nginx: src/event/ngx_event_openssl.c annotate

annotate src/event/ngx_event_openssl.c @ 7412:6c52c99c475e stable-1.14

SSL: logging level of "https proxy request" errors. The "http request" and "https proxy request" errors cannot happen with HTTP due to pre-handshake checks in ngx_http_ssl_handshake(), but can happen when SSL is used in stream and mail modules.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 05 Jul 2018 20:45:29 +0300
parents	2e8de3d81783
children	7c00d8dbdb3a

rev	line source
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	1
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	2 /*
444 42d11f017717 nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright Igor Sysoev <igor@sysoev.ru> parents: 441 diff changeset	3 * Copyright (C) Igor Sysoev
4412 d620f497c50f Copyright updated. Maxim Konovalov <maxim@nginx.com> parents: 4400 diff changeset	4 * Copyright (C) Nginx, Inc.
441 da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	5 */
da8c5707af39 nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files Igor Sysoev <igor@sysoev.ru> parents: 399 diff changeset	6
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	7
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	8 #include <ngx_config.h>
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	9 #include <ngx_core.h>
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	10 #include <ngx_event.h>
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	11
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	12
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	13 #define NGX_SSL_PASSWORD_BUFFER_SIZE 4096
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	14
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	15
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	16 typedef struct {
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	17 ngx_uint_t engine; /* unsigned engine:1; */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	18 } ngx_openssl_conf_t;
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	19
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	20
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	21 static int ngx_ssl_password_callback(char *buf, int size, int rwflag,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	22 void *userdata);
5222 23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules. Piotr Sikora <piotr@cloudflare.com> parents: 5081 diff changeset	23 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	24 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	25 int ret);
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	26 static void ngx_ssl_passwords_cleanup(void *data);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	27 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	28 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	29 static void ngx_ssl_write_handler(ngx_event_t *wev);
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	30 static void ngx_ssl_read_handler(ngx_event_t *rev);
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	31 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	32 static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	33 ngx_err_t err, char *text);
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	34 static void ngx_ssl_clear_error(ngx_log_t *log);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	35
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	36 static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	37 ngx_str_t *sess_ctx);
3992 a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not Igor Sysoev <igor@sysoev.ru> parents: 3962 diff changeset	38 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t shm_zone, void data);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	39 static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	40 ngx_ssl_session_t *sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	41 static ngx_ssl_session_t ngx_ssl_get_cached_session(ngx_ssl_conn_t ssl_conn,
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	42 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	43 const
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	44 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	45 u_char id, int len, int copy);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	46 static void ngx_ssl_remove_session(SSL_CTX ssl, ngx_ssl_session_t sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	47 static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	48 ngx_slab_pool_t *shpool, ngx_uint_t n);
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	49 static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	50 ngx_rbtree_node_t node, ngx_rbtree_node_t sentinel);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	51
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	52 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	53 static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	54 unsigned char name, unsigned char iv, EVP_CIPHER_CTX *ectx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	55 HMAC_CTX *hctx, int enc);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	56 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	57
6725 9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 6699 diff changeset	58 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	59 static ngx_int_t ngx_ssl_check_name(ngx_str_t name, ASN1_STRING str);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	60 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	61
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	62 static time_t ngx_ssl_parse_time(
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	63 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	64 const
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	65 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	66 ASN1_TIME *asn1time);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	67
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	68 static void ngx_openssl_create_conf(ngx_cycle_t cycle);
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	69 static char ngx_openssl_engine(ngx_conf_t cf, ngx_command_t cmd, void conf);
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	70 static void ngx_openssl_exit(ngx_cycle_t *cycle);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	71
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	72
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	73 static ngx_command_t ngx_openssl_commands[] = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	74
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	75 { ngx_string("ssl_engine"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	76 NGX_MAIN_CONF\|NGX_DIRECT_CONF\|NGX_CONF_TAKE1,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	77 ngx_openssl_engine,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	78 0,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	79 0,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	80 NULL },
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	81
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	82 ngx_null_command
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	83 };
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	84
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	85
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	86 static ngx_core_module_t ngx_openssl_module_ctx = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	87 ngx_string("openssl"),
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	88 ngx_openssl_create_conf,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	89 NULL
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	90 };
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	91
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	92
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	93 ngx_module_t ngx_openssl_module = {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	94 NGX_MODULE_V1,
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	95 &ngx_openssl_module_ctx, /* module context */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	96 ngx_openssl_commands, /* module directives */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	97 NGX_CORE_MODULE, /* module type */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	98 NULL, /* init master */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	99 NULL, /* init module */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	100 NULL, /* init process */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	101 NULL, /* init thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	102 NULL, /* exit thread */
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	103 NULL, /* exit process */
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	104 ngx_openssl_exit, /* exit master */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	105 NGX_MODULE_V1_PADDING
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	106 };
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	107
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	108
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	109 int ngx_ssl_connection_index;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	110 int ngx_ssl_server_conf_index;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	111 int ngx_ssl_session_cache_index;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	112 int ngx_ssl_session_ticket_keys_index;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	113 int ngx_ssl_certificate_index;
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	114 int ngx_ssl_next_certificate_index;
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	115 int ngx_ssl_certificate_name_index;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	116 int ngx_ssl_stapling_index;
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	117
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	118
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	119 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	120 ngx_ssl_init(ngx_log_t *log)
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	121 {
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	122 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	123
6902 5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	124 if (OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL) == 0) {
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	125 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "OPENSSL_init_ssl() failed");
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	126 return NGX_ERROR;
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	127 }
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	128
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	129 /*
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	130 * OPENSSL_init_ssl() may leave errors in the error queue
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	131 * while returning success
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	132 */
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	133
5cb85b0ee00b SSL: clear error queue after OPENSSL_init_ssl(). Sergey Kandaurov <pluknet@nginx.com> parents: 6854 diff changeset	134 ERR_clear_error();
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	135
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	136 #else
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	137
968 1b60ecc8cdb7 OPENSSL_config() Igor Sysoev <igor@sysoev.ru> parents: 671 diff changeset	138 OPENSSL_config(NULL);
1b60ecc8cdb7 OPENSSL_config() Igor Sysoev <igor@sysoev.ru> parents: 671 diff changeset	139
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	140 SSL_library_init();
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	141 SSL_load_error_strings();
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	142
3464 7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	143 OpenSSL_add_all_algorithms();
7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	144
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	145 #endif
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	146
4868 22a6ef66b6f5 SSL: added version checks for ssl compression workaround. Maxim Dounin <mdounin@mdounin.ru> parents: 4867 diff changeset	147 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	148 #ifndef SSL_OP_NO_COMPRESSION
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	149 {
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	150 /*
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	151 * Disable gzip compression in OpenSSL prior to 1.0.0 version,
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	152 * this saves about 522K per connection.
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	153 */
4867 90bbf2adb2c9 SSL: fixed compression workaround to remove all methods. Maxim Dounin <mdounin@mdounin.ru> parents: 4696 diff changeset	154 int n;
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	155 STACK_OF(SSL_COMP) *ssl_comp_methods;
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	156
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	157 ssl_comp_methods = SSL_COMP_get_compression_methods();
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	158 n = sk_SSL_COMP_num(ssl_comp_methods);
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	159
4867 90bbf2adb2c9 SSL: fixed compression workaround to remove all methods. Maxim Dounin <mdounin@mdounin.ru> parents: 4696 diff changeset	160 while (n--) {
90bbf2adb2c9 SSL: fixed compression workaround to remove all methods. Maxim Dounin <mdounin@mdounin.ru> parents: 4696 diff changeset	161 (void) sk_SSL_COMP_pop(ssl_comp_methods);
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	162 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	163 }
b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	164 #endif
4868 22a6ef66b6f5 SSL: added version checks for ssl compression workaround. Maxim Dounin <mdounin@mdounin.ru> parents: 4867 diff changeset	165 #endif
4696 b43fe2deb053 Disabled gzip compression in OpenSSL prior to 1.0.0 version. Igor Sysoev <igor@sysoev.ru> parents: 4651 diff changeset	166
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	167 ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	168
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	169 if (ngx_ssl_connection_index == -1) {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	170 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	171 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	172 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	173
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	174 ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	175 NULL);
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	176 if (ngx_ssl_server_conf_index == -1) {
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	177 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	178 "SSL_CTX_get_ex_new_index() failed");
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	179 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	180 }
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	181
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	182 ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	183 NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	184 if (ngx_ssl_session_cache_index == -1) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	185 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	186 "SSL_CTX_get_ex_new_index() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	187 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	188 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	189
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	190 ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	191 NULL, NULL);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	192 if (ngx_ssl_session_ticket_keys_index == -1) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	193 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	194 "SSL_CTX_get_ex_new_index() failed");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	195 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	196 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	197
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	198 ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	199 NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	200 if (ngx_ssl_certificate_index == -1) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	201 ngx_ssl_error(NGX_LOG_ALERT, log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	202 "SSL_CTX_get_ex_new_index() failed");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	203 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	204 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	205
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	206 ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	207 NULL);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	208 if (ngx_ssl_next_certificate_index == -1) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	209 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	210 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	211 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	212
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	213 ngx_ssl_certificate_name_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	214 NULL);
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	215
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	216 if (ngx_ssl_certificate_name_index == -1) {
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	217 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	218 return NGX_ERROR;
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	219 }
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	220
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6490 diff changeset	221 ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL);
a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6490 diff changeset	222
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	223 if (ngx_ssl_stapling_index == -1) {
6545 a873b4d9cd80 OCSP stapling: staple now stored in certificate, not SSL context. Maxim Dounin <mdounin@mdounin.ru> parents: 6490 diff changeset	224 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	225 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	226 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	227
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	228 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	229 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	230
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	231
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	232 ngx_int_t
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	233 ngx_ssl_create(ngx_ssl_t ssl, ngx_uint_t protocols, void data)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	234 {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	235 ssl->ctx = SSL_CTX_new(SSLv23_method());
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	236
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	237 if (ssl->ctx == NULL) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	238 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	239 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	240 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	241
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	242 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) {
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	243 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	244 "SSL_CTX_set_ex_data() failed");
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	245 return NGX_ERROR;
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	246 }
065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	247
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	248 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	249 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	250 "SSL_CTX_set_ex_data() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	251 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	252 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	253
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	254 ssl->buffer_size = NGX_SSL_BUFSIZE;
a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	255
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	256 /* client side options */
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	257
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	258 #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	259 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	260 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	261
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	262 #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	263 SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	264 #endif
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	265
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	266 /* server side options */
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	267
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	268 #ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	269 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	270 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	271
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	272 #ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	273 SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	274 #endif
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	275
5378 a73678f5f96f SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING. Piotr Sikora <piotr@cloudflare.com> parents: 5365 diff changeset	276 #ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	277 /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	278 SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
5378 a73678f5f96f SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING. Piotr Sikora <piotr@cloudflare.com> parents: 5365 diff changeset	279 #endif
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	280
5778 45ed2f1f0a6a SSL: let it build against BoringSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5777 diff changeset	281 #ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	282 SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
5778 45ed2f1f0a6a SSL: let it build against BoringSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5777 diff changeset	283 #endif
45ed2f1f0a6a SSL: let it build against BoringSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5777 diff changeset	284
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	285 #ifdef SSL_OP_TLS_D5_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	286 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	287 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	288
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	289 #ifdef SSL_OP_TLS_BLOCK_PADDING_BUG
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	290 SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	291 #endif
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	292
275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	293 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	294 SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
5823 275e35d54626 SSL: guard use of all SSL options for bug workarounds. Piotr Sikora <piotr@cloudflare.com> parents: 5779 diff changeset	295 #endif
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	296
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	297 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	298
6034 3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	299 #ifdef SSL_CTRL_CLEAR_OPTIONS
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	300 /* only in 0.9.8m+ */
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	301 SSL_CTX_clear_options(ssl->ctx,
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	302 SSL_OP_NO_SSLv2\|SSL_OP_NO_SSLv3\|SSL_OP_NO_TLSv1);
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	303 #endif
3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	304
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	305 if (!(protocols & NGX_SSL_SSLv2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	306 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	307 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	308 if (!(protocols & NGX_SSL_SSLv3)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	309 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	310 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	311 if (!(protocols & NGX_SSL_TLSv1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	312 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	313 }
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	314 #ifdef SSL_OP_NO_TLSv1_1
6034 3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	315 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	316 if (!(protocols & NGX_SSL_TLSv1_1)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	317 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	318 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	319 #endif
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	320 #ifdef SSL_OP_NO_TLSv1_2
6034 3e847964ab55 SSL: clear protocol options. Maxim Dounin <mdounin@mdounin.ru> parents: 5986 diff changeset	321 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
4400 a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	322 if (!(protocols & NGX_SSL_TLSv1_2)) {
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	323 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	324 }
a0505851e70c Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4236 diff changeset	325 #endif
6981 08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	326 #ifdef SSL_OP_NO_TLSv1_3
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	327 SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	328 if (!(protocols & NGX_SSL_TLSv1_3)) {
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	329 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	330 }
08dc60979133 SSL: added support for TLSv1.3 in ssl_protocols directive. Sergey Kandaurov <pluknet@nginx.com> parents: 6902 diff changeset	331 #endif
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	332
4185 6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	333 #ifdef SSL_OP_NO_COMPRESSION
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	334 SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	335 #endif
6af5959a2ace Disabling SSL compression. This saves about 300K per SSL connection. Igor Sysoev <igor@sysoev.ru> parents: 4064 diff changeset	336
4186 cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	337 #ifdef SSL_MODE_RELEASE_BUFFERS
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	338 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS);
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	339 #endif
cce2fd0acc0f Releasing memory of idle SSL connection. This saves about 34K per SSL Igor Sysoev <igor@sysoev.ru> parents: 4185 diff changeset	340
6036 4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	341 #ifdef SSL_MODE_NO_AUTO_CHAIN
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	342 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN);
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	343 #endif
4e3f87c02cb4 SSL: use of SSL_MODE_NO_AUTO_CHAIN. Maxim Dounin <mdounin@mdounin.ru> parents: 6034 diff changeset	344
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	345 SSL_CTX_set_read_ahead(ssl->ctx, 1);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	346
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	347 SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	348
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	349 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	350 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	351
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	352
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	353 ngx_int_t
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	354 ngx_ssl_certificates(ngx_conf_t cf, ngx_ssl_t ssl, ngx_array_t *certs,
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	355 ngx_array_t keys, ngx_array_t passwords)
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	356 {
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	357 ngx_str_t cert, key;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	358 ngx_uint_t i;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	359
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	360 cert = certs->elts;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	361 key = keys->elts;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	362
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	363 for (i = 0; i < certs->nelts; i++) {
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	364
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	365 if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords)
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	366 != NGX_OK)
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	367 {
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	368 return NGX_ERROR;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	369 }
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	370 }
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	371
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	372 return NGX_OK;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	373 }
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	374
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	375
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6549 diff changeset	376 ngx_int_t
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	377 ngx_ssl_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	378 ngx_str_t key, ngx_array_t passwords)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	379 {
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	380 BIO *bio;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	381 X509 *x509;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	382 u_long n;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	383 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	384 ngx_uint_t tries;
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	385
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	386 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	387 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	388 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	389
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	390 /*
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	391 * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	392 * allow to access certificate later from SSL_CTX, so we reimplement
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	393 * it here
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	394 */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	395
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	396 bio = BIO_new_file((char *) cert->data, "r");
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	397 if (bio == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	398 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	399 "BIO_new_file(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	400 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	401 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	402
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	403 x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	404 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	405 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	406 "PEM_read_bio_X509_AUX(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	407 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	408 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	409 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	410
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	411 if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	412 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	413 "SSL_CTX_use_certificate(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	414 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	415 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	416 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	417 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	418
6812 a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	419 if (X509_set_ex_data(x509, ngx_ssl_certificate_name_index, cert->data)
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	420 == 0)
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	421 {
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	422 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	423 X509_free(x509);
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	424 BIO_free(bio);
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	425 return NGX_ERROR;
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	426 }
a7ec59df0c4d OCSP stapling: added certificate name to warnings. Maxim Dounin <mdounin@mdounin.ru> parents: 6780 diff changeset	427
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	428 if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	429 SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	430 == 0)
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	431 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	432 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	433 X509_free(x509);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	434 BIO_free(bio);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	435 return NGX_ERROR;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	436 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	437
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	438 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	439 == 0)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	440 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	441 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	442 "SSL_CTX_set_ex_data() failed");
5384 cfbf1d1cc233 SSL: fixed possible memory and file descriptor leak on HUP signal. Piotr Sikora <piotr@cloudflare.com> parents: 5378 diff changeset	443 X509_free(x509);
cfbf1d1cc233 SSL: fixed possible memory and file descriptor leak on HUP signal. Piotr Sikora <piotr@cloudflare.com> parents: 5378 diff changeset	444 BIO_free(bio);
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	445 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	446 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	447
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	448 /* read rest of the chain */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	449
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	450 for ( ;; ) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	451
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	452 x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	453 if (x509 == NULL) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	454 n = ERR_peek_last_error();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	455
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	456 if (ERR_GET_LIB(n) == ERR_LIB_PEM
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	457 && ERR_GET_REASON(n) == PEM_R_NO_START_LINE)
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	458 {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	459 /* end of file */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	460 ERR_clear_error();
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	461 break;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	462 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	463
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	464 /* some real error */
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	465
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	466 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	467 "PEM_read_bio_X509(\"%s\") failed", cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	468 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	469 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	470 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	471
6549 d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	472 #ifdef SSL_CTRL_CHAIN_CERT
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	473
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	474 /*
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	475 * SSL_CTX_add0_chain_cert() is needed to add chain to
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	476 * a particular certificate when multiple certificates are used;
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	477 * only available in OpenSSL 1.0.2+
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	478 */
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	479
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	480 if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) {
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	481 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	482 "SSL_CTX_add0_chain_cert(\"%s\") failed",
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	483 cert->data);
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	484 X509_free(x509);
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	485 BIO_free(bio);
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	486 return NGX_ERROR;
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	487 }
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	488
d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	489 #else
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	490 if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) {
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	491 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	492 "SSL_CTX_add_extra_chain_cert(\"%s\") failed",
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	493 cert->data);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	494 X509_free(x509);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	495 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	496 return NGX_ERROR;
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	497 }
6549 d3302eb87a0c SSL: support for per-certificate chains. Maxim Dounin <mdounin@mdounin.ru> parents: 6548 diff changeset	498 #endif
4875 386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	499 }
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	500
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	501 BIO_free(bio);
386a06a22c40 OCSP stapling: loading OCSP responses. Maxim Dounin <mdounin@mdounin.ru> parents: 4872 diff changeset	502
5934 2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	503 if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	504
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	505 #ifndef OPENSSL_NO_ENGINE
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	506
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	507 u_char p, last;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	508 ENGINE *engine;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	509 EVP_PKEY *pkey;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	510
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	511 p = key->data + sizeof("engine:") - 1;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	512 last = (u_char *) ngx_strchr(p, ':');
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	513
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	514 if (last == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	515 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	516 "invalid syntax in \"%V\"", key);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	517 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	518 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	519
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	520 *last = '\0';
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	521
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	522 engine = ENGINE_by_id((char *) p);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	523
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	524 if (engine == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	525 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	526 "ENGINE_by_id(\"%s\") failed", p);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	527 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	528 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	529
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	530 *last++ = ':';
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	531
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	532 pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	533
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	534 if (pkey == NULL) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	535 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	536 "ENGINE_load_private_key(\"%s\") failed", last);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	537 ENGINE_free(engine);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	538 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	539 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	540
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	541 ENGINE_free(engine);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	542
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	543 if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	544 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	545 "SSL_CTX_use_PrivateKey(\"%s\") failed", last);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	546 EVP_PKEY_free(pkey);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	547 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	548 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	549
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	550 EVP_PKEY_free(pkey);
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	551
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	552 return NGX_OK;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	553
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	554 #else
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	555
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	556 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	557 "loading \"engine:...\" certificate keys "
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	558 "is not supported");
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	559 return NGX_ERROR;
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	560
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	561 #endif
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	562 }
2c33ed82cde1 SSL: loading certificate keys via ENGINE_load_private_key(). Dmitrii Pichulin parents: 5902 diff changeset	563
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	564 if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	565 return NGX_ERROR;
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	566 }
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	567
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	568 if (passwords) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	569 tries = passwords->nelts;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	570 pwd = passwords->elts;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	571
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	572 SSL_CTX_set_default_passwd_cb(ssl->ctx, ngx_ssl_password_callback);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	573 SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, pwd);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	574
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	575 } else {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	576 tries = 1;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	577 #if (NGX_SUPPRESS_WARN)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	578 pwd = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	579 #endif
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	580 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	581
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	582 for ( ;; ) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	583
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	584 if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	585 SSL_FILETYPE_PEM)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	586 != 0)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	587 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	588 break;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	589 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	590
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	591 if (--tries) {
5892 42520df85ebb SSL: simplified ssl_password_file error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 5882 diff changeset	592 ERR_clear_error();
42520df85ebb SSL: simplified ssl_password_file error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 5882 diff changeset	593 SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
42520df85ebb SSL: simplified ssl_password_file error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 5882 diff changeset	594 continue;
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	595 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	596
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	597 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	598 "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	599 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	600 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	601
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	602 SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	603
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	604 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	605 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	606
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	607
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	608 static int
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	609 ngx_ssl_password_callback(char buf, int size, int rwflag, void userdata)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	610 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	611 ngx_str_t *pwd = userdata;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	612
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	613 if (rwflag) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	614 ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	615 "ngx_ssl_password_callback() is called for encryption");
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	616 return 0;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	617 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	618
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	619 if (pwd->len > (size_t) size) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	620 ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	621 "password is truncated to %d bytes", size);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	622 } else {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	623 size = pwd->len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	624 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	625
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	626 ngx_memcpy(buf, pwd->data, size);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	627
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	628 return size;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	629 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	630
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	631
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	632 ngx_int_t
6591 04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	633 ngx_ssl_ciphers(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *ciphers,
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	634 ngx_uint_t prefer_server_ciphers)
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	635 {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	636 if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	637 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	638 "SSL_CTX_set_cipher_list(\"%V\") failed",
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	639 ciphers);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	640 return NGX_ERROR;
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	641 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	642
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	643 if (prefer_server_ciphers) {
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	644 SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	645 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	646
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	647 #if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER)
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	648 /* a temporary 512-bit RSA key is required for export versions of MSIE */
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	649 SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback);
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	650 #endif
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	651
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	652 return NGX_OK;
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	653 }
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	654
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	655
04d8d1f85649 SSL: ngx_ssl_ciphers() to set list of ciphers. Tim Taubert <tim@timtaubert.de> parents: 6554 diff changeset	656 ngx_int_t
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	657 ngx_ssl_client_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	658 ngx_int_t depth)
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	659 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	660 STACK_OF(X509_NAME) *list;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	661
5222 23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules. Piotr Sikora <piotr@cloudflare.com> parents: 5081 diff changeset	662 SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	663
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	664 SSL_CTX_set_verify_depth(ssl->ctx, depth);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	665
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	666 if (cert->len == 0) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	667 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	668 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	669
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	670 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	671 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	672 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	673
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	674 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	675 == 0)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	676 {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	677 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	678 "SSL_CTX_load_verify_locations(\"%s\") failed",
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	679 cert->data);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	680 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	681 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	682
5365 6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	683 /*
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	684 * SSL_CTX_load_verify_locations() may leave errors in the error queue
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	685 * while returning success
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	686 */
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	687
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	688 ERR_clear_error();
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	689
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	690 list = SSL_load_client_CA_file((char *) cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	691
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	692 if (list == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	693 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	694 "SSL_load_client_CA_file(\"%s\") failed", cert->data);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	695 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	696 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	697
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	698 /*
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	699 * before 0.9.7h and 0.9.8 SSL_load_client_CA_file()
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	700 * always leaved an error in the error queue
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	701 */
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	702
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	703 ERR_clear_error();
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	704
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	705 SSL_CTX_set_client_CA_list(ssl->ctx, list);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	706
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	707 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	708 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	709
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	710
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	711 ngx_int_t
4872 7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	712 ngx_ssl_trusted_certificate(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *cert,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	713 ngx_int_t depth)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	714 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	715 SSL_CTX_set_verify_depth(ssl->ctx, depth);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	716
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	717 if (cert->len == 0) {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	718 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	719 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	720
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	721 if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
4872 7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	722 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	723 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	724
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	725 if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	726 == 0)
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	727 {
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	728 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	729 "SSL_CTX_load_verify_locations(\"%s\") failed",
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	730 cert->data);
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	731 return NGX_ERROR;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	732 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	733
5365 6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	734 /*
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	735 * SSL_CTX_load_verify_locations() may leave errors in the error queue
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	736 * while returning success
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	737 */
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	738
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	739 ERR_clear_error();
6c35a1f428f2 SSL: clear error queue after SSL_CTX_load_verify_locations(). Maxim Dounin <mdounin@mdounin.ru> parents: 5330 diff changeset	740
4872 7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	741 return NGX_OK;
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	742 }
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	743
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	744
7c3cca603438 OCSP stapling: ssl_trusted_certificate directive. Maxim Dounin <mdounin@mdounin.ru> parents: 4868 diff changeset	745 ngx_int_t
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	746 ngx_ssl_crl(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *crl)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	747 {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	748 X509_STORE *store;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	749 X509_LOOKUP *lookup;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	750
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	751 if (crl->len == 0) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	752 return NGX_OK;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	753 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	754
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	755 if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) {
2995 cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	756 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	757 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	758
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	759 store = SSL_CTX_get_cert_store(ssl->ctx);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	760
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	761 if (store == NULL) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	762 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	763 "SSL_CTX_get_cert_store() failed");
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	764 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	765 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	766
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	767 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	768
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	769 if (lookup == NULL) {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	770 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	771 "X509_STORE_add_lookup() failed");
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	772 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	773 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	774
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	775 if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	776 == 0)
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	777 {
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	778 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	779 "X509_LOOKUP_load_file(\"%s\") failed", crl->data);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	780 return NGX_ERROR;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	781 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	782
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	783 X509_STORE_set_flags(store,
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	784 X509_V_FLAG_CRL_CHECK\|X509_V_FLAG_CRL_CHECK_ALL);
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	785
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	786 return NGX_OK;
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	787 }
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	788
cc07d164f0dc ssl_crl Igor Sysoev <igor@sysoev.ru> parents: 2994 diff changeset	789
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	790 static int
5222 23a186e8ca45 Style: remove unnecessary references to HTTP from non-HTTP modules. Piotr Sikora <piotr@cloudflare.com> parents: 5081 diff changeset	791 ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	792 {
1977 40c9cb8576bb get certificate info only for debug build Igor Sysoev <igor@sysoev.ru> parents: 1976 diff changeset	793 #if (NGX_DEBUG)
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	794 char subject, issuer;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	795 int err, depth;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	796 X509 *cert;
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	797 X509_NAME sname, iname;
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	798 ngx_connection_t *c;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	799 ngx_ssl_conn_t *ssl_conn;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	800
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	801 ssl_conn = X509_STORE_CTX_get_ex_data(x509_store,
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	802 SSL_get_ex_data_X509_STORE_CTX_idx());
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	803
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	804 c = ngx_ssl_get_connection(ssl_conn);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	805
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	806 cert = X509_STORE_CTX_get_current_cert(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	807 err = X509_STORE_CTX_get_error(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	808 depth = X509_STORE_CTX_get_error_depth(x509_store);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	809
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	810 sname = X509_get_subject_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	811 subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)";
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	812
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	813 iname = X509_get_issuer_name(cert);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	814 issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)";
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	815
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	816 ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0,
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	817 "verify:%d, error:%d, depth:%d, "
5775 294d020bbcfe SSL: misplaced space in debug message. Maxim Dounin <mdounin@mdounin.ru> parents: 5767 diff changeset	818 "subject:\"%s\", issuer:\"%s\"",
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	819 ok, err, depth, subject, issuer);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	820
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	821 if (sname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	822 OPENSSL_free(subject);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	823 }
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	824
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	825 if (iname) {
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	826 OPENSSL_free(issuer);
c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	827 }
1977 40c9cb8576bb get certificate info only for debug build Igor Sysoev <igor@sysoev.ru> parents: 1976 diff changeset	828 #endif
1976 c4d8867f0162 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1974 diff changeset	829
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	830 return 1;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	831 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	832
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	833
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	834 static void
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	835 ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	836 {
5395 a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	837 BIO rbio, wbio;
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	838 ngx_connection_t *c;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	839
6982 ac9b1df5b246 SSL: disabled renegotiation detection in client mode. Sergey Kandaurov <pluknet@nginx.com> parents: 6981 diff changeset	840 if ((where & SSL_CB_HANDSHAKE_START)
ac9b1df5b246 SSL: disabled renegotiation detection in client mode. Sergey Kandaurov <pluknet@nginx.com> parents: 6981 diff changeset	841 && SSL_is_server((ngx_ssl_conn_t *) ssl_conn))
ac9b1df5b246 SSL: disabled renegotiation detection in client mode. Sergey Kandaurov <pluknet@nginx.com> parents: 6981 diff changeset	842 {
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	843 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	844
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	845 if (c->ssl->handshaked) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	846 c->ssl->renegotiation = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	847 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	848 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	849 }
5395 a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	850
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	851 if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	852 c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	853
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	854 if (!c->ssl->handshake_buffer_set) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	855 /*
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	856 * By default OpenSSL uses 4k buffer during a handshake,
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	857 * which is too low for long certificate chains and might
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	858 * result in extra round-trips.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	859 *
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	860 * To adjust a buffer size we detect that buffering was added
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	861 * to write side of the connection by comparing rbio and wbio.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	862 * If they are different, we assume that it's due to buffering
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	863 * added to wbio, and set buffer size.
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	864 */
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	865
5423 5b5a486bd40e SSL: fixed build with OpenSSL 0.9.7. Maxim Dounin <mdounin@mdounin.ru> parents: 5395 diff changeset	866 rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn);
5b5a486bd40e SSL: fixed build with OpenSSL 0.9.7. Maxim Dounin <mdounin@mdounin.ru> parents: 5395 diff changeset	867 wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn);
5395 a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	868
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	869 if (rbio != wbio) {
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	870 (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE);
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	871 c->ssl->handshake_buffer_set = 1;
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	872 }
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	873 }
a720f0b0e083 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). Maxim Dounin <mdounin@mdounin.ru> parents: 5384 diff changeset	874 }
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	875 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	876
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	877
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	878 RSA *
5223 71d85de7b53b Style: replace SSL ssl with ngx_ssl_conn_t ssl_conn. Piotr Sikora <piotr@cloudflare.com> parents: 5222 diff changeset	879 ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
71d85de7b53b Style: replace SSL ssl with ngx_ssl_conn_t ssl_conn. Piotr Sikora <piotr@cloudflare.com> parents: 5222 diff changeset	880 int key_length)
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	881 {
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	882 static RSA *key;
b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	883
5754 c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	884 if (key_length != 512) {
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	885 return NULL;
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	886 }
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	887
6489 c256dfdd469d SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6488 diff changeset	888 #if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED)
5755 8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined. Maxim Dounin <mdounin@mdounin.ru> parents: 5754 diff changeset	889
5754 c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	890 if (key == NULL) {
c7ecd097b883 SSL: return temporary RSA key only when the key length matches. Piotr Sikora <piotr@cloudflare.com> parents: 5747 diff changeset	891 key = RSA_generate_key(512, RSA_F4, NULL, NULL);
559 c1f965ef9718 nginx-0.3.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 549 diff changeset	892 }
c1f965ef9718 nginx-0.3.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 549 diff changeset	893
5755 8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined. Maxim Dounin <mdounin@mdounin.ru> parents: 5754 diff changeset	894 #endif
8df08465fcfd SSL: fixed build with OPENSSL_NO_DEPRECATED defined. Maxim Dounin <mdounin@mdounin.ru> parents: 5754 diff changeset	895
3959 b1f48fa31e6c MSIE export versions are rare now, so RSA 512 key is generated on demand Igor Sysoev <igor@sysoev.ru> parents: 3851 diff changeset	896 return key;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	897 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	898
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	899
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	900 ngx_array_t *
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	901 ngx_ssl_read_password_file(ngx_conf_t cf, ngx_str_t file)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	902 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	903 u_char p, last, *end;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	904 size_t len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	905 ssize_t n;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	906 ngx_fd_t fd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	907 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	908 ngx_array_t *passwords;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	909 ngx_pool_cleanup_t *cln;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	910 u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE];
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	911
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	912 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	913 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	914 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	915
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	916 cln = ngx_pool_cleanup_add(cf->temp_pool, 0);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	917 passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t));
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	918
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	919 if (cln == NULL \|\| passwords == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	920 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	921 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	922
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	923 cln->handler = ngx_ssl_passwords_cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	924 cln->data = passwords;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	925
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	926 fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0);
7086 577628e6b6a6 Style. Sergey Kandaurov <pluknet@nginx.com> parents: 7074 diff changeset	927
5744 42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	928 if (fd == NGX_INVALID_FILE) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	929 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	930 ngx_open_file_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	931 return NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	932 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	933
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	934 len = 0;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	935 last = buf;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	936
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	937 do {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	938 n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	939
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	940 if (n == -1) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	941 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	942 ngx_read_fd_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	943 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	944 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	945 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	946
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	947 end = last + n;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	948
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	949 if (len && n == 0) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	950 *end++ = LF;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	951 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	952
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	953 p = buf;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	954
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	955 for ( ;; ) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	956 last = ngx_strlchr(last, end, LF);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	957
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	958 if (last == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	959 break;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	960 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	961
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	962 len = last++ - p;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	963
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	964 if (len && p[len - 1] == CR) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	965 len--;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	966 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	967
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	968 if (len) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	969 pwd = ngx_array_push(passwords);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	970 if (pwd == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	971 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	972 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	973 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	974
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	975 pwd->len = len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	976 pwd->data = ngx_pnalloc(cf->temp_pool, len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	977
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	978 if (pwd->data == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	979 passwords->nelts--;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	980 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	981 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	982 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	983
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	984 ngx_memcpy(pwd->data, p, len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	985 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	986
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	987 p = last;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	988 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	989
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	990 len = end - p;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	991
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	992 if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	993 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	994 "too long line in \"%s\"", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	995 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	996 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	997 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	998
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	999 ngx_memmove(buf, p, len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1000 last = buf + len;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1001
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1002 } while (n != 0);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1003
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1004 if (passwords->nelts == 0) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1005 pwd = ngx_array_push(passwords);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1006 if (pwd == NULL) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1007 passwords = NULL;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1008 goto cleanup;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1009 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1010
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1011 ngx_memzero(pwd, sizeof(ngx_str_t));
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1012 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1013
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1014 cleanup:
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1015
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1016 if (ngx_close_file(fd) == NGX_FILE_ERROR) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1017 ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1018 ngx_close_file_n " \"%s\" failed", file->data);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1019 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1020
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1021 ngx_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1022
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1023 return passwords;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1024 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1025
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1026
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1027 static void
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1028 ngx_ssl_passwords_cleanup(void *data)
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1029 {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1030 ngx_array_t *passwords = data;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1031
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1032 ngx_str_t *pwd;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1033 ngx_uint_t i;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1034
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1035 pwd = passwords->elts;
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1036
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1037 for (i = 0; i < passwords->nelts; i++) {
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1038 ngx_memzero(pwd[i].data, pwd[i].len);
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1039 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1040 }
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1041
42114bf12da0 SSL: the "ssl_password_file" directive. Valentin Bartenev <vbart@nginx.com> parents: 5700 diff changeset	1042
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1043 ngx_int_t
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1044 ngx_ssl_dhparam(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *file)
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1045 {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1046 DH *dh;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1047 BIO *bio;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1048
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1049 if (file->len == 0) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1050 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1051 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1052
5330 314c3d7cc3a5 Backed out f1a91825730a and 7094bd12c1ff. Maxim Dounin <mdounin@mdounin.ru> parents: 5317 diff changeset	1053 if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) {
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1054 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1055 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1056
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1057 bio = BIO_new_file((char *) file->data, "r");
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1058 if (bio == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1059 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1060 "BIO_new_file(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1061 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1062 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1063
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1064 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1065 if (dh == NULL) {
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1066 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1067 "PEM_read_bio_DHparams(\"%s\") failed", file->data);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1068 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1069 return NGX_ERROR;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1070 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1071
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1072 SSL_CTX_set_tmp_dh(ssl->ctx, dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1073
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1074 DH_free(dh);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1075 BIO_free(bio);
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1076
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1077 return NGX_OK;
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1078 }
f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1079
4522 14411ee4d89f Whitespace fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4499 diff changeset	1080
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1081 ngx_int_t
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1082 ngx_ssl_ecdh_curve(ngx_conf_t cf, ngx_ssl_t ssl, ngx_str_t *name)
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1083 {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1084 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1085 #ifndef OPENSSL_NO_ECDH
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1086
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1087 /*
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1088 * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
4572 67653855682e Fixed spelling in multiline C comments. Ruslan Ermilov <ru@nginx.com> parents: 4522 diff changeset	1089 * from RFC 4492 section 5.1.1, or explicitly described curves over
6552 addd98357629 SSL: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6551 diff changeset	1090 * binary fields. OpenSSL only supports the "named curves", which provide
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1091 * maximum interoperability.
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1092 */
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1093
6983 3518287d995e SSL: compatibility with OpenSSL master branch. Sergey Kandaurov <pluknet@nginx.com> parents: 6982 diff changeset	1094 #if (defined SSL_CTX_set1_curves_list \|\| defined SSL_CTRL_SET_CURVES_LIST)
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1095
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1096 /*
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1097 * OpenSSL 1.0.2+ allows configuring a curve list instead of a single
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1098 * curve previously supported. By default an internal list is used,
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1099 * with prime256v1 being preferred by server in OpenSSL 1.0.2b+
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1100 * and X25519 in OpenSSL 1.1.0+.
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1101 *
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1102 * By default a curve preferred by the client will be used for
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1103 * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1104 * be used to prefer server curves instead, similar to what it
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1105 * does for ciphers.
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1106 */
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1107
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1108 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1109
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1110 #if SSL_CTRL_SET_ECDH_AUTO
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1111 /* not needed in OpenSSL 1.1.0+ */
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1112 SSL_CTX_set_ecdh_auto(ssl->ctx, 1);
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1113 #endif
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1114
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1115 if (ngx_strcmp(name->data, "auto") == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1116 return NGX_OK;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1117 }
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1118
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1119 if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1120 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1121 "SSL_CTX_set1_curves_list(\"%s\") failed", name->data);
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1122 return NGX_ERROR;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1123 }
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1124
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1125 #else
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1126
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1127 int nid;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1128 char *curve;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1129 EC_KEY *ecdh;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1130
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1131 if (ngx_strcmp(name->data, "auto") == 0) {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1132 curve = "prime256v1";
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1133
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1134 } else {
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1135 curve = (char *) name->data;
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1136 }
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1137
2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1138 nid = OBJ_sn2nid(curve);
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1139 if (nid == 0) {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1140 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1141 "OBJ_sn2nid(\"%s\") failed: unknown curve", curve);
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1142 return NGX_ERROR;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1143 }
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1144
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1145 ecdh = EC_KEY_new_by_curve_name(nid);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1146 if (ecdh == NULL) {
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1147 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1148 "EC_KEY_new_by_curve_name(\"%s\") failed", curve);
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1149 return NGX_ERROR;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1150 }
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1151
5003 82234f3f5ca2 SSL: speedup loading of configs with many ssl servers. Maxim Dounin <mdounin@mdounin.ru> parents: 4877 diff changeset	1152 SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE);
82234f3f5ca2 SSL: speedup loading of configs with many ssl servers. Maxim Dounin <mdounin@mdounin.ru> parents: 4877 diff changeset	1153
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1154 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1155
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1156 EC_KEY_free(ecdh);
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1157 #endif
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1158 #endif
6553 2014ed60f17f SSL: support for multiple curves (ticket #885). Maxim Dounin <mdounin@mdounin.ru> parents: 6552 diff changeset	1159 #endif
3960 0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1160
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1161 return NGX_OK;
0832a6997227 ECDHE support Igor Sysoev <igor@sysoev.ru> parents: 3959 diff changeset	1162 }
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1163
4522 14411ee4d89f Whitespace fixes. Maxim Dounin <mdounin@mdounin.ru> parents: 4499 diff changeset	1164
2044 f45cec1cd270 DH parameters, ssl_dhparam Igor Sysoev <igor@sysoev.ru> parents: 2032 diff changeset	1165 ngx_int_t
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1166 ngx_ssl_create_connection(ngx_ssl_t ssl, ngx_connection_t c, ngx_uint_t flags)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1167 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1168 ngx_ssl_connection_t *sc;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1169
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1170 sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1171 if (sc == NULL) {
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1172 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1173 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1174
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1175 sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	1176 sc->buffer_size = ssl->buffer_size;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1177
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	1178 sc->session_ctx = ssl->ctx;
97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	1179
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1180 sc->connection = SSL_new(ssl->ctx);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1181
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1182 if (sc->connection == NULL) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1183 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed");
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1184 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1185 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1186
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1187 if (SSL_set_fd(sc->connection, c->fd) == 0) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1188 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed");
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1189 return NGX_ERROR;
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1190 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1191
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1192 if (flags & NGX_SSL_CLIENT) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1193 SSL_set_connect_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1194
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1195 } else {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1196 SSL_set_accept_state(sc->connection);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1197 }
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1198
969 065b39794fff ngx_ssl_get_server_conf() Igor Sysoev <igor@sysoev.ru> parents: 968 diff changeset	1199 if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1200 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed");
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1201 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1202 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	1203
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1204 c->ssl = sc;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1205
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1206 return NGX_OK;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1207 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1208
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1209
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1210 ngx_int_t
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1211 ngx_ssl_set_session(ngx_connection_t c, ngx_ssl_session_t session)
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1212 {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1213 if (session) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1214 if (SSL_set_session(c->ssl->connection, session) == 0) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1215 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed");
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1216 return NGX_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1217 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1218 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1219
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1220 return NGX_OK;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1221 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1222
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1223
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1224 ngx_int_t
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1225 ngx_ssl_handshake(ngx_connection_t *c)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1226 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1227 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1228 ngx_err_t err;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1229
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1230 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1231
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1232 n = SSL_do_handshake(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1233
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1234 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1235
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1236 if (n == 1) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1237
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1238 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1239 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1240 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1241
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1242 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1243 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1244 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1245
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1246 #if (NGX_DEBUG)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1247 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1248 char buf[129], s, d;
3851 033015e01eec fix building on Fedora 14 Igor Sysoev <igor@sysoev.ru> parents: 3815 diff changeset	1249 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
3488 92378c49456d MSVC8 compatibility with OpenSSL 1.0.0 Igor Sysoev <igor@sysoev.ru> parents: 3464 diff changeset	1250 const
92378c49456d MSVC8 compatibility with OpenSSL 1.0.0 Igor Sysoev <igor@sysoev.ru> parents: 3464 diff changeset	1251 #endif
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1252 SSL_CIPHER *cipher;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1253
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1254 cipher = SSL_get_current_cipher(c->ssl->connection);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1255
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1256 if (cipher) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1257 SSL_CIPHER_description(cipher, &buf[1], 128);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1258
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1259 for (s = &buf[1], d = buf; *s; s++) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1260 if (s == ' ' && d == ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1261 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1262 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1263
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1264 if (s == LF \|\| s == CR) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1265 continue;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1266 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1267
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1268 ++d = s;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1269 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1270
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1271 if (*d != ' ') {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1272 d++;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1273 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1274
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1275 *d = '\0';
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1276
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1277 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1278 "SSL: %s, cipher: \"%s\"",
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1279 SSL_get_version(c->ssl->connection), &buf[1]);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1280
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1281 if (SSL_session_reused(c->ssl->connection)) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1282 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1283 "SSL reused session");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1284 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1285
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1286 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1287 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1288 "SSL no shared ciphers");
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1289 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1290 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1291 #endif
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1292
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1293 c->ssl->handshaked = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1294
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1295 c->recv = ngx_ssl_recv;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1296 c->send = ngx_ssl_write;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1297 c->recv_chain = ngx_ssl_recv_chain;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1298 c->send_chain = ngx_ssl_send_chain;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1299
6255 b40af2fd1c16 SSL: compatibility with OpenSSL master branch. Maxim Dounin <mdounin@mdounin.ru> parents: 6036 diff changeset	1300 #if OPENSSL_VERSION_NUMBER < 0x10100000L
5946 ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1301 #ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1302
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1303 /* initial handshake done, disable renegotiation (CVE-2009-3555) */
6995 eb5d119323d8 SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6983 diff changeset	1304 if (c->ssl->connection->s3 && SSL_is_server(c->ssl->connection)) {
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1305 c->ssl->connection->s3->flags \|= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1306 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1307
5946 ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1308 #endif
6255 b40af2fd1c16 SSL: compatibility with OpenSSL master branch. Maxim Dounin <mdounin@mdounin.ru> parents: 6036 diff changeset	1309 #endif
5946 ee941e49bd88 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. Lukas Tribus <luky-37@hotmail.com> parents: 5934 diff changeset	1310
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1311 return NGX_OK;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1312 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1313
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1314 sslerr = SSL_get_error(c->ssl->connection, n);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1315
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1316 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1317
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1318 if (sslerr == SSL_ERROR_WANT_READ) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1319 c->read->ready = 0;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1320 c->read->handler = ngx_ssl_handshake_handler;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1321 c->write->handler = ngx_ssl_handshake_handler;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1322
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1323 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1324 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1325 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1326
5024 03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1327 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1328 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1329 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1330
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1331 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1332 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1333
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1334 if (sslerr == SSL_ERROR_WANT_WRITE) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1335 c->write->ready = 0;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1336 c->read->handler = ngx_ssl_handshake_handler;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1337 c->write->handler = ngx_ssl_handshake_handler;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1338
5024 03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1339 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1340 return NGX_ERROR;
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1341 }
03513220b83b SSL: fixed ngx_ssl_handshake() with level-triggered event methods. Maxim Dounin <mdounin@mdounin.ru> parents: 5023 diff changeset	1342
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1343 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1344 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1345 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1346
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1347 return NGX_AGAIN;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1348 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1349
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1350 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1351
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1352 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1353 c->ssl->no_send_shutdown = 1;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1354 c->read->eof = 1;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1355
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1356 if (sslerr == SSL_ERROR_ZERO_RETURN \|\| ERR_peek_error() == 0) {
5747 57c05ff57980 SSL: logging level of "peer closed connection in SSL handshake". Maxim Dounin <mdounin@mdounin.ru> parents: 5744 diff changeset	1357 ngx_connection_error(c, err,
57c05ff57980 SSL: logging level of "peer closed connection in SSL handshake". Maxim Dounin <mdounin@mdounin.ru> parents: 5744 diff changeset	1358 "peer closed connection in SSL handshake");
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1359
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1360 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1361 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1362
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1363 c->read->error = 1;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1364
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1365 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1366
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1367 return NGX_ERROR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1368 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1369
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1370
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1371 static void
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1372 ngx_ssl_handshake_handler(ngx_event_t *ev)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1373 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1374 ngx_connection_t *c;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1375
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1376 c = ev->data;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1377
549 e16a8d574da5 nginx-0.2.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 547 diff changeset	1378 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1379 "SSL handshake handler: %d", ev->write);
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1380
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1381 if (ev->timedout) {
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1382 c->ssl->handler(c);
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1383 return;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1384 }
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1385
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1386 if (ngx_ssl_handshake(c) == NGX_AGAIN) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1387 return;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1388 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1389
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1390 c->ssl->handler(c);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1391 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1392
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1393
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1394 ssize_t
5882 ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1395 ngx_ssl_recv_chain(ngx_connection_t c, ngx_chain_t cl, off_t limit)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1396 {
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1397 u_char *last;
5882 ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1398 ssize_t n, bytes, size;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1399 ngx_buf_t *b;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1400
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1401 bytes = 0;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1402
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1403 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1404 last = b->last;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1405
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1406 for ( ;; ) {
5882 ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1407 size = b->end - last;
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1408
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1409 if (limit) {
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1410 if (bytes >= limit) {
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1411 return bytes;
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1412 }
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1413
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1414 if (bytes + size > limit) {
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1415 size = (ssize_t) (limit - bytes);
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1416 }
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1417 }
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1418
ec81934727a1 Core: added limit to recv_chain(). Roman Arutyunyan <arut@nginx.com> parents: 5834 diff changeset	1419 n = ngx_ssl_recv(c, last, size);
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1420
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1421 if (n > 0) {
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1422 last += n;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1423 bytes += n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1424
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1425 if (last == b->end) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1426 cl = cl->next;
1154 427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1427
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1428 if (cl == NULL) {
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1429 return bytes;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1430 }
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1431
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1432 b = cl->buf;
427de53e45c2 ngx_ssl_recv_chain() must not update buf->last, Igor Sysoev <igor@sysoev.ru> parents: 1043 diff changeset	1433 last = b->last;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1434 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1435
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1436 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1437 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1438
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1439 if (bytes) {
2052 b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1440
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1441 if (n == 0 \|\| n == NGX_ERROR) {
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1442 c->read->ready = 1;
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1443 }
b4085596a7e6 fix "proxy_pass https://..." broken in r1427 Igor Sysoev <igor@sysoev.ru> parents: 2049 diff changeset	1444
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1445 return bytes;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1446 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1447
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1448 return n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1449 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1450 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1451
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1452
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1453 ssize_t
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1454 ngx_ssl_recv(ngx_connection_t c, u_char buf, size_t size)
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1455 {
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1456 int n, bytes;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1457
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1458 if (c->ssl->last == NGX_ERROR) {
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1459 c->read->error = 1;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1460 return NGX_ERROR;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1461 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1462
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1463 if (c->ssl->last == NGX_DONE) {
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1464 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1465 c->read->eof = 1;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1466 return 0;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1467 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1468
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1469 bytes = 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1470
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1471 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1472
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1473 /*
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1474 * SSL_read() may return data in parts, so try to read
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1475 * until SSL_read() would return no data
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1476 */
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1477
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1478 for ( ;; ) {
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1479
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1480 n = SSL_read(c->ssl->connection, buf, size);
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1481
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1482 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1483
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1484 if (n > 0) {
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1485 bytes += n;
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1486 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1487
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1488 c->ssl->last = ngx_ssl_handle_recv(c, n);
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1489
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1490 if (c->ssl->last == NGX_OK) {
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1491
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1492 size -= n;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1493
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1494 if (size == 0) {
5450 9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1495 c->read->ready = 1;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1496 return bytes;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1497 }
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1498
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1499 buf += n;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1500
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1501 continue;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1502 }
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1503
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1504 if (bytes) {
5450 9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1505 if (c->ssl->last != NGX_AGAIN) {
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1506 c->read->ready = 1;
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1507 }
9868c72f6f43 SSL: fixed c->read->ready handling in ngx_ssl_recv(). Maxim Dounin <mdounin@mdounin.ru> parents: 5425 diff changeset	1508
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1509 return bytes;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1510 }
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1511
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1512 switch (c->ssl->last) {
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1513
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1514 case NGX_DONE:
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1515 c->read->ready = 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1516 c->read->eof = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1517 return 0;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1518
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1519 case NGX_ERROR:
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1520 c->read->error = 1;
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1521
4499 778ef9c3fd2d Fixed spelling in single-line comments. Ruslan Ermilov <ru@nginx.com> parents: 4497 diff changeset	1522 /* fall through */
1426 adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1523
adbafd129d06 do not set read->eof, ready, and error prematurely Igor Sysoev <igor@sysoev.ru> parents: 1421 diff changeset	1524 case NGX_AGAIN:
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1525 return c->ssl->last;
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	1526 }
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1527 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1528 }
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1529
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1530
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1531 static ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1532 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1533 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1534 int sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1535 ngx_err_t err;
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1536
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1537 if (c->ssl->renegotiation) {
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1538 /*
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1539 * disable renegotiation (CVE-2009-3555):
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1540 * OpenSSL (at least up to 0.9.8l) does not handle disabled
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1541 * renegotiation gracefully, so drop connection here
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1542 */
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1543
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1544 ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1545
4236 2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1546 while (ERR_peek_error()) {
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1547 ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1548 "ignoring stale global SSL error");
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1549 }
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1550
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1551 ERR_clear_error();
2ada2a26b24c Silently ignoring a stale global SSL error left after disabled renegotiation. Igor Sysoev <igor@sysoev.ru> parents: 4228 diff changeset	1552
3300 5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1553 c->ssl->no_wait_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1554 c->ssl->no_send_shutdown = 1;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1555
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1556 return NGX_ERROR;
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1557 }
5a08dfb8d763 disable SSL renegotiation (CVE-2009-3555) Igor Sysoev <igor@sysoev.ru> parents: 3283 diff changeset	1558
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1559 if (n > 0) {
479 c52408583801 nginx-0.1.14-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 473 diff changeset	1560
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1561 if (c->ssl->saved_write_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1562
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1563 c->write->handler = c->ssl->saved_write_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1564 c->ssl->saved_write_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1565 c->write->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1566
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1567 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1568 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1569 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1570
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	1571 ngx_post_event(c->write, &ngx_posted_events);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1572 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1573
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1574 return NGX_OK;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1575 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1576
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1577 sslerr = SSL_get_error(c->ssl->connection, n);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1578
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1579 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1580
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1581 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1582
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1583 if (sslerr == SSL_ERROR_WANT_READ) {
455 295d97d70c69 nginx-0.1.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 452 diff changeset	1584 c->read->ready = 0;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1585 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1586 }
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1587
445 f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import Igor Sysoev <igor@sysoev.ru> parents: 444 diff changeset	1588 if (sslerr == SSL_ERROR_WANT_WRITE) {
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	1589
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1590 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1591 "peer started SSL renegotiation");
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1592
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1593 c->write->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1594
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1595 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1596 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1597 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1598
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1599 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1600 * we do not set the timer because there is already the read event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1601 */
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1602
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1603 if (c->ssl->saved_write_handler == NULL) {
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1604 c->ssl->saved_write_handler = c->write->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1605 c->write->handler = ngx_ssl_write_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1606 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1607
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1608 return NGX_AGAIN;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1609 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1610
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1611 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1612 c->ssl->no_send_shutdown = 1;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1613
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1614 if (sslerr == SSL_ERROR_ZERO_RETURN \|\| ERR_peek_error() == 0) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1615 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1616 "peer shutdown SSL cleanly");
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1617 return NGX_DONE;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1618 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1619
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1620 ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed");
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1621
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1622 return NGX_ERROR;
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1623 }
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1624
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	1625
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1626 static void
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1627 ngx_ssl_write_handler(ngx_event_t *wev)
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1628 {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1629 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1630
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1631 c = wev->data;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1632
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1633 c->read->handler(c->read);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1634 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1635
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1636
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1637 /*
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1638 * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1639 * before the SSL_write() call to decrease a SSL overhead.
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1640 *
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1641 * Besides for protocols such as HTTP it is possible to always buffer
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1642 * the output to decrease a SSL overhead some more.
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1643 */
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1644
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1645 ngx_chain_t *
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1646 ngx_ssl_send_chain(ngx_connection_t c, ngx_chain_t in, off_t limit)
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1647 {
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1648 int n;
399 4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import Igor Sysoev <igor@sysoev.ru> parents: 398 diff changeset	1649 ngx_uint_t flush;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1650 ssize_t send, size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1651 ngx_buf_t *buf;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1652
2280 6453161bf53e always use buffer, if connection is buffered, Igor Sysoev <igor@sysoev.ru> parents: 2165 diff changeset	1653 if (!c->ssl->buffer) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1654
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1655 while (in) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1656 if (ngx_buf_special(in->buf)) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1657 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1658 continue;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1659 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1660
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1661 n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1662
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1663 if (n == NGX_ERROR) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1664 return NGX_CHAIN_ERROR;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1665 }
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1666
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1667 if (n == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1668 return in;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1669 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1670
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1671 in->buf->pos += n;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1672
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1673 if (in->buf->pos == in->buf->last) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1674 in = in->next;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1675 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1676 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1677
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1678 return in;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1679 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1680
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1681
3962 df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	1682 /* the maximum limit size is the maximum int32_t value - the page size */
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	1683
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	1684 if (limit == 0 \|\| limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) {
df2ae4bc7415 fix SSL connection issues on platforms with 32-bit off_t Igor Sysoev <igor@sysoev.ru> parents: 3961 diff changeset	1685 limit = NGX_MAX_INT32_VALUE - ngx_pagesize;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1686 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1687
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1688 buf = c->ssl->buf;
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1689
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1690 if (buf == NULL) {
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	1691 buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size);
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1692 if (buf == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1693 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1694 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1695
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1696 c->ssl->buf = buf;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1697 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1698
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1699 if (buf->start == NULL) {
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	1700 buf->start = ngx_palloc(c->pool, c->ssl->buffer_size);
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1701 if (buf->start == NULL) {
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1702 return NGX_CHAIN_ERROR;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1703 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1704
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1705 buf->pos = buf->start;
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1706 buf->last = buf->start;
5487 a297b7ad6f94 SSL: ssl_buffer_size directive. Maxim Dounin <mdounin@mdounin.ru> parents: 5450 diff changeset	1707 buf->end = buf->start + c->ssl->buffer_size;
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1708 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1709
5023 70a35b7b63ea SSL: take into account data in the buffer while limiting output. Valentin Bartenev <vbart@nginx.com> parents: 5022 diff changeset	1710 send = buf->last - buf->pos;
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	1711 flush = (in == NULL) ? 1 : buf->flush;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1712
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1713 for ( ;; ) {
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1714
3283 52b1624b93c2 fix segfault in SSL if limit_rate is used Igor Sysoev <igor@sysoev.ru> parents: 3159 diff changeset	1715 while (in && buf->last < buf->end && send < limit) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	1716 if (in->buf->last_buf \|\| in->buf->flush) {
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1717 flush = 1;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1718 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1719
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1720 if (ngx_buf_special(in->buf)) {
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1721 in = in->next;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1722 continue;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1723 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1724
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1725 size = in->buf->last - in->buf->pos;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1726
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1727 if (size > buf->end - buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1728 size = buf->end - buf->last;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1729 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1730
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1731 if (send + size > limit) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1732 size = (ssize_t) (limit - send);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1733 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1734
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1735 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6480 f01ab2dbcfdc Fixed logging. Sergey Kandaurov <pluknet@nginx.com> parents: 6474 diff changeset	1736 "SSL buf copy: %z", size);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1737
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1738 ngx_memcpy(buf->last, in->buf->pos, size);
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1739
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1740 buf->last += size;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1741 in->buf->pos += size;
3283 52b1624b93c2 fix segfault in SSL if limit_rate is used Igor Sysoev <igor@sysoev.ru> parents: 3159 diff changeset	1742 send += size;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1743
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1744 if (in->buf->pos == in->buf->last) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1745 in = in->next;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1746 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1747 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1748
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	1749 if (!flush && send < limit && buf->last < buf->end) {
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1750 break;
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1751 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1752
5021 674f8739e443 SSL: calculation of buffer size moved closer to its usage. Valentin Bartenev <vbart@nginx.com> parents: 5020 diff changeset	1753 size = buf->last - buf->pos;
674f8739e443 SSL: calculation of buffer size moved closer to its usage. Valentin Bartenev <vbart@nginx.com> parents: 5020 diff changeset	1754
5022 1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	1755 if (size == 0) {
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	1756 buf->flush = 0;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	1757 c->buffered &= ~NGX_SSL_BUFFERED;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	1758 return in;
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	1759 }
1d819608ad4a SSL: avoid calling SSL_write() with zero data size. Valentin Bartenev <vbart@nginx.com> parents: 5021 diff changeset	1760
398 201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1761 n = ngx_ssl_write(c, buf->pos, size);
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1762
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1763 if (n == NGX_ERROR) {
201b5f68b59f nginx-0.0.7-2004-07-23-21:05:37 import Igor Sysoev <igor@sysoev.ru> parents: 397 diff changeset	1764 return NGX_CHAIN_ERROR;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1765 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1766
511 c12967aadd87 nginx-0.1.30-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 509 diff changeset	1767 if (n == NGX_AGAIN) {
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	1768 break;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1769 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1770
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1771 buf->pos += n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1772
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1773 if (n < size) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1774 break;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1775 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1776
5019 69693a098655 SSL: resetting of flush flag after the data was written. Valentin Bartenev <vbart@nginx.com> parents: 5018 diff changeset	1777 flush = 0;
69693a098655 SSL: resetting of flush flag after the data was written. Valentin Bartenev <vbart@nginx.com> parents: 5018 diff changeset	1778
5018 0ea36741bb35 SSL: removed conditions that always hold true. Valentin Bartenev <vbart@nginx.com> parents: 5003 diff changeset	1779 buf->pos = buf->start;
0ea36741bb35 SSL: removed conditions that always hold true. Valentin Bartenev <vbart@nginx.com> parents: 5003 diff changeset	1780 buf->last = buf->start;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1781
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1782 if (in == NULL \|\| send == limit) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1783 break;
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1784 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1785 }
f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1786
5020 587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	1787 buf->flush = flush;
587dbe2edc5f SSL: preservation of flush flag for buffered data. Valentin Bartenev <vbart@nginx.com> parents: 5019 diff changeset	1788
597 9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1789 if (buf->pos < buf->last) {
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1790 c->buffered \|= NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1791
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1792 } else {
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1793 c->buffered &= ~NGX_SSL_BUFFERED;
9262f520ce21 nginx-0.3.20-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 591 diff changeset	1794 }
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1795
399 4e21d1291a14 nginx-0.0.7-2004-07-25-22:34:14 import Igor Sysoev <igor@sysoev.ru> parents: 398 diff changeset	1796 return in;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1797 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1798
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1799
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	1800 ssize_t
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1801 ngx_ssl_write(ngx_connection_t c, u_char data, size_t size)
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1802 {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1803 int n, sslerr;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1804 ngx_err_t err;
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1805
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1806 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1807
6480 f01ab2dbcfdc Fixed logging. Sergey Kandaurov <pluknet@nginx.com> parents: 6474 diff changeset	1808 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1809
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1810 n = SSL_write(c->ssl->connection, data, size);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1811
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1812 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1813
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1814 if (n > 0) {
539 371c1cee100d nginx-0.1.44-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 513 diff changeset	1815
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1816 if (c->ssl->saved_read_handler) {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1817
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1818 c->read->handler = c->ssl->saved_read_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1819 c->ssl->saved_read_handler = NULL;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1820 c->read->ready = 1;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1821
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1822 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1823 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1824 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1825
563 9c2f3ed7a247 nginx-0.3.3-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 559 diff changeset	1826 ngx_post_event(c->read, &ngx_posted_events);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1827 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1828
5986 c2f309fb7ad2 SSL: account sent bytes in ngx_ssl_write(). Ruslan Ermilov <ru@nginx.com> parents: 5946 diff changeset	1829 c->sent += n;
c2f309fb7ad2 SSL: account sent bytes in ngx_ssl_write(). Ruslan Ermilov <ru@nginx.com> parents: 5946 diff changeset	1830
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1831 return n;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1832 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1833
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1834 sslerr = SSL_get_error(c->ssl->connection, n);
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1835
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1836 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1837
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1838 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr);
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1839
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1840 if (sslerr == SSL_ERROR_WANT_WRITE) {
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1841 c->write->ready = 0;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1842 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1843 }
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1844
445 f26432a1935a nginx-0.1.0-2004-09-30-10:38:49 import Igor Sysoev <igor@sysoev.ru> parents: 444 diff changeset	1845 if (sslerr == SSL_ERROR_WANT_READ) {
452 23fb87bddda1 nginx-0.1.1-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 445 diff changeset	1846
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1847 ngx_log_error(NGX_LOG_INFO, c->log, 0,
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1848 "peer started SSL renegotiation");
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1849
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1850 c->read->ready = 0;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1851
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1852 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1853 return NGX_ERROR;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1854 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1855
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1856 /*
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1857 * we do not set the timer because there is already
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1858 * the write event timer
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1859 */
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1860
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1861 if (c->ssl->saved_read_handler == NULL) {
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1862 c->ssl->saved_read_handler = c->read->handler;
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1863 c->read->handler = ngx_ssl_read_handler;
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1864 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1865
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1866 return NGX_AGAIN;
de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1867 }
395 f8f0f1834266 nginx-0.0.7-2004-07-16-21:11:43 import Igor Sysoev <igor@sysoev.ru> parents: 394 diff changeset	1868
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1869 c->ssl->no_wait_shutdown = 1;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1870 c->ssl->no_send_shutdown = 1;
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1871 c->write->error = 1;
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1872
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1873 ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed");
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1874
397 de797f3b4c27 nginx-0.0.7-2004-07-23-09:37:29 import Igor Sysoev <igor@sysoev.ru> parents: 396 diff changeset	1875 return NGX_ERROR;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1876 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1877
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1878
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1879 static void
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1880 ngx_ssl_read_handler(ngx_event_t *rev)
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1881 {
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1882 ngx_connection_t *c;
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1883
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1884 c = rev->data;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1885
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	1886 c->write->handler(c->write);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1887 }
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1888
8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1889
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1890 void
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1891 ngx_ssl_free_buffer(ngx_connection_t *c)
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1892 {
1795 3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1893 if (c->ssl->buf && c->ssl->buf->start) {
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1894 if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) {
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1895 c->ssl->buf->start = NULL;
3a0132e2be2c fix segfault introduced in r1780 Igor Sysoev <igor@sysoev.ru> parents: 1779 diff changeset	1896 }
1779 06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1897 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1898 }
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1899
06014cfdb5b1 create ssl buffer on demand and free it before keep-alive Igor Sysoev <igor@sysoev.ru> parents: 1778 diff changeset	1900
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1901 ngx_int_t
45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	1902 ngx_ssl_shutdown(ngx_connection_t *c)
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1903 {
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1904 int n, sslerr, mode;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1905 ngx_err_t err;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1906
6407 062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1907 if (SSL_in_init(c->ssl->connection)) {
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1908 /*
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1909 * OpenSSL 1.0.2f complains if SSL_shutdown() is called during
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1910 * an SSL handshake, while previous versions always return 0.
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1911 * Avoid calling SSL_shutdown() if handshake wasn't completed.
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1912 */
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1913
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1914 SSL_free(c->ssl->connection);
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1915 c->ssl = NULL;
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1916
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1917 return NGX_OK;
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1918 }
062c189fee20 SSL: avoid calling SSL_shutdown() during handshake (ticket #901). Maxim Dounin <mdounin@mdounin.ru> parents: 6406 diff changeset	1919
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1920 if (c->timedout) {
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1921 mode = SSL_RECEIVED_SHUTDOWN\|SSL_SENT_SHUTDOWN;
4064 5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1922 SSL_set_quiet_shutdown(c->ssl->connection, 1);
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1923
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1924 } else {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1925 mode = SSL_get_shutdown(c->ssl->connection);
473 8e8f3af115b5 nginx-0.1.11-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 469 diff changeset	1926
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1927 if (c->ssl->no_wait_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1928 mode \|= SSL_RECEIVED_SHUTDOWN;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1929 }
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1930
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1931 if (c->ssl->no_send_shutdown) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1932 mode \|= SSL_SENT_SHUTDOWN;
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1933 }
4064 5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1934
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1935 if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) {
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1936 SSL_set_quiet_shutdown(c->ssl->connection, 1);
5b776ad53c3c Proper SSL shutdown handling. Maxim Dounin <mdounin@mdounin.ru> parents: 3992 diff changeset	1937 }
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1938 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1939
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1940 SSL_set_shutdown(c->ssl->connection, mode);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1941
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1942 ngx_ssl_clear_error(c->log);
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	1943
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1944 n = SSL_shutdown(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1945
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1946 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1947
461 a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	1948 sslerr = 0;
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1949
6406 d194cad6dd3a SSL: fixed SSL_shutdown() comment. Maxim Dounin <mdounin@mdounin.ru> parents: 6261 diff changeset	1950 /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1951
1865 4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755 Igor Sysoev <igor@sysoev.ru> parents: 1861 diff changeset	1952 if (n != 1 && ERR_peek_error()) {
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1953 sslerr = SSL_get_error(c->ssl->connection, n);
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1954
396 6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1955 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
6f3b20c1ac50 nginx-0.0.7-2004-07-18-23:11:20 import Igor Sysoev <igor@sysoev.ru> parents: 395 diff changeset	1956 "SSL_get_error: %d", sslerr);
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1957 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1958
1865 4bcbb0fe5c8d fix bogus crit log message "SSL_shutdown() failed" introduced in r1755 Igor Sysoev <igor@sysoev.ru> parents: 1861 diff changeset	1959 if (n == 1 \|\| sslerr == 0 \|\| sslerr == SSL_ERROR_ZERO_RETURN) {
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1960 SSL_free(c->ssl->connection);
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1961 c->ssl = NULL;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1962
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1963 return NGX_OK;
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1964 }
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1965
427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1966 if (sslerr == SSL_ERROR_WANT_READ \|\| sslerr == SSL_ERROR_WANT_WRITE) {
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1967 c->read->handler = ngx_ssl_shutdown_handler;
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1968 c->write->handler = ngx_ssl_shutdown_handler;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1969
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1970 if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1971 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1972 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1973
2388 722b5aff05ae use "!= NGX_OK" instead of "== NGX_ERROR" Igor Sysoev <igor@sysoev.ru> parents: 2315 diff changeset	1974 if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1975 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1976 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1977
1754 427d442e1ad8 SSL_shutdown() never returns -1, on error it returns 0. Igor Sysoev <igor@sysoev.ru> parents: 1743 diff changeset	1978 if (sslerr == SSL_ERROR_WANT_READ) {
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1979 ngx_add_timer(c->read, 30000);
d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1980 }
d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	1981
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1982 return NGX_AGAIN;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1983 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1984
591 8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1985 err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1986
8c0cdd81580e nginx-0.3.17-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 589 diff changeset	1987 ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed");
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1988
543 511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1989 SSL_free(c->ssl->connection);
511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1990 c->ssl = NULL;
511a89da35ad nginx-0.2.0-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 541 diff changeset	1991
394 e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1992 return NGX_ERROR;
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1993 }
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1994
e7a68e14ccd3 nginx-0.0.7-2004-07-16-10:33:35 import Igor Sysoev <igor@sysoev.ru> parents: 393 diff changeset	1995
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	1996 static void
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1997 ngx_ssl_shutdown_handler(ngx_event_t *ev)
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1998 {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	1999 ngx_connection_t *c;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2000 ngx_connection_handler_pt handler;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2001
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2002 c = ev->data;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2003 handler = c->ssl->handler;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2004
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2005 if (ev->timedout) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2006 c->timedout = 1;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2007 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2008
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2009 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler");
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2010
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2011 if (ngx_ssl_shutdown(c) == NGX_AGAIN) {
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2012 return;
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2013 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2014
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2015 handler(c);
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2016 }
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2017
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2018
4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2019 static void
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2020 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2021 char *text)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2022 {
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2023 int n;
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2024 ngx_uint_t level;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2025
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2026 level = NGX_LOG_CRIT;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2027
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2028 if (sslerr == SSL_ERROR_SYSCALL) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2029
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2030 if (err == NGX_ECONNRESET
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2031 \|\| err == NGX_EPIPE
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2032 \|\| err == NGX_ENOTCONN
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	2033 \|\| err == NGX_ETIMEDOUT
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2034 \|\| err == NGX_ECONNREFUSED
1869 192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	2035 \|\| err == NGX_ENETDOWN
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	2036 \|\| err == NGX_ENETUNREACH
192443881e51 add NGX_ENETDOWN, NGX_ENETUNREACH, and NGX_EHOSTDOWN Igor Sysoev <igor@sysoev.ru> parents: 1868 diff changeset	2037 \|\| err == NGX_EHOSTDOWN
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2038 \|\| err == NGX_EHOSTUNREACH)
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2039 {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2040 switch (c->log_error) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2041
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2042 case NGX_ERROR_IGNORE_ECONNRESET:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2043 case NGX_ERROR_INFO:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2044 level = NGX_LOG_INFO;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2045 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2046
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2047 case NGX_ERROR_ERR:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2048 level = NGX_LOG_ERR;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2049 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2050
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2051 default:
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2052 break;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2053 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2054 }
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2055
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2056 } else if (sslerr == SSL_ERROR_SSL) {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2057
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2058 n = ERR_GET_REASON(ERR_peek_error());
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2059
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2060 /* handshake failures */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2061 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2062 \|\| n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */
3718 bfd84b583868 decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3516 diff changeset	2063 \|\| n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2064 \|\| n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2065 \|\| n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
7412 6c52c99c475e SSL: logging level of "https proxy request" errors. Maxim Dounin <mdounin@mdounin.ru> parents: 7092 diff changeset	2066 \|\| n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */
6c52c99c475e SSL: logging level of "https proxy request" errors. Maxim Dounin <mdounin@mdounin.ru> parents: 7092 diff changeset	2067 \|\| n == SSL_R_HTTP_REQUEST /* 156 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2068 \|\| n == SSL_R_LENGTH_MISMATCH /* 159 */
6652 1891b2892b68 SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6591 diff changeset	2069 #ifdef SSL_R_NO_CIPHERS_PASSED
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2070 \|\| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
6652 1891b2892b68 SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6591 diff changeset	2071 #endif
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2072 \|\| n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2073 \|\| n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2074 \|\| n == SSL_R_NO_SHARED_CIPHER /* 193 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2075 \|\| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2076 #ifdef SSL_R_PARSE_TLSEXT
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2077 \|\| n == SSL_R_PARSE_TLSEXT /* 227 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2078 #endif
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2079 \|\| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2080 \|\| n == SSL_R_UNEXPECTED_RECORD /* 245 */
3455 028f0892e0cd decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3357 diff changeset	2081 \|\| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
3357 fc735aa50b8b decrease SSL handshake error level to info Igor Sysoev <igor@sysoev.ru> parents: 3300 diff changeset	2082 \|\| n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2083 \|\| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2084 \|\| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
4228 5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2085 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2086 \|\| n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2087 \|\| n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2088 \|\| n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2089 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2090 #ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2091 \|\| n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2092 #endif
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2093 #ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2094 \|\| n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */
5fef0313f2ff Decrease of log level of some SSL handshake errors. Igor Sysoev <igor@sysoev.ru> parents: 4186 diff changeset	2095 #endif
5902 b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662). Maxim Dounin <mdounin@mdounin.ru> parents: 5892 diff changeset	2096 #ifdef SSL_R_INAPPROPRIATE_FALLBACK
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662). Maxim Dounin <mdounin@mdounin.ru> parents: 5892 diff changeset	2097 \|\| n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
b7a37f6a25ea SSL: logging level of "inappropriate fallback" (ticket #662). Maxim Dounin <mdounin@mdounin.ru> parents: 5892 diff changeset	2098 #endif
1877 a55876dff8f5 low SSL handshake close notify alert error level Igor Sysoev <igor@sysoev.ru> parents: 1876 diff changeset	2099 \|\| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
6486 978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2100 #ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
2315 31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2101 \|\| n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2102 \|\| n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2103 \|\| n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2104 \|\| n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2105 \|\| n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2106 \|\| n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2107 \|\| n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2108 \|\| n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2109 \|\| n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2110 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2111 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2112 \|\| n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2113 \|\| n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2114 \|\| n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2115 \|\| n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2116 \|\| n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2117 \|\| n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2118 \|\| n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2119 \|\| n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2120 \|\| n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2121 \|\| n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */
31fafd8e7436 low some SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 2280 diff changeset	2122 \|\| n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */
6486 978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2123 \|\| n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2124 #endif
978ad80b3732 SSL: guarded error codes not present in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6485 diff changeset	2125 )
1876 5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2126 {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2127 switch (c->log_error) {
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2128
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2129 case NGX_ERROR_IGNORE_ECONNRESET:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2130 case NGX_ERROR_INFO:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2131 level = NGX_LOG_INFO;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2132 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2133
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2134 case NGX_ERROR_ERR:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2135 level = NGX_LOG_ERR;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2136 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2137
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2138 default:
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2139 break;
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2140 }
5d663752fd96 low SSL handshake errors level Igor Sysoev <igor@sysoev.ru> parents: 1873 diff changeset	2141 }
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2142 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2143
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2144 ngx_ssl_error(level, c->log, err, text);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2145 }
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2146
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2147
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2148 static void
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2149 ngx_ssl_clear_error(ngx_log_t *log)
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2150 {
1868 c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	2151 while (ERR_peek_error()) {
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2152 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2153 }
1868 c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	2154
c2cd0720f292 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1865 diff changeset	2155 ERR_clear_error();
1755 59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2156 }
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2157
59e36c1c6296 cleaning stale global SSL error Igor Sysoev <igor@sysoev.ru> parents: 1754 diff changeset	2158
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2159 void ngx_cdecl
489 45a460f82aec nginx-0.1.19-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 479 diff changeset	2160 ngx_ssl_error(ngx_uint_t level, ngx_log_t log, ngx_err_t err, char fmt, ...)
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	2161 {
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2162 int flags;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2163 u_long n;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2164 va_list args;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2165 u_char p, last;
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2166 u_char errstr[NGX_MAX_CONF_ERRSTR];
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2167 const char *data;
461 a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	2168
a88a3e4e158f nginx-0.1.5-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 455 diff changeset	2169 last = errstr + NGX_MAX_CONF_ERRSTR;
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2170
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2171 va_start(args, fmt);
2764 d4a717592877 use ngx_vslprintf(), ngx_slprintf() Igor Sysoev <igor@sysoev.ru> parents: 2720 diff changeset	2172 p = ngx_vslprintf(errstr, last - 1, fmt, args);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2173 va_end(args);
5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2174
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2175 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2176
1861 f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	2177 for ( ;; ) {
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2178
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2179 n = ERR_peek_error_line_data(NULL, NULL, &data, &flags);
583 4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2180
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2181 if (n == 0) {
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2182 break;
4e296b7d25bf nginx-0.3.13-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 577 diff changeset	2183 }
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2184
6775 8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error(). Valentin Bartenev <vbart@nginx.com> parents: 6725 diff changeset	2185 /* ERR_error_string_n() requires at least one byte */
8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error(). Valentin Bartenev <vbart@nginx.com> parents: 6725 diff changeset	2186
8081e1f3ab8b SSL: overcame possible buffer over-read in ngx_ssl_error(). Valentin Bartenev <vbart@nginx.com> parents: 6725 diff changeset	2187 if (p >= last - 1) {
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2188 goto next;
1861 f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	2189 }
f00b30557c81 pull all errors Igor Sysoev <igor@sysoev.ru> parents: 1860 diff changeset	2190
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2191 *p++ = ' ';
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2192
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2193 ERR_error_string_n(n, (char *) p, last - p);
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2194
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2195 while (p < last && *p) {
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2196 p++;
818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2197 }
4877 f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2198
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2199 if (p < last && *data && (flags & ERR_TXT_STRING)) {
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2200 *p++ = ':';
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2201 p = ngx_cpystrn(p, (u_char *) data, last - p);
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2202 }
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2203
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2204 next:
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2205
f2e450929c1f OCSP stapling: log error data in ngx_ssl_error(). Maxim Dounin <mdounin@mdounin.ru> parents: 4875 diff changeset	2206 (void) ERR_get_error();
547 818fbd4750b9 nginx-0.2.2-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 543 diff changeset	2207 }
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2208
6259 2f34ea503ac4 SSL: handled long string truncation in ngx_ssl_error(). Vladimir Homutov <vl@nginx.com> parents: 6255 diff changeset	2209 ngx_log_error(level, log, err, "%*s)", p - errstr, errstr);
393 5659d773cfa8 nginx-0.0.7-2004-07-15-20:35:51 import Igor Sysoev <igor@sysoev.ru> parents: diff changeset	2210 }
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2211
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	2212
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2213 ngx_int_t
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2214 ngx_ssl_session_cache(ngx_ssl_t ssl, ngx_str_t sess_ctx,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2215 ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2216 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2217 long cache_mode;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2218
5424 767aa37f12de SSL: SSL_CTX_set_timeout() now always called. Maxim Dounin <mdounin@mdounin.ru> parents: 5423 diff changeset	2219 SSL_CTX_set_timeout(ssl->ctx, (long) timeout);
767aa37f12de SSL: SSL_CTX_set_timeout() now always called. Maxim Dounin <mdounin@mdounin.ru> parents: 5423 diff changeset	2220
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2221 if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2222 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2223 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2224
1778 14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2225 if (builtin_session_cache == NGX_SSL_NO_SCACHE) {
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2226 SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF);
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2227 return NGX_OK;
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2228 }
14510c3cc6cb ssl_session_cache off Igor Sysoev <igor@sysoev.ru> parents: 1760 diff changeset	2229
2032 12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2230 if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2231
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2232 /*
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2233 * If the server explicitly says that it does not support
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2234 * session reuse (see SSL_SESS_CACHE_OFF above), then
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2235 * Outlook Express fails to upload a sent email to
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2236 * the Sent Items folder on the IMAP server via a separate IMAP
6552 addd98357629 SSL: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6551 diff changeset	2237 * connection in the background. Therefore we have a special
2032 12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2238 * mode (SSL_SESS_CACHE_SERVER\|SSL_SESS_CACHE_NO_INTERNAL_STORE)
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2239 * where the server pretends that it supports session reuse,
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2240 * but it does not actually store any session.
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2241 */
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2242
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2243 SSL_CTX_set_session_cache_mode(ssl->ctx,
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2244 SSL_SESS_CACHE_SERVER
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2245 \|SSL_SESS_CACHE_NO_AUTO_CLEAR
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2246 \|SSL_SESS_CACHE_NO_INTERNAL_STORE);
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2247
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2248 SSL_CTX_sess_set_cache_size(ssl->ctx, 1);
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2249
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2250 return NGX_OK;
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2251 }
12b3ad3353f9 ssl_session_cache none Igor Sysoev <igor@sysoev.ru> parents: 1977 diff changeset	2252
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2253 cache_mode = SSL_SESS_CACHE_SERVER;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2254
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2255 if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2256 cache_mode \|= SSL_SESS_CACHE_NO_INTERNAL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2257 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2258
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2259 SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2260
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2261 if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2262
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2263 if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2264 SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2265 }
1015 32ebb6b13ff3 ssl_session_timeout was set only if builtin cache was used Igor Sysoev <igor@sysoev.ru> parents: 1014 diff changeset	2266 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2267
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2268 if (shm_zone) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2269 SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2270 SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2271 SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2272
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2273 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2274 == 0)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2275 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2276 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2277 "SSL_CTX_set_ex_data() failed");
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2278 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2279 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2280 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2281
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2282 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2283 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2284
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2285
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2286 static ngx_int_t
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2287 ngx_ssl_session_id_context(ngx_ssl_t ssl, ngx_str_t sess_ctx)
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2288 {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2289 int n, i;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2290 X509 *cert;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2291 X509_NAME *name;
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2292 EVP_MD_CTX *md;
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2293 unsigned int len;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2294 STACK_OF(X509_NAME) *list;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2295 u_char buf[EVP_MAX_MD_SIZE];
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2296
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2297 /*
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2298 * Session ID context is set based on the string provided,
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2299 * the server certificates, and the client CA list.
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2300 */
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2301
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2302 md = EVP_MD_CTX_create();
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2303 if (md == NULL) {
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2304 return NGX_ERROR;
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2305 }
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2306
ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2307 if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2308 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2309 "EVP_DigestInit_ex() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2310 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2311 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2312
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2313 if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2314 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2315 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2316 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2317 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2318
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2319 for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2320 cert;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2321 cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2322 {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2323 if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2324 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2325 "X509_digest() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2326 goto failed;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2327 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2328
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2329 if (EVP_DigestUpdate(md, buf, len) == 0) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2330 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2331 "EVP_DigestUpdate() failed");
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2332 goto failed;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	2333 }
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2334 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2335
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2336 list = SSL_CTX_get_client_CA_list(ssl->ctx);
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2337
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2338 if (list != NULL) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2339 n = sk_X509_NAME_num(list);
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2340
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2341 for (i = 0; i < n; i++) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2342 name = sk_X509_NAME_value(list, i);
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2343
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2344 if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2345 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2346 "X509_NAME_digest() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2347 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2348 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2349
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2350 if (EVP_DigestUpdate(md, buf, len) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2351 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2352 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2353 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2354 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2355 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2356 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2357
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2358 if (EVP_DigestFinal_ex(md, buf, &len) == 0) {
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2359 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2360 "EVP_DigestUpdate() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2361 goto failed;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2362 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2363
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2364 EVP_MD_CTX_destroy(md);
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2365
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2366 if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) {
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2367 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2368 "SSL_CTX_set_session_id_context() failed");
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2369 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2370 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2371
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2372 return NGX_OK;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2373
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2374 failed:
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2375
6490 ddf761495ce6 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6489 diff changeset	2376 EVP_MD_CTX_destroy(md);
5834 ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2377
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2378 return NGX_ERROR;
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2379 }
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2380
ca63fc5ed9b1 SSL: session id context now includes certificate hash. Maxim Dounin <mdounin@mdounin.ru> parents: 5823 diff changeset	2381
3992 a1dd9dc754ab A new fix for the case when ssl_session_cache defined, but ssl is not Igor Sysoev <igor@sysoev.ru> parents: 3962 diff changeset	2382 ngx_int_t
993 1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2383 ngx_ssl_session_cache_init(ngx_shm_zone_t shm_zone, void data)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2384 {
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2385 size_t len;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2386 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2387 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2388
993 1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2389 if (data) {
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2390 shm_zone->data = data;
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2391 return NGX_OK;
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2392 }
1b9a4d92173f pass the inherited shm_zone data Igor Sysoev <igor@sysoev.ru> parents: 989 diff changeset	2393
5640 4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528). Maxim Dounin <mdounin@mdounin.ru> parents: 5634 diff changeset	2394 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528). Maxim Dounin <mdounin@mdounin.ru> parents: 5634 diff changeset	2395
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2396 if (shm_zone->shm.exists) {
5640 4c6ceca4f5f7 Win32: fixed shared ssl_session_cache (ticket #528). Maxim Dounin <mdounin@mdounin.ru> parents: 5634 diff changeset	2397 shm_zone->data = shpool->data;
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2398 return NGX_OK;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2399 }
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2400
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2401 cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t));
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2402 if (cache == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2403 return NGX_ERROR;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2404 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2405
2720 b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2406 shpool->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2407 shm_zone->data = cache;
b3b8c66bd520 support attaching to an existent Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2716 diff changeset	2408
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2409 ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel,
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2410 ngx_ssl_session_rbtree_insert_value);
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2411
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2412 ngx_queue_init(&cache->expire_queue);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2413
2716 d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2710 diff changeset	2414 len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len;
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2415
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2416 shpool->log_ctx = ngx_slab_alloc(shpool, len);
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2417 if (shpool->log_ctx == NULL) {
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2418 return NGX_ERROR;
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2419 }
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2420
2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2421 ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z",
2716 d5896f6608e8 move zone name from ngx_shm_zone_t to ngx_shm_t to use Win32 shared memory Igor Sysoev <igor@sysoev.ru> parents: 2710 diff changeset	2422 &shm_zone->shm.name);
2611 2bce3f6416c6 improve ngx_slab_alloc() error logging Igor Sysoev <igor@sysoev.ru> parents: 2536 diff changeset	2423
5634 5024d29354f1 Core: slab log_nomem flag. Maxim Dounin <mdounin@mdounin.ru> parents: 5573 diff changeset	2424 shpool->log_nomem = 0;
5024d29354f1 Core: slab log_nomem flag. Maxim Dounin <mdounin@mdounin.ru> parents: 5573 diff changeset	2425
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2426 return NGX_OK;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2427 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2428
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2429
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2430 /*
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2431 * The length of the session id is 16 bytes for SSLv2 sessions and
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2432 * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes.
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2433 * It seems that the typical length of the external ASN1 representation
5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2434 * of a session is 118 or 119 bytes for SSLv3/TSLv1.
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2435 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2436 * Thus on 32-bit platforms we allocate separately an rbtree node,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2437 * a session id, and an ASN1 representation, they take accordingly
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2438 * 64, 32, and 128 bytes.
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2439 *
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2440 * On 64-bit platforms we allocate separately an rbtree node + session_id,
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2441 * and an ASN1 representation, they take accordingly 128 and 128 bytes.
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2442 *
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2443 * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2444 * so they are outside the code locked by shared pool mutex
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2445 */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2446
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2447 static int
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2448 ngx_ssl_new_session(ngx_ssl_conn_t ssl_conn, ngx_ssl_session_t sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2449 {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2450 int len;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2451 u_char p, id, cached_sess, session_id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2452 uint32_t hash;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2453 SSL_CTX *ssl_ctx;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2454 unsigned int session_id_length;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2455 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2456 ngx_connection_t *c;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2457 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2458 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2459 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2460 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2461
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2462 len = i2d_SSL_SESSION(sess, NULL);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2463
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2464 /* do not cache too big session */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2465
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2466 if (len > (int) NGX_SSL_MAX_SESSION_SIZE) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2467 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2468 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2469
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2470 p = buf;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2471 i2d_SSL_SESSION(sess, &p);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2472
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2473 c = ngx_ssl_get_connection(ssl_conn);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2474
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	2475 ssl_ctx = c->ssl->session_ctx;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2476 shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2477
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2478 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2479 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2480
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2481 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2482
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2483 /* drop one or two expired sessions */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2484 ngx_ssl_expire_sessions(cache, shpool, 1);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2485
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2486 cached_sess = ngx_slab_alloc_locked(shpool, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2487
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2488 if (cached_sess == NULL) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2489
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2490 /* drop the oldest non-expired session and try once more */
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2491
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2492 ngx_ssl_expire_sessions(cache, shpool, 0);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2493
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2494 cached_sess = ngx_slab_alloc_locked(shpool, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2495
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2496 if (cached_sess == NULL) {
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2497 sess_id = NULL;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2498 goto failed;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2499 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2500 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2501
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2502 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2503
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2504 if (sess_id == NULL) {
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2505
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2506 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2507
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2508 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2509
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2510 sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t));
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2511
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2512 if (sess_id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2513 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2514 }
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2515 }
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2516
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2517 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2518
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2519 session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2520
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2521 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2522
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2523 session_id = sess->session_id;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2524 session_id_length = sess->session_id_length;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2525
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2526 #endif
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2527
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2528 #if (NGX_PTR_SIZE == 8)
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2529
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2530 id = sess_id->sess_id;
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2531
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2532 #else
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2533
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2534 id = ngx_slab_alloc_locked(shpool, session_id_length);
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2535
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2536 if (id == NULL) {
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2537
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2538 /* drop the oldest non-expired session and try once more */
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2539
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2540 ngx_ssl_expire_sessions(cache, shpool, 0);
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2541
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2542 id = ngx_slab_alloc_locked(shpool, session_id_length);
5081 bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2543
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2544 if (id == NULL) {
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2545 goto failed;
bebcc2f837d3 SSL: retry "sess_id" and "id" allocations. Maxim Dounin <mdounin@mdounin.ru> parents: 5024 diff changeset	2546 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2547 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2548
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2549 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2550
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2551 ngx_memcpy(cached_sess, buf, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2552
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2553 ngx_memcpy(id, session_id, session_id_length);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2554
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2555 hash = ngx_crc32_short(session_id, session_id_length);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2556
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2557 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2558 "ssl new session: %08XD:%ud:%d",
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2559 hash, session_id_length, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2560
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2561 sess_id->node.key = hash;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2562 sess_id->node.data = (u_char) session_id_length;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2563 sess_id->id = id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2564 sess_id->len = len;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2565 sess_id->session = cached_sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2566
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	2567 sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2568
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2569 ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2570
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2571 ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2572
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2573 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2574
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2575 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2576
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2577 failed:
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2578
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2579 if (cached_sess) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2580 ngx_slab_free_locked(shpool, cached_sess);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2581 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2582
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2583 if (sess_id) {
ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2584 ngx_slab_free_locked(shpool, sess_id);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2585 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2586
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2587 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2588
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2589 ngx_log_error(NGX_LOG_ALERT, c->log, 0,
5634 5024d29354f1 Core: slab log_nomem flag. Maxim Dounin <mdounin@mdounin.ru> parents: 5573 diff changeset	2590 "could not allocate new session%s", shpool->log_ctx);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2591
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2592 return 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2593 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2594
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2595
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2596 static ngx_ssl_session_t *
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2597 ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn,
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2598 #if OPENSSL_VERSION_NUMBER >= 0x10100003L
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2599 const
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2600 #endif
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2601 u_char id, int len, int copy)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2602 {
989 5595e47d4f17 d2i_SSL_SESSION() was changed in 0.9.7f Igor Sysoev <igor@sysoev.ru> parents: 974 diff changeset	2603 #if OPENSSL_VERSION_NUMBER >= 0x0090707fL
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2604 const
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2605 #endif
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2606 u_char *p;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2607 uint32_t hash;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2608 ngx_int_t rc;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2609 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2610 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2611 ngx_rbtree_node_t node, sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2612 ngx_ssl_session_t *sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2613 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2614 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2615 u_char buf[NGX_SSL_MAX_SESSION_SIZE];
3961 4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	2616 ngx_connection_t *c;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2617
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2618 hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2619 *copy = 0;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2620
3961 4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	2621 c = ngx_ssl_get_connection(ssl_conn);
4048aa055411 fix build by gcc46 with -Wunused-value option Igor Sysoev <igor@sysoev.ru> parents: 3960 diff changeset	2622
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2623 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
3155 e720c4a68ee0 fix debug log message Igor Sysoev <igor@sysoev.ru> parents: 3154 diff changeset	2624 "ssl get session: %08XD:%d", hash, len);
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	2625
97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	2626 shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx,
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2627 ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2628
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2629 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2630
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2631 sess = NULL;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2632
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2633 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2634
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2635 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2636
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2637 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2638 sentinel = cache->session_rbtree.sentinel;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2639
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2640 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2641
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2642 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2643 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2644 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2645 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2646
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2647 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2648 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2649 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2650 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2651
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	2652 /* hash == node->key */
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	2653
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2654 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2655
6487 9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2656 rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id,
9dd43f4ef67e SSL: get_session callback changed in OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6486 diff changeset	2657 (size_t) len, (size_t) node->data);
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2658
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2659 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2660
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2661 if (sess_id->expire > ngx_time()) {
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2662 ngx_memcpy(buf, sess_id->session, sess_id->len);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2663
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2664 ngx_shmtx_unlock(&shpool->mutex);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2665
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2666 p = buf;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2667 sess = d2i_SSL_SESSION(NULL, &p, sess_id->len);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2668
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2669 return sess;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2670 }
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2671
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2672 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2673
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2674 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2675
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2676 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2677 #if (NGX_PTR_SIZE == 4)
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2678 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2679 #endif
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2680 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2681
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2682 sess = NULL;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2683
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2684 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2685 }
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2686
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2687 node = (rc < 0) ? node->left : node->right;
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	2688 }
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2689
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	2690 done:
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2691
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2692 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2693
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2694 return sess;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2695 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2696
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2697
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2698 void
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2699 ngx_ssl_remove_cached_session(SSL_CTX ssl, ngx_ssl_session_t sess)
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2700 {
6474 2cd019520210 Style. Ruslan Ermilov <ru@nginx.com> parents: 6407 diff changeset	2701 SSL_CTX_remove_session(ssl, sess);
2cd019520210 Style. Ruslan Ermilov <ru@nginx.com> parents: 6407 diff changeset	2702
2cd019520210 Style. Ruslan Ermilov <ru@nginx.com> parents: 6407 diff changeset	2703 ngx_ssl_remove_session(ssl, sess);
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2704 }
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2705
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2706
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2707 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2708 ngx_ssl_remove_session(SSL_CTX ssl, ngx_ssl_session_t sess)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2709 {
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2710 u_char *id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2711 uint32_t hash;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2712 ngx_int_t rc;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2713 unsigned int len;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2714 ngx_shm_zone_t *shm_zone;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2715 ngx_slab_pool_t *shpool;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2716 ngx_rbtree_node_t node, sentinel;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2717 ngx_ssl_sess_id_t *sess_id;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2718 ngx_ssl_session_cache_t *cache;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2719
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2720 shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2721
1924 291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2722 if (shm_zone == NULL) {
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2723 return;
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2724 }
291689a7e5dc invalidate SSL session if there is no valid client certificate Igor Sysoev <igor@sysoev.ru> parents: 1877 diff changeset	2725
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2726 cache = shm_zone->data;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2727
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2728 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2729
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2730 id = (u_char *) SSL_SESSION_get_id(sess, &len);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2731
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2732 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2733
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2734 id = sess->session_id;
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2735 len = sess->session_id_length;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2736
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2737 #endif
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2738
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2739 hash = ngx_crc32_short(id, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2740
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2741 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	2742 "ssl remove session: %08XD:%ud", hash, len);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2743
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2744 shpool = (ngx_slab_pool_t *) shm_zone->shm.addr;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2745
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2746 ngx_shmtx_lock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2747
1759 89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2748 node = cache->session_rbtree.root;
89234cfbf810 embed session_rbtree and sentinel inside ngx_ssl_session_cache_t Igor Sysoev <igor@sysoev.ru> parents: 1758 diff changeset	2749 sentinel = cache->session_rbtree.sentinel;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2750
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2751 while (node != sentinel) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2752
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2753 if (hash < node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2754 node = node->left;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2755 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2756 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2757
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2758 if (hash > node->key) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2759 node = node->right;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2760 continue;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2761 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2762
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	2763 /* hash == node->key */
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2764
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2765 sess_id = (ngx_ssl_sess_id_t *) node;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2766
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2767 rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2768
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2769 if (rc == 0) {
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2770
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2771 ngx_queue_remove(&sess_id->queue);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2772
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2773 ngx_rbtree_delete(&cache->session_rbtree, node);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2774
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2775 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2776 #if (NGX_PTR_SIZE == 4)
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2777 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2778 #endif
4497 95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2779 ngx_slab_free_locked(shpool, sess_id);
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2780
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2781 goto done;
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2782 }
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2783
95ab6658654a Fix of rbtree lookup on hash collisions. Maxim Dounin <mdounin@mdounin.ru> parents: 4414 diff changeset	2784 node = (rc < 0) ? node->left : node->right;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2785 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2786
1013 7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	2787 done:
7dd987e09701 stop rbtree search early if equal hash was found Igor Sysoev <igor@sysoev.ru> parents: 993 diff changeset	2788
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2789 ngx_shmtx_unlock(&shpool->mutex);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2790 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2791
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2792
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2793 static void
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2794 ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2795 ngx_slab_pool_t *shpool, ngx_uint_t n)
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2796 {
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	2797 time_t now;
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2798 ngx_queue_t *q;
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2799 ngx_ssl_sess_id_t *sess_id;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2800
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	2801 now = ngx_time();
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2802
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2803 while (n < 3) {
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2804
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2805 if (ngx_queue_empty(&cache->expire_queue)) {
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2806 return;
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2807 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2808
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2809 q = ngx_queue_last(&cache->expire_queue);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2810
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2811 sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2812
1757 7ab8bd535eed use ngx_time() instead of ngx_timeofday() Igor Sysoev <igor@sysoev.ru> parents: 1756 diff changeset	2813 if (n++ != 0 && sess_id->expire > now) {
1439 36548ad85be1 style fix Igor Sysoev <igor@sysoev.ru> parents: 1426 diff changeset	2814 return;
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2815 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2816
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2817 ngx_queue_remove(q);
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2818
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2819 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0,
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2820 "expire session: %08Xi", sess_id->node.key);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2821
1760 49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2822 ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node);
49429f5b2d94 use ngx_queue.h Igor Sysoev <igor@sysoev.ru> parents: 1759 diff changeset	2823
1014 5ffd76a9ccf3 optimize the SSL session cache allocations Igor Sysoev <igor@sysoev.ru> parents: 1013 diff changeset	2824 ngx_slab_free_locked(shpool, sess_id->session);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2825 #if (NGX_PTR_SIZE == 4)
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2826 ngx_slab_free_locked(shpool, sess_id->id);
1017 ee25c79bea34 optimize the SSL session cache allocations on 64-bit platforms Igor Sysoev <igor@sysoev.ru> parents: 1015 diff changeset	2827 #endif
974 8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2828 ngx_slab_free_locked(shpool, sess_id);
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2829 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2830 }
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2831
8dfb3aa75de2 move the session cache callbacks to the ngx_openssl_module Igor Sysoev <igor@sysoev.ru> parents: 969 diff changeset	2832
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2833 static void
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2834 ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp,
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2835 ngx_rbtree_node_t node, ngx_rbtree_node_t sentinel)
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2836 {
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2837 ngx_rbtree_node_t **p;
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2838 ngx_ssl_sess_id_t sess_id, sess_id_temp;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2839
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2840 for ( ;; ) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2841
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2842 if (node->key < temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2843
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2844 p = &temp->left;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2845
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2846 } else if (node->key > temp->key) {
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2847
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2848 p = &temp->right;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2849
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2850 } else { /* node->key == temp->key */
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2851
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2852 sess_id = (ngx_ssl_sess_id_t *) node;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2853 sess_id_temp = (ngx_ssl_sess_id_t *) temp;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2854
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2855 p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id,
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2856 (size_t) node->data, (size_t) temp->data)
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2857 < 0) ? &temp->left : &temp->right;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2858 }
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2859
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2860 if (*p == sentinel) {
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2861 break;
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2862 }
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2863
4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2864 temp = *p;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2865 }
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2866
1743 4fc402c3ec73 optimize rbtree initialization and insert Igor Sysoev <igor@sysoev.ru> parents: 1439 diff changeset	2867 *p = node;
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2868 node->parent = temp;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2869 node->left = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2870 node->right = sentinel;
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2871 ngx_rbt_red(node);
1043 7073b87fa8e9 style fix: remove trailing spaces Igor Sysoev <igor@sysoev.ru> parents: 1029 diff changeset	2872 }
1027 ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2873
ff07ccfaad50 fix duplicate rbtree keys case Igor Sysoev <igor@sysoev.ru> parents: 1025 diff changeset	2874
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2875 #ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2876
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2877 ngx_int_t
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2878 ngx_ssl_session_ticket_keys(ngx_conf_t cf, ngx_ssl_t ssl, ngx_array_t *paths)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2879 {
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2880 u_char buf[80];
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2881 size_t size;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2882 ssize_t n;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2883 ngx_str_t *path;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2884 ngx_file_t file;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2885 ngx_uint_t i;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2886 ngx_array_t *keys;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2887 ngx_file_info_t fi;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2888 ngx_ssl_session_ticket_key_t *key;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2889
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2890 if (paths == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2891 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2892 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2893
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2894 keys = ngx_array_create(cf->pool, paths->nelts,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2895 sizeof(ngx_ssl_session_ticket_key_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2896 if (keys == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2897 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2898 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2899
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2900 path = paths->elts;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2901 for (i = 0; i < paths->nelts; i++) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2902
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2903 if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2904 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2905 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2906
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2907 ngx_memzero(&file, sizeof(ngx_file_t));
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2908 file.name = path[i];
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2909 file.log = cf->log;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2910
7087 47b7ffc3339d Fixed calls to ngx_open_file() in certain places. Sergey Kandaurov <pluknet@nginx.com> parents: 7086 diff changeset	2911 file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY,
47b7ffc3339d Fixed calls to ngx_open_file() in certain places. Sergey Kandaurov <pluknet@nginx.com> parents: 7086 diff changeset	2912 NGX_FILE_OPEN, 0);
7086 577628e6b6a6 Style. Sergey Kandaurov <pluknet@nginx.com> parents: 7074 diff changeset	2913
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2914 if (file.fd == NGX_INVALID_FILE) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2915 ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2916 ngx_open_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2917 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2918 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2919
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2920 if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2921 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2922 ngx_fd_info_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2923 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2924 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2925
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2926 size = ngx_file_size(&fi);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2927
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2928 if (size != 48 && size != 80) {
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2929 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2930 "\"%V\" must be 48 or 80 bytes", &file.name);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2931 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2932 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2933
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2934 n = ngx_read_file(&file, buf, size, 0);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2935
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2936 if (n == NGX_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2937 ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2938 ngx_read_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2939 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2940 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2941
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2942 if ((size_t) n != size) {
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2943 ngx_conf_log_error(NGX_LOG_CRIT, cf, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2944 ngx_read_file_n " \"%V\" returned only "
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2945 "%z bytes instead of %uz", &file.name, n, size);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2946 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2947 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2948
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2949 key = ngx_array_push(keys);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2950 if (key == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2951 goto failed;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2952 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2953
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2954 if (size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2955 key->size = 48;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2956 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2957 ngx_memcpy(key->aes_key, buf + 16, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2958 ngx_memcpy(key->hmac_key, buf + 32, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2959
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2960 } else {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2961 key->size = 80;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2962 ngx_memcpy(key->name, buf, 16);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2963 ngx_memcpy(key->hmac_key, buf + 16, 32);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2964 ngx_memcpy(key->aes_key, buf + 48, 32);
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	2965 }
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2966
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2967 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2968 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2969 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2970 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2971 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2972
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2973 if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2974 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2975 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2976 ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2977 "SSL_CTX_set_ex_data() failed");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2978 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2979 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2980
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2981 if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2982 ngx_ssl_session_ticket_key_callback)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2983 == 0)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2984 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2985 ngx_log_error(NGX_LOG_WARN, cf->log, 0,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2986 "nginx was built with Session Tickets support, however, "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2987 "now it is linked dynamically to an OpenSSL library "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2988 "which has no tlsext support, therefore Session Tickets "
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2989 "are not available");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2990 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2991
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2992 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2993
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2994 failed:
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2995
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2996 if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2997 ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2998 ngx_close_file_n " \"%V\" failed", &file.name);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	2999 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3000
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3001 return NGX_ERROR;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3002 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3003
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3004
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3005 static int
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3006 ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3007 unsigned char name, unsigned char iv, EVP_CIPHER_CTX *ectx,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3008 HMAC_CTX *hctx, int enc)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3009 {
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3010 size_t size;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3011 SSL_CTX *ssl_ctx;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3012 ngx_uint_t i;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3013 ngx_array_t *keys;
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3014 ngx_connection_t *c;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3015 ngx_ssl_session_ticket_key_t *key;
6686 f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3016 const EVP_MD *digest;
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3017 const EVP_CIPHER *cipher;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3018 #if (NGX_DEBUG)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3019 u_char buf[32];
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3020 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3021
6261 97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3022 c = ngx_ssl_get_connection(ssl_conn);
97f102a13f33 SSL: preserve default server context in connection (ticket #235). Maxim Dounin <mdounin@mdounin.ru> parents: 6259 diff changeset	3023 ssl_ctx = c->ssl->session_ctx;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3024
6686 f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3025 #ifdef OPENSSL_NO_SHA256
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3026 digest = EVP_sha1();
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3027 #else
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3028 digest = EVP_sha256();
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3029 #endif
f28e74f02c88 SSL: factored out digest and cipher in session ticket callback. Sergey Kandaurov <pluknet@nginx.com> parents: 6660 diff changeset	3030
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3031 keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3032 if (keys == NULL) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3033 return -1;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3034 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3035
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3036 key = keys->elts;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3037
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3038 if (enc == 1) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3039 /* encrypt session ticket */
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3040
5657 3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. Maxim Dounin <mdounin@mdounin.ru> parents: 5640 diff changeset	3041 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3042 "ssl session ticket encrypt, key: \"%*s\" (%s session)",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3043 ngx_hex_dump(buf, key[0].name, 16) - buf, buf,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3044 SSL_session_reused(ssl_conn) ? "reused" : "new");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3045
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3046 if (key[0].size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3047 cipher = EVP_aes_128_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3048 size = 16;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3049
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3050 } else {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3051 cipher = EVP_aes_256_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3052 size = 32;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3053 }
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3054
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3055 if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3056 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3057 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3058 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3059
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3060 if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3061 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3062 "EVP_EncryptInit_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3063 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3064 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3065
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3066 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3067 if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3068 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3069 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3070 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3071 #else
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3072 HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL);
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3073 #endif
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3074
5760 4b668378ad8b Style: use ngx_memcpy() instead of memcpy(). Piotr Sikora <piotr@cloudflare.com> parents: 5756 diff changeset	3075 ngx_memcpy(name, key[0].name, 16);
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3076
6660 3eb1a92a2f05 SSL: adopted session ticket handling for OpenSSL 1.1.0. Sergey Kandaurov <pluknet@nginx.com> parents: 6659 diff changeset	3077 return 1;
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3078
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3079 } else {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3080 /* decrypt session ticket */
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3081
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3082 for (i = 0; i < keys->nelts; i++) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3083 if (ngx_memcmp(name, key[i].name, 16) == 0) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3084 goto found;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3085 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3086 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3087
5657 3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. Maxim Dounin <mdounin@mdounin.ru> parents: 5640 diff changeset	3088 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3089 "ssl session ticket decrypt, key: \"%*s\" not found",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3090 ngx_hex_dump(buf, name, 16) - buf, buf);
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3091
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3092 return 0;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3093
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3094 found:
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3095
5657 3b48f9e69e70 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. Maxim Dounin <mdounin@mdounin.ru> parents: 5640 diff changeset	3096 ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0,
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3097 "ssl session ticket decrypt, key: \"%*s\"%s",
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3098 ngx_hex_dump(buf, key[i].name, 16) - buf, buf,
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3099 (i == 0) ? " (default)" : "");
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3100
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3101 if (key[i].size == 48) {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3102 cipher = EVP_aes_128_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3103 size = 16;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3104
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3105 } else {
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3106 cipher = EVP_aes_256_cbc();
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3107 size = 32;
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3108 }
75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3109
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3110 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3111 if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3112 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3113 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3114 }
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3115 #else
6854 75e7d55214bd SSL: support AES256 encryption of tickets. Maxim Dounin <mdounin@mdounin.ru> parents: 6842 diff changeset	3116 HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL);
6687 dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3117 #endif
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3118
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3119 if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) {
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3120 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3121 "EVP_DecryptInit_ex() failed");
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3122 return -1;
dfa626cdde6b SSL: improved session ticket callback error handling. Sergey Kandaurov <pluknet@nginx.com> parents: 6686 diff changeset	3123 }
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3124
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3125 return (i == 0) ? 1 : 2 /* renew */;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3126 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3127 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3128
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3129 #else
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3130
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3131 ngx_int_t
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3132 ngx_ssl_session_ticket_keys(ngx_conf_t cf, ngx_ssl_t ssl, ngx_array_t *paths)
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3133 {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3134 if (paths) {
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3135 ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
7074 07a49cce21ca SSL: fixed typo in the error message. Sergey Kandaurov <pluknet@nginx.com> parents: 6995 diff changeset	3136 "\"ssl_session_ticket_key\" ignored, not supported");
5425 1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3137 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3138
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3139 return NGX_OK;
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3140 }
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3141
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3142 #endif
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3143
1356a3b96924 SSL: added ability to set keys used for Session Tickets (RFC5077). Piotr Sikora <piotr@cloudflare.com> parents: 5424 diff changeset	3144
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3145 void
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3146 ngx_ssl_cleanup_ctx(void *data)
9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3147 {
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	3148 ngx_ssl_t *ssl = data;
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3149
6548 8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3150 X509 cert, next;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3151
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3152 cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3153
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3154 while (cert) {
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3155 next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3156 X509_free(cert);
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3157 cert = next;
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3158 }
8a34e92d8ab5 SSL: made it possible to iterate though all certificates. Maxim Dounin <mdounin@mdounin.ru> parents: 6545 diff changeset	3159
589 d4e858a5751a nginx-0.3.16-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 583 diff changeset	3160 SSL_CTX_free(ssl->ctx);
509 9b8c906f6e63 nginx-0.1.29-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 501 diff changeset	3161 }
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	3162
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	3163
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3164 ngx_int_t
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3165 ngx_ssl_check_host(ngx_connection_t c, ngx_str_t name)
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3166 {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3167 X509 *cert;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3168
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3169 cert = SSL_get_peer_certificate(c->ssl->connection);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3170 if (cert == NULL) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3171 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3172 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3173
6725 9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 6699 diff changeset	3174 #ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3175
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3176 /* X509_check_host() is only available in OpenSSL 1.0.2+ */
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3177
5669 cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3178 if (name->len == 0) {
cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3179 goto failed;
cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3180 }
cac82b9b3499 SSL: explicit handling of empty names. Maxim Dounin <mdounin@mdounin.ru> parents: 5666 diff changeset	3181
5767 abd460ece11e SSL: fix build with recent OpenSSL. Piotr Sikora <piotr@cloudflare.com> parents: 5760 diff changeset	3182 if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) {
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3183 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3184 "X509_check_host(): no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3185 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3186 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3187
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3188 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3189 "X509_check_host(): match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3190
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3191 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3192
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3193 #else
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3194 {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3195 int n, i;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3196 X509_NAME *sname;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3197 ASN1_STRING *str;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3198 X509_NAME_ENTRY *entry;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3199 GENERAL_NAME *altname;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3200 STACK_OF(GENERAL_NAME) *altnames;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3201
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3202 /*
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3203 * As per RFC6125 and RFC2818, we check subjectAltName extension,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3204 * and if it's not present - commonName in Subject is checked.
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3205 */
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3206
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3207 altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3208
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3209 if (altnames) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3210 n = sk_GENERAL_NAME_num(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3211
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3212 for (i = 0; i < n; i++) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3213 altname = sk_GENERAL_NAME_value(altnames, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3214
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3215 if (altname->type != GEN_DNS) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3216 continue;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3217 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3218
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3219 str = altname->d.dNSName;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3220
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3221 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3222 "SSL subjectAltName: \"%*s\"",
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3223 ASN1_STRING_length(str), ASN1_STRING_data(str));
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3224
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3225 if (ngx_ssl_check_name(name, str) == NGX_OK) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3226 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3227 "SSL subjectAltName: match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3228 GENERAL_NAMES_free(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3229 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3230 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3231 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3232
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3233 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3234 "SSL subjectAltName: no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3235
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3236 GENERAL_NAMES_free(altnames);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3237 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3238 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3239
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3240 /*
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3241 * If there is no subjectAltName extension, check commonName
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3242 * in Subject. While RFC2818 requires to only check "most specific"
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3243 * CN, both Apache and OpenSSL check all CNs, and so do we.
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3244 */
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3245
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3246 sname = X509_get_subject_name(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3247
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3248 if (sname == NULL) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3249 goto failed;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3250 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3251
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3252 i = -1;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3253 for ( ;; ) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3254 i = X509_NAME_get_index_by_NID(sname, NID_commonName, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3255
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3256 if (i < 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3257 break;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3258 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3259
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3260 entry = X509_NAME_get_entry(sname, i);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3261 str = X509_NAME_ENTRY_get_data(entry);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3262
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3263 ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3264 "SSL commonName: \"%*s\"",
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3265 ASN1_STRING_length(str), ASN1_STRING_data(str));
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3266
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3267 if (ngx_ssl_check_name(name, str) == NGX_OK) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3268 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3269 "SSL commonName: match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3270 goto found;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3271 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3272 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3273
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3274 ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3275 "SSL commonName: no match");
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3276 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3277 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3278
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3279 failed:
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3280
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3281 X509_free(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3282 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3283
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3284 found:
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3285
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3286 X509_free(cert);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3287 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3288 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3289
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3290
6725 9b9ae81cd4f0 SSL: use X509_check_host() with LibreSSL. Maxim Dounin <mdounin@mdounin.ru> parents: 6699 diff changeset	3291 #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3292
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3293 static ngx_int_t
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3294 ngx_ssl_check_name(ngx_str_t name, ASN1_STRING pattern)
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3295 {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3296 u_char s, p, *end;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3297 size_t slen, plen;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3298
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3299 s = name->data;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3300 slen = name->len;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3301
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3302 p = ASN1_STRING_data(pattern);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3303 plen = ASN1_STRING_length(pattern);
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3304
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3305 if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3306 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3307 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3308
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3309 if (plen > 2 && p[0] == '*' && p[1] == '.') {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3310 plen -= 1;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3311 p += 1;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3312
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3313 end = s + slen;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3314 s = ngx_strlchr(s, end, '.');
5666 a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3315
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3316 if (s == NULL) {
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3317 return NGX_ERROR;
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3318 }
a77c0839c993 SSL: added explicit check for ngx_strlchr() result. Maxim Dounin <mdounin@mdounin.ru> parents: 5661 diff changeset	3319
5661 060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3320 slen = end - s;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3321
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3322 if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) {
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3323 return NGX_OK;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3324 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3325 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3326
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3327 return NGX_ERROR;
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3328 }
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3329
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3330 #endif
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3331
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3332
060c2e692b96 Upstream: proxy_ssl_verify and friends. Maxim Dounin <mdounin@mdounin.ru> parents: 5658 diff changeset	3333 ngx_int_t
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3334 ngx_ssl_get_protocol(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3335 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3336 s->data = (u_char *) SSL_get_version(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3337 return NGX_OK;
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3338 }
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3339
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3340
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3341 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3342 ngx_ssl_get_cipher_name(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3343 {
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3344 s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3345 return NGX_OK;
611 3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3346 }
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3347
3f8a2132b93d nginx-0.3.27-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 597 diff changeset	3348
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3349 ngx_int_t
6816 ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3350 ngx_ssl_get_ciphers(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3351 {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3352 #ifdef SSL_CTRL_GET_RAW_CIPHERLIST
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3353
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3354 int n, i, bytes;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3355 size_t len;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3356 u_char ciphers, p;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3357 const SSL_CIPHER *cipher;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3358
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3359 bytes = SSL_get0_raw_cipherlist(c->ssl->connection, NULL);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3360 n = SSL_get0_raw_cipherlist(c->ssl->connection, &ciphers);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3361
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3362 if (n <= 0) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3363 s->len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3364 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3365 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3366
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3367 len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3368 n /= bytes;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3369
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3370 for (i = 0; i < n; i++) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3371 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3372
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3373 if (cipher) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3374 len += ngx_strlen(SSL_CIPHER_get_name(cipher));
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3375
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3376 } else {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3377 len += sizeof("0x") - 1 + bytes * (sizeof("00") - 1);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3378 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3379
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3380 len += sizeof(":") - 1;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3381 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3382
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3383 s->data = ngx_pnalloc(pool, len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3384 if (s->data == NULL) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3385 return NGX_ERROR;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3386 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3387
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3388 p = s->data;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3389
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3390 for (i = 0; i < n; i++) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3391 cipher = SSL_CIPHER_find(c->ssl->connection, ciphers + i * bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3392
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3393 if (cipher) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3394 p = ngx_sprintf(p, "%s", SSL_CIPHER_get_name(cipher));
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3395
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3396 } else {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3397 p = ngx_sprintf(p, "0x");
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3398 p = ngx_hex_dump(p, ciphers + i * bytes, bytes);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3399 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3400
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3401 *p++ = ':';
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3402 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3403
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3404 p--;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3405
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3406 s->len = p - s->data;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3407
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3408 #else
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3409
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3410 u_char buf[4096];
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3411
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3412 if (SSL_get_shared_ciphers(c->ssl->connection, (char *) buf, 4096)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3413 == NULL)
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3414 {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3415 s->len = 0;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3416 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3417 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3418
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3419 s->len = ngx_strlen(buf);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3420 s->data = ngx_pnalloc(pool, s->len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3421 if (s->data == NULL) {
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3422 return NGX_ERROR;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3423 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3424
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3425 ngx_memcpy(s->data, buf, s->len);
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3426
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3427 #endif
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3428
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3429 return NGX_OK;
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3430 }
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3431
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3432
ea93c7d8752a SSL: $ssl_ciphers (ticket #870). Maxim Dounin <mdounin@mdounin.ru> parents: 6815 diff changeset	3433 ngx_int_t
6817 e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3434 ngx_ssl_get_curves(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3435 {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3436 #ifdef SSL_CTRL_GET_CURVES
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3437
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3438 int *curves, n, i, nid;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3439 u_char *p;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3440 size_t len;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3441
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3442 n = SSL_get1_curves(c->ssl->connection, NULL);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3443
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3444 if (n <= 0) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3445 s->len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3446 return NGX_OK;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3447 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3448
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3449 curves = ngx_palloc(pool, n * sizeof(int));
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3450
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3451 n = SSL_get1_curves(c->ssl->connection, curves);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3452 len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3453
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3454 for (i = 0; i < n; i++) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3455 nid = curves[i];
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3456
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3457 if (nid & TLSEXT_nid_unknown) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3458 len += sizeof("0x0000") - 1;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3459
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3460 } else {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3461 len += ngx_strlen(OBJ_nid2sn(nid));
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3462 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3463
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3464 len += sizeof(":") - 1;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3465 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3466
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3467 s->data = ngx_pnalloc(pool, len);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3468 if (s->data == NULL) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3469 return NGX_ERROR;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3470 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3471
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3472 p = s->data;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3473
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3474 for (i = 0; i < n; i++) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3475 nid = curves[i];
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3476
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3477 if (nid & TLSEXT_nid_unknown) {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3478 p = ngx_sprintf(p, "0x%04xd", nid & 0xffff);
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3479
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3480 } else {
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3481 p = ngx_sprintf(p, "%s", OBJ_nid2sn(nid));
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3482 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3483
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3484 *p++ = ':';
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3485 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3486
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3487 p--;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3488
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3489 s->len = p - s->data;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3490
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3491 #else
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3492
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3493 s->len = 0;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3494
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3495 #endif
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3496
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3497 return NGX_OK;
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3498 }
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3499
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3500
e75e854657ba SSL: $ssl_curves (ticket #1088). Maxim Dounin <mdounin@mdounin.ru> parents: 6816 diff changeset	3501 ngx_int_t
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3502 ngx_ssl_get_session_id(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3503 {
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3504 u_char *buf;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3505 SSL_SESSION *sess;
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3506 unsigned int len;
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3507
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3508 sess = SSL_get0_session(c->ssl->connection);
5537 49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	3509 if (sess == NULL) {
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	3510 s->len = 0;
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	3511 return NGX_OK;
49b1ad48b55c SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. Maxim Dounin <mdounin@mdounin.ru> parents: 5531 diff changeset	3512 }
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3513
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3514 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3515
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3516 buf = (u_char *) SSL_SESSION_get_id(sess, &len);
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3517
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3518 #else
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3519
5531 97e3769637a7 SSL: fixed $ssl_session_id variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5487 diff changeset	3520 buf = sess->session_id;
97e3769637a7 SSL: fixed $ssl_session_id variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5487 diff changeset	3521 len = sess->session_id_length;
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3522
5756 5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3523 #endif
5b7276408565 SSL: stop accessing SSL_SESSION's fields directly. Piotr Sikora <piotr@cloudflare.com> parents: 5755 diff changeset	3524
3154 823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3525 s->len = 2 * len;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3526 s->data = ngx_pnalloc(pool, 2 * len);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3527 if (s->data == NULL) {
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3528 return NGX_ERROR;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3529 }
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3530
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3531 ngx_hex_dump(s->data, buf, len);
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3532
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3533 return NGX_OK;
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3534 }
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3535
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3536
823f72db46c0 $ssl_session_id Igor Sysoev <igor@sysoev.ru> parents: 3002 diff changeset	3537 ngx_int_t
5573 7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3538 ngx_ssl_get_session_reused(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3539 {
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3540 if (SSL_session_reused(c->ssl->connection)) {
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3541 ngx_str_set(s, "r");
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3542
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3543 } else {
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3544 ngx_str_set(s, ".");
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3545 }
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3546
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3547 return NGX_OK;
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3548 }
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3549
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3550
7c05f6590753 SSL: the $ssl_session_reused variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5537 diff changeset	3551 ngx_int_t
5658 94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3552 ngx_ssl_get_server_name(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3553 {
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3554 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3555
7092 2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3556 size_t len;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3557 const char *name;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3558
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3559 name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3560
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3561 if (name) {
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3562 len = ngx_strlen(name);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3563
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3564 s->len = len;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3565 s->data = ngx_pnalloc(pool, len);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3566 if (s->data == NULL) {
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3567 return NGX_ERROR;
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3568 }
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3569
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3570 ngx_memcpy(s->data, name, len);
2e8de3d81783 SSL: fixed possible use-after-free in $ssl_server_name. Maxim Dounin <mdounin@mdounin.ru> parents: 7091 diff changeset	3571
5658 94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3572 return NGX_OK;
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3573 }
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3574
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3575 #endif
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3576
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3577 s->len = 0;
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3578 return NGX_OK;
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3579 }
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3580
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3581
94ae92776441 SSL: $ssl_server_name variable. Maxim Dounin <mdounin@mdounin.ru> parents: 5657 diff changeset	3582 ngx_int_t
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3583 ngx_ssl_get_raw_certificate(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2045 2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3584 {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3585 size_t len;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3586 BIO *bio;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3587 X509 *cert;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3588
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3589 s->len = 0;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3590
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3591 cert = SSL_get_peer_certificate(c->ssl->connection);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3592 if (cert == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3593 return NGX_OK;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3594 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3595
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3596 bio = BIO_new(BIO_s_mem());
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3597 if (bio == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3598 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3599 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3600 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3601 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3602
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3603 if (PEM_write_bio_X509(bio, cert) == 0) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3604 ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3605 goto failed;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3606 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3607
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3608 len = BIO_pending(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3609 s->len = len;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3610
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	3611 s->data = ngx_pnalloc(pool, len);
2045 2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3612 if (s->data == NULL) {
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3613 goto failed;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3614 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3615
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3616 BIO_read(bio, s->data, len);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3617
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3618 BIO_free(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3619 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3620
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3621 return NGX_OK;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3622
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3623 failed:
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3624
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3625 BIO_free(bio);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3626 X509_free(cert);
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3627
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3628 return NGX_ERROR;
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3629 }
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3630
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3631
2b11822b12d6 $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2044 diff changeset	3632 ngx_int_t
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3633 ngx_ssl_get_certificate(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3634 {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3635 u_char *p;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3636 size_t len;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3637 ngx_uint_t i;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3638 ngx_str_t cert;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3639
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3640 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3641 return NGX_ERROR;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3642 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3643
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3644 if (cert.len == 0) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3645 s->len = 0;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3646 return NGX_OK;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3647 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3648
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3649 len = cert.len - 1;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3650
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3651 for (i = 0; i < cert.len - 1; i++) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3652 if (cert.data[i] == LF) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3653 len++;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3654 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3655 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3656
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3657 s->len = len;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3658 s->data = ngx_pnalloc(pool, len);
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3659 if (s->data == NULL) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3660 return NGX_ERROR;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3661 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3662
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3663 p = s->data;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3664
3002 bf0c7e58e016 fix memory corruption in $ssl_client_cert Igor Sysoev <igor@sysoev.ru> parents: 2997 diff changeset	3665 for (i = 0; i < cert.len - 1; i++) {
2123 9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3666 *p++ = cert.data[i];
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3667 if (cert.data[i] == LF) {
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3668 *p++ = '\t';
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3669 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3670 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3671
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3672 return NGX_OK;
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3673 }
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3674
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3675
9697407e9ecb ) ssl_verify_client ask Igor Sysoev <igor@sysoev.ru>* parents: 2052 diff changeset	3676 ngx_int_t
7091 82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3677 ngx_ssl_get_escaped_certificate(ngx_connection_t c, ngx_pool_t pool,
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3678 ngx_str_t *s)
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3679 {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3680 ngx_str_t cert;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3681 uintptr_t n;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3682
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3683 if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3684 return NGX_ERROR;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3685 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3686
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3687 if (cert.len == 0) {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3688 s->len = 0;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3689 return NGX_OK;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3690 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3691
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3692 n = ngx_escape_uri(NULL, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT);
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3693
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3694 s->len = cert.len + n * 2;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3695 s->data = ngx_pnalloc(pool, s->len);
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3696 if (s->data == NULL) {
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3697 return NGX_ERROR;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3698 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3699
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3700 ngx_escape_uri(s->data, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT);
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3701
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3702 return NGX_OK;
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3703 }
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3704
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3705
82f0b8dcca27 SSL: the $ssl_client_escaped_cert variable (ticket #857). Maxim Dounin <mdounin@mdounin.ru> parents: 7087 diff changeset	3706 ngx_int_t
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3707 ngx_ssl_get_subject_dn(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3708 {
6780 56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3709 BIO *bio;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3710 X509 *cert;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3711 X509_NAME *name;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3712
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3713 s->len = 0;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3714
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3715 cert = SSL_get_peer_certificate(c->ssl->connection);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3716 if (cert == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3717 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3718 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3719
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3720 name = X509_get_subject_name(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3721 if (name == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3722 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3723 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3724
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3725 bio = BIO_new(BIO_s_mem());
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3726 if (bio == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3727 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3728 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3729 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3730
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3731 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3732 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3733 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3734
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3735 s->len = BIO_pending(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3736 s->data = ngx_pnalloc(pool, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3737 if (s->data == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3738 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3739 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3740
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3741 BIO_read(bio, s->data, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3742
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3743 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3744 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3745
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3746 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3747
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3748 failed:
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3749
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3750 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3751 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3752
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3753 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3754 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3755
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3756
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3757 ngx_int_t
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3758 ngx_ssl_get_issuer_dn(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3759 {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3760 BIO *bio;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3761 X509 *cert;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3762 X509_NAME *name;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3763
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3764 s->len = 0;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3765
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3766 cert = SSL_get_peer_certificate(c->ssl->connection);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3767 if (cert == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3768 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3769 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3770
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3771 name = X509_get_issuer_name(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3772 if (name == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3773 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3774 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3775
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3776 bio = BIO_new(BIO_s_mem());
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3777 if (bio == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3778 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3779 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3780 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3781
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3782 if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3783 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3784 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3785
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3786 s->len = BIO_pending(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3787 s->data = ngx_pnalloc(pool, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3788 if (s->data == NULL) {
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3789 goto failed;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3790 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3791
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3792 BIO_read(bio, s->data, s->len);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3793
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3794 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3795 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3796
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3797 return NGX_OK;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3798
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3799 failed:
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3800
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3801 BIO_free(bio);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3802 X509_free(cert);
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3803
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3804 return NGX_ERROR;
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3805 }
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3806
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3807
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3808 ngx_int_t
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3809 ngx_ssl_get_subject_dn_legacy(ngx_connection_t c, ngx_pool_t pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3810 ngx_str_t *s)
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3811 {
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3812 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3813 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3814 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3815 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3816
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3817 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3818
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3819 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3820 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3821 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3822 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3823
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3824 name = X509_get_subject_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3825 if (name == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3826 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3827 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3828 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3829
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3830 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3831
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3832 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3833
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3834 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	3835 s->data = ngx_pnalloc(pool, len);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3836 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3837 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3838 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3839 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3840 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3841
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3842 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3843
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3844 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3845 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3846
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3847 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3848 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3849
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3850
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3851 ngx_int_t
6780 56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3852 ngx_ssl_get_issuer_dn_legacy(ngx_connection_t c, ngx_pool_t pool,
56d6bfe6b609 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn. Dmitry Volyntsev <xeioex@nginx.com> parents: 6775 diff changeset	3853 ngx_str_t *s)
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3854 {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3855 char *p;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3856 size_t len;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3857 X509 *cert;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3858 X509_NAME *name;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3859
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3860 s->len = 0;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3861
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3862 cert = SSL_get_peer_certificate(c->ssl->connection);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3863 if (cert == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3864 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3865 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3866
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3867 name = X509_get_issuer_name(cert);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3868 if (name == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3869 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3870 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3871 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3872
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3873 p = X509_NAME_oneline(name, NULL, 0);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3874
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3875 for (len = 0; p[len]; len++) { /* void */ }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3876
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3877 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	3878 s->data = ngx_pnalloc(pool, len);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3879 if (s->data == NULL) {
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3880 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3881 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3882 return NGX_ERROR;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3883 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3884
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3885 ngx_memcpy(s->data, p, len);
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3886
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3887 OPENSSL_free(p);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3888 X509_free(cert);
647 95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3889
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3890 return NGX_OK;
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3891 }
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3892
95d7da23ea53 nginx-0.3.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 611 diff changeset	3893
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3894 ngx_int_t
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3895 ngx_ssl_get_serial_number(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3896 {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3897 size_t len;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3898 X509 *cert;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3899 BIO *bio;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3900
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3901 s->len = 0;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3902
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3903 cert = SSL_get_peer_certificate(c->ssl->connection);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3904 if (cert == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3905 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3906 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3907
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3908 bio = BIO_new(BIO_s_mem());
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3909 if (bio == NULL) {
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3910 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3911 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3912 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3913
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3914 i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert));
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3915 len = BIO_pending(bio);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3916
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3917 s->len = len;
2049 2a92804f4109 ) back out r2040 Igor Sysoev <igor@sysoev.ru>* parents: 2045 diff changeset	3918 s->data = ngx_pnalloc(pool, len);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3919 if (s->data == NULL) {
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3920 BIO_free(bio);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3921 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3922 return NGX_ERROR;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3923 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3924
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3925 BIO_read(bio, s->data, len);
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3926 BIO_free(bio);
1974 f32cc6df6bd6 fix memory leak when ssl_verify_client is on Igor Sysoev <igor@sysoev.ru> parents: 1948 diff changeset	3927 X509_free(cert);
671 cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3928
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3929 return NGX_OK;
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3930 }
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3931
cec32b3753ac nginx-0.3.57-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 647 diff changeset	3932
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3933 ngx_int_t
5700 5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3934 ngx_ssl_get_fingerprint(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3935 {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3936 X509 *cert;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3937 unsigned int len;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3938 u_char buf[EVP_MAX_MD_SIZE];
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3939
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3940 s->len = 0;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3941
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3942 cert = SSL_get_peer_certificate(c->ssl->connection);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3943 if (cert == NULL) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3944 return NGX_OK;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3945 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3946
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3947 if (!X509_digest(cert, EVP_sha1(), buf, &len)) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3948 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3949 return NGX_ERROR;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3950 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3951
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3952 s->len = 2 * len;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3953 s->data = ngx_pnalloc(pool, 2 * len);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3954 if (s->data == NULL) {
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3955 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3956 return NGX_ERROR;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3957 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3958
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3959 ngx_hex_dump(s->data, buf, len);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3960
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3961 X509_free(cert);
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3962
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3963 return NGX_OK;
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3964 }
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3965
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3966
5e892d40e5cc SSL: $ssl_client_fingerprint variable. Sergey Budnevitch <sb@waeme.net> parents: 5669 diff changeset	3967 ngx_int_t
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3968 ngx_ssl_get_client_verify(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3969 {
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3970 X509 *cert;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3971 long rc;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3972 const char *str;
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3973
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3974 cert = SSL_get_peer_certificate(c->ssl->connection);
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3975 if (cert == NULL) {
3516 dd1570b6f237 ngx_str_set() and ngx_str_null() Igor Sysoev <igor@sysoev.ru> parents: 3488 diff changeset	3976 ngx_str_set(s, "NONE");
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3977 return NGX_OK;
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3978 }
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3979
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3980 X509_free(cert);
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3981
6814 379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3982 rc = SSL_get_verify_result(c->ssl->connection);
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3983
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3984 if (rc == X509_V_OK) {
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3985 ngx_str_set(s, "SUCCESS");
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3986 return NGX_OK;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3987 }
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3988
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3989 str = X509_verify_cert_error_string(rc);
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3990
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3991 s->data = ngx_pnalloc(pool, sizeof("FAILED:") - 1 + ngx_strlen(str));
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3992 if (s->data == NULL) {
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3993 return NGX_ERROR;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3994 }
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3995
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3996 s->len = ngx_sprintf(s->data, "FAILED:%s", str) - s->data;
379139020d36 SSL: $ssl_client_verify extended with a failure reason. Maxim Dounin <mdounin@mdounin.ru> parents: 6812 diff changeset	3997
2994 f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3998 return NGX_OK;
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	3999 }
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4000
f33c48457d0c ) $ssl_client_verify Igor Sysoev <igor@sysoev.ru>* parents: 2912 diff changeset	4001
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4002 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4003 ngx_ssl_get_client_v_start(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4004 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4005 BIO *bio;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4006 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4007 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4008
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4009 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4010
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4011 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4012 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4013 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4014 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4015
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4016 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4017 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4018 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4019 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4020 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4021
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4022 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4023 ASN1_TIME_print(bio, X509_get0_notBefore(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4024 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4025 ASN1_TIME_print(bio, X509_get_notBefore(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4026 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4027
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4028 len = BIO_pending(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4029
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4030 s->len = len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4031 s->data = ngx_pnalloc(pool, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4032 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4033 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4034 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4035 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4036 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4037
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4038 BIO_read(bio, s->data, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4039 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4040 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4041
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4042 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4043 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4044
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4045
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4046 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4047 ngx_ssl_get_client_v_end(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4048 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4049 BIO *bio;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4050 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4051 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4052
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4053 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4054
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4055 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4056 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4057 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4058 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4059
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4060 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4061 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4062 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4063 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4064 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4065
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4066 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4067 ASN1_TIME_print(bio, X509_get0_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4068 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4069 ASN1_TIME_print(bio, X509_get_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4070 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4071
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4072 len = BIO_pending(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4073
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4074 s->len = len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4075 s->data = ngx_pnalloc(pool, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4076 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4077 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4078 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4079 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4080 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4081
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4082 BIO_read(bio, s->data, len);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4083 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4084 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4085
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4086 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4087 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4088
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4089
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4090 ngx_int_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4091 ngx_ssl_get_client_v_remain(ngx_connection_t c, ngx_pool_t pool, ngx_str_t *s)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4092 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4093 X509 *cert;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4094 time_t now, end;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4095
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4096 s->len = 0;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4097
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4098 cert = SSL_get_peer_certificate(c->ssl->connection);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4099 if (cert == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4100 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4101 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4102
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4103 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4104 end = ngx_ssl_parse_time(X509_get0_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4105 #else
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4106 end = ngx_ssl_parse_time(X509_get_notAfter(cert));
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4107 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4108
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4109 if (end == (time_t) NGX_ERROR) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4110 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4111 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4112 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4113
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4114 now = ngx_time();
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4115
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4116 if (end < now + 86400) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4117 ngx_str_set(s, "0");
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4118 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4119 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4120 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4121
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4122 s->data = ngx_pnalloc(pool, NGX_TIME_T_LEN);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4123 if (s->data == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4124 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4125 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4126 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4127
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4128 s->len = ngx_sprintf(s->data, "%T", (end - now) / 86400) - s->data;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4129
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4130 X509_free(cert);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4131
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4132 return NGX_OK;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4133 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4134
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4135
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4136 static time_t
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4137 ngx_ssl_parse_time(
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4138 #if OPENSSL_VERSION_NUMBER > 0x10100000L
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4139 const
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4140 #endif
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4141 ASN1_TIME *asn1time)
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4142 {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4143 BIO *bio;
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4144 char *value;
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4145 size_t len;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4146 time_t time;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4147
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4148 /*
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4149 * OpenSSL doesn't provide a way to convert ASN1_TIME
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4150 * into time_t. To do this, we use ASN1_TIME_print(),
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4151 * which uses the "MMM DD HH:MM:SS YYYY [GMT]" format (e.g.,
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4152 * "Feb 3 00:55:52 2015 GMT"), and parse the result.
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4153 */
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4154
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4155 bio = BIO_new(BIO_s_mem());
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4156 if (bio == NULL) {
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4157 return NGX_ERROR;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4158 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4159
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4160 /* fake weekday prepended to match C asctime() format */
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4161
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4162 BIO_write(bio, "Tue ", sizeof("Tue ") - 1);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4163 ASN1_TIME_print(bio, asn1time);
6842 25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4164 len = BIO_get_mem_data(bio, &value);
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4165
25d0d6dabe00 SSL: backed out changeset e7cb5deb951d, reimplemented properly. Maxim Dounin <mdounin@mdounin.ru> parents: 6841 diff changeset	4166 time = ngx_parse_http_time((u_char *) value, len);
6815 2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4167
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4168 BIO_free(bio);
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4169
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4170 return time;
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4171 }
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4172
2d15fff64e3c SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. Maxim Dounin <mdounin@mdounin.ru> parents: 6814 diff changeset	4173
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4174 static void *
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4175 ngx_openssl_create_conf(ngx_cycle_t *cycle)
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4176 {
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4177 ngx_openssl_conf_t *oscf;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4178
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4179 oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t));
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4180 if (oscf == NULL) {
2912 c7d57b539248 return NULL instead of NGX_CONF_ERROR on a create conf failure Igor Sysoev <igor@sysoev.ru> parents: 2764 diff changeset	4181 return NULL;
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4182 }
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4183
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4184 /*
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4185 * set by ngx_pcalloc():
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4186 *
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4187 * oscf->engine = 0;
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4188 */
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4189
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4190 return oscf;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4191 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4192
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4193
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4194 static char *
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4195 ngx_openssl_engine(ngx_conf_t cf, ngx_command_t cmd, void *conf)
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4196 {
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4197 #ifndef OPENSSL_NO_ENGINE
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4198
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4199 ngx_openssl_conf_t *oscf = conf;
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4200
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4201 ENGINE *engine;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4202 ngx_str_t *value;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4203
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4204 if (oscf->engine) {
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4205 return "is duplicate";
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4206 }
577 4d9ea73a627a nginx-0.3.10-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 571 diff changeset	4207
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4208 oscf->engine = 1;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4209
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4210 value = cf->args->elts;
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4211
6552 addd98357629 SSL: style. Maxim Dounin <mdounin@mdounin.ru> parents: 6551 diff changeset	4212 engine = ENGINE_by_id((char *) value[1].data);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4213
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4214 if (engine == NULL) {
6699 9cf2dce316e5 Fixed log levels of configuration parsing errors. Valentin Bartenev <vbart@nginx.com> parents: 6687 diff changeset	4215 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4216 "ENGINE_by_id(\"%V\") failed", &value[1]);
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4217 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4218 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4219
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4220 if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) {
6699 9cf2dce316e5 Fixed log levels of configuration parsing errors. Valentin Bartenev <vbart@nginx.com> parents: 6687 diff changeset	4221 ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4222 "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed",
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4223 &value[1]);
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4224
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4225 ENGINE_free(engine);
9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4226
541 b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4227 return NGX_CONF_ERROR;
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4228 }
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4229
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4230 ENGINE_free(engine);
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4231
b09ee85d0ac8 nginx-0.1.45-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 539 diff changeset	4232 return NGX_CONF_OK;
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4233
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4234 #else
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4235
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4236 return "is not supported";
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4237
4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4238 #endif
2504 9e9a985d956a load SSL engine before certificates, Igor Sysoev <igor@sysoev.ru> parents: 2388 diff changeset	4239 }
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4240
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4241
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4242 static void
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4243 ngx_openssl_exit(ngx_cycle_t *cycle)
458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4244 {
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4245 #if OPENSSL_VERSION_NUMBER < 0x10100003L
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4246
3464 7f99ce2247f9 add OpenSSL_add_all_algorithms(), this fixes the error Igor Sysoev <igor@sysoev.ru> parents: 3457 diff changeset	4247 EVP_cleanup();
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4248 #ifndef OPENSSL_NO_ENGINE
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4249 ENGINE_cleanup();
5777 4d092aa2f463 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP. Piotr Sikora <piotr@cloudflare.com> parents: 5775 diff changeset	4250 #endif
6488 a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4251
a57b2b8999e7 SSL: initialization changes for OpenSSL 1.1.0. Maxim Dounin <mdounin@mdounin.ru> parents: 6487 diff changeset	4252 #endif
571 458b6c3fea65 nginx-0.3.7-RELEASE import Igor Sysoev <igor@sysoev.ru> parents: 563 diff changeset	4253 }

Mercurial > hg > nginx

annotate src/event/ngx_event_openssl.c @ 7412:6c52c99c475e stable-1.14