297 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); | |
5378
a73678f5f96f
SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
Piotr Sikora <piotr@cloudflare.com>
parents:
5365
diff
changeset
|
298 #endif |
563 | 299 |
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
300 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG |
563 | 301 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); |
5778
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
302 #endif |
45ed2f1f0a6a
SSL: let it build against BoringSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5777
diff
changeset
|
303 |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
304 #ifdef SSL_OP_TLS_D5_BUG |
563 | 305 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
306 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
307 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
308 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG |
563 | 309 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
310 #endif |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
311 |
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
312 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS |
563 | 313 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
5823
275e35d54626
SSL: guard use of all SSL options for bug workarounds.
Piotr Sikora <piotr@cloudflare.com>
parents:
5779
diff
changeset
|
314 #endif |
563 | 315 |
2044 | 316 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); |
547 | 317 |
7318
3443fe40bdc7
SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7317
diff
changeset
|
318 #if OPENSSL_VERSION_NUMBER >= 0x009080dfL |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
319 /* only in 0.9.8m+ */ |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
320 SSL_CTX_clear_options(ssl->ctx, |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
321 SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
322 #endif |
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
323 |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
324 if (!(protocols & NGX_SSL_SSLv2)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
325 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
326 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
327 if (!(protocols & NGX_SSL_SSLv3)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
328 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
329 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
330 if (!(protocols & NGX_SSL_TLSv1)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
331 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); |
547 | 332 } |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
333 #ifdef SSL_OP_NO_TLSv1_1 |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
334 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
335 if (!(protocols & NGX_SSL_TLSv1_1)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
336 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
337 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
338 #endif |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
339 #ifdef SSL_OP_NO_TLSv1_2 |
6034
3e847964ab55
SSL: clear protocol options.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5986
diff
changeset
|
340 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
4400
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
341 if (!(protocols & NGX_SSL_TLSv1_2)) { |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
342 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
343 } |
a0505851e70c
Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4236
diff
changeset
|
344 #endif |
6981
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
345 #ifdef SSL_OP_NO_TLSv1_3 |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
346 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
347 if (!(protocols & NGX_SSL_TLSv1_3)) { |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
348 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3); |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
349 } |
08dc60979133
SSL: added support for TLSv1.3 in ssl_protocols directive.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6902
diff
changeset
|
350 #endif |
547 | 351 |
7372
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
352 #ifdef SSL_CTX_set_min_proto_version |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
353 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
354 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION); |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
355 #endif |
ed8738b1c7c4
SSL: explicitly set maximum version (ticket #1654).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7365
diff
changeset
|
356 |
7332
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
357 #ifdef TLS1_3_VERSION |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
358 SSL_CTX_set_min_proto_version(ssl->ctx, 0); |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
359 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION); |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
360 #endif |
7ad0f4ace359
SSL: enabled TLSv1.3 with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7320
diff
changeset
|
361 |
4185
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
362 #ifdef SSL_OP_NO_COMPRESSION |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
363 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
364 #endif |
6af5959a2ace
Disabling SSL compression. This saves about 300K per SSL connection.
Igor Sysoev <igor@sysoev.ru>
parents:
4064
diff
changeset
|
365 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
366 #ifdef SSL_OP_NO_ANTI_REPLAY |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
367 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_ANTI_REPLAY); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
368 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
369 |
7474
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
370 #ifdef SSL_OP_NO_CLIENT_RENEGOTIATION |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
371 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_CLIENT_RENEGOTIATION); |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
372 #endif |
3f1db95d758a
SSL: use of the SSL_OP_NO_CLIENT_RENEGOTIATION option.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7472
diff
changeset
|
373 |
4186
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
374 #ifdef SSL_MODE_RELEASE_BUFFERS |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
375 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
376 #endif |
cce2fd0acc0f
Releasing memory of idle SSL connection. This saves about 34K per SSL
Igor Sysoev <igor@sysoev.ru>
parents:
4185
diff
changeset
|
377 |
6036
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
378 #ifdef SSL_MODE_NO_AUTO_CHAIN |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
379 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
380 #endif |
4e3f87c02cb4
SSL: use of SSL_MODE_NO_AUTO_CHAIN.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6034
diff
changeset
|
381 |
547 | 382 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
383 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
384 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
385 |
547 | 386 return NGX_OK; |
387 } | |
388 | |
389 | |
390 ngx_int_t | |
6550
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
391 ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
392 ngx_array_t *keys, ngx_array_t *passwords) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
393 { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
394 ngx_str_t *cert, *key; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
395 ngx_uint_t i; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
396 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
397 cert = certs->elts; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
398 key = keys->elts; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
399 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
400 for (i = 0; i < certs->nelts; i++) { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
401 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
402 if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
403 != NGX_OK) |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
404 { |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
405 return NGX_ERROR; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
406 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
407 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
408 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
409 return NGX_OK; |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
410 } |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
411 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
412 |
51e1f047d15d
SSL: support for multiple certificates (ticket #814).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6549
diff
changeset
|
413 ngx_int_t |
563 | 414 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
415 ngx_str_t *key, ngx_array_t *passwords) |
547 | 416 { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
417 char *err; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
418 X509 *x509; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
419 EVP_PKEY *pkey; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
420 STACK_OF(X509) *chain; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
421 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
422 x509 = ngx_ssl_load_certificate(cf->pool, &err, cert, &chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
423 if (x509 == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
424 if (err != NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
425 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
426 "cannot load certificate \"%s\": %s", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
427 cert->data, err); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
428 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
429 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
430 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
431 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
432 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
433 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
434 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
435 "SSL_CTX_use_certificate(\"%s\") failed", cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
436 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
437 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
438 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
439 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
440 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
441 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
442 == 0) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
443 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
444 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
445 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
446 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
447 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
448 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
449 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
450 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
451 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
452 == 0) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
453 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
454 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
455 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
456 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
457 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
458 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
459 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
460 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
461 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
462 "SSL_CTX_set_ex_data() failed"); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
463 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
464 sk_X509_pop_free(chain, X509_free); |
547 | 465 return NGX_ERROR; |
466 } | |
467 | |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
468 /* |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
469 * Note that x509 is not freed here, but will be instead freed in |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
470 * ngx_ssl_cleanup_ctx(). This is because we need to preserve all |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
471 * certificates to be able to iterate all of them through exdata |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
472 * (ngx_ssl_certificate_index, ngx_ssl_next_certificate_index), |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
473 * while OpenSSL can free a certificate if it is replaced with another |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
474 * certificate of the same type. |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
475 */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
476 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
477 #ifdef SSL_CTX_set0_chain |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
478 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
479 if (SSL_CTX_set0_chain(ssl->ctx, chain) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
480 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
481 "SSL_CTX_set0_chain(\"%s\") failed", cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
482 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
483 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
484 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
485 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
486 #else |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
487 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
488 int n; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
489 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
490 /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
491 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
492 n = sk_X509_num(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
493 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
494 while (n--) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
495 x509 = sk_X509_shift(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
496 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
497 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
498 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
499 "SSL_CTX_add_extra_chain_cert(\"%s\") failed", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
500 cert->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
501 sk_X509_pop_free(chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
502 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
503 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
504 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
505 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
506 sk_X509_free(chain); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
507 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
508 #endif |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
509 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
510 pkey = ngx_ssl_load_certificate_key(cf->pool, &err, key, passwords); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
511 if (pkey == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
512 if (err != NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
513 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
514 "cannot load certificate key \"%s\": %s", |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
515 key->data, err); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
516 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
517 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
518 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
519 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
520 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
521 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
522 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
523 "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
524 EVP_PKEY_free(pkey); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
525 return NGX_ERROR; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
526 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
527 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
528 EVP_PKEY_free(pkey); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
529 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
530 return NGX_OK; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
531 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
532 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
533 |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
534 ngx_int_t |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
535 ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
536 ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords) |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
537 { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
538 char *err; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
539 X509 *x509; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
540 EVP_PKEY *pkey; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
541 STACK_OF(X509) *chain; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
542 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
543 x509 = ngx_ssl_load_certificate(pool, &err, cert, &chain); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
544 if (x509 == NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
545 if (err != NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
546 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
547 "cannot load certificate \"%s\": %s", |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
548 cert->data, err); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
549 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
550 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
551 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
552 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
553 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
554 if (SSL_use_certificate(c->ssl->connection, x509) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
555 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
556 "SSL_use_certificate(\"%s\") failed", cert->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
557 X509_free(x509); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
558 sk_X509_pop_free(chain, X509_free); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
559 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
560 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
561 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
562 X509_free(x509); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
563 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
564 #ifdef SSL_set0_chain |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
565 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
566 /* |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
567 * SSL_set0_chain() is only available in OpenSSL 1.0.2+, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
568 * but this function is only called via certificate callback, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
569 * which is only available in OpenSSL 1.0.2+ as well |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
570 */ |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
571 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
572 if (SSL_set0_chain(c->ssl->connection, chain) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
573 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
574 "SSL_set0_chain(\"%s\") failed", cert->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
575 sk_X509_pop_free(chain, X509_free); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
576 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
577 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
578 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
579 #endif |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
580 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
581 pkey = ngx_ssl_load_certificate_key(pool, &err, key, passwords); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
582 if (pkey == NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
583 if (err != NULL) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
584 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
585 "cannot load certificate key \"%s\": %s", |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
586 key->data, err); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
587 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
588 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
589 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
590 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
591 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
592 if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) { |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
593 ngx_ssl_error(NGX_LOG_ERR, c->log, 0, |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
594 "SSL_use_PrivateKey(\"%s\") failed", key->data); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
595 EVP_PKEY_free(pkey); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
596 return NGX_ERROR; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
597 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
598 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
599 EVP_PKEY_free(pkey); |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
600 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
601 return NGX_OK; |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
602 } |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
603 |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
604 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
605 static X509 * |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
606 ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
607 STACK_OF(X509) **chain) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
608 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
609 BIO *bio; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
610 X509 *x509, *temp; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
611 u_long n; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
612 |
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
613 if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
614 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
615 bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
616 cert->len - (sizeof("data:") - 1)); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
617 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
618 *err = "BIO_new_mem_buf() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
619 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
620 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
621 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
622 } else { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
623 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
624 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
625 != NGX_OK) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
626 { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
627 *err = NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
628 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
629 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
630 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
631 bio = BIO_new_file((char *) cert->data, "r"); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
632 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
633 *err = "BIO_new_file() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
634 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
635 } |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
636 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
637 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
638 /* certificate itself */ |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
639 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
640 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
641 if (x509 == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
642 *err = "PEM_read_bio_X509_AUX() failed"; |
6812
a7ec59df0c4d
OCSP stapling: added certificate name to warnings.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6780
diff
changeset
|
643 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
644 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
645 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
646 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
647 /* rest of the chain */ |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
648 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
649 *chain = sk_X509_new_null(); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
650 if (*chain == NULL) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
651 *err = "sk_X509_new_null() failed"; |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
652 BIO_free(bio); |
5384
cfbf1d1cc233
SSL: fixed possible memory and file descriptor leak on HUP signal.
Piotr Sikora <piotr@cloudflare.com>
parents:
5378
diff
changeset
|
653 X509_free(x509); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
654 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
655 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
656 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
657 for ( ;; ) { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
658 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
659 temp = PEM_read_bio_X509(bio, NULL, NULL, NULL); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
660 if (temp == NULL) { |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
661 n = ERR_peek_last_error(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
662 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
663 if (ERR_GET_LIB(n) == ERR_LIB_PEM |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
664 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
665 { |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
666 /* end of file */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
667 ERR_clear_error(); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
668 break; |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
669 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
670 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
671 /* some real error */ |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
672 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
673 *err = "PEM_read_bio_X509() failed"; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
674 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
675 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
676 sk_X509_pop_free(*chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
677 return NULL; |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
678 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
679 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
680 if (sk_X509_push(*chain, temp) == 0) { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
681 *err = "sk_X509_push() failed"; |
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
682 BIO_free(bio); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
683 X509_free(x509); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
684 sk_X509_pop_free(*chain, X509_free); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
685 return NULL; |
6549
d3302eb87a0c
SSL: support for per-certificate chains.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6548
diff
changeset
|
686 } |
4875
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
687 } |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
688 |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
689 BIO_free(bio); |
386a06a22c40
OCSP stapling: loading OCSP responses.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4872
diff
changeset
|
690 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
691 return x509; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
692 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
693 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
694 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
695 static EVP_PKEY * |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
696 ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
697 ngx_str_t *key, ngx_array_t *passwords) |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
698 { |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
699 BIO *bio; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
700 EVP_PKEY *pkey; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
701 ngx_str_t *pwd; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
702 ngx_uint_t tries; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
703 pem_password_cb *cb; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
704 |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
705 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
706 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
707 #ifndef OPENSSL_NO_ENGINE |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
708 |
7476
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
709 u_char *p, *last; |
b6dc8a12c07a
SSL: removed redundant "pkey" variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7474
diff
changeset
|
710 ENGINE *engine; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
711 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
712 p = key->data + sizeof("engine:") - 1; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
713 last = (u_char *) ngx_strchr(p, ':'); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
714 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
715 if (last == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
716 *err = "invalid syntax"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
717 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
718 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
719 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
720 *last = '\0'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
721 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
722 engine = ENGINE_by_id((char *) p); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
723 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
724 if (engine == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
725 *err = "ENGINE_by_id() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
726 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
727 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
728 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
729 *last++ = ':'; |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
730 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
731 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
732 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
733 if (pkey == NULL) { |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
734 *err = "ENGINE_load_private_key() failed"; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
735 ENGINE_free(engine); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
736 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
737 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
738 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
739 ENGINE_free(engine); |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
740 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
741 return pkey; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
742 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
743 #else |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
744 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
745 *err = "loading \"engine:...\" certificate keys is not supported"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
746 return NULL; |
5934
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
747 |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
748 #endif |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
749 } |
2c33ed82cde1
SSL: loading certificate keys via ENGINE_load_private_key().
Dmitrii Pichulin
parents:
5902
diff
changeset
|
750 |
7477
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
751 if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
752 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
753 bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1, |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
754 key->len - (sizeof("data:") - 1)); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
755 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
756 *err = "BIO_new_mem_buf() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
757 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
758 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
759 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
760 } else { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
761 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
762 if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
763 != NGX_OK) |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
764 { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
765 *err = NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
766 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
767 } |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
768 |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
769 bio = BIO_new_file((char *) key->data, "r"); |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
770 if (bio == NULL) { |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
771 *err = "BIO_new_file() failed"; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
772 return NULL; |
c74904a17021
SSL: support for parsing PEM certificates from memory.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7476
diff
changeset
|
773 } |
563 | 774 } |
775 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
776 if (passwords) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
777 tries = passwords->nelts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
778 pwd = passwords->elts; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
779 cb = ngx_ssl_password_callback; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
780 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
781 } else { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
782 tries = 1; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
783 pwd = NULL; |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
784 cb = NULL; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
785 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
786 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
787 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
788 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
789 pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
790 if (pkey != NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
791 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
792 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
793 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
794 if (tries-- > 1) { |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
795 ERR_clear_error(); |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
796 (void) BIO_reset(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
797 pwd++; |
5892
42520df85ebb
SSL: simplified ssl_password_file error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
5882
diff
changeset
|
798 continue; |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
799 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
800 |
7460
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
801 *err = "PEM_read_bio_PrivateKey() failed"; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
802 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
803 return NULL; |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
804 } |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
805 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
806 BIO_free(bio); |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
807 |
77436d9951a1
SSL: reworked ngx_ssl_certificate().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7459
diff
changeset
|
808 return pkey; |
547 | 809 } |
810 | |
811 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
812 static int |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
813 ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
814 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
815 ngx_str_t *pwd = userdata; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
816 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
817 if (rwflag) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
818 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
819 "ngx_ssl_password_callback() is called for encryption"); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
820 return 0; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
821 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
822 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
823 if (pwd == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
824 return 0; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
825 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
826 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
827 if (pwd->len > (size_t) size) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
828 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
829 "password is truncated to %d bytes", size); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
830 } else { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
831 size = pwd->len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
832 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
833 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
834 ngx_memcpy(buf, pwd->data, size); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
835 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
836 return size; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
837 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
838 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
839 |
547 | 840 ngx_int_t |
6591
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
841 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
842 ngx_uint_t prefer_server_ciphers) |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
843 { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
844 if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
845 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
846 "SSL_CTX_set_cipher_list(\"%V\") failed", |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
847 ciphers); |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
848 return NGX_ERROR; |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
849 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
850 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
851 if (prefer_server_ciphers) { |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
852 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
853 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
854 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
855 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
856 /* a temporary 512-bit RSA key is required for export versions of MSIE */ |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
857 SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback); |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
858 #endif |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
859 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
860 return NGX_OK; |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
861 } |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
862 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
863 |
04d8d1f85649
SSL: ngx_ssl_ciphers() to set list of ciphers.
Tim Taubert <tim@timtaubert.de>
parents:
6554
diff
changeset
|
864 ngx_int_t |
671 | 865 ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
866 ngx_int_t depth) | |
647 | 867 { |
671 | 868 STACK_OF(X509_NAME) *list; |
869 | |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
870 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); |
671 | 871 |
872 SSL_CTX_set_verify_depth(ssl->ctx, depth); | |
873 | |
874 if (cert->len == 0) { | |
875 return NGX_OK; | |
876 } | |
877 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
878 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
647 | 879 return NGX_ERROR; |
880 } | |
881 | |
882 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) | |
883 == 0) | |
884 { | |
885 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
886 "SSL_CTX_load_verify_locations(\"%s\") failed", | |
887 cert->data); | |
888 return NGX_ERROR; | |
889 } | |
890 | |
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
891 /* |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
892 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
893 * while returning success |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
894 */ |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
895 |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
896 ERR_clear_error(); |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
897 |
671 | 898 list = SSL_load_client_CA_file((char *) cert->data); |
899 | |
900 if (list == NULL) { | |
901 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
902 "SSL_load_client_CA_file(\"%s\") failed", cert->data); | |
903 return NGX_ERROR; | |
904 } | |
905 | |
906 SSL_CTX_set_client_CA_list(ssl->ctx, list); | |
907 | |
647 | 908 return NGX_OK; |
909 } | |
910 | |
911 | |
2995 | 912 ngx_int_t |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
913 ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
914 ngx_int_t depth) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
915 { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
916 SSL_CTX_set_verify_depth(ssl->ctx, depth); |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
917 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
918 if (cert->len == 0) { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
919 return NGX_OK; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
920 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
921 |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
922 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
923 return NGX_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
924 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
925 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
926 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
927 == 0) |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
928 { |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
929 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
930 "SSL_CTX_load_verify_locations(\"%s\") failed", |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
931 cert->data); |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
932 return NGX_ERROR; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
933 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
934 |
5365
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
935 /* |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
936 * SSL_CTX_load_verify_locations() may leave errors in the error queue |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
937 * while returning success |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
938 */ |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
939 |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
940 ERR_clear_error(); |
6c35a1f428f2
SSL: clear error queue after SSL_CTX_load_verify_locations().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5330
diff
changeset
|
941 |
4872
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
942 return NGX_OK; |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
943 } |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
944 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
945 |
7c3cca603438
OCSP stapling: ssl_trusted_certificate directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4868
diff
changeset
|
946 ngx_int_t |
2995 | 947 ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) |
948 { | |
949 X509_STORE *store; | |
950 X509_LOOKUP *lookup; | |
951 | |
952 if (crl->len == 0) { | |
953 return NGX_OK; | |
954 } | |
955 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
956 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) { |
2995 | 957 return NGX_ERROR; |
958 } | |
959 | |
960 store = SSL_CTX_get_cert_store(ssl->ctx); | |
961 | |
962 if (store == NULL) { | |
963 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
964 "SSL_CTX_get_cert_store() failed"); | |
965 return NGX_ERROR; | |
966 } | |
967 | |
968 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); | |
969 | |
970 if (lookup == NULL) { | |
971 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
972 "X509_STORE_add_lookup() failed"); | |
973 return NGX_ERROR; | |
974 } | |
975 | |
976 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM) | |
977 == 0) | |
978 { | |
979 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
980 "X509_LOOKUP_load_file(\"%s\") failed", crl->data); | |
981 return NGX_ERROR; | |
982 } | |
983 | |
984 X509_STORE_set_flags(store, | |
985 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); | |
986 | |
987 return NGX_OK; | |
988 } | |
989 | |
990 | |
671 | 991 static int |
5222
23a186e8ca45
Style: remove unnecessary references to HTTP from non-HTTP modules.
Piotr Sikora <piotr@cloudflare.com>
parents:
5081
diff
changeset
|
992 ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) |
671 | 993 { |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
994 #if (NGX_DEBUG) |
671 | 995 char *subject, *issuer; |
996 int err, depth; | |
997 X509 *cert; | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
998 X509_NAME *sname, *iname; |
671 | 999 ngx_connection_t *c; |
1000 ngx_ssl_conn_t *ssl_conn; | |
1001 | |
1002 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store, | |
1003 SSL_get_ex_data_X509_STORE_CTX_idx()); | |
1004 | |
1005 c = ngx_ssl_get_connection(ssl_conn); | |
1006 | |
1007 cert = X509_STORE_CTX_get_current_cert(x509_store); | |
1008 err = X509_STORE_CTX_get_error(x509_store); | |
1009 depth = X509_STORE_CTX_get_error_depth(x509_store); | |
1010 | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1011 sname = X509_get_subject_name(cert); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1012 subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)"; |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1013 |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1014 iname = X509_get_issuer_name(cert); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1015 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)"; |
671 | 1016 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
1017 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, |
671 | 1018 "verify:%d, error:%d, depth:%d, " |
5775
294d020bbcfe
SSL: misplaced space in debug message.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5767
diff
changeset
|
1019 "subject:\"%s\", issuer:\"%s\"", |
671 | 1020 ok, err, depth, subject, issuer); |
1021 | |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1022 if (sname) { |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1023 OPENSSL_free(subject); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1024 } |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1025 |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1026 if (iname) { |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1027 OPENSSL_free(issuer); |
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1028 } |
1977
40c9cb8576bb
get certificate info only for debug build
Igor Sysoev <igor@sysoev.ru>
parents:
1976
diff
changeset
|
1029 #endif |
1976
c4d8867f0162
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1974
diff
changeset
|
1030 |
671 | 1031 return 1; |
1032 } | |
1033 | |
1034 | |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1035 static void |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1036 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1037 { |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1038 BIO *rbio, *wbio; |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1039 ngx_connection_t *c; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1040 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1041 #ifndef SSL_OP_NO_RENEGOTIATION |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1042 |
6982
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1043 if ((where & SSL_CB_HANDSHAKE_START) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1044 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn)) |
ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6981
diff
changeset
|
1045 { |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1046 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1047 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1048 if (c->ssl->handshaked) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1049 c->ssl->renegotiation = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1050 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1051 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1052 } |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1053 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1054 #endif |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1055 |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1056 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1057 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1058 |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1059 if (!c->ssl->handshake_buffer_set) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1060 /* |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1061 * By default OpenSSL uses 4k buffer during a handshake, |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1062 * which is too low for long certificate chains and might |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1063 * result in extra round-trips. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1064 * |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1065 * To adjust a buffer size we detect that buffering was added |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1066 * to write side of the connection by comparing rbio and wbio. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1067 * If they are different, we assume that it's due to buffering |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1068 * added to wbio, and set buffer size. |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1069 */ |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1070 |
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1071 rbio = SSL_get_rbio(ssl_conn); |
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
1072 wbio = SSL_get_wbio(ssl_conn); |
5395
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1073 |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1074 if (rbio != wbio) { |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1075 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1076 c->ssl->handshake_buffer_set = 1; |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1077 } |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1078 } |
a720f0b0e083
SSL: adjust buffer used by OpenSSL during handshake (ticket #413).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5384
diff
changeset
|
1079 } |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1080 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1081 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1082 |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
1083 RSA * |
5223
71d85de7b53b
Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
1084 ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, |
71d85de7b53b
Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
Piotr Sikora <piotr@cloudflare.com>
parents:
5222
diff
changeset
|
1085 int key_length) |
547 | 1086 { |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
1087 static RSA *key; |
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
1088 |
5754
c7ecd097b883
SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents:
5747
diff
changeset
|
1089 if (key_length != 512) { |
c7ecd097b883
SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents:
5747
diff
changeset
|
1090 return NULL; |
c7ecd097b883
SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents:
5747
diff
changeset
|
1091 } |
c7ecd097b883
SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents:
5747
diff
changeset
|
1092 |
6489
c256dfdd469d
SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6488
diff
changeset
|
1093 #if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED) |
5755
8df08465fcfd
SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5754
diff
changeset
|
1094 |
5754
c7ecd097b883
SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents:
5747
diff
changeset
|
1095 if (key == NULL) { |
c7ecd097b883
SSL: return temporary RSA key only when the key length matches.
Piotr Sikora <piotr@cloudflare.com>
parents:
5747
diff
changeset
|
1096 key = RSA_generate_key(512, RSA_F4, NULL, NULL); |
559 | 1097 } |
1098 | |
5755
8df08465fcfd
SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5754
diff
changeset
|
1099 #endif |
8df08465fcfd
SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5754
diff
changeset
|
1100 |
3959
b1f48fa31e6c
MSIE export versions are rare now, so RSA 512 key is generated on demand
Igor Sysoev <igor@sysoev.ru>
parents:
3851
diff
changeset
|
1101 return key; |
547 | 1102 } |
1103 | |
1104 | |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1105 ngx_array_t * |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1106 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1107 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1108 u_char *p, *last, *end; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1109 size_t len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1110 ssize_t n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1111 ngx_fd_t fd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1112 ngx_str_t *pwd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1113 ngx_array_t *passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1114 ngx_pool_cleanup_t *cln; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1115 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1116 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1117 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1118 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1119 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1120 |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1121 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1122 if (passwords == NULL) { |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1123 return NULL; |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1124 } |
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1125 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1126 cln = ngx_pool_cleanup_add(cf->temp_pool, 0); |
7454
e72c8a8a8b10
SSL: separate checks for errors in ngx_ssl_read_password_file().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7453
diff
changeset
|
1127 if (cln == NULL) { |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1128 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1129 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1130 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1131 cln->handler = ngx_ssl_passwords_cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1132 cln->data = passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1133 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1134 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); |
7086 | 1135 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1136 if (fd == NGX_INVALID_FILE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1137 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1138 ngx_open_file_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1139 return NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1140 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1141 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1142 len = 0; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1143 last = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1144 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1145 do { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1146 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1147 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1148 if (n == -1) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1149 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1150 ngx_read_fd_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1151 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1152 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1153 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1154 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1155 end = last + n; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1156 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1157 if (len && n == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1158 *end++ = LF; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1159 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1160 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1161 p = buf; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1162 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1163 for ( ;; ) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1164 last = ngx_strlchr(last, end, LF); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1165 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1166 if (last == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1167 break; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1168 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1169 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1170 len = last++ - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1171 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1172 if (len && p[len - 1] == CR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1173 len--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1174 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1175 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1176 if (len) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1177 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1178 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1179 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1180 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1181 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1182 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1183 pwd->len = len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1184 pwd->data = ngx_pnalloc(cf->temp_pool, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1185 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1186 if (pwd->data == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1187 passwords->nelts--; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1188 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1189 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1190 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1191 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1192 ngx_memcpy(pwd->data, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1193 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1194 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1195 p = last; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1196 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1197 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1198 len = end - p; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1199 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1200 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1201 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1202 "too long line in \"%s\"", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1203 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1204 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1205 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1206 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1207 ngx_memmove(buf, p, len); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1208 last = buf + len; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1209 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1210 } while (n != 0); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1211 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1212 if (passwords->nelts == 0) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1213 pwd = ngx_array_push(passwords); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1214 if (pwd == NULL) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1215 passwords = NULL; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1216 goto cleanup; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1217 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1218 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1219 ngx_memzero(pwd, sizeof(ngx_str_t)); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1220 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1221 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1222 cleanup: |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1223 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1224 if (ngx_close_file(fd) == NGX_FILE_ERROR) { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1225 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1226 ngx_close_file_n " \"%s\" failed", file->data); |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1227 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1228 |
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1229 ngx_explicit_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1230 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1231 return passwords; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1232 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1233 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1234 |
7463
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1235 ngx_array_t * |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1236 ngx_ssl_preserve_passwords(ngx_conf_t *cf, ngx_array_t *passwords) |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1237 { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1238 ngx_str_t *opwd, *pwd; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1239 ngx_uint_t i; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1240 ngx_array_t *pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1241 ngx_pool_cleanup_t *cln; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1242 static ngx_array_t empty_passwords; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1243 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1244 if (passwords == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1245 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1246 /* |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1247 * If there are no passwords, an empty array is used |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1248 * to make sure OpenSSL's default password callback |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1249 * won't block on reading from stdin. |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1250 */ |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1251 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1252 return &empty_passwords; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1253 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1254 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1255 /* |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1256 * Passwords are normally allocated from the temporary pool |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1257 * and cleared after parsing configuration. To be used at |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1258 * runtime they have to be copied to the configuration pool. |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1259 */ |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1260 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1261 pwds = ngx_array_create(cf->pool, passwords->nelts, sizeof(ngx_str_t)); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1262 if (pwds == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1263 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1264 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1265 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1266 cln = ngx_pool_cleanup_add(cf->pool, 0); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1267 if (cln == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1268 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1269 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1270 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1271 cln->handler = ngx_ssl_passwords_cleanup; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1272 cln->data = pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1273 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1274 opwd = passwords->elts; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1275 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1276 for (i = 0; i < passwords->nelts; i++) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1277 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1278 pwd = ngx_array_push(pwds); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1279 if (pwd == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1280 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1281 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1282 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1283 pwd->len = opwd[i].len; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1284 pwd->data = ngx_pnalloc(cf->pool, pwd->len); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1285 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1286 if (pwd->data == NULL) { |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1287 pwds->nelts--; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1288 return NULL; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1289 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1290 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1291 ngx_memcpy(pwd->data, opwd[i].data, opwd[i].len); |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1292 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1293 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1294 return pwds; |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1295 } |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1296 |
180df83473a4
SSL: passwords support for dynamic certificate loading.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7461
diff
changeset
|
1297 |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1298 static void |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1299 ngx_ssl_passwords_cleanup(void *data) |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1300 { |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1301 ngx_array_t *passwords = data; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1302 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1303 ngx_str_t *pwd; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1304 ngx_uint_t i; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1305 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1306 pwd = passwords->elts; |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1307 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1308 for (i = 0; i < passwords->nelts; i++) { |
7395
9ca82f273967
Core: ngx_explicit_memzero().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7372
diff
changeset
|
1309 ngx_explicit_memzero(pwd[i].data, pwd[i].len); |
5744
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1310 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1311 } |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1312 |
42114bf12da0
SSL: the "ssl_password_file" directive.
Valentin Bartenev <vbart@nginx.com>
parents:
5700
diff
changeset
|
1313 |
547 | 1314 ngx_int_t |
2044 | 1315 ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) |
1316 { | |
1317 DH *dh; | |
1318 BIO *bio; | |
1319 | |
1320 if (file->len == 0) { | |
1321 return NGX_OK; | |
1322 } | |
1323 | |
5330
314c3d7cc3a5
Backed out f1a91825730a and 7094bd12c1ff.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5317
diff
changeset
|
1324 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { |
2044 | 1325 return NGX_ERROR; |
1326 } | |
1327 | |
1328 bio = BIO_new_file((char *) file->data, "r"); | |
1329 if (bio == NULL) { | |
1330 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1331 "BIO_new_file(\"%s\") failed", file->data); | |
1332 return NGX_ERROR; | |
1333 } | |
1334 | |
1335 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); | |
1336 if (dh == NULL) { | |
1337 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
1338 "PEM_read_bio_DHparams(\"%s\") failed", file->data); | |
1339 BIO_free(bio); | |
1340 return NGX_ERROR; | |
1341 } | |
1342 | |
1343 SSL_CTX_set_tmp_dh(ssl->ctx, dh); | |
1344 | |
1345 DH_free(dh); | |
1346 BIO_free(bio); | |
1347 | |
1348 return NGX_OK; | |
1349 } | |
1350 | |
4522 | 1351 |
3960 | 1352 ngx_int_t |
1353 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) | |
1354 { | |
1355 #ifndef OPENSSL_NO_ECDH | |
1356 | |
1357 /* | |
1358 * Elliptic-Curve Diffie-Hellman parameters are either "named curves" | |
4572
67653855682e
Fixed spelling in multiline C comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4522
diff
changeset
|
1359 * from RFC 4492 section 5.1.1, or explicitly described curves over |
6552 | 1360 * binary fields. OpenSSL only supports the "named curves", which provide |
3960 | 1361 * maximum interoperability. |
1362 */ | |
1363 | |
6983
3518287d995e
SSL: compatibility with OpenSSL master branch.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6982
diff
changeset
|
1364 #if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1365 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1366 /* |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1367 * OpenSSL 1.0.2+ allows configuring a curve list instead of a single |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1368 * curve previously supported. By default an internal list is used, |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1369 * with prime256v1 being preferred by server in OpenSSL 1.0.2b+ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1370 * and X25519 in OpenSSL 1.1.0+. |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1371 * |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1372 * By default a curve preferred by the client will be used for |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1373 * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1374 * be used to prefer server curves instead, similar to what it |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1375 * does for ciphers. |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1376 */ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1377 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1378 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1379 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1380 #if SSL_CTRL_SET_ECDH_AUTO |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1381 /* not needed in OpenSSL 1.1.0+ */ |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1382 SSL_CTX_set_ecdh_auto(ssl->ctx, 1); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1383 #endif |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1384 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1385 if (ngx_strcmp(name->data, "auto") == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1386 return NGX_OK; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1387 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1388 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1389 if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1390 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1391 "SSL_CTX_set1_curves_list(\"%s\") failed", name->data); |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1392 return NGX_ERROR; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1393 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1394 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1395 #else |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1396 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1397 int nid; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1398 char *curve; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1399 EC_KEY *ecdh; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1400 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1401 if (ngx_strcmp(name->data, "auto") == 0) { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1402 curve = "prime256v1"; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1403 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1404 } else { |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1405 curve = (char *) name->data; |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1406 } |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1407 |
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1408 nid = OBJ_sn2nid(curve); |
3960 | 1409 if (nid == 0) { |
1410 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1411 "OBJ_sn2nid(\"%s\") failed: unknown curve", curve); |
3960 | 1412 return NGX_ERROR; |
1413 } | |
1414 | |
1415 ecdh = EC_KEY_new_by_curve_name(nid); | |
1416 if (ecdh == NULL) { | |
1417 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, | |
6553
2014ed60f17f
SSL: support for multiple curves (ticket #885).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6552
diff
changeset
|
1418 "EC_KEY_new_by_curve_name(\"%s\") failed", curve); |
3960 | 1419 return NGX_ERROR; |
1420 } | |
1421 | |
5003
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1422 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); |
82234f3f5ca2
SSL: speedup loading of configs with many ssl servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4877
diff
changeset
|
1423 |
3960 | 1424 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); |
1425 | |
1426 EC_KEY_free(ecdh); | |
1427 #endif | |
1428 #endif | |
1429 | |
1430 return NGX_OK; | |
1431 } | |
2044 | 1432 |
4522 | 1433 |
2044 | 1434 ngx_int_t |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1435 ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1436 { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1437 if (!enable) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1438 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1439 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1440 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1441 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1442 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1443 /* BoringSSL */ |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1444 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1445 SSL_CTX_set_early_data_enabled(ssl->ctx, 1); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1446 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1447 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1448 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1449 /* OpenSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1450 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1451 SSL_CTX_set_max_early_data(ssl->ctx, NGX_SSL_BUFSIZE); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1452 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1453 #else |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1454 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1455 "\"ssl_early_data\" is not supported on this platform, " |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1456 "ignored"); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1457 #endif |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1458 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1459 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1460 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1461 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1462 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
1463 ngx_int_t |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1464 ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1465 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1466 if (!enable) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1467 return NGX_OK; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1468 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1469 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1470 SSL_CTX_set_session_cache_mode(ssl->ctx, |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1471 SSL_SESS_CACHE_CLIENT |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1472 |SSL_SESS_CACHE_NO_INTERNAL); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1473 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1474 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1475 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1476 return NGX_OK; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1477 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1478 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1479 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1480 static int |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1481 ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1482 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1483 ngx_connection_t *c; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1484 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1485 c = ngx_ssl_get_connection(ssl_conn); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1486 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1487 if (c->ssl->save_session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1488 c->ssl->session = sess; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1489 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1490 c->ssl->save_session(c); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1491 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1492 c->ssl->session = NULL; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1493 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1494 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1495 return 0; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1496 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1497 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1498 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1499 ngx_int_t |
547 | 1500 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) |
577 | 1501 { |
547 | 1502 ngx_ssl_connection_t *sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1503 |
547 | 1504 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); |
1505 if (sc == NULL) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1506 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1507 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1508 |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
1509 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
1510 sc->buffer_size = ssl->buffer_size; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
1511 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1512 sc->session_ctx = ssl->ctx; |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
1513 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1514 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1515 if (SSL_CTX_get_max_early_data(ssl->ctx)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1516 sc->try_early_data = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1517 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1518 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1519 |
547 | 1520 sc->connection = SSL_new(ssl->ctx); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1521 |
547 | 1522 if (sc->connection == NULL) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1523 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1524 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1525 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1526 |
547 | 1527 if (SSL_set_fd(sc->connection, c->fd) == 0) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1528 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed"); |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1529 return NGX_ERROR; |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1530 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
1531 |
577 | 1532 if (flags & NGX_SSL_CLIENT) { |
1533 SSL_set_connect_state(sc->connection); | |
1534 | |
1535 } else { | |
1536 SSL_set_accept_state(sc->connection); | |
7319
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1537 |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1538 #ifdef SSL_OP_NO_RENEGOTIATION |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1539 SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION); |
dcab86115261
SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7318
diff
changeset
|
1540 #endif |
577 | 1541 } |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1542 |
969 | 1543 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { |
671 | 1544 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); |
1545 return NGX_ERROR; | |
1546 } | |
1547 | |
547 | 1548 c->ssl = sc; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1549 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1550 return NGX_OK; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1551 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1552 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1553 |
7320
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1554 ngx_ssl_session_t * |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1555 ngx_ssl_get_session(ngx_connection_t *c) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1556 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1557 #ifdef TLS1_3_VERSION |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1558 if (c->ssl->session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1559 SSL_SESSION_up_ref(c->ssl->session); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1560 return c->ssl->session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1561 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1562 #endif |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1563 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1564 return SSL_get1_session(c->ssl->connection); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1565 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1566 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1567 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1568 ngx_ssl_session_t * |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1569 ngx_ssl_get0_session(ngx_connection_t *c) |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1570 { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1571 if (c->ssl->session) { |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1572 return c->ssl->session; |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1573 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1574 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1575 return SSL_get0_session(c->ssl->connection); |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1576 } |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1577 |
696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7319
diff
changeset
|
1578 |
547 | 1579 ngx_int_t |
577 | 1580 ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) |
1581 { | |
1582 if (session) { | |
1583 if (SSL_set_session(c->ssl->connection, session) == 0) { | |
1584 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed"); | |
1585 return NGX_ERROR; | |
1586 } | |
1587 } | |
1588 | |
1589 return NGX_OK; | |
1590 } | |
1591 | |
1592 | |
1593 ngx_int_t | |
547 | 1594 ngx_ssl_handshake(ngx_connection_t *c) |
1595 { | |
1596 int n, sslerr; | |
1597 ngx_err_t err; | |
1598 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1599 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1600 if (c->ssl->try_early_data) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1601 return ngx_ssl_try_early_data(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1602 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1603 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1604 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1605 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1606 |
547 | 1607 n = SSL_do_handshake(c->ssl->connection); |
1608 | |
577 | 1609 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); |
547 | 1610 |
1611 if (n == 1) { | |
1612 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1613 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1614 return NGX_ERROR; |
1615 } | |
1616 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1617 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1618 return NGX_ERROR; |
1619 } | |
1620 | |
1621 #if (NGX_DEBUG) | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1622 ngx_ssl_handshake_log(c); |
547 | 1623 #endif |
1624 | |
1625 c->ssl->handshaked = 1; | |
1626 | |
1627 c->recv = ngx_ssl_recv; | |
1628 c->send = ngx_ssl_write; | |
577 | 1629 c->recv_chain = ngx_ssl_recv_chain; |
1630 c->send_chain = ngx_ssl_send_chain; | |
547 | 1631 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1632 #ifndef SSL_OP_NO_RENEGOTIATION |
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1633 #if OPENSSL_VERSION_NUMBER < 0x10100000L |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1634 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS |
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1635 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1636 /* initial handshake done, disable renegotiation (CVE-2009-3555) */ |
6995
eb5d119323d8
SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6983
diff
changeset
|
1637 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) { |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1638 c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1639 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
1640 |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1641 #endif |
6255
b40af2fd1c16
SSL: compatibility with OpenSSL master branch.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6036
diff
changeset
|
1642 #endif |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
1643 #endif |
5946
ee941e49bd88
SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
Lukas Tribus <luky-37@hotmail.com>
parents:
5934
diff
changeset
|
1644 |
547 | 1645 return NGX_OK; |
1646 } | |
1647 | |
1648 sslerr = SSL_get_error(c->ssl->connection, n); | |
1649 | |
1650 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); | |
1651 | |
1652 if (sslerr == SSL_ERROR_WANT_READ) { | |
1653 c->read->ready = 0; | |
1654 c->read->handler = ngx_ssl_handshake_handler; | |
591 | 1655 c->write->handler = ngx_ssl_handshake_handler; |
547 | 1656 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1657 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
547 | 1658 return NGX_ERROR; |
1659 } | |
1660 | |
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1661 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1662 return NGX_ERROR; |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1663 } |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1664 |
547 | 1665 return NGX_AGAIN; |
1666 } | |
1667 | |
1668 if (sslerr == SSL_ERROR_WANT_WRITE) { | |
1669 c->write->ready = 0; | |
591 | 1670 c->read->handler = ngx_ssl_handshake_handler; |
547 | 1671 c->write->handler = ngx_ssl_handshake_handler; |
1672 | |
5024
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1673 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1674 return NGX_ERROR; |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1675 } |
03513220b83b
SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5023
diff
changeset
|
1676 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
1677 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
547 | 1678 return NGX_ERROR; |
1679 } | |
1680 | |
1681 return NGX_AGAIN; | |
1682 } | |
1683 | |
1684 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; | |
1685 | |
1686 c->ssl->no_wait_shutdown = 1; | |
1687 c->ssl->no_send_shutdown = 1; | |
591 | 1688 c->read->eof = 1; |
547 | 1689 |
1690 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { | |
5747
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1691 ngx_connection_error(c, err, |
57c05ff57980
SSL: logging level of "peer closed connection in SSL handshake".
Maxim Dounin <mdounin@mdounin.ru>
parents:
5744
diff
changeset
|
1692 "peer closed connection in SSL handshake"); |
547 | 1693 |
1694 return NGX_ERROR; | |
1695 } | |
1696 | |
591 | 1697 c->read->error = 1; |
1698 | |
547 | 1699 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); |
1700 | |
1701 return NGX_ERROR; | |
1702 } | |
1703 | |
1704 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1705 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1706 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1707 static ngx_int_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1708 ngx_ssl_try_early_data(ngx_connection_t *c) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1709 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1710 int n, sslerr; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1711 u_char buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1712 size_t readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1713 ngx_err_t err; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1714 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1715 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1716 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1717 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1718 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1719 n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1720 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1721 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1722 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1723 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1724 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1725 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1726 return ngx_ssl_handshake(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1727 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1728 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1729 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1730 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1731 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1732 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1733 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1734 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1735 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1736 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1737 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1738 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1739 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1740 ngx_ssl_handshake_log(c); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1741 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1742 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1743 c->ssl->try_early_data = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1744 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1745 c->ssl->early_buf = buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1746 c->ssl->early_preread = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1747 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1748 c->ssl->handshaked = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1749 c->ssl->in_early = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1750 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1751 c->recv = ngx_ssl_recv; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1752 c->send = ngx_ssl_write; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1753 c->recv_chain = ngx_ssl_recv_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1754 c->send_chain = ngx_ssl_send_chain; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1755 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1756 return NGX_OK; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1757 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1758 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1759 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1760 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1761 sslerr = SSL_get_error(c->ssl->connection, n); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1762 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1763 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1764 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1765 if (sslerr == SSL_ERROR_WANT_READ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1766 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1767 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1768 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1769 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1770 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1771 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1772 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1773 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1774 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1775 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1776 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1777 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1778 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1779 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1780 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1781 if (sslerr == SSL_ERROR_WANT_WRITE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1782 c->write->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1783 c->read->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1784 c->write->handler = ngx_ssl_handshake_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1785 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1786 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1787 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1788 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1789 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1790 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1791 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1792 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1793 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1794 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1795 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1796 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1797 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1798 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1799 c->ssl->no_wait_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1800 c->ssl->no_send_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1801 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1802 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1803 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1804 ngx_connection_error(c, err, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1805 "peer closed connection in SSL handshake"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1806 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1807 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1808 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1809 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1810 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1811 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1812 ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1813 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1814 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1815 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1816 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1817 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1818 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1819 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1820 #if (NGX_DEBUG) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1821 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1822 static void |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1823 ngx_ssl_handshake_log(ngx_connection_t *c) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1824 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1825 char buf[129], *s, *d; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1826 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1827 const |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1828 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1829 SSL_CIPHER *cipher; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1830 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1831 cipher = SSL_get_current_cipher(c->ssl->connection); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1832 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1833 if (cipher) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1834 SSL_CIPHER_description(cipher, &buf[1], 128); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1835 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1836 for (s = &buf[1], d = buf; *s; s++) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1837 if (*s == ' ' && *d == ' ') { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1838 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1839 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1840 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1841 if (*s == LF || *s == CR) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1842 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1843 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1844 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1845 *++d = *s; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1846 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1847 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1848 if (*d != ' ') { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1849 d++; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1850 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1851 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1852 *d = '\0'; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1853 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1854 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1855 "SSL: %s, cipher: \"%s\"", |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1856 SSL_get_version(c->ssl->connection), &buf[1]); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1857 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1858 if (SSL_session_reused(c->ssl->connection)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1859 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1860 "SSL reused session"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1861 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1862 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1863 } else { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1864 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1865 "SSL no shared ciphers"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1866 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1867 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1868 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1869 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1870 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1871 |
547 | 1872 static void |
1873 ngx_ssl_handshake_handler(ngx_event_t *ev) | |
1874 { | |
1875 ngx_connection_t *c; | |
1876 | |
1877 c = ev->data; | |
1878 | |
549 | 1879 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
577 | 1880 "SSL handshake handler: %d", ev->write); |
547 | 1881 |
591 | 1882 if (ev->timedout) { |
1883 c->ssl->handler(c); | |
1884 return; | |
1885 } | |
1886 | |
547 | 1887 if (ngx_ssl_handshake(c) == NGX_AGAIN) { |
1888 return; | |
1889 } | |
1890 | |
1891 c->ssl->handler(c); | |
1892 } | |
1893 | |
1894 | |
489 | 1895 ssize_t |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1896 ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit) |
577 | 1897 { |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1898 u_char *last; |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1899 ssize_t n, bytes, size; |
577 | 1900 ngx_buf_t *b; |
1901 | |
1902 bytes = 0; | |
1903 | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1904 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1905 last = b->last; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1906 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1907 for ( ;; ) { |
5882
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1908 size = b->end - last; |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1909 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1910 if (limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1911 if (bytes >= limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1912 return bytes; |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1913 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1914 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1915 if (bytes + size > limit) { |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1916 size = (ssize_t) (limit - bytes); |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1917 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1918 } |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1919 |
ec81934727a1
Core: added limit to recv_chain().
Roman Arutyunyan <arut@nginx.com>
parents:
5834
diff
changeset
|
1920 n = ngx_ssl_recv(c, last, size); |
577 | 1921 |
1922 if (n > 0) { | |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1923 last += n; |
577 | 1924 bytes += n; |
1925 | |
7582
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
1926 if (!c->read->ready) { |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
1927 return bytes; |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
1928 } |
70749256af79
SSL: improved ngx_ssl_recv_chain() to stop if c->read->ready is 0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7560
diff
changeset
|
1929 |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1930 if (last == b->end) { |
577 | 1931 cl = cl->next; |
1154
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1932 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1933 if (cl == NULL) { |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1934 return bytes; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1935 } |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1936 |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1937 b = cl->buf; |
427de53e45c2
ngx_ssl_recv_chain() must not update buf->last,
Igor Sysoev <igor@sysoev.ru>
parents:
1043
diff
changeset
|
1938 last = b->last; |
577 | 1939 } |
1940 | |
1941 continue; | |
1942 } | |
1943 | |
1944 if (bytes) { | |
2052
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
1945 |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
1946 if (n == 0 || n == NGX_ERROR) { |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
1947 c->read->ready = 1; |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
1948 } |
b4085596a7e6
fix "proxy_pass https://..." broken in r1427
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
1949 |
577 | 1950 return bytes; |
1951 } | |
1952 | |
1953 return n; | |
1954 } | |
1955 } | |
1956 | |
1957 | |
1958 ssize_t | |
489 | 1959 ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1960 { |
489 | 1961 int n, bytes; |
1962 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1963 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1964 if (c->ssl->in_early) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1965 return ngx_ssl_recv_early(c, buf, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1966 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1967 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
1968 |
489 | 1969 if (c->ssl->last == NGX_ERROR) { |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
1970 c->read->error = 1; |
489 | 1971 return NGX_ERROR; |
1972 } | |
1973 | |
577 | 1974 if (c->ssl->last == NGX_DONE) { |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
1975 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
1976 c->read->eof = 1; |
577 | 1977 return 0; |
1978 } | |
1979 | |
489 | 1980 bytes = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1981 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1982 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
1983 |
489 | 1984 /* |
1985 * SSL_read() may return data in parts, so try to read | |
1986 * until SSL_read() would return no data | |
1987 */ | |
1988 | |
1989 for ( ;; ) { | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1990 |
543 | 1991 n = SSL_read(c->ssl->connection, buf, size); |
489 | 1992 |
577 | 1993 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
1994 |
489 | 1995 if (n > 0) { |
1996 bytes += n; | |
1997 } | |
1998 | |
1999 c->ssl->last = ngx_ssl_handle_recv(c, n); | |
2000 | |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2001 if (c->ssl->last == NGX_OK) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2002 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2003 size -= n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2004 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2005 if (size == 0) { |
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2006 c->read->ready = 1; |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2007 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2008 if (c->read->available >= 0) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2009 c->read->available -= bytes; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2010 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2011 /* |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2012 * there can be data buffered at SSL layer, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2013 * so we post an event to continue reading on the next |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2014 * iteration of the event loop |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2015 */ |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2016 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2017 if (c->read->available < 0) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2018 c->read->available = 0; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2019 c->read->ready = 0; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2020 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2021 if (c->ssl->next_read_handler == NULL) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2022 c->ssl->next_read_handler = c->read->handler; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2023 c->read->handler = ngx_ssl_next_read_handler; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2024 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2025 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2026 ngx_post_event(c->read, &ngx_posted_next_events); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2027 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2028 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2029 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2030 "SSL_read: avail:%d", c->read->available); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2031 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2032 } else { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2033 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2034 #if (NGX_HAVE_FIONREAD) |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2035 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2036 if (ngx_socket_nread(c->fd, &c->read->available) == -1) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2037 c->read->error = 1; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2038 ngx_connection_error(c, ngx_socket_errno, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2039 ngx_socket_nread_n " failed"); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2040 return NGX_ERROR; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2041 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2042 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2043 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2044 "SSL_read: avail:%d", c->read->available); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2045 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2046 #endif |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2047 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2048 |
489 | 2049 return bytes; |
577 | 2050 } |
489 | 2051 |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2052 buf += n; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2053 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2054 continue; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2055 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2056 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2057 if (bytes) { |
5450
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2058 if (c->ssl->last != NGX_AGAIN) { |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2059 c->read->ready = 1; |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2060 } |
9868c72f6f43
SSL: fixed c->read->ready handling in ngx_ssl_recv().
Maxim Dounin <mdounin@mdounin.ru>
parents:
5425
diff
changeset
|
2061 |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2062 return bytes; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2063 } |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2064 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2065 switch (c->ssl->last) { |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2066 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2067 case NGX_DONE: |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2068 c->read->ready = 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2069 c->read->eof = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2070 return 0; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2071 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2072 case NGX_ERROR: |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2073 c->read->error = 1; |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2074 |
4499
778ef9c3fd2d
Fixed spelling in single-line comments.
Ruslan Ermilov <ru@nginx.com>
parents:
4497
diff
changeset
|
2075 /* fall through */ |
1426
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2076 |
adbafd129d06
do not set read->eof, ready, and error prematurely
Igor Sysoev <igor@sysoev.ru>
parents:
1421
diff
changeset
|
2077 case NGX_AGAIN: |
577 | 2078 return c->ssl->last; |
479 | 2079 } |
489 | 2080 } |
2081 } | |
2082 | |
2083 | |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2084 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2085 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2086 static ssize_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2087 ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2088 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2089 int n, bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2090 size_t readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2091 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2092 if (c->ssl->last == NGX_ERROR) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2093 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2094 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2095 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2096 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2097 if (c->ssl->last == NGX_DONE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2098 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2099 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2100 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2101 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2102 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2103 bytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2104 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2105 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2106 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2107 if (c->ssl->early_preread) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2108 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2109 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2110 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2111 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2112 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2113 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2114 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2115 *buf = c->ssl->early_buf; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2116 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2117 c->ssl->early_preread = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2118 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2119 bytes = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2120 size -= 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2121 buf += 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2122 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2123 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2124 if (c->ssl->write_blocked) { |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2125 return NGX_AGAIN; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2126 } |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2127 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2128 /* |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2129 * SSL_read_early_data() may return data in parts, so try to read |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2130 * until SSL_read_early_data() would return no data |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2131 */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2132 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2133 for ( ;; ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2134 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2135 readbytes = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2136 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2137 n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2138 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2139 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2140 "SSL_read_early_data: %d, %uz", n, readbytes); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2141 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2142 if (n == SSL_READ_EARLY_DATA_SUCCESS) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2143 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2144 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2145 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2146 bytes += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2147 size -= readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2148 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2149 if (size == 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2150 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2151 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2152 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2153 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2154 buf += readbytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2155 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2156 continue; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2157 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2158 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2159 if (n == SSL_READ_EARLY_DATA_FINISH) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2160 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2161 c->ssl->last = ngx_ssl_handle_recv(c, 1); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2162 c->ssl->in_early = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2163 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2164 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2165 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2166 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2167 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2168 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2169 return ngx_ssl_recv(c, buf, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2170 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2171 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2172 /* SSL_READ_EARLY_DATA_ERROR */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2173 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2174 c->ssl->last = ngx_ssl_handle_recv(c, 0); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2175 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2176 if (bytes) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2177 if (c->ssl->last != NGX_AGAIN) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2178 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2179 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2180 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2181 return bytes; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2182 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2183 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2184 switch (c->ssl->last) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2185 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2186 case NGX_DONE: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2187 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2188 c->read->eof = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2189 return 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2190 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2191 case NGX_ERROR: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2192 c->read->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2193 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2194 /* fall through */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2195 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2196 case NGX_AGAIN: |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2197 return c->ssl->last; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2198 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2199 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2200 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2201 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2202 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2203 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2204 |
489 | 2205 static ngx_int_t |
2206 ngx_ssl_handle_recv(ngx_connection_t *c, int n) | |
2207 { | |
547 | 2208 int sslerr; |
2209 ngx_err_t err; | |
489 | 2210 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2211 #ifndef SSL_OP_NO_RENEGOTIATION |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2212 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2213 if (c->ssl->renegotiation) { |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2214 /* |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2215 * disable renegotiation (CVE-2009-3555): |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2216 * OpenSSL (at least up to 0.9.8l) does not handle disabled |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2217 * renegotiation gracefully, so drop connection here |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2218 */ |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2219 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2220 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2221 |
4236
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2222 while (ERR_peek_error()) { |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2223 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2224 "ignoring stale global SSL error"); |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2225 } |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2226 |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2227 ERR_clear_error(); |
2ada2a26b24c
Silently ignoring a stale global SSL error left after disabled renegotiation.
Igor Sysoev <igor@sysoev.ru>
parents:
4228
diff
changeset
|
2228 |
3300
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2229 c->ssl->no_wait_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2230 c->ssl->no_send_shutdown = 1; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2231 |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2232 return NGX_ERROR; |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2233 } |
5a08dfb8d763
disable SSL renegotiation (CVE-2009-3555)
Igor Sysoev <igor@sysoev.ru>
parents:
3283
diff
changeset
|
2234 |
7356
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2235 #endif |
e3ba4026c02d
SSL: disabled renegotiation checks with SSL_OP_NO_RENEGOTIATION.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7353
diff
changeset
|
2236 |
489 | 2237 if (n > 0) { |
479 | 2238 |
473 | 2239 if (c->ssl->saved_write_handler) { |
2240 | |
509 | 2241 c->write->handler = c->ssl->saved_write_handler; |
473 | 2242 c->ssl->saved_write_handler = NULL; |
2243 c->write->ready = 1; | |
2244 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2245 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2246 return NGX_ERROR; |
2247 } | |
2248 | |
563 | 2249 ngx_post_event(c->write, &ngx_posted_events); |
473 | 2250 } |
2251 | |
489 | 2252 return NGX_OK; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2253 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2254 |
543 | 2255 sslerr = SSL_get_error(c->ssl->connection, n); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2256 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2257 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2258 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2259 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2260 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2261 if (sslerr == SSL_ERROR_WANT_READ) { |
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2262 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2263 if (c->ssl->saved_write_handler) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2264 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2265 c->write->handler = c->ssl->saved_write_handler; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2266 c->ssl->saved_write_handler = NULL; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2267 c->write->ready = 1; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2268 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2269 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2270 return NGX_ERROR; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2271 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2272 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2273 ngx_post_event(c->write, &ngx_posted_events); |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2274 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2275 |
455 | 2276 c->read->ready = 0; |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2277 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2278 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2279 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2280 if (sslerr == SSL_ERROR_WANT_WRITE) { |
539 | 2281 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2282 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2283 "SSL_read: want write"); |
473 | 2284 |
2285 c->write->ready = 0; | |
2286 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2287 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
473 | 2288 return NGX_ERROR; |
2289 } | |
2290 | |
2291 /* | |
2292 * we do not set the timer because there is already the read event timer | |
2293 */ | |
2294 | |
2295 if (c->ssl->saved_write_handler == NULL) { | |
509 | 2296 c->ssl->saved_write_handler = c->write->handler; |
2297 c->write->handler = ngx_ssl_write_handler; | |
473 | 2298 } |
2299 | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2300 return NGX_AGAIN; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2301 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2302 |
547 | 2303 c->ssl->no_wait_shutdown = 1; |
2304 c->ssl->no_send_shutdown = 1; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2305 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2306 if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { |
577 | 2307 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
2308 "peer shutdown SSL cleanly"); | |
2309 return NGX_DONE; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2310 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2311 |
547 | 2312 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2313 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2314 return NGX_ERROR; |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2315 } |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2316 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
2317 |
489 | 2318 static void |
2319 ngx_ssl_write_handler(ngx_event_t *wev) | |
473 | 2320 { |
2321 ngx_connection_t *c; | |
2322 | |
2323 c = wev->data; | |
547 | 2324 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2325 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler"); |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2326 |
509 | 2327 c->read->handler(c->read); |
473 | 2328 } |
2329 | |
2330 | |
7584
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2331 static void |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2332 ngx_ssl_next_read_handler(ngx_event_t *rev) |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2333 { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2334 ngx_connection_t *c; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2335 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2336 c = rev->data; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2337 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2338 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL next read handler"); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2339 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2340 rev->handler = c->ssl->next_read_handler; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2341 c->ssl->next_read_handler = NULL; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2342 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2343 if (!rev->ready) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2344 rev->ready = 1; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2345 rev->available = -1; |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2346 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2347 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2348 if (rev->posted) { |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2349 ngx_delete_posted_event(rev); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2350 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2351 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2352 rev->handler(rev); |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2353 } |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2354 |
9d2ad2fb4423
SSL: available bytes handling (ticket #1431).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7582
diff
changeset
|
2355 |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2356 /* |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2357 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer |
473 | 2358 * before the SSL_write() call to decrease a SSL overhead. |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2359 * |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2360 * Besides for protocols such as HTTP it is possible to always buffer |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2361 * the output to decrease a SSL overhead some more. |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2362 */ |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2363 |
489 | 2364 ngx_chain_t * |
2365 ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2366 { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2367 int n; |
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
2368 ngx_uint_t flush; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2369 ssize_t send, size; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2370 ngx_buf_t *buf; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2371 |
2280
6453161bf53e
always use buffer, if connection is buffered,
Igor Sysoev <igor@sysoev.ru>
parents:
2165
diff
changeset
|
2372 if (!c->ssl->buffer) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2373 |
577 | 2374 while (in) { |
2375 if (ngx_buf_special(in->buf)) { | |
2376 in = in->next; | |
2377 continue; | |
2378 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2379 |
577 | 2380 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); |
2381 | |
2382 if (n == NGX_ERROR) { | |
2383 return NGX_CHAIN_ERROR; | |
2384 } | |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2385 |
577 | 2386 if (n == NGX_AGAIN) { |
2387 return in; | |
2388 } | |
2389 | |
2390 in->buf->pos += n; | |
2391 | |
2392 if (in->buf->pos == in->buf->last) { | |
2393 in = in->next; | |
2394 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2395 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2396 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2397 return in; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2398 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2399 |
473 | 2400 |
3962
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2401 /* the maximum limit size is the maximum int32_t value - the page size */ |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2402 |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2403 if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { |
df2ae4bc7415
fix SSL connection issues on platforms with 32-bit off_t
Igor Sysoev <igor@sysoev.ru>
parents:
3961
diff
changeset
|
2404 limit = NGX_MAX_INT32_VALUE - ngx_pagesize; |
473 | 2405 } |
2406 | |
577 | 2407 buf = c->ssl->buf; |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2408 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2409 if (buf == NULL) { |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2410 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2411 if (buf == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2412 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2413 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2414 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2415 c->ssl->buf = buf; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2416 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2417 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2418 if (buf->start == NULL) { |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2419 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size); |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2420 if (buf->start == NULL) { |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2421 return NGX_CHAIN_ERROR; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2422 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2423 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2424 buf->pos = buf->start; |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2425 buf->last = buf->start; |
5487
a297b7ad6f94
SSL: ssl_buffer_size directive.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5450
diff
changeset
|
2426 buf->end = buf->start + c->ssl->buffer_size; |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2427 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2428 |
5023
70a35b7b63ea
SSL: take into account data in the buffer while limiting output.
Valentin Bartenev <vbart@nginx.com>
parents:
5022
diff
changeset
|
2429 send = buf->last - buf->pos; |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2430 flush = (in == NULL) ? 1 : buf->flush; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2431 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2432 for ( ;; ) { |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2433 |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2434 while (in && buf->last < buf->end && send < limit) { |
583 | 2435 if (in->buf->last_buf || in->buf->flush) { |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2436 flush = 1; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2437 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2438 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2439 if (ngx_buf_special(in->buf)) { |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2440 in = in->next; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2441 continue; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2442 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2443 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2444 size = in->buf->last - in->buf->pos; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2445 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2446 if (size > buf->end - buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2447 size = buf->end - buf->last; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2448 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2449 |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2450 if (send + size > limit) { |
577 | 2451 size = (ssize_t) (limit - send); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2452 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2453 |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2454 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
6480 | 2455 "SSL buf copy: %z", size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2456 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2457 ngx_memcpy(buf->last, in->buf->pos, size); |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2458 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2459 buf->last += size; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2460 in->buf->pos += size; |
3283
52b1624b93c2
fix segfault in SSL if limit_rate is used
Igor Sysoev <igor@sysoev.ru>
parents:
3159
diff
changeset
|
2461 send += size; |
577 | 2462 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2463 if (in->buf->pos == in->buf->last) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2464 in = in->next; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2465 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2466 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2467 |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2468 if (!flush && send < limit && buf->last < buf->end) { |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2469 break; |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2470 } |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2471 |
5021
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2472 size = buf->last - buf->pos; |
674f8739e443
SSL: calculation of buffer size moved closer to its usage.
Valentin Bartenev <vbart@nginx.com>
parents:
5020
diff
changeset
|
2473 |
5022
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2474 if (size == 0) { |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2475 buf->flush = 0; |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2476 c->buffered &= ~NGX_SSL_BUFFERED; |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2477 return in; |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2478 } |
1d819608ad4a
SSL: avoid calling SSL_write() with zero data size.
Valentin Bartenev <vbart@nginx.com>
parents:
5021
diff
changeset
|
2479 |
398
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2480 n = ngx_ssl_write(c, buf->pos, size); |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2481 |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2482 if (n == NGX_ERROR) { |
201b5f68b59f
nginx-0.0.7-2004-07-23-21:05:37 import
Igor Sysoev <igor@sysoev.ru>
parents:
397
diff
changeset
|
2483 return NGX_CHAIN_ERROR; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2484 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2485 |
511 | 2486 if (n == NGX_AGAIN) { |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2487 break; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2488 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2489 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2490 buf->pos += n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2491 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2492 if (n < size) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2493 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2494 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2495 |
5019
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2496 flush = 0; |
69693a098655
SSL: resetting of flush flag after the data was written.
Valentin Bartenev <vbart@nginx.com>
parents:
5018
diff
changeset
|
2497 |
5018
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2498 buf->pos = buf->start; |
0ea36741bb35
SSL: removed conditions that always hold true.
Valentin Bartenev <vbart@nginx.com>
parents:
5003
diff
changeset
|
2499 buf->last = buf->start; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2500 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2501 if (in == NULL || send == limit) { |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2502 break; |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2503 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2504 } |
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2505 |
5020
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2506 buf->flush = flush; |
587dbe2edc5f
SSL: preservation of flush flag for buffered data.
Valentin Bartenev <vbart@nginx.com>
parents:
5019
diff
changeset
|
2507 |
597 | 2508 if (buf->pos < buf->last) { |
2509 c->buffered |= NGX_SSL_BUFFERED; | |
2510 | |
2511 } else { | |
2512 c->buffered &= ~NGX_SSL_BUFFERED; | |
2513 } | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2514 |
399
4e21d1291a14
nginx-0.0.7-2004-07-25-22:34:14 import
Igor Sysoev <igor@sysoev.ru>
parents:
398
diff
changeset
|
2515 return in; |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2516 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2517 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2518 |
539 | 2519 ssize_t |
489 | 2520 ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2521 { |
547 | 2522 int n, sslerr; |
2523 ngx_err_t err; | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2524 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2525 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2526 if (c->ssl->in_early) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2527 return ngx_ssl_write_early(c, data, size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2528 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2529 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2530 |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2531 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2532 |
6480 | 2533 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2534 |
543 | 2535 n = SSL_write(c->ssl->connection, data, size); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2536 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2537 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2538 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2539 if (n > 0) { |
539 | 2540 |
473 | 2541 if (c->ssl->saved_read_handler) { |
2542 | |
509 | 2543 c->read->handler = c->ssl->saved_read_handler; |
473 | 2544 c->ssl->saved_read_handler = NULL; |
2545 c->read->ready = 1; | |
2546 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2547 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2548 return NGX_ERROR; |
2549 } | |
2550 | |
563 | 2551 ngx_post_event(c->read, &ngx_posted_events); |
473 | 2552 } |
2553 | |
5986
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2554 c->sent += n; |
c2f309fb7ad2
SSL: account sent bytes in ngx_ssl_write().
Ruslan Ermilov <ru@nginx.com>
parents:
5946
diff
changeset
|
2555 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2556 return n; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2557 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2558 |
543 | 2559 sslerr = SSL_get_error(c->ssl->connection, n); |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2560 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2561 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2562 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2563 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2564 |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2565 if (sslerr == SSL_ERROR_WANT_WRITE) { |
7353
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2566 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2567 if (c->ssl->saved_read_handler) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2568 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2569 c->read->handler = c->ssl->saved_read_handler; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2570 c->ssl->saved_read_handler = NULL; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2571 c->read->ready = 1; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2572 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2573 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2574 return NGX_ERROR; |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2575 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2576 |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2577 ngx_post_event(c->read, &ngx_posted_events); |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2578 } |
87d2ea860f38
SSL: restore handlers after blocking.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7352
diff
changeset
|
2579 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2580 c->write->ready = 0; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2581 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2582 } |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2583 |
445
f26432a1935a
nginx-0.1.0-2004-09-30-10:38:49 import
Igor Sysoev <igor@sysoev.ru>
parents:
444
diff
changeset
|
2584 if (sslerr == SSL_ERROR_WANT_READ) { |
452 | 2585 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2586 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2587 "SSL_write: want read"); |
473 | 2588 |
2589 c->read->ready = 0; | |
2590 | |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2591 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
473 | 2592 return NGX_ERROR; |
2593 } | |
2594 | |
2595 /* | |
2596 * we do not set the timer because there is already | |
2597 * the write event timer | |
2598 */ | |
2599 | |
2600 if (c->ssl->saved_read_handler == NULL) { | |
509 | 2601 c->ssl->saved_read_handler = c->read->handler; |
2602 c->read->handler = ngx_ssl_read_handler; | |
473 | 2603 } |
2604 | |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2605 return NGX_AGAIN; |
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2606 } |
395
f8f0f1834266
nginx-0.0.7-2004-07-16-21:11:43 import
Igor Sysoev <igor@sysoev.ru>
parents:
394
diff
changeset
|
2607 |
547 | 2608 c->ssl->no_wait_shutdown = 1; |
2609 c->ssl->no_send_shutdown = 1; | |
591 | 2610 c->write->error = 1; |
543 | 2611 |
547 | 2612 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2613 |
397
de797f3b4c27
nginx-0.0.7-2004-07-23-09:37:29 import
Igor Sysoev <igor@sysoev.ru>
parents:
396
diff
changeset
|
2614 return NGX_ERROR; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2615 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2616 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2617 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2618 #ifdef SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2619 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2620 ssize_t |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2621 ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2622 { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2623 int n, sslerr; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2624 size_t written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2625 ngx_err_t err; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2626 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2627 ngx_ssl_clear_error(c->log); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2628 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2629 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2630 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2631 written = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2632 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2633 n = SSL_write_early_data(c->ssl->connection, data, size, &written); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2634 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2635 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2636 "SSL_write_early_data: %d, %uz", n, written); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2637 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2638 if (n > 0) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2639 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2640 if (c->ssl->saved_read_handler) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2641 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2642 c->read->handler = c->ssl->saved_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2643 c->ssl->saved_read_handler = NULL; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2644 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2645 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2646 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2647 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2648 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2649 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2650 ngx_post_event(c->read, &ngx_posted_events); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2651 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2652 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2653 if (c->ssl->write_blocked) { |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2654 c->ssl->write_blocked = 0; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2655 ngx_post_event(c->read, &ngx_posted_events); |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2656 } |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2657 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2658 c->sent += written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2659 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2660 return written; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2661 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2662 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2663 sslerr = SSL_get_error(c->ssl->connection, n); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2664 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2665 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2666 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2667 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2668 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2669 if (sslerr == SSL_ERROR_WANT_WRITE) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2670 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2671 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2672 "SSL_write_early_data: want write"); |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2673 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2674 if (c->ssl->saved_read_handler) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2675 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2676 c->read->handler = c->ssl->saved_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2677 c->ssl->saved_read_handler = NULL; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2678 c->read->ready = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2679 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2680 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2681 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2682 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2683 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2684 ngx_post_event(c->read, &ngx_posted_events); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2685 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2686 |
7431
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2687 /* |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2688 * OpenSSL 1.1.1a fails to handle SSL_read_early_data() |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2689 * if an SSL_write_early_data() call blocked on writing, |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2690 * see https://github.com/openssl/openssl/issues/7757 |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2691 */ |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2692 |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2693 c->ssl->write_blocked = 1; |
294162223c7c
SSL: avoid reading on pending SSL_write_early_data().
Sergey Kandaurov <pluknet@nginx.com>
parents:
7395
diff
changeset
|
2694 |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2695 c->write->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2696 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2697 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2698 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2699 if (sslerr == SSL_ERROR_WANT_READ) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2700 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2701 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2702 "SSL_write_early_data: want read"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2703 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2704 c->read->ready = 0; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2705 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2706 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2707 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2708 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2709 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2710 /* |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2711 * we do not set the timer because there is already |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2712 * the write event timer |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2713 */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2714 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2715 if (c->ssl->saved_read_handler == NULL) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2716 c->ssl->saved_read_handler = c->read->handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2717 c->read->handler = ngx_ssl_read_handler; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2718 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2719 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2720 return NGX_AGAIN; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2721 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2722 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2723 c->ssl->no_wait_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2724 c->ssl->no_send_shutdown = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2725 c->write->error = 1; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2726 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2727 ngx_ssl_connection_error(c, sslerr, err, "SSL_write_early_data() failed"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2728 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2729 return NGX_ERROR; |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2730 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2731 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2732 #endif |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2733 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
2734 |
489 | 2735 static void |
2736 ngx_ssl_read_handler(ngx_event_t *rev) | |
473 | 2737 { |
2738 ngx_connection_t *c; | |
2739 | |
2740 c = rev->data; | |
547 | 2741 |
7352
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2742 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler"); |
0de0b16a551c
SSL: corrected SSL_ERROR_WANT_WRITE / SSL_ERROR_WANT_READ logging.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7333
diff
changeset
|
2743 |
509 | 2744 c->write->handler(c->write); |
473 | 2745 } |
2746 | |
2747 | |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2748 void |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2749 ngx_ssl_free_buffer(ngx_connection_t *c) |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2750 { |
1795
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
2751 if (c->ssl->buf && c->ssl->buf->start) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
2752 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) { |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
2753 c->ssl->buf->start = NULL; |
3a0132e2be2c
fix segfault introduced in r1780
Igor Sysoev <igor@sysoev.ru>
parents:
1779
diff
changeset
|
2754 } |
1779
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2755 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2756 } |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2757 |
06014cfdb5b1
create ssl buffer on demand and free it before keep-alive
Igor Sysoev <igor@sysoev.ru>
parents:
1778
diff
changeset
|
2758 |
489 | 2759 ngx_int_t |
2760 ngx_ssl_shutdown(ngx_connection_t *c) | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2761 { |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2762 int n, sslerr, mode; |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2763 ngx_err_t err; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2764 |
6407
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2765 if (SSL_in_init(c->ssl->connection)) { |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2766 /* |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2767 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2768 * an SSL handshake, while previous versions always return 0. |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2769 * Avoid calling SSL_shutdown() if handshake wasn't completed. |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2770 */ |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2771 |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2772 SSL_free(c->ssl->connection); |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2773 c->ssl = NULL; |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2774 |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2775 return NGX_OK; |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2776 } |
062c189fee20
SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6406
diff
changeset
|
2777 |
577 | 2778 if (c->timedout) { |
547 | 2779 mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
2780 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2781 |
547 | 2782 } else { |
2783 mode = SSL_get_shutdown(c->ssl->connection); | |
473 | 2784 |
547 | 2785 if (c->ssl->no_wait_shutdown) { |
2786 mode |= SSL_RECEIVED_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2787 } |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2788 |
547 | 2789 if (c->ssl->no_send_shutdown) { |
2790 mode |= SSL_SENT_SHUTDOWN; | |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2791 } |
4064
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
2792 |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
2793 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
2794 SSL_set_quiet_shutdown(c->ssl->connection, 1); |
5b776ad53c3c
Proper SSL shutdown handling.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3992
diff
changeset
|
2795 } |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2796 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2797 |
547 | 2798 SSL_set_shutdown(c->ssl->connection, mode); |
2799 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2800 ngx_ssl_clear_error(c->log); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
2801 |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2802 n = SSL_shutdown(c->ssl->connection); |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2803 |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2804 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2805 |
461 | 2806 sslerr = 0; |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2807 |
6406
d194cad6dd3a
SSL: fixed SSL_shutdown() comment.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6261
diff
changeset
|
2808 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ |
543 | 2809 |
1865
4bcbb0fe5c8d
fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents:
1861
diff
changeset
|
2810 if (n != 1 && ERR_peek_error()) { |
543 | 2811 sslerr = SSL_get_error(c->ssl->connection, n); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2812 |
396
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2813 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
6f3b20c1ac50
nginx-0.0.7-2004-07-18-23:11:20 import
Igor Sysoev <igor@sysoev.ru>
parents:
395
diff
changeset
|
2814 "SSL_get_error: %d", sslerr); |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2815 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2816 |
1865
4bcbb0fe5c8d
fix bogus crit log message "SSL_shutdown() failed" introduced in r1755
Igor Sysoev <igor@sysoev.ru>
parents:
1861
diff
changeset
|
2817 if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) { |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2818 SSL_free(c->ssl->connection); |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2819 c->ssl = NULL; |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2820 |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2821 return NGX_OK; |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2822 } |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2823 |
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2824 if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { |
577 | 2825 c->read->handler = ngx_ssl_shutdown_handler; |
589 | 2826 c->write->handler = ngx_ssl_shutdown_handler; |
577 | 2827 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2828 if (ngx_handle_read_event(c->read, 0) != NGX_OK) { |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2829 return NGX_ERROR; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2830 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2831 |
2388
722b5aff05ae
use "!= NGX_OK" instead of "== NGX_ERROR"
Igor Sysoev <igor@sysoev.ru>
parents:
2315
diff
changeset
|
2832 if (ngx_handle_write_event(c->write, 0) != NGX_OK) { |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2833 return NGX_ERROR; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2834 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2835 |
1754
427d442e1ad8
SSL_shutdown() never returns -1, on error it returns 0.
Igor Sysoev <igor@sysoev.ru>
parents:
1743
diff
changeset
|
2836 if (sslerr == SSL_ERROR_WANT_READ) { |
589 | 2837 ngx_add_timer(c->read, 30000); |
2838 } | |
2839 | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2840 return NGX_AGAIN; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2841 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2842 |
591 | 2843 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; |
2844 | |
2845 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2846 |
543 | 2847 SSL_free(c->ssl->connection); |
2848 c->ssl = NULL; | |
2849 | |
394
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2850 return NGX_ERROR; |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2851 } |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2852 |
e7a68e14ccd3
nginx-0.0.7-2004-07-16-10:33:35 import
Igor Sysoev <igor@sysoev.ru>
parents:
393
diff
changeset
|
2853 |
547 | 2854 static void |
577 | 2855 ngx_ssl_shutdown_handler(ngx_event_t *ev) |
2856 { | |
2857 ngx_connection_t *c; | |
2858 ngx_connection_handler_pt handler; | |
2859 | |
2860 c = ev->data; | |
2861 handler = c->ssl->handler; | |
2862 | |
2863 if (ev->timedout) { | |
2864 c->timedout = 1; | |
2865 } | |
2866 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
2867 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); |
577 | 2868 |
2869 if (ngx_ssl_shutdown(c) == NGX_AGAIN) { | |
2870 return; | |
2871 } | |
2872 | |
2873 handler(c); | |
2874 } | |
2875 | |
2876 | |
2877 static void | |
547 | 2878 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, |
2879 char *text) | |
2880 { | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
2881 int n; |
547 | 2882 ngx_uint_t level; |
2883 | |
2884 level = NGX_LOG_CRIT; | |
2885 | |
2886 if (sslerr == SSL_ERROR_SYSCALL) { | |
2887 | |
2888 if (err == NGX_ECONNRESET | |
7560
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
2889 #if (NGX_WIN32) |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
2890 || err == NGX_ECONNABORTED |
2432a687e789
SSL: lowered log level for WSAECONNABORTED errors on Windows.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7509
diff
changeset
|
2891 #endif |
547 | 2892 || err == NGX_EPIPE |
2893 || err == NGX_ENOTCONN | |
589 | 2894 || err == NGX_ETIMEDOUT |
547 | 2895 || err == NGX_ECONNREFUSED |
1869
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
2896 || err == NGX_ENETDOWN |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
2897 || err == NGX_ENETUNREACH |
192443881e51
add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN
Igor Sysoev <igor@sysoev.ru>
parents:
1868
diff
changeset
|
2898 || err == NGX_EHOSTDOWN |
547 | 2899 || err == NGX_EHOSTUNREACH) |
2900 { | |
2901 switch (c->log_error) { | |
2902 | |
2903 case NGX_ERROR_IGNORE_ECONNRESET: | |
2904 case NGX_ERROR_INFO: | |
2905 level = NGX_LOG_INFO; | |
2906 break; | |
2907 | |
2908 case NGX_ERROR_ERR: | |
2909 level = NGX_LOG_ERR; | |
2910 break; | |
2911 | |
2912 default: | |
2913 break; | |
2914 } | |
2915 } | |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
2916 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
2917 } else if (sslerr == SSL_ERROR_SSL) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
2918 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
2919 n = ERR_GET_REASON(ERR_peek_error()); |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
2920 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
2921 /* handshake failures */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2922 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
2923 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
2924 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
2925 #endif |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
2926 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
2927 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
2928 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2929 || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ |
3718
bfd84b583868
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3516
diff
changeset
|
2930 || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2931 || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2932 || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ |
7311
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
2933 || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */ |
778358452a81
SSL: logging level of "https proxy request" errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7291
diff
changeset
|
2934 || n == SSL_R_HTTP_REQUEST /* 156 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
2935 || n == SSL_R_LENGTH_MISMATCH /* 159 */ |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
2936 #ifdef SSL_R_NO_CIPHERS_PASSED |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2937 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ |
6652
1891b2892b68
SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6591
diff
changeset
|
2938 #endif |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
2939 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2940 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2941 || n == SSL_R_NO_SHARED_CIPHER /* 193 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
2942 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
2943 #ifdef SSL_R_CLIENTHELLO_TLSEXT |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
2944 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
2945 #endif |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2946 #ifdef SSL_R_PARSE_TLSEXT |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2947 || n == SSL_R_PARSE_TLSEXT /* 227 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2948 #endif |
7472
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
2949 #ifdef SSL_R_CALLBACK_FAILED |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
2950 || n == SSL_R_CALLBACK_FAILED /* 234 */ |
d430babbe643
SSL: server name callback changed to return fatal errors.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7465
diff
changeset
|
2951 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2952 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2953 || n == SSL_R_UNEXPECTED_RECORD /* 245 */ |
3455
028f0892e0cd
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3357
diff
changeset
|
2954 || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ |
3357
fc735aa50b8b
decrease SSL handshake error level to info
Igor Sysoev <igor@sysoev.ru>
parents:
3300
diff
changeset
|
2955 || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ |
7361
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
2956 #ifdef SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
2957 || n == SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS /* 253 */ |
c09c7d47acb9
SSL: logging level of "no suitable signature algorithm".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7360
diff
changeset
|
2958 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
2959 || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */ |
7360
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
2960 #ifdef SSL_R_NO_SHARED_GROUP |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
2961 || n == SSL_R_NO_SHARED_GROUP /* 266 */ |
8f25a44d9add
SSL: logging level of "no suitable key share".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7357
diff
changeset
|
2962 #endif |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2963 || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2964 || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ |
4228
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2965 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2966 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2967 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2968 || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2969 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2970 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2971 || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2972 #endif |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2973 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2974 || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ |
5fef0313f2ff
Decrease of log level of some SSL handshake errors.
Igor Sysoev <igor@sysoev.ru>
parents:
4186
diff
changeset
|
2975 #endif |
5902
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
2976 #ifdef SSL_R_INAPPROPRIATE_FALLBACK |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
2977 || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ |
b7a37f6a25ea
SSL: logging level of "inappropriate fallback" (ticket #662).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5892
diff
changeset
|
2978 #endif |
7461
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
2979 #ifdef SSL_R_CERT_CB_ERROR |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
2980 || n == SSL_R_CERT_CB_ERROR /* 377 */ |
a68799465b19
SSL: loading of connection-specific certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7460
diff
changeset
|
2981 #endif |
7317
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
2982 #ifdef SSL_R_VERSION_TOO_LOW |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
2983 || n == SSL_R_VERSION_TOO_LOW /* 396 */ |
6565f0dbe8c5
SSL: logging levels of "unsupported protocol", "version too low".
Maxim Dounin <mdounin@mdounin.ru>
parents:
7311
diff
changeset
|
2984 #endif |
1877
a55876dff8f5
low SSL handshake close notify alert error level
Igor Sysoev <igor@sysoev.ru>
parents:
1876
diff
changeset
|
2985 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
2986 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE |
2315
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2987 || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2988 || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2989 || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2990 || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2991 || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2992 || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2993 || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2994 || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2995 || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2996 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2997 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2998 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
2999 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3000 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3001 || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3002 || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3003 || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3004 || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3005 || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3006 || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3007 || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ |
31fafd8e7436
low some SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
2280
diff
changeset
|
3008 || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ |
6486
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3009 || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3010 #endif |
978ad80b3732
SSL: guarded error codes not present in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6485
diff
changeset
|
3011 ) |
1876
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3012 { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3013 switch (c->log_error) { |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3014 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3015 case NGX_ERROR_IGNORE_ECONNRESET: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3016 case NGX_ERROR_INFO: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3017 level = NGX_LOG_INFO; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3018 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3019 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3020 case NGX_ERROR_ERR: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3021 level = NGX_LOG_ERR; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3022 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3023 |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3024 default: |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3025 break; |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3026 } |
5d663752fd96
low SSL handshake errors level
Igor Sysoev <igor@sysoev.ru>
parents:
1873
diff
changeset
|
3027 } |
547 | 3028 } |
3029 | |
3030 ngx_ssl_error(level, c->log, err, text); | |
3031 } | |
3032 | |
3033 | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3034 static void |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3035 ngx_ssl_clear_error(ngx_log_t *log) |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3036 { |
1868 | 3037 while (ERR_peek_error()) { |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3038 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3039 } |
1868 | 3040 |
3041 ERR_clear_error(); | |
1755
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3042 } |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3043 |
59e36c1c6296
cleaning stale global SSL error
Igor Sysoev <igor@sysoev.ru>
parents:
1754
diff
changeset
|
3044 |
583 | 3045 void ngx_cdecl |
489 | 3046 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) |
577 | 3047 { |
4877
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3048 int flags; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3049 u_long n; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3050 va_list args; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3051 u_char *p, *last; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3052 u_char errstr[NGX_MAX_CONF_ERRSTR]; |
f2e450929c1f
OCSP stapling: log error data in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
4875
diff
changeset
|
3053 const char *data; |
461 | 3054 |
3055 last = errstr + NGX_MAX_CONF_ERRSTR; | |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3056 |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3057 va_start(args, fmt); |
2764
d4a717592877
use ngx_vslprintf(), ngx_slprintf()
Igor Sysoev <igor@sysoev.ru>
parents:
2720
diff
changeset
|
3058 p = ngx_vslprintf(errstr, last - 1, fmt, args); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3059 va_end(args); |
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3060 |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3061 if (ERR_peek_error()) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3062 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3063 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3064 for ( ;; ) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3065 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3066 n = ERR_peek_error_line_data(NULL, NULL, &data, &flags); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3067 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3068 if (n == 0) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3069 break; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3070 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3071 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3072 /* ERR_error_string_n() requires at least one byte */ |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3073 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3074 if (p >= last - 1) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3075 goto next; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3076 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3077 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3078 *p++ = ' '; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3079 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3080 ERR_error_string_n(n, (char *) p, last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3081 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3082 while (p < last && *p) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3083 p++; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3084 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3085 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3086 if (p < last && *data && (flags & ERR_TXT_STRING)) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3087 *p++ = ':'; |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3088 p = ngx_cpystrn(p, (u_char *) data, last - p); |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3089 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3090 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3091 next: |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3092 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3093 (void) ERR_get_error(); |
1861 | 3094 } |
3095 | |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3096 if (p < last) { |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3097 *p++ = ')'; |
547 | 3098 } |
7459
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3099 } |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3100 |
982008fbc4ba
SSL: removed logging of empty "(SSL:)" in ngx_ssl_error().
Maxim Dounin <mdounin@mdounin.ru>
parents:
7455
diff
changeset
|
3101 ngx_log_error(level, log, err, "%*s", p - errstr, errstr); |
393
5659d773cfa8
nginx-0.0.7-2004-07-15-20:35:51 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
3102 } |
509 | 3103 |
3104 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3105 ngx_int_t |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3106 ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3107 ngx_array_t *certificates, ssize_t builtin_session_cache, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3108 ngx_shm_zone_t *shm_zone, time_t timeout) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3109 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3110 long cache_mode; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3111 |
5424
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3112 SSL_CTX_set_timeout(ssl->ctx, (long) timeout); |
767aa37f12de
SSL: SSL_CTX_set_timeout() now always called.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5423
diff
changeset
|
3113 |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3114 if (ngx_ssl_session_id_context(ssl, sess_ctx, certificates) != NGX_OK) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3115 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3116 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3117 |
1778 | 3118 if (builtin_session_cache == NGX_SSL_NO_SCACHE) { |
3119 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); | |
3120 return NGX_OK; | |
3121 } | |
3122 | |
2032 | 3123 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { |
3124 | |
3125 /* | |
3126 * If the server explicitly says that it does not support | |
3127 * session reuse (see SSL_SESS_CACHE_OFF above), then | |
3128 * Outlook Express fails to upload a sent email to | |
3129 * the Sent Items folder on the IMAP server via a separate IMAP | |
6552 | 3130 * connection in the background. Therefore we have a special |
2032 | 3131 * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE) |
3132 * where the server pretends that it supports session reuse, | |
3133 * but it does not actually store any session. | |
3134 */ | |
3135 | |
3136 SSL_CTX_set_session_cache_mode(ssl->ctx, | |
3137 SSL_SESS_CACHE_SERVER | |
3138 |SSL_SESS_CACHE_NO_AUTO_CLEAR | |
3139 |SSL_SESS_CACHE_NO_INTERNAL_STORE); | |
3140 | |
3141 SSL_CTX_sess_set_cache_size(ssl->ctx, 1); | |
3142 | |
3143 return NGX_OK; | |
3144 } | |
3145 | |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3146 cache_mode = SSL_SESS_CACHE_SERVER; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3147 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3148 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3149 cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3150 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3151 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3152 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3153 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3154 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3155 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3156 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3157 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3158 } |
1015
32ebb6b13ff3
ssl_session_timeout was set only if builtin cache was used
Igor Sysoev <igor@sysoev.ru>
parents:
1014
diff
changeset
|
3159 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3160 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3161 if (shm_zone) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3162 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3163 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3164 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3165 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3166 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3167 == 0) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3168 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3169 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3170 "SSL_CTX_set_ex_data() failed"); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3171 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3172 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3173 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3174 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3175 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3176 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3177 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3178 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3179 static ngx_int_t |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3180 ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3181 ngx_array_t *certificates) |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3182 { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3183 int n, i; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3184 X509 *cert; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3185 X509_NAME *name; |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3186 ngx_str_t *certs; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3187 ngx_uint_t k; |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3188 EVP_MD_CTX *md; |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3189 unsigned int len; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3190 STACK_OF(X509_NAME) *list; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3191 u_char buf[EVP_MAX_MD_SIZE]; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3192 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3193 /* |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3194 * Session ID context is set based on the string provided, |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3195 * the server certificates, and the client CA list. |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3196 */ |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3197 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3198 md = EVP_MD_CTX_create(); |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3199 if (md == NULL) { |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3200 return NGX_ERROR; |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3201 } |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3202 |
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3203 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3204 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3205 "EVP_DigestInit_ex() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3206 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3207 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3208 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3209 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3210 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3211 "EVP_DigestUpdate() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3212 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3213 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3214 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3215 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3216 cert; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3217 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3218 { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3219 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3220 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3221 "X509_digest() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3222 goto failed; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3223 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3224 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3225 if (EVP_DigestUpdate(md, buf, len) == 0) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3226 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3227 "EVP_DigestUpdate() failed"); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3228 goto failed; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
3229 } |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3230 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3231 |
7465
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3232 if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL) { |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3233 |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3234 /* |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3235 * If certificates are loaded dynamically, we use certificate |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3236 * names as specified in the configuration (with variables). |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3237 */ |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3238 |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3239 certs = certificates->elts; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3240 for (k = 0; k < certificates->nelts; k++) { |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3241 |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3242 if (EVP_DigestUpdate(md, certs[k].data, certs[k].len) == 0) { |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3243 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3244 "EVP_DigestUpdate() failed"); |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3245 goto failed; |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3246 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3247 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3248 } |
6708bec13757
SSL: adjusted session id context with dynamic certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7463
diff
changeset
|
3249 |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3250 list = SSL_CTX_get_client_CA_list(ssl->ctx); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3251 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3252 if (list != NULL) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3253 n = sk_X509_NAME_num(list); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3254 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3255 for (i = 0; i < n; i++) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3256 name = sk_X509_NAME_value(list, i); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3257 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3258 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3259 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3260 "X509_NAME_digest() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3261 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3262 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3263 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3264 if (EVP_DigestUpdate(md, buf, len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3265 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3266 "EVP_DigestUpdate() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3267 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3268 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3269 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3270 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3271 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3272 if (EVP_DigestFinal_ex(md, buf, &len) == 0) { |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3273 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
7455
992bf7540a98
SSL: fixed EVP_DigestFinal_ex() error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7454
diff
changeset
|
3274 "EVP_DigestFinal_ex() failed"); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3275 goto failed; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3276 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3277 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3278 EVP_MD_CTX_destroy(md); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3279 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3280 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3281 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3282 "SSL_CTX_set_session_id_context() failed"); |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3283 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3284 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3285 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3286 return NGX_OK; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3287 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3288 failed: |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3289 |
6490
ddf761495ce6
SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6489
diff
changeset
|
3290 EVP_MD_CTX_destroy(md); |
5834
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3291 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3292 return NGX_ERROR; |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3293 } |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3294 |
ca63fc5ed9b1
SSL: session id context now includes certificate hash.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5823
diff
changeset
|
3295 |
3992
a1dd9dc754ab
A new fix for the case when ssl_session_cache defined, but ssl is not
Igor Sysoev <igor@sysoev.ru>
parents:
3962
diff
changeset
|
3296 ngx_int_t |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3297 ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3298 { |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3299 size_t len; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3300 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3301 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3302 |
993
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3303 if (data) { |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3304 shm_zone->data = data; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3305 return NGX_OK; |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3306 } |
1b9a4d92173f
pass the inherited shm_zone data
Igor Sysoev <igor@sysoev.ru>
parents:
989
diff
changeset
|
3307 |
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3308 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3309 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3310 if (shm_zone->shm.exists) { |
5640
4c6ceca4f5f7
Win32: fixed shared ssl_session_cache (ticket #528).
Maxim Dounin <mdounin@mdounin.ru>
parents:
5634
diff
changeset
|
3311 shm_zone->data = shpool->data; |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3312 return NGX_OK; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3313 } |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3314 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3315 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t)); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3316 if (cache == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3317 return NGX_ERROR; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3318 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3319 |
2720
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3320 shpool->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3321 shm_zone->data = cache; |
b3b8c66bd520
support attaching to an existent Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2716
diff
changeset
|
3322 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3323 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel, |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3324 ngx_ssl_session_rbtree_insert_value); |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3325 |
1760 | 3326 ngx_queue_init(&cache->expire_queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3327 |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3328 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len; |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3329 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3330 shpool->log_ctx = ngx_slab_alloc(shpool, len); |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3331 if (shpool->log_ctx == NULL) { |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3332 return NGX_ERROR; |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3333 } |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3334 |
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3335 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z", |
2716
d5896f6608e8
move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory
Igor Sysoev <igor@sysoev.ru>
parents:
2710
diff
changeset
|
3336 &shm_zone->shm.name); |
2611
2bce3f6416c6
improve ngx_slab_alloc() error logging
Igor Sysoev <igor@sysoev.ru>
parents:
2536
diff
changeset
|
3337 |
5634
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3338 shpool->log_nomem = 0; |
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3339 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3340 return NGX_OK; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3341 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3342 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3343 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3344 /* |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3345 * The length of the session id is 16 bytes for SSLv2 sessions and |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3346 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3347 * It seems that the typical length of the external ASN1 representation |
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3348 * of a session is 118 or 119 bytes for SSLv3/TSLv1. |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3349 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3350 * Thus on 32-bit platforms we allocate separately an rbtree node, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3351 * a session id, and an ASN1 representation, they take accordingly |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3352 * 64, 32, and 128 bytes. |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3353 * |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3354 * On 64-bit platforms we allocate separately an rbtree node + session_id, |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3355 * and an ASN1 representation, they take accordingly 128 and 128 bytes. |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3356 * |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3357 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3358 * so they are outside the code locked by shared pool mutex |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3359 */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3360 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3361 static int |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3362 ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3363 { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3364 int len; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3365 u_char *p, *id, *cached_sess, *session_id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3366 uint32_t hash; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3367 SSL_CTX *ssl_ctx; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3368 unsigned int session_id_length; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3369 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3370 ngx_connection_t *c; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3371 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3372 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3373 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3374 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3375 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3376 len = i2d_SSL_SESSION(sess, NULL); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3377 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3378 /* do not cache too big session */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3379 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3380 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3381 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3382 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3383 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3384 p = buf; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3385 i2d_SSL_SESSION(sess, &p); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3386 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3387 c = ngx_ssl_get_connection(ssl_conn); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3388 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3389 ssl_ctx = c->ssl->session_ctx; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3390 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3391 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3392 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3393 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3394 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3395 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3396 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3397 /* drop one or two expired sessions */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3398 ngx_ssl_expire_sessions(cache, shpool, 1); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3399 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3400 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3401 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3402 if (cached_sess == NULL) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3403 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3404 /* drop the oldest non-expired session and try once more */ |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3405 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3406 ngx_ssl_expire_sessions(cache, shpool, 0); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3407 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3408 cached_sess = ngx_slab_alloc_locked(shpool, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3409 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3410 if (cached_sess == NULL) { |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3411 sess_id = NULL; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3412 goto failed; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3413 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3414 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3415 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3416 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3417 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3418 if (sess_id == NULL) { |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3419 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3420 /* drop the oldest non-expired session and try once more */ |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3421 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3422 ngx_ssl_expire_sessions(cache, shpool, 0); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3423 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3424 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3425 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3426 if (sess_id == NULL) { |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3427 goto failed; |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3428 } |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3429 } |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3430 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3431 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3432 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3433 #if (NGX_PTR_SIZE == 8) |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3434 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3435 id = sess_id->sess_id; |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3436 |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3437 #else |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3438 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3439 id = ngx_slab_alloc_locked(shpool, session_id_length); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3440 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3441 if (id == NULL) { |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3442 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3443 /* drop the oldest non-expired session and try once more */ |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3444 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3445 ngx_ssl_expire_sessions(cache, shpool, 0); |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3446 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3447 id = ngx_slab_alloc_locked(shpool, session_id_length); |
5081
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3448 |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3449 if (id == NULL) { |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3450 goto failed; |
bebcc2f837d3
SSL: retry "sess_id" and "id" allocations.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5024
diff
changeset
|
3451 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3452 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3453 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3454 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3455 |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3456 ngx_memcpy(cached_sess, buf, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3457 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3458 ngx_memcpy(id, session_id, session_id_length); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3459 |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3460 hash = ngx_crc32_short(session_id, session_id_length); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3461 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3462 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3463 "ssl new session: %08XD:%ud:%d", |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3464 hash, session_id_length, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3465 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3466 sess_id->node.key = hash; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3467 sess_id->node.data = (u_char) session_id_length; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3468 sess_id->id = id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3469 sess_id->len = len; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3470 sess_id->session = cached_sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3471 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
3472 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3473 |
1760 | 3474 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3475 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3476 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3477 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3478 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3479 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3480 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3481 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3482 failed: |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3483 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3484 if (cached_sess) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3485 ngx_slab_free_locked(shpool, cached_sess); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3486 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3487 |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3488 if (sess_id) { |
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3489 ngx_slab_free_locked(shpool, sess_id); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3490 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3491 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3492 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3493 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3494 ngx_log_error(NGX_LOG_ALERT, c->log, 0, |
5634
5024d29354f1
Core: slab log_nomem flag.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5573
diff
changeset
|
3495 "could not allocate new session%s", shpool->log_ctx); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3496 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3497 return 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3498 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3499 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3500 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3501 static ngx_ssl_session_t * |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3502 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3503 #if OPENSSL_VERSION_NUMBER >= 0x10100003L |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3504 const |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3505 #endif |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3506 u_char *id, int len, int *copy) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3507 { |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3508 size_t slen; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3509 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3510 ngx_int_t rc; |
7509
b99cbafd51da
SSL: removed OpenSSL 0.9.7 compatibility.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7484
diff
changeset
|
3511 const u_char *p; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3512 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3513 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3514 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3515 ngx_ssl_session_t *sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3516 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3517 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3518 u_char buf[NGX_SSL_MAX_SESSION_SIZE]; |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3519 ngx_connection_t *c; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3520 |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3521 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3522 *copy = 0; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3523 |
3961
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3524 c = ngx_ssl_get_connection(ssl_conn); |
4048aa055411
fix build by gcc46 with -Wunused-value option
Igor Sysoev <igor@sysoev.ru>
parents:
3960
diff
changeset
|
3525 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3526 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
3155 | 3527 "ssl get session: %08XD:%d", hash, len); |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3528 |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3529 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3530 ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3531 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3532 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3533 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3534 sess = NULL; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3535 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3536 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3537 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3538 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3539 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3540 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3541 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3542 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3543 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3544 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3545 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3546 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3547 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3548 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3549 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3550 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3551 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3552 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3553 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3554 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3555 /* hash == node->key */ |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3556 |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3557 sess_id = (ngx_ssl_sess_id_t *) node; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3558 |
6487
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3559 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id, |
9dd43f4ef67e
SSL: get_session callback changed in OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6486
diff
changeset
|
3560 (size_t) len, (size_t) node->data); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3561 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3562 if (rc == 0) { |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3563 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3564 if (sess_id->expire > ngx_time()) { |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3565 slen = sess_id->len; |
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3566 |
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3567 ngx_memcpy(buf, sess_id->session, slen); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3568 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3569 ngx_shmtx_unlock(&shpool->mutex); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3570 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3571 p = buf; |
7365
cd4fa2fab8d8
SSL: fixed unlocked access to sess_id->len.
Ruslan Ermilov <ru@nginx.com>
parents:
7361
diff
changeset
|
3572 sess = d2i_SSL_SESSION(NULL, &p, slen); |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3573 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3574 return sess; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3575 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3576 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3577 ngx_queue_remove(&sess_id->queue); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3578 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3579 ngx_rbtree_delete(&cache->session_rbtree, node); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3580 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3581 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3582 #if (NGX_PTR_SIZE == 4) |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3583 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3584 #endif |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3585 ngx_slab_free_locked(shpool, sess_id); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3586 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3587 sess = NULL; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3588 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3589 goto done; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3590 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3591 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3592 node = (rc < 0) ? node->left : node->right; |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3593 } |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3594 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3595 done: |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3596 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3597 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3598 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3599 return sess; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3600 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3601 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3602 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3603 void |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3604 ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3605 { |
6474 | 3606 SSL_CTX_remove_session(ssl, sess); |
3607 | |
3608 ngx_ssl_remove_session(ssl, sess); | |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3609 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3610 |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3611 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3612 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3613 ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3614 { |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3615 u_char *id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3616 uint32_t hash; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3617 ngx_int_t rc; |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3618 unsigned int len; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3619 ngx_shm_zone_t *shm_zone; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3620 ngx_slab_pool_t *shpool; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3621 ngx_rbtree_node_t *node, *sentinel; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3622 ngx_ssl_sess_id_t *sess_id; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3623 ngx_ssl_session_cache_t *cache; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3624 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3625 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3626 |
1924
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3627 if (shm_zone == NULL) { |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3628 return; |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3629 } |
291689a7e5dc
invalidate SSL session if there is no valid client certificate
Igor Sysoev <igor@sysoev.ru>
parents:
1877
diff
changeset
|
3630 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3631 cache = shm_zone->data; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3632 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3633 id = (u_char *) SSL_SESSION_get_id(sess, &len); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3634 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3635 hash = ngx_crc32_short(id, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3636 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3637 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
3638 "ssl remove session: %08XD:%ud", hash, len); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3639 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3640 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3641 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3642 ngx_shmtx_lock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3643 |
1759
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3644 node = cache->session_rbtree.root; |
89234cfbf810
embed session_rbtree and sentinel inside ngx_ssl_session_cache_t
Igor Sysoev <igor@sysoev.ru>
parents:
1758
diff
changeset
|
3645 sentinel = cache->session_rbtree.sentinel; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3646 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3647 while (node != sentinel) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3648 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3649 if (hash < node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3650 node = node->left; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3651 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3652 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3653 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3654 if (hash > node->key) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3655 node = node->right; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3656 continue; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3657 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3658 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3659 /* hash == node->key */ |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3660 |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3661 sess_id = (ngx_ssl_sess_id_t *) node; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3662 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3663 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3664 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3665 if (rc == 0) { |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3666 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3667 ngx_queue_remove(&sess_id->queue); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3668 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3669 ngx_rbtree_delete(&cache->session_rbtree, node); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3670 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3671 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3672 #if (NGX_PTR_SIZE == 4) |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3673 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3674 #endif |
4497
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3675 ngx_slab_free_locked(shpool, sess_id); |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3676 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3677 goto done; |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3678 } |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3679 |
95ab6658654a
Fix of rbtree lookup on hash collisions.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4414
diff
changeset
|
3680 node = (rc < 0) ? node->left : node->right; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3681 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3682 |
1013
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3683 done: |
7dd987e09701
stop rbtree search early if equal hash was found
Igor Sysoev <igor@sysoev.ru>
parents:
993
diff
changeset
|
3684 |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3685 ngx_shmtx_unlock(&shpool->mutex); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3686 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3687 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3688 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3689 static void |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3690 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3691 ngx_slab_pool_t *shpool, ngx_uint_t n) |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3692 { |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
3693 time_t now; |
1760 | 3694 ngx_queue_t *q; |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3695 ngx_ssl_sess_id_t *sess_id; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3696 |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
3697 now = ngx_time(); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3698 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3699 while (n < 3) { |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3700 |
1760 | 3701 if (ngx_queue_empty(&cache->expire_queue)) { |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3702 return; |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3703 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3704 |
1760 | 3705 q = ngx_queue_last(&cache->expire_queue); |
3706 | |
3707 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); | |
3708 | |
1757
7ab8bd535eed
use ngx_time() instead of ngx_timeofday()
Igor Sysoev <igor@sysoev.ru>
parents:
1756
diff
changeset
|
3709 if (n++ != 0 && sess_id->expire > now) { |
1439 | 3710 return; |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3711 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3712 |
1760 | 3713 ngx_queue_remove(q); |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3714 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3715 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3716 "expire session: %08Xi", sess_id->node.key); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3717 |
1760 | 3718 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); |
3719 | |
1014
5ffd76a9ccf3
optimize the SSL session cache allocations
Igor Sysoev <igor@sysoev.ru>
parents:
1013
diff
changeset
|
3720 ngx_slab_free_locked(shpool, sess_id->session); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3721 #if (NGX_PTR_SIZE == 4) |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3722 ngx_slab_free_locked(shpool, sess_id->id); |
1017
ee25c79bea34
optimize the SSL session cache allocations on 64-bit platforms
Igor Sysoev <igor@sysoev.ru>
parents:
1015
diff
changeset
|
3723 #endif |
974
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3724 ngx_slab_free_locked(shpool, sess_id); |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3725 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3726 } |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3727 |
8dfb3aa75de2
move the session cache callbacks to the ngx_openssl_module
Igor Sysoev <igor@sysoev.ru>
parents:
969
diff
changeset
|
3728 |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3729 static void |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3730 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3731 ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel) |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3732 { |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3733 ngx_rbtree_node_t **p; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3734 ngx_ssl_sess_id_t *sess_id, *sess_id_temp; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3735 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3736 for ( ;; ) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3737 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3738 if (node->key < temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3739 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3740 p = &temp->left; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3741 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3742 } else if (node->key > temp->key) { |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3743 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3744 p = &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3745 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3746 } else { /* node->key == temp->key */ |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3747 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3748 sess_id = (ngx_ssl_sess_id_t *) node; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3749 sess_id_temp = (ngx_ssl_sess_id_t *) temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3750 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3751 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id, |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3752 (size_t) node->data, (size_t) temp->data) |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3753 < 0) ? &temp->left : &temp->right; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3754 } |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3755 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3756 if (*p == sentinel) { |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3757 break; |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3758 } |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3759 |
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3760 temp = *p; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3761 } |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3762 |
1743
4fc402c3ec73
optimize rbtree initialization and insert
Igor Sysoev <igor@sysoev.ru>
parents:
1439
diff
changeset
|
3763 *p = node; |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3764 node->parent = temp; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3765 node->left = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3766 node->right = sentinel; |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3767 ngx_rbt_red(node); |
1043
7073b87fa8e9
style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents:
1029
diff
changeset
|
3768 } |
1027
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3769 |
ff07ccfaad50
fix duplicate rbtree keys case
Igor Sysoev <igor@sysoev.ru>
parents:
1025
diff
changeset
|
3770 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3771 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3772 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3773 ngx_int_t |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3774 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3775 { |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3776 u_char buf[80]; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3777 size_t size; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3778 ssize_t n; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3779 ngx_str_t *path; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3780 ngx_file_t file; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3781 ngx_uint_t i; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3782 ngx_array_t *keys; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3783 ngx_file_info_t fi; |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3784 ngx_pool_cleanup_t *cln; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3785 ngx_ssl_session_ticket_key_t *key; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3786 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3787 if (paths == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3788 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3789 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3790 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3791 keys = ngx_array_create(cf->pool, paths->nelts, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3792 sizeof(ngx_ssl_session_ticket_key_t)); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3793 if (keys == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3794 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3795 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3796 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3797 cln = ngx_pool_cleanup_add(cf->pool, 0); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3798 if (cln == NULL) { |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3799 return NGX_ERROR; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3800 } |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3801 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3802 cln->handler = ngx_ssl_session_ticket_keys_cleanup; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3803 cln->data = keys; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3804 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3805 path = paths->elts; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3806 for (i = 0; i < paths->nelts; i++) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3807 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3808 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3809 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3810 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3811 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3812 ngx_memzero(&file, sizeof(ngx_file_t)); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3813 file.name = path[i]; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3814 file.log = cf->log; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3815 |
7087
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
3816 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, |
47b7ffc3339d
Fixed calls to ngx_open_file() in certain places.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7086
diff
changeset
|
3817 NGX_FILE_OPEN, 0); |
7086 | 3818 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3819 if (file.fd == NGX_INVALID_FILE) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3820 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3821 ngx_open_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3822 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3823 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3824 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3825 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3826 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3827 ngx_fd_info_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3828 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3829 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3830 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3831 size = ngx_file_size(&fi); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3832 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3833 if (size != 48 && size != 80) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3834 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3835 "\"%V\" must be 48 or 80 bytes", &file.name); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3836 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3837 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3838 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3839 n = ngx_read_file(&file, buf, size, 0); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3840 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3841 if (n == NGX_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3842 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3843 ngx_read_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3844 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3845 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3846 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3847 if ((size_t) n != size) { |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3848 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3849 ngx_read_file_n " \"%V\" returned only " |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3850 "%z bytes instead of %uz", &file.name, n, size); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3851 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3852 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3853 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3854 key = ngx_array_push(keys); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3855 if (key == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3856 goto failed; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3857 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3858 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3859 if (size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3860 key->size = 48; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3861 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3862 ngx_memcpy(key->aes_key, buf + 16, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3863 ngx_memcpy(key->hmac_key, buf + 32, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3864 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3865 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3866 key->size = 80; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3867 ngx_memcpy(key->name, buf, 16); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3868 ngx_memcpy(key->hmac_key, buf + 16, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3869 ngx_memcpy(key->aes_key, buf + 48, 32); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3870 } |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3871 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3872 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3873 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3874 ngx_close_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3875 } |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3876 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3877 ngx_explicit_memzero(&buf, 80); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3878 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3879 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3880 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3881 == 0) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3882 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3883 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3884 "SSL_CTX_set_ex_data() failed"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3885 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3886 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3887 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3888 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3889 ngx_ssl_session_ticket_key_callback) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3890 == 0) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3891 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3892 ngx_log_error(NGX_LOG_WARN, cf->log, 0, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3893 "nginx was built with Session Tickets support, however, " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3894 "now it is linked dynamically to an OpenSSL library " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3895 "which has no tlsext support, therefore Session Tickets " |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3896 "are not available"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3897 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3898 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3899 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3900 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3901 failed: |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3902 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3903 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3904 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3905 ngx_close_file_n " \"%V\" failed", &file.name); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3906 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3907 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3908 ngx_explicit_memzero(&buf, 80); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
3909 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3910 return NGX_ERROR; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3911 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3912 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3913 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3914 static int |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3915 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3916 unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3917 HMAC_CTX *hctx, int enc) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3918 { |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3919 size_t size; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3920 SSL_CTX *ssl_ctx; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3921 ngx_uint_t i; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3922 ngx_array_t *keys; |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3923 ngx_connection_t *c; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3924 ngx_ssl_session_ticket_key_t *key; |
6686
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3925 const EVP_MD *digest; |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3926 const EVP_CIPHER *cipher; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3927 #if (NGX_DEBUG) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3928 u_char buf[32]; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3929 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3930 |
6261
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3931 c = ngx_ssl_get_connection(ssl_conn); |
97f102a13f33
SSL: preserve default server context in connection (ticket #235).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6259
diff
changeset
|
3932 ssl_ctx = c->ssl->session_ctx; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3933 |
6686
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3934 #ifdef OPENSSL_NO_SHA256 |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3935 digest = EVP_sha1(); |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3936 #else |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3937 digest = EVP_sha256(); |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3938 #endif |
f28e74f02c88
SSL: factored out digest and cipher in session ticket callback.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6660
diff
changeset
|
3939 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3940 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3941 if (keys == NULL) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3942 return -1; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3943 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3944 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3945 key = keys->elts; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3946 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3947 if (enc == 1) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3948 /* encrypt session ticket */ |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3949 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
3950 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3951 "ssl session ticket encrypt, key: \"%*s\" (%s session)", |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3952 ngx_hex_dump(buf, key[0].name, 16) - buf, buf, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3953 SSL_session_reused(ssl_conn) ? "reused" : "new"); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3954 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3955 if (key[0].size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3956 cipher = EVP_aes_128_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3957 size = 16; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3958 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3959 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3960 cipher = EVP_aes_256_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3961 size = 32; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3962 } |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3963 |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3964 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3965 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3966 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3967 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3968 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3969 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3970 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3971 "EVP_EncryptInit_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3972 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3973 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3974 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3975 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3976 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) { |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3977 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3978 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3979 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3980 #else |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
3981 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL); |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3982 #endif |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
3983 |
5760
4b668378ad8b
Style: use ngx_memcpy() instead of memcpy().
Piotr Sikora <piotr@cloudflare.com>
parents:
5756
diff
changeset
|
3984 ngx_memcpy(name, key[0].name, 16); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3985 |
6660
3eb1a92a2f05
SSL: adopted session ticket handling for OpenSSL 1.1.0.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6659
diff
changeset
|
3986 return 1; |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3987 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3988 } else { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3989 /* decrypt session ticket */ |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3990 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3991 for (i = 0; i < keys->nelts; i++) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3992 if (ngx_memcmp(name, key[i].name, 16) == 0) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3993 goto found; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3994 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3995 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3996 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
3997 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3998 "ssl session ticket decrypt, key: \"%*s\" not found", |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
3999 ngx_hex_dump(buf, name, 16) - buf, buf); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4000 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4001 return 0; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4002 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4003 found: |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4004 |
5657
3b48f9e69e70
SSL: fixed misuse of NGX_LOG_DEBUG_HTTP.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5640
diff
changeset
|
4005 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4006 "ssl session ticket decrypt, key: \"%*s\"%s", |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4007 ngx_hex_dump(buf, key[i].name, 16) - buf, buf, |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4008 (i == 0) ? " (default)" : ""); |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4009 |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4010 if (key[i].size == 48) { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4011 cipher = EVP_aes_128_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4012 size = 16; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4013 |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4014 } else { |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4015 cipher = EVP_aes_256_cbc(); |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4016 size = 32; |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4017 } |
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4018 |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4019 #if OPENSSL_VERSION_NUMBER >= 0x10000000L |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4020 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) { |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4021 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4022 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4023 } |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4024 #else |
6854
75e7d55214bd
SSL: support AES256 encryption of tickets.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6842
diff
changeset
|
4025 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL); |
6687
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4026 #endif |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4027 |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4028 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) { |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4029 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4030 "EVP_DecryptInit_ex() failed"); |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4031 return -1; |
dfa626cdde6b
SSL: improved session ticket callback error handling.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6686
diff
changeset
|
4032 } |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4033 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4034 return (i == 0) ? 1 : 2 /* renew */; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4035 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4036 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4037 |
7453
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4038 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4039 static void |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4040 ngx_ssl_session_ticket_keys_cleanup(void *data) |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4041 { |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4042 ngx_array_t *keys = data; |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4043 |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4044 ngx_explicit_memzero(keys->elts, |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4045 keys->nelts * sizeof(ngx_ssl_session_ticket_key_t)); |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4046 } |
873150addfeb
SSL: explicitly zero out session ticket keys.
Ruslan Ermilov <ru@nginx.com>
parents:
7431
diff
changeset
|
4047 |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4048 #else |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4049 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4050 ngx_int_t |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4051 ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4052 { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4053 if (paths) { |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4054 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, |
7074
07a49cce21ca
SSL: fixed typo in the error message.
Sergey Kandaurov <pluknet@nginx.com>
parents:
6995
diff
changeset
|
4055 "\"ssl_session_ticket_key\" ignored, not supported"); |
5425
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4056 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4057 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4058 return NGX_OK; |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4059 } |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4060 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4061 #endif |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4062 |
1356a3b96924
SSL: added ability to set keys used for Session Tickets (RFC5077).
Piotr Sikora <piotr@cloudflare.com>
parents:
5424
diff
changeset
|
4063 |
509 | 4064 void |
4065 ngx_ssl_cleanup_ctx(void *data) | |
4066 { | |
589 | 4067 ngx_ssl_t *ssl = data; |
509 | 4068 |
6548
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4069 X509 *cert, *next; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4070 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4071 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4072 |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4073 while (cert) { |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4074 next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4075 X509_free(cert); |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4076 cert = next; |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4077 } |
8a34e92d8ab5
SSL: made it possible to iterate though all certificates.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6545
diff
changeset
|
4078 |
589 | 4079 SSL_CTX_free(ssl->ctx); |
509 | 4080 } |
541 | 4081 |
4082 | |
671 | 4083 ngx_int_t |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4084 ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4085 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4086 X509 *cert; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4087 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4088 cert = SSL_get_peer_certificate(c->ssl->connection); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4089 if (cert == NULL) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4090 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4091 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4092 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4093 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4094 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4095 /* X509_check_host() is only available in OpenSSL 1.0.2+ */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4096 |
5669
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4097 if (name->len == 0) { |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4098 goto failed; |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4099 } |
cac82b9b3499
SSL: explicit handling of empty names.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5666
diff
changeset
|
4100 |
5767
abd460ece11e
SSL: fix build with recent OpenSSL.
Piotr Sikora <piotr@cloudflare.com>
parents:
5760
diff
changeset
|
4101 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4102 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4103 "X509_check_host(): no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4104 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4105 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4106 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4107 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4108 "X509_check_host(): match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4109 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4110 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4111 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4112 #else |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4113 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4114 int n, i; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4115 X509_NAME *sname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4116 ASN1_STRING *str; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4117 X509_NAME_ENTRY *entry; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4118 GENERAL_NAME *altname; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4119 STACK_OF(GENERAL_NAME) *altnames; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4120 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4121 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4122 * As per RFC6125 and RFC2818, we check subjectAltName extension, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4123 * and if it's not present - commonName in Subject is checked. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4124 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4125 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4126 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4127 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4128 if (altnames) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4129 n = sk_GENERAL_NAME_num(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4130 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4131 for (i = 0; i < n; i++) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4132 altname = sk_GENERAL_NAME_value(altnames, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4133 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4134 if (altname->type != GEN_DNS) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4135 continue; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4136 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4137 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4138 str = altname->d.dNSName; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4139 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4140 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4141 "SSL subjectAltName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4142 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4143 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4144 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4145 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4146 "SSL subjectAltName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4147 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4148 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4149 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4150 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4151 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4152 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4153 "SSL subjectAltName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4154 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4155 GENERAL_NAMES_free(altnames); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4156 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4157 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4158 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4159 /* |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4160 * If there is no subjectAltName extension, check commonName |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4161 * in Subject. While RFC2818 requires to only check "most specific" |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4162 * CN, both Apache and OpenSSL check all CNs, and so do we. |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4163 */ |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4164 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4165 sname = X509_get_subject_name(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4166 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4167 if (sname == NULL) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4168 goto failed; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4169 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4170 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4171 i = -1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4172 for ( ;; ) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4173 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4174 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4175 if (i < 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4176 break; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4177 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4178 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4179 entry = X509_NAME_get_entry(sname, i); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4180 str = X509_NAME_ENTRY_get_data(entry); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4181 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4182 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4183 "SSL commonName: \"%*s\"", |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4184 ASN1_STRING_length(str), ASN1_STRING_data(str)); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4185 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4186 if (ngx_ssl_check_name(name, str) == NGX_OK) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4187 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4188 "SSL commonName: match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4189 goto found; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4190 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4191 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4192 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4193 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4194 "SSL commonName: no match"); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4195 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4196 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4197 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4198 failed: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4199 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4200 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4201 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4202 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4203 found: |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4204 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4205 X509_free(cert); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4206 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4207 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4208 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4209 |
6725
9b9ae81cd4f0
SSL: use X509_check_host() with LibreSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6699
diff
changeset
|
4210 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4211 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4212 static ngx_int_t |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4213 ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4214 { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4215 u_char *s, *p, *end; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4216 size_t slen, plen; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4217 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4218 s = name->data; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4219 slen = name->len; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4220 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4221 p = ASN1_STRING_data(pattern); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4222 plen = ASN1_STRING_length(pattern); |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4223 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4224 if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4225 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4226 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4227 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4228 if (plen > 2 && p[0] == '*' && p[1] == '.') { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4229 plen -= 1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4230 p += 1; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4231 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4232 end = s + slen; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4233 s = ngx_strlchr(s, end, '.'); |
5666
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4234 |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4235 if (s == NULL) { |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4236 return NGX_ERROR; |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4237 } |
a77c0839c993
SSL: added explicit check for ngx_strlchr() result.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5661
diff
changeset
|
4238 |
5661
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4239 slen = end - s; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4240 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4241 if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) { |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4242 return NGX_OK; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4243 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4244 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4245 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4246 return NGX_ERROR; |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4247 } |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4248 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4249 #endif |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4250 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4251 |
060c2e692b96
Upstream: proxy_ssl_verify and friends.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5658
diff
changeset
|
4252 ngx_int_t |
671 | 4253 ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
611 | 4254 { |
671 | 4255 s->data = (u_char *) SSL_get_version(c->ssl->connection); |
4256 return NGX_OK; | |
611 | 4257 } |
4258 | |
4259 | |
671 | 4260 ngx_int_t |
4261 ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
611 | 4262 { |
671 | 4263 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection); |
4264 return NGX_OK; | |
611 | 4265 } |
4266 | |
4267 | |
647 | 4268 ngx_int_t |
6816
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4269 ngx_ssl_get_ciphers(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4270 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4271 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4272 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4273 int n, i, bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4274 size_t len; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4275 u_char *ciphers, *p; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4276 const SSL_CIPHER *cipher; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4277 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4278 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4279 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4280 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4281 if (n <= 0) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4282 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4283 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4284 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4285 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4286 len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4287 n /= bytes; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4288 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4289 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4290 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4291 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4292 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4293 len += ngx_strlen(SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4294 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4295 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4296 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4297 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4298 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4299 len += sizeof(":") - 1; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4300 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4301 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4302 s->data = ngx_pnalloc(pool, len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4303 if (s->data == NULL) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4304 return NGX_ERROR; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4305 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4306 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4307 p = s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4308 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4309 for (i = 0; i < n; i++) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4310 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4311 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4312 if (cipher) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4313 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher)); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4314 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4315 } else { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4316 p = ngx_sprintf(p, "0x"); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4317 p = ngx_hex_dump(p, ciphers + i * bytes, bytes); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4318 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4319 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4320 *p++ = ':'; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4321 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4322 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4323 p--; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4324 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4325 s->len = p - s->data; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4326 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4327 #else |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4328 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4329 u_char buf[4096]; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4330 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4331 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4332 == NULL) |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4333 { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4334 s->len = 0; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4335 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4336 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4337 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4338 s->len = ngx_strlen(buf); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4339 s->data = ngx_pnalloc(pool, s->len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4340 if (s->data == NULL) { |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4341 return NGX_ERROR; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4342 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4343 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4344 ngx_memcpy(s->data, buf, s->len); |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4345 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4346 #endif |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4347 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4348 return NGX_OK; |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4349 } |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4350 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4351 |
ea93c7d8752a
SSL: $ssl_ciphers (ticket #870).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6815
diff
changeset
|
4352 ngx_int_t |
6817
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4353 ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4354 { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4355 #ifdef SSL_CTRL_GET_CURVES |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4356 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4357 int *curves, n, i, nid; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4358 u_char *p; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4359 size_t len; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4360 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4361 n = SSL_get1_curves(c->ssl->connection, NULL); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4362 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4363 if (n <= 0) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4364 s->len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4365 return NGX_OK; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4366 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4367 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4368 curves = ngx_palloc(pool, n * sizeof(int)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4369 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4370 n = SSL_get1_curves(c->ssl->connection, curves); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4371 len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4372 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4373 for (i = 0; i < n; i++) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4374 nid = curves[i]; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4375 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4376 if (nid & TLSEXT_nid_unknown) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4377 len += sizeof("0x0000") - 1; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4378 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4379 } else { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4380 len += ngx_strlen(OBJ_nid2sn(nid)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4381 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4382 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4383 len += sizeof(":") - 1; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4384 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4385 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4386 s->data = ngx_pnalloc(pool, len); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4387 if (s->data == NULL) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4388 return NGX_ERROR; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4389 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4390 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4391 p = s->data; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4392 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4393 for (i = 0; i < n; i++) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4394 nid = curves[i]; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4395 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4396 if (nid & TLSEXT_nid_unknown) { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4397 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4398 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4399 } else { |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4400 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid)); |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4401 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4402 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4403 *p++ = ':'; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4404 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4405 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4406 p--; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4407 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4408 s->len = p - s->data; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4409 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4410 #else |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4411 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4412 s->len = 0; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4413 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4414 #endif |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4415 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4416 return NGX_OK; |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4417 } |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4418 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4419 |
e75e854657ba
SSL: $ssl_curves (ticket #1088).
Maxim Dounin <mdounin@mdounin.ru>
parents:
6816
diff
changeset
|
4420 ngx_int_t |
3154 | 4421 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
4422 { | |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4423 u_char *buf; |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4424 SSL_SESSION *sess; |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4425 unsigned int len; |
3154 | 4426 |
4427 sess = SSL_get0_session(c->ssl->connection); | |
5537
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4428 if (sess == NULL) { |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4429 s->len = 0; |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4430 return NGX_OK; |
49b1ad48b55c
SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5531
diff
changeset
|
4431 } |
3154 | 4432 |
5756
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4433 buf = (u_char *) SSL_SESSION_get_id(sess, &len); |
5b7276408565
SSL: stop accessing SSL_SESSION's fields directly.
Piotr Sikora <piotr@cloudflare.com>
parents:
5755
diff
changeset
|
4434 |
3154 | 4435 s->len = 2 * len; |
4436 s->data = ngx_pnalloc(pool, 2 * len); | |
4437 if (s->data == NULL) { | |
4438 return NGX_ERROR; | |
4439 } | |
4440 | |
4441 ngx_hex_dump(s->data, buf, len); | |
4442 | |
4443 return NGX_OK; | |
4444 } | |
4445 | |
4446 | |
4447 ngx_int_t | |
5573
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4448 ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4449 { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4450 if (SSL_session_reused(c->ssl->connection)) { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4451 ngx_str_set(s, "r"); |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4452 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4453 } else { |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4454 ngx_str_set(s, "."); |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4455 } |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4456 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4457 return NGX_OK; |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4458 } |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4459 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4460 |
7c05f6590753
SSL: the $ssl_session_reused variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5537
diff
changeset
|
4461 ngx_int_t |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4462 ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4463 { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4464 s->len = 0; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4465 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4466 #ifdef SSL_ERROR_EARLY_DATA_REJECTED |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4467 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4468 /* BoringSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4469 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4470 if (SSL_in_early_data(c->ssl->connection)) { |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4471 ngx_str_set(s, "1"); |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4472 } |
7357
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4473 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4474 #elif defined SSL_READ_EARLY_DATA_SUCCESS |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4475 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4476 /* OpenSSL */ |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4477 |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4478 if (!SSL_is_init_finished(c->ssl->connection)) { |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4479 ngx_str_set(s, "1"); |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4480 } |
548a63b354a2
SSL: support for TLSv1.3 early data with OpenSSL.
Sergey Kandaurov <pluknet@nginx.com>
parents:
7356
diff
changeset
|
4481 |
7333
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4482 #endif |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4483 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4484 return NGX_OK; |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4485 } |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4486 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4487 |
ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7332
diff
changeset
|
4488 ngx_int_t |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4489 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4490 { |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4491 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4492 |
7092
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4493 size_t len; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4494 const char *name; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4495 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4496 name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4497 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4498 if (name) { |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4499 len = ngx_strlen(name); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4500 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4501 s->len = len; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4502 s->data = ngx_pnalloc(pool, len); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4503 if (s->data == NULL) { |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4504 return NGX_ERROR; |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4505 } |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4506 |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4507 ngx_memcpy(s->data, name, len); |
2e8de3d81783
SSL: fixed possible use-after-free in $ssl_server_name.
Maxim Dounin <mdounin@mdounin.ru>
parents:
7091
diff
changeset
|
4508 |
5658
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4509 return NGX_OK; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4510 } |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4511 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4512 #endif |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4513 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4514 s->len = 0; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4515 return NGX_OK; |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4516 } |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4517 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4518 |
94ae92776441
SSL: $ssl_server_name variable.
Maxim Dounin <mdounin@mdounin.ru>
parents:
5657
diff
changeset
|
4519 ngx_int_t |
2123 | 4520 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2045 | 4521 { |
4522 size_t len; | |
4523 BIO *bio; | |
4524 X509 *cert; | |
4525 | |
4526 s->len = 0; | |
4527 | |
4528 cert = SSL_get_peer_certificate(c->ssl->connection); | |
4529 if (cert == NULL) { | |
4530 return NGX_OK; | |
4531 } | |
4532 | |
4533 bio = BIO_new(BIO_s_mem()); | |
4534 if (bio == NULL) { | |
4535 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); | |
4536 X509_free(cert); | |
4537 return NGX_ERROR; | |
4538 } | |
4539 | |
4540 if (PEM_write_bio_X509(bio, cert) == 0) { | |
4541 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed"); | |
4542 goto failed; | |
4543 } | |
4544 | |
4545 len = BIO_pending(bio); | |
4546 s->len = len; | |
4547 | |
2049 | 4548 s->data = ngx_pnalloc(pool, len); |
2045 | 4549 if (s->data == NULL) { |
4550 goto failed; | |
4551 } | |
4552 | |
4553 BIO_read(bio, s->data, len); | |
4554 | |
4555 BIO_free(bio); | |
4556 X509_free(cert); | |
4557 | |
4558 return NGX_OK; | |
4559 | |
4560 failed: | |
4561 | |
4562 BIO_free(bio); | |
4563 X509_free(cert); | |
4564 | |
4565 return NGX_ERROR; | |
4566 } | |
4567 | |
4568 | |
4569 ngx_int_t | |
2123 | 4570 ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
4571 { | |
4572 u_char *p; | |
4573 size_t len; | |
4574 ngx_uint_t i; | |
4575 ngx_str_t cert; | |
4576 | |
4577 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { | |
4578 return NGX_ERROR; | |
4579 } | |
4580 | |
4581 if (cert.len == 0) { | |
4582 s->len = 0; | |
4583 return NGX_OK; | |
4584 } | |
4585 | |
4586 len = cert.len - 1; | |
4587 | |
4588 for (i = 0; i < cert.len - 1; i++) { | |
4589 if (cert.data[i] == LF) { | |
4590 len++; | |
4591 } | |
4592 } | |
4593 | |
4594 s->len = len; | |
4595 s->data = ngx_pnalloc(pool, len); | |
4596 if (s->data == NULL) { | |
4597 return NGX_ERROR; | |
4598 } | |
4599 | |
4600 p = s->data; | |
4601 | |
3002
bf0c7e58e016
fix memory corruption in $ssl_client_cert
Igor Sysoev <igor@sysoev.ru>
parents:
2997
diff
changeset
|
4602 for (i = 0; i < cert.len - 1; i++) { |
2123 | 4603 *p++ = cert.data[i]; |
4604 if (cert.data[i] == LF) { | |
4605 *p++ = '\t'; | |
4606 } | |
4607 } | |
4608 | |
4609 return NGX_OK; | |
4610 } | |
4611 | |
4612 | |
4613 ngx_int_t | |
7091
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4614 ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool, |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4615 ngx_str_t *s) |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4616 { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4617 ngx_str_t cert; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4618 uintptr_t n; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4619 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4620 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4621 return NGX_ERROR; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4622 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4623 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4624 if (cert.len == 0) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4625 s->len = 0; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4626 return NGX_OK; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4627 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4628 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4629 n = ngx_escape_uri(NULL, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4630 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4631 s->len = cert.len + n * 2; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4632 s->data = ngx_pnalloc(pool, s->len); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4633 if (s->data == NULL) { |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4634 return NGX_ERROR; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4635 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4636 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4637 ngx_escape_uri(s->data, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT); |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4638 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4639 return NGX_OK; |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4640 } |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4641 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4642 |
82f0b8dcca27
SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin <mdounin@mdounin.ru>
parents:
7087
diff
changeset
|
4643 ngx_int_t |
647 | 4644 ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
4645 { | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4646 BIO *bio; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4647 X509 *cert; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4648 X509_NAME *name; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4649 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4650 s->len = 0; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4651 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4652 cert = SSL_get_peer_certificate(c->ssl->connection); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4653 if (cert == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4654 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4655 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4656 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4657 name = X509_get_subject_name(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4658 if (name == NULL) { |
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
4659 X509_free(cert); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4660 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4661 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4662 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4663 bio = BIO_new(BIO_s_mem()); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4664 if (bio == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4665 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4666 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4667 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4668 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4669 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4670 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4671 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4672 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4673 s->len = BIO_pending(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4674 s->data = ngx_pnalloc(pool, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4675 if (s->data == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4676 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4677 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4678 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4679 BIO_read(bio, s->data, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4680 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4681 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4682 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4683 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4684 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4685 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4686 failed: |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4687 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4688 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4689 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4690 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4691 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4692 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4693 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4694 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4695 ngx_int_t |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4696 ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4697 { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4698 BIO *bio; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4699 X509 *cert; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4700 X509_NAME *name; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4701 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4702 s->len = 0; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4703 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4704 cert = SSL_get_peer_certificate(c->ssl->connection); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4705 if (cert == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4706 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4707 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4708 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4709 name = X509_get_issuer_name(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4710 if (name == NULL) { |
7484
65074e13f171
SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.
Nikolay Morozov <n.morozov@securitycode.ru>
parents:
7477
diff
changeset
|
4711 X509_free(cert); |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4712 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4713 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4714 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4715 bio = BIO_new(BIO_s_mem()); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4716 if (bio == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4717 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4718 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4719 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4720 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4721 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4722 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4723 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4724 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4725 s->len = BIO_pending(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4726 s->data = ngx_pnalloc(pool, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4727 if (s->data == NULL) { |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4728 goto failed; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4729 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4730 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4731 BIO_read(bio, s->data, s->len); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4732 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4733 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4734 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4735 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4736 return NGX_OK; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4737 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4738 failed: |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4739 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4740 BIO_free(bio); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4741 X509_free(cert); |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4742 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4743 return NGX_ERROR; |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4744 } |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4745 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4746 |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4747 ngx_int_t |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4748 ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4749 ngx_str_t *s) |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4750 { |
647 | 4751 char *p; |
4752 size_t len; | |
4753 X509 *cert; | |
4754 X509_NAME *name; | |
4755 | |
4756 s->len = 0; | |
4757 | |
4758 cert = SSL_get_peer_certificate(c->ssl->connection); | |
4759 if (cert == NULL) { | |
4760 return NGX_OK; | |
4761 } | |
4762 | |
4763 name = X509_get_subject_name(cert); | |
4764 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4765 X509_free(cert); |
647 | 4766 return NGX_ERROR; |
4767 } | |
4768 | |
4769 p = X509_NAME_oneline(name, NULL, 0); | |
4770 | |
4771 for (len = 0; p[len]; len++) { /* void */ } | |
4772 | |
4773 s->len = len; | |
2049 | 4774 s->data = ngx_pnalloc(pool, len); |
647 | 4775 if (s->data == NULL) { |
4776 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4777 X509_free(cert); |
647 | 4778 return NGX_ERROR; |
4779 } | |
4780 | |
4781 ngx_memcpy(s->data, p, len); | |
4782 | |
4783 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4784 X509_free(cert); |
647 | 4785 |
4786 return NGX_OK; | |
4787 } | |
4788 | |
4789 | |
4790 ngx_int_t | |
6780
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4791 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool, |
56d6bfe6b609
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev <xeioex@nginx.com>
parents:
6775
diff
changeset
|
4792 ngx_str_t *s) |
647 | 4793 { |
4794 char *p; | |
4795 size_t len; | |
4796 X509 *cert; | |
4797 X509_NAME *name; | |
4798 | |
4799 s->len = 0; | |
4800 | |
4801 cert = SSL_get_peer_certificate(c->ssl->connection); | |
4802 if (cert == NULL) { | |
4803 return NGX_OK; | |
4804 } | |
4805 | |
4806 name = X509_get_issuer_name(cert); | |
4807 if (name == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4808 X509_free(cert); |
647 | 4809 return NGX_ERROR; |
4810 } | |
4811 | |
4812 p = X509_NAME_oneline(name, NULL, 0); | |
4813 | |
4814 for (len = 0; p[len]; len++) { /* void */ } | |
4815 | |
4816 s->len = len; | |
2049 | 4817 s->data = ngx_pnalloc(pool, len); |
647 | 4818 if (s->data == NULL) { |
4819 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4820 X509_free(cert); |
647 | 4821 return NGX_ERROR; |
4822 } | |
4823 | |
4824 ngx_memcpy(s->data, p, len); | |
4825 | |
4826 OPENSSL_free(p); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4827 X509_free(cert); |
647 | 4828 |
4829 return NGX_OK; | |
4830 } | |
4831 | |
4832 | |
671 | 4833 ngx_int_t |
4834 ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
4835 { | |
4836 size_t len; | |
4837 X509 *cert; | |
4838 BIO *bio; | |
4839 | |
4840 s->len = 0; | |
4841 | |
4842 cert = SSL_get_peer_certificate(c->ssl->connection); | |
4843 if (cert == NULL) { | |
4844 return NGX_OK; | |
4845 } | |
4846 | |
4847 bio = BIO_new(BIO_s_mem()); | |
4848 if (bio == NULL) { | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4849 X509_free(cert); |
671 | 4850 return NGX_ERROR; |
4851 } | |
4852 | |
4853 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); | |
4854 len = BIO_pending(bio); | |
4855 | |
4856 s->len = len; | |
2049 | 4857 s->data = ngx_pnalloc(pool, len); |
671 | 4858 if (s->data == NULL) { |
4859 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4860 X509_free(cert); |
671 | 4861 return NGX_ERROR; |
4862 } | |
4863 | |
4864 BIO_read(bio, s->data, len); | |
4865 BIO_free(bio); | |
1974
f32cc6df6bd6
fix memory leak when ssl_verify_client is on
Igor Sysoev <igor@sysoev.ru>
parents:
1948
diff
changeset
|
4866 X509_free(cert); |
671 | 4867 |
4868 return NGX_OK; | |
4869 } | |
4870 | |
4871 | |
2994 | 4872 ngx_int_t |
5700
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4873 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4874 { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4875 X509 *cert; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4876 unsigned int len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4877 u_char buf[EVP_MAX_MD_SIZE]; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4878 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4879 s->len = 0; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4880 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4881 cert = SSL_get_peer_certificate(c->ssl->connection); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4882 if (cert == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4883 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4884 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4885 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4886 if (!X509_digest(cert, EVP_sha1(), buf, &len)) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4887 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4888 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4889 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4890 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4891 s->len = 2 * len; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4892 s->data = ngx_pnalloc(pool, 2 * len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4893 if (s->data == NULL) { |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4894 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4895 return NGX_ERROR; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4896 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4897 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4898 ngx_hex_dump(s->data, buf, len); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4899 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4900 X509_free(cert); |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4901 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4902 return NGX_OK; |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4903 } |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4904 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4905 |
5e892d40e5cc
SSL: $ssl_client_fingerprint variable.
Sergey Budnevitch <sb@waeme.net>
parents:
5669
diff
changeset
|
4906 ngx_int_t |
2994 | 4907 ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
4908 { | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4909 X509 *cert; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4910 long rc; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4911 const char *str; |
2994 | 4912 |
4913 cert = SSL_get_peer_certificate(c->ssl->connection); | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4914 if (cert == NULL) { |
3516
dd1570b6f237
ngx_str_set() and ngx_str_null()
Igor Sysoev <igor@sysoev.ru>
parents:
3488
diff
changeset
|
4915 ngx_str_set(s, "NONE"); |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4916 return NGX_OK; |
2994 | 4917 } |
4918 | |
4919 X509_free(cert); | |
4920 | |
6814
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4921 rc = SSL_get_verify_result(c->ssl->connection); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4922 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4923 if (rc == X509_V_OK) { |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4924 ngx_str_set(s, "SUCCESS"); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4925 return NGX_OK; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4926 } |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4927 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4928 str = X509_verify_cert_error_string(rc); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4929 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4930 s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str)); |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4931 if (s->data == NULL) { |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4932 return NGX_ERROR; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4933 } |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4934 |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4935 s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data; |
379139020d36
SSL: $ssl_client_verify extended with a failure reason.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6812
diff
changeset
|
4936 |
2994 | 4937 return NGX_OK; |
4938 } | |
4939 | |
4940 | |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4941 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4942 ngx_ssl_get_client_v_start(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4943 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4944 BIO *bio; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4945 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4946 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4947 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4948 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4949 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4950 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4951 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4952 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4953 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4954 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4955 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4956 if (bio == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4957 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4958 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4959 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4960 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4961 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4962 ASN1_TIME_print(bio, X509_get0_notBefore(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4963 #else |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4964 ASN1_TIME_print(bio, X509_get_notBefore(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4965 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4966 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4967 len = BIO_pending(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4968 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4969 s->len = len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4970 s->data = ngx_pnalloc(pool, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4971 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4972 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4973 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4974 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4975 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4976 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4977 BIO_read(bio, s->data, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4978 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4979 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4980 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4981 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4982 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4983 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4984 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4985 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4986 ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4987 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4988 BIO *bio; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4989 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4990 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4991 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4992 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4993 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4994 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4995 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4996 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4997 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4998 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
4999 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5000 if (bio == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5001 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5002 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5003 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5004 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5005 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5006 ASN1_TIME_print(bio, X509_get0_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5007 #else |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5008 ASN1_TIME_print(bio, X509_get_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5009 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5010 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5011 len = BIO_pending(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5012 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5013 s->len = len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5014 s->data = ngx_pnalloc(pool, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5015 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5016 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5017 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5018 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5019 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5020 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5021 BIO_read(bio, s->data, len); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5022 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5023 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5024 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5025 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5026 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5027 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5028 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5029 ngx_int_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5030 ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5031 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5032 X509 *cert; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5033 time_t now, end; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5034 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5035 s->len = 0; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5036 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5037 cert = SSL_get_peer_certificate(c->ssl->connection); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5038 if (cert == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5039 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5040 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5041 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5042 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5043 end = ngx_ssl_parse_time(X509_get0_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5044 #else |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5045 end = ngx_ssl_parse_time(X509_get_notAfter(cert)); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5046 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5047 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5048 if (end == (time_t) NGX_ERROR) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5049 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5050 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5051 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5052 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5053 now = ngx_time(); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5054 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5055 if (end < now + 86400) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5056 ngx_str_set(s, "0"); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5057 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5058 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5059 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5060 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5061 s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5062 if (s->data == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5063 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5064 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5065 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5066 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5067 s->len = ngx_sprintf(s->data, "%T", (end - now) / 86400) - s->data; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5068 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5069 X509_free(cert); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5070 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5071 return NGX_OK; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5072 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5073 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5074 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5075 static time_t |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5076 ngx_ssl_parse_time( |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5077 #if OPENSSL_VERSION_NUMBER > 0x10100000L |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5078 const |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5079 #endif |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5080 ASN1_TIME *asn1time) |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5081 { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5082 BIO *bio; |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5083 char *value; |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5084 size_t len; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5085 time_t time; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5086 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5087 /* |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5088 * OpenSSL doesn't provide a way to convert ASN1_TIME |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5089 * into time_t. To do this, we use ASN1_TIME_print(), |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5090 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g., |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5091 * "Feb 3 00:55:52 2015 GMT"), and parse the result. |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5092 */ |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5093 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5094 bio = BIO_new(BIO_s_mem()); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5095 if (bio == NULL) { |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5096 return NGX_ERROR; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5097 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5098 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5099 /* fake weekday prepended to match C asctime() format */ |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5100 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5101 BIO_write(bio, "Tue ", sizeof("Tue ") - 1); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5102 ASN1_TIME_print(bio, asn1time); |
6842
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5103 len = BIO_get_mem_data(bio, &value); |
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5104 |
25d0d6dabe00
SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6841
diff
changeset
|
5105 time = ngx_parse_http_time((u_char *) value, len); |
6815
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5106 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5107 BIO_free(bio); |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5108 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5109 return time; |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5110 } |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5111 |
2d15fff64e3c
SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6814
diff
changeset
|
5112 |
541 | 5113 static void * |
5114 ngx_openssl_create_conf(ngx_cycle_t *cycle) | |
5115 { | |
5116 ngx_openssl_conf_t *oscf; | |
577 | 5117 |
541 | 5118 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t)); |
5119 if (oscf == NULL) { | |
2912
c7d57b539248
return NULL instead of NGX_CONF_ERROR on a create conf failure
Igor Sysoev <igor@sysoev.ru>
parents:
2764
diff
changeset
|
5120 return NULL; |
541 | 5121 } |
577 | 5122 |
541 | 5123 /* |
5124 * set by ngx_pcalloc(): | |
577 | 5125 * |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5126 * oscf->engine = 0; |
577 | 5127 */ |
541 | 5128 |
5129 return oscf; | |
5130 } | |
5131 | |
5132 | |
5133 static char * | |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5134 ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) |
541 | 5135 { |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5136 #ifndef OPENSSL_NO_ENGINE |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5137 |
541 | 5138 ngx_openssl_conf_t *oscf = conf; |
571 | 5139 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5140 ENGINE *engine; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5141 ngx_str_t *value; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5142 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5143 if (oscf->engine) { |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5144 return "is duplicate"; |
541 | 5145 } |
577 | 5146 |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5147 oscf->engine = 1; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5148 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5149 value = cf->args->elts; |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5150 |
6552 | 5151 engine = ENGINE_by_id((char *) value[1].data); |
541 | 5152 |
5153 if (engine == NULL) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
5154 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5155 "ENGINE_by_id(\"%V\") failed", &value[1]); |
541 | 5156 return NGX_CONF_ERROR; |
5157 } | |
5158 | |
5159 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { | |
6699
9cf2dce316e5
Fixed log levels of configuration parsing errors.
Valentin Bartenev <vbart@nginx.com>
parents:
6687
diff
changeset
|
5160 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, |
541 | 5161 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5162 &value[1]); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5163 |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5164 ENGINE_free(engine); |
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5165 |
541 | 5166 return NGX_CONF_ERROR; |
5167 } | |
5168 | |
5169 ENGINE_free(engine); | |
5170 | |
5171 return NGX_CONF_OK; | |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5172 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5173 #else |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5174 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5175 return "is not supported"; |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5176 |
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5177 #endif |
2504
9e9a985d956a
load SSL engine before certificates,
Igor Sysoev <igor@sysoev.ru>
parents:
2388
diff
changeset
|
5178 } |
571 | 5179 |
5180 | |
5181 static void | |
5182 ngx_openssl_exit(ngx_cycle_t *cycle) | |
5183 { | |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5184 #if OPENSSL_VERSION_NUMBER < 0x10100003L |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5185 |
3464
7f99ce2247f9
add OpenSSL_add_all_algorithms(), this fixes the error
Igor Sysoev <igor@sysoev.ru>
parents:
3457
diff
changeset
|
5186 EVP_cleanup(); |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5187 #ifndef OPENSSL_NO_ENGINE |
571 | 5188 ENGINE_cleanup(); |
5777
4d092aa2f463
SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
Piotr Sikora <piotr@cloudflare.com>
parents:
5775
diff
changeset
|
5189 #endif |
6488
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5190 |
a57b2b8999e7
SSL: initialization changes for OpenSSL 1.1.0.
Maxim Dounin <mdounin@mdounin.ru>
parents:
6487
diff
changeset
|
5191 #endif |
571 | 5192 } |